Vietnam Newsletter

Vietnam’s Law on Cybersecurity 2025: Key Developments and Business Implications

The Law on Cybersecurity 2025, adopted by the National Assembly of Vietnam on 10 December 2025 and scheduled to take effect on 1 July 2026 (the “2025 Cybersecurity Law”), marks a significant consolidation of Vietnam’s cybersecurity legal framework. The 2025 Cybersecurity Law consolidates and replaces Vietnam’s prior legislative regimes governing security in cyberspace, namely the Law on Cyber-Information Security No. 86/2015/QH13 and the Law on Cybersecurity No. 24/2018/QH14, with a single, unified statutory framework, reflecting a structural shift toward a more integrated and coherent approach to cybersecurity regulation.

1. Centralisation of Cybersecurity Governance

A key structural change under the 2025 Cybersecurity Law is the consolidation of State management authority over cybersecurity. Under the previous framework, regulatory oversight was divided among different authorities pursuant to the 2015 and 2018 laws, resulting in fragmented supervision and duplicative regulatory responsibilities.

The 2025 Cybersecurity Law restructures this model by centralising cybersecurity administration under a unified framework. While the Government retains overarching authority, the Ministry of Public Security is designated as the principal agency assisting the Government in cybersecurity matters, except for specific responsibilities assigned to the Ministry of National Defence and the Government Cipher Committee. This reallocation is intended to enhance regulatory efficiency and provide greater clarity and consistency for regulated entities.

2. Expansion of Prohibited Acts in Cyberspace

The 2025 Cybersecurity Law significantly expands prohibited conduct in cyberspace:
 

  • “Against the State,” “inciting division,” “causing instability,” and “threatening security and order”: These are open-textured standards without clear thresholds. They may be interpreted to cover political advocacy, protests, or sharp policy criticism if officials view the impacts as disruptive;
  • “Obscene,” “depraved lifestyle,” “destroying fine customs and traditions”: Morality-based terms are subjective, risking over-removal of art, education, or health-related content;
  • AI/deepfakes “contrary to law”: There is no bright-line technical or legal test for parody, satire, or newsworthiness, creating uncertainty in content moderation;
  • “Other acts … using IT/electronic means to violate laws on national security, order, social safety”: A catch-all provision that materially expands discretion and reduces predictability.


The breadth of these provisions may capture both user behavior and platform-enabling actions, creating exposure for platforms and service providers operating online.

3. Enhanced Child-Protection Duties and Ambiguity Over Covered Online Service Providers

Beyond maintaining existing child-protection measures, the 2025 Cybersecurity Law introduces new operational obligations requiring “enterprises providing services on telecommunications networks, the Internet, or providing value added services” (i) to deploy technical systems to prevent and block child abuse content and (ii) to cooperate with authorities to disrupt dissemination sources (including prompt content removal and provision of subscriber information upon written request from the specialized cybersecurity force (MPS) to investigate violations, with tight response timelines).

Like the 2018 Cybersecurity Law, the 2025 Cybersecurity Law does not define “enterprises providing services on telecommunications networks, the Internet, or providing value added services”, leaving the scope of covered online businesses to be addressed in its implementing regulations. Decree 53/2022/ND-CP implementing the 2018 Cybersecurity Law defines “services on telecommunications networks”, “services on the Internet”, and “value added services”. Although the draft decree implementing the 2025 Cybersecurity Law is not yet available, we expect it to adopt similar interpretations. That said, the scope of these services has expanded and blurred due to numerous recent legal changes, new laws, and the increasing complexity of Vietnam’s regulatory framework. Enterprises offering services through online channels should conduct a comprehensive legal analysis to determine whether they fall within these categories and, if so, the consequential obligations under the 2025 Cybersecurity Law.

4. Stricter Time-Bound Compliance Obligations

A notable operational development under the 2025 Cybersecurity Law is the introduction of explicit response timelines. Domestic and foreign enterprises providing services on telecommunications networks, the Internet, or providing value-added services in cyberspace in Vietnam are required to furnish requested user information within 24 hours, or within three (3) hours in emergency situations threatening national security or human life.

Content control obligations are also tightened. While the standard 24-hour deadline for content removal under the previous regime is retained, the 2025 Cybersecurity Law introduces additional duties to disable or uninstall non-compliant services or applications. In urgent national security cases, content removal requests must be complied with within six (6) hours.

5. Data Localisation and Local Presence Requirements

The 2025 Cybersecurity Law reaffirms the data localisation requirement by requiring domestic and foreign enterprises providing services on telecommunications networks, the Internet, or providing value-added services in cyberspace in Vietnam that collect, use, analyse, or otherwise process personal data, user relationship data, or data generated by users in Vietnam to store such data locally for a period to be determined by the Government. In addition, the 2025 Cybersecurity Law introduces an express obligation requiring these enterprises to implement data protection measures in accordance with the applicable law.

Similar to the 2018 Cybersecurity Law, foreign enterprises providing services on telecommunications networks, the Internet, or providing value-added services in cyberspace in Vietnam that fall under the aforesaid requirement are also required to establish a branch or representative office in Vietnam. Of note, under Decree 53/2022/ND-CP guiding the 2018 Cybersecurity Law, the requirements on data localisation and on the establishment of a branch or representative office in Vietnam only apply to foreign enterprises[1] operating in certain specific business sectors as expressly prescribed therein. Therefore, it remains to be seen whether the decree implementing the 2025 Cybersecurity Law, once issued, would introduce any changes or refinements in this regard.

6. Cybersecurity Products and Services

The 2025 Cybersecurity Law largely carries forward the classification of cybersecurity products and services under the 2015 framework, with the notable exclusion of electronic signature certification services. Enterprises providing cybersecurity products and services continue to be subject to licensing requirements. However, unlike the 2015 Cybersecurity Law, which prescribed detailed licensing conditions and procedures at the statutory level, the 2025 Cybersecurity Law delegates detailed regulations on licensing, suspension, revocation, and import/export to the Government. 

Transitional provisions allow existing licences and deployed products to remain valid, subject to compliance with the new requirements within 12 months from the effective date of the 2025 Cybersecurity Law.

Key Takeaway

The Law on Cybersecurity 2025 reflects a shift toward centralised authority, clearer compliance expectations, and more enforceable operational obligations. While many foundational principles are carried forward, businesses operating in or into Vietnam should expect tighter timelines, broader content controls, and increased scrutiny of data security practices as the new regime comes into force in 2026.

  1. Under Decree 53/2022/ND-CP, a foreign enterprise is defined as “an enterprise that is established or registered for establishment under foreign law