Navigating Vietnam’s Draft Cybersecurity Law 2025: What Businesses Need to Know
Vietnam’s Ministry of Public Security has introduced the draft Cybersecurity Law 2025, inviting public consultation until July 16, 2025. This comprehensive legal document aims to replace the existing Cybersecurity Law 2018 and the Law on Network Information Security 2015. As part of a larger overhaul of digital policies that includes the Data Law and the Personal Data Protection Law passed on June 26, 2025, the new draft is poised to reshape the regulatory landscape for businesses operating in Vietnam’s cyberspace.
Broader Scope of Application
One of the most significant aspects of the draft law is its expanded definition of “service providers.” This change means a wider range of industries will now fall under its purview, extending beyond traditional technology firms. The following sectors are explicitly included:
- Internet Service Providers (ISPs): This includes telecom companies, hosting services, domain name providers, and more.
- Social Networks and Online Platforms: Social media, websites, and online gaming platforms are now subject to the law.
- Financial Institutions: Banks, e-wallets, and payment intermediaries must comply with new regulations.
- E-commerce and Digital Asset Platforms: Stock exchanges and platforms dealing with digital assets will face stricter guidelines.
- Logistics and Digital Services: Companies providing logistics and digital television services also fall within the law’s scope.
This broadening means that many businesses previously considered exempt will now need to align with the new regulatory requirements.
Changes to Data Storage and Local Presence Requirements
The data storage and local presence obligations change notably, particularly for foreign enterprises. Under the current 2018 law, both domestic and foreign entities that collect or process data from Vietnamese users are required to store this data in Vietnam and establish a local office. The draft 2025 law removes the local office requirement, while still emphasizing compliance with the upcoming Personal Data Protection Law set to take effect on January 1, 2026. This significantly eases the requirements, though data protection remains a priority.
New Obligations to Combat Cybercrime
The draft introduces direct responsibilities for service providers to help combat high-tech cybercrime. Key obligations include:
- User Identification: Businesses must implement thorough identity verification processes for users to prevent the creation and use of fake accounts.
- Reporting and Cooperation: Cyberattacks must be reported to authorities within 24 hours, and companies must cooperate with requests from the Ministry of Public Security.
- Authority Powers: Officials are granted the authority to suspend accounts, freeze transactions, block websites, or seize devices linked to legal violations.
Moreover, users are now required to safeguard their account information vigilantly and may face penalties if their accounts are exploited for illegal activities. This includes disciplinary and even criminal repercussions depending on the severity of the violation.
Importantly, the draft also classifies intellectual property infringement as a cybercrime, providing a new legal framework for IP owners to combat counterfeiting and other abuses on e-commerce platforms.
Legal Definition of “Digital Assets”
For the first time, the draft law provides a clear definition of “digital assets” as products that are created, issued, transferred, and verified via blockchain technology. This move is crucial for businesses involved in blockchain, cryptocurrency, and NFTs, as it lays the groundwork for future regulatory frameworks within these sectors, signaling an era of increased oversight and potential accountability.
Tightened Controls on Cybersecurity Products and Services
The draft also introduces chapters focusing on cybersecurity standards and regulations for IT products and services. Organizations will need to demonstrate the conformity of their products with these newly established standards before they can be traded. This measure aims to strengthen controls over cybersecurity offerings and ensure that they meet national requirements, thereby enhancing the overall security landscape.
What Should Businesses Do?
In light of these sweeping changes, businesses operating in Vietnam should take proactive steps to prepare:
- Review Business Scope: Assess whether your company qualifies as a “service provider” under the new draft law.
- Assess Data Policies: Re-evaluate your data management practices to ensure compliance with the evolving data protection landscape.
- Prepare Compliance Processes: Update internal procedures related to user identification, incident reporting, and collaboration with authorities. Companies providing IT products and services should take care to align with national cybersecurity standards.
- Monitor Legal Developments: As the draft is still under review, it’s essential to remain updated on potential changes to avoid compliance gaps.
The draft Cybersecurity Law 2025 signifies a major shift in Vietnam’s approach to governance in cyberspace, emphasizing the importance of preparedness and adaptability for businesses. As the new law is on track to be implemented on January 1, 2026, advance preparation can be crucial in navigating the legal intricacies and maintaining operational stability in the Vietnamese market.