You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
July 24, 2025

Draft of Vietnam’s Consolidated 2025 Cybersecurity Law Released

Subscribe to Updates

Vietnam’s Ministry of Public Security recently released a draft version of the 2025 Cybersecurity Law, which is intended to replace both the existing 2018 Cybersecurity Law and the 2015 Law on Network Information Security (LNIS). This consolidation reflects a broader effort by the Vietnamese government to streamline and centralize the legal framework governing cybersecurity, data protection, and information security to be under the sole authority of the Ministry of Public Security, moving away from the previous sharing of responsibility with the former Ministry of Information and Communications (which ceased operations earlier this year and merged with the Ministry of Science and Technology). This shift aims to eliminate overlaps and improve enforcement efficiency.

The draft law is built upon the foundation of principles and provisions of both the 2018 Cybersecurity Law and the 2015 LNIS, while also introducing a wide range of amendments and new regulations. By merging the two laws, the government seeks to reduce legal fragmentation and ensure consistency in definitions, obligations, and enforcement mechanisms across related domains like data protection, IT system classification, and cybercrime prevention. The newly introduced amendments include enhanced obligations for service providers, stricter controls on information transmission, classification of IT systems, designation and protection of nationally important information systems, and sector-specific violations and compliance requirements.

Highlights of the draft law are discussed below.

Definition and Obligations of Service Providers

The draft law clearly defines and significantly broadens the scope of entities considered “service providers” under its jurisdiction. This now includes businesses and individuals offering products or services in cyberspace, including both infrastructure and content online services, such as:

  • Internet service providers (ISPs) and providers of telecommunications, hosting, servers, domain names, VPNs, proxy services, and cloud computing;
  • Providers of social networks, websites, and online gaming;
  • Financial institutions, banks, foreign bank branches in Vietnam, e-wallet providers, payment intermediaries, stock exchanges, and digital asset platforms;
  • E-commerce platforms;
  • Logistics providers;
  • Digital television providers; and
  • Other online service providers.

The draft law prescribes specific obligations for online service providers, notably to (i) cooperate with the authorities and facilitate the investigation and handling of cybersecurity violations; (ii) terminate, freeze, identify, and reauthenticate digital accounts, and suspend transactions; (iii) and block, temporarily suspend, or terminate the operation of websites and information systems upon request by a competent authority, among other obligations. These obligations appear to codify the authority’s power to restrict or intervene in online operations and activities in response to cybersecurity violations.

Online Information Management

The draft law generally requires the classification of online information based on its level of confidentiality, mandating the application of appropriate protection measures, including establishing policies and procedures to handle online information. Moreover, the draft law prohibits falsifying the source of the information and sending online commercial information without the recipient’s consent or when the recipient has refused, unless otherwise prescribed by law. This marks a significant tightening of rules around unsolicited digital communications.

Under the draft law, telecommunications enterprises, telecommunications application service providers and IT service providers are required to (i) prevent and address illegal online information communications (including but not limited to spam and fake or infringing information) and (ii) implement mechanisms that allow recipients to refuse such communication. These obligations reflect the government’s intent to strengthen control over harmful digital content. However, they may impose significant compliance burdens on service providers, particularly in terms of monitoring, filtering, and user interface design.

IT System Classification and Protection Requirements

While the LNIS prescribes five classification levels for IT systems based on their importance and sensitivity, the draft law provides only three levels. Notably, level 3 IT systems (those whose sabotage would cause particularly serious harm to public interest, social order, and safety, or pose a serious threat to national defense and security) are designated as important national IT systems and subject to enhanced protection requirements and obligations.

The draft law provides an initial list of important national IT systems, which includes those in the fields of energy, finance, banking, telecommunications, transport, natural resources and environment, chemicals, health, culture, and news media, and sets out that the prime minister will promulgate, amend, and supplement the list at a later stage. Level 3 IT systems would need to undergo cybersecurity eligibility assessments, be certified, and then be subject to annual reporting requirements and unscheduled inspections by the Ministry of Public Security.

Removal of Data Localization and Local Presence Requirements

The 2018 Cybersecurity Law requires foreign and domestic service providers who provide services in cyberspace to store certain regulated data in Vietnam and under specific circumstances establish a local presence in Vietnam, upon the authority’s request. These requirements have been removed under the draft law. This shift reflects a more flexible regulatory approach aimed at balancing national security interests with the realities of global digital business. It also aligns with Vietnam’s commitments under international treaties and standards, promoting freer cross-border data flows while maintaining compliance with the new 2025 Personal Data Protection Law, which remains central to data governance.

Preventing and Combating High-Tech Cybercrime

The draft law introduces a new chapter dedicated to the prevention, detection, and handling of high-tech cybercrime. It outlines the responsibilities of government agencies, organizations, businesses, and individuals in combating such crimes. This addition reflects the growing concern over cybercriminals using advanced technologies to conduct fraud and other illegal activities.

Outlook

The draft 2025 Cybersecurity Law is currently undergoing public consultation and is expected to be refined through several rounds of feedback before being presented to the 15th National Assembly for deliberation during its 10th session in October 2025. Businesses should stay informed and consider participating in the consultation process to help shape the final version of the law and ensure their operational interests are represented.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

July 24, 2025
Thai authorities have escalated efforts to block unlawful cross-border digital asset business operators. On June 19, 2025, the Ministry of Digital Economy and Society (MDES) issued a notification empowering it to ban internet access to operations or services offered by digital asset business operators who lack licenses from the Thailand Securities and Exchange Commission (SEC) under the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018). This ban, issued under the 2023 Royal Decree on Measures for the Prevention and Suppression of Technology Crime, particularly aims to block Thai users’ access to services offered by unlicensed offshore digital asset providers via their own apps or websites or through public social media platforms. Compliance Requirements The notification requires internet service providers and social media platforms selected by MDES to immediately impose internet access restrictions on identified apps, websites, and IP addresses of illegal operators upon receiving MDES orders. Takedown Orders There are two tracks for competent officials at MDES to issue orders to operators: If the competent official is notified by the SEC of licensing noncompliance by a particular digital asset business operator, the competent official can issue a takedown order to the operator upon approval from the permanent secretary of MDES. If the competent official independently discovers, or receives a complaint from any third party other than the SEC, that a digital asset business operator may have violated licensing requirements, the competent official can ask the SEC to verify and confirm the relevant facts and noncompliance before seeking approval from the permanent secretary of MDES to issue the takedown order. Streamlined Enforcement Prior to this notification, the SEC could obtain takedown orders only from Thai courts under the 2007 Computer Crime Act to take down or block access to unlicensed digital asset platforms and apps. This was a relatively
Read More
July 23, 2025
On July 4, 2025, Thailand’s Electronic Transactions Development Agency (ETDA) issued two significant notifications that introduce new compliance requirements for ride-hailing platforms operating in the country. The notifications formally designate these platforms as high-impact digital services under section 18(3) of the Royal Decree on Digital Platform Service Businesses and impose a comprehensive set of additional operational obligations. These measures are designed to address regulatory gaps and enhance oversight of digital platforms providing public passenger vehicle or motorcycle ride-hailing services. First, the Notification on the Designation of Ride-Hailing Platforms under section 18(3) formally designates all ride-hailing platforms that have notified the ETDA of their operations as high-impact digital platform services under section 18(3) of the royal decree. Unlike high-risk marketplace platforms, which are named individually, any ride-hailing platform that has notified the ETDA of its operations is automatically subject to these new requirements. Next, the Notification on Additional Obligations for Ride-Hailing Platforms imposes further obligations on ride-hailing platforms, supplementing the general requirements under section 21 of the royal decree. These notifications will come into force 90 days from their publication in the Government Gazette. New Compliance Obligations The new regulatory framework introduces a range of operational, technical, and reporting requirements for ride-hailing platforms, particularly concerning the issues described below. Vehicle and Driver Compliance Operators must: Ensure that all vehicles used on the platform are registered as public vehicles in accordance with Department of Land Transport requirements Verify all drivers hold valid public driving licenses Collect service fees in compliance with applicable fare regulations under the Vehicle Law Digital Platform Features and User Verification Operators must implement robust digital platform features for both drivers and riders, including: Comprehensive identity verification and confirmation processes for drivers and riders, utilizing both face-to-face and non-face-to-face methods, including biometric and digital ID checks Real-time GPS
Read More
July 17, 2025
On July 9, 2025, Thailand issued a notification that introduces comprehensive operational requirements for digital platform service providers operating as goods marketplaces, effective December 31, 2025 (i.e., 180 days after its publication in the Government Gazette). The regulation’s official name is Notification of the Electronic Transactions Committee Re: Other Actions for Digital Platform Service Operators in the Category of Marketplace for Goods with Specific Characteristics under Section 18(2) of the Royal Decree on the Operation of Digital Platform Service Businesses that are Subject to Prior Notification B.E. 2565 (2022), B.E. 2568 (2025). Scope of Application The notification applies exclusively to goods marketplace operators formally designated by the Electronic Transactions Development Agency (ETDA), which on the same day designated 19 platforms that had previously notified the ETDA of their operations. The goods requiring enhanced oversight by these operators are limited to those regulated by the Thai Food and Drug Administration (FDA) and the Thai Industrial Standards Institute (TISI). Development from Earlier Draft An earlier draft of the notification had included a requirement for offshore platforms to establish a local entity, but this requirement was removed from the final notification. Key Obligations Despite the removal of the local entity requirement, the notification imposes a range of additional obligations on designated goods marketplace operators: Transparency. Operators must implement robust transparency measures, including clear, accessible, and understandable disclosures to users in Thai. These disclosures must cover all relevant terms and conditions, comprehensive product information, and complaint management procedures. Operators must also submit an annual compliance report to the ETDA within 60 days after the end of their accounting period, including statistics on regulated goods. Business user registration and identity verification. Before permitting the sale or advertisement of regulated goods, operators must collect and verify business user information, including contact details, identification documents, registration
Read More
July 15, 2025
Thailand has established new safe harbor rules that require social media platforms to remove specified content within 24 hours of government notification. On July 5, 2025, the Notification of the Electronic Transactions Commission on Measures to Prevent Technological Crimes for Social Media Service Providers was issued and took effect. This followed a hearing in May 2025 where only a select group of social media and online communication platform operators were invited to attend and comment on draft rules that could exempt social media platform operators from joint liability under the amended Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes in cases involving victims of technological crimes. Safe Harbor Rules The notification stipulates procedures that must be followed in order to receive the protection of the safe harbor rules. Upon being notified by the Division of Prevention and Suppression of Cybercrime, Office of the Permanent Secretary of the Ministry of Digital Economy and Society (MDES) of the presence of false or misleading information that may lead to the commission of a technological crime, social media service providers must immediately take down the specified content, with a maximum allowable turnaround time of 24 hours from the time of receiving the notification. Social media service providers are required to promptly report the outcome of each takedown to the MDES Division of Prevention and Suppression. This shift in Thailand’s regulatory approach to social media content moderation establishes clear government oversight mechanisms while providing platforms with liability protection for compliance. As the new rules took immediate effect, social media platforms need to ensure that they have adequate systems and processes in place to comply with the requirements.
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice