
July 24, 2025

Draft of Vietnam’s Consolidated 2025 Cybersecurity Law Released

Vietnam’s Ministry of Public Security recently released a draft version of the 2025 Cybersecurity Law, which is intended to replace both the existing 2018 Cybersecurity Law and the 2015 Law on Network Information Security (LNIS). This consolidation reflects a broader effort by the Vietnamese government to streamline and centralize the legal framework governing cybersecurity, data protection, and information security under the sole authority of the Ministry of Public Security, moving away from the previous sharing of responsibility with the former Ministry of Information and Communications (which ceased operations earlier this year and merged with the Ministry of Science and Technology). This shift aims to eliminate overlaps and improve enforcement efficiency.

The draft law is built upon the foundation of principles and provisions of both the 2018 Cybersecurity Law and the 2015 LNIS, while also introducing a wide range of amendments and new regulations. By merging the two laws, the government seeks to reduce legal fragmentation and ensure consistency in definitions, obligations, and enforcement mechanisms across related domains like data protection, IT system classification, and cybercrime prevention. The newly introduced amendments include enhanced obligations for service providers, stricter controls on information transmission, classification of IT systems, designation and protection of nationally important information systems, and sector-specific violations and compliance requirements.

Highlights of the draft law are discussed below.

Definition and Obligations of Service Providers

The draft law clearly defines and significantly broadens the scope of entities considered “service providers” under its jurisdiction. This now includes businesses and individuals offering products or services in cyberspace, including both infrastructure and content online services, such as:

  • Internet service providers (ISPs) and providers of telecommunications, hosting, servers, domain names, VPNs, proxy services, and cloud computing;
  • Providers of social networks, websites, and online gaming;
  • Financial institutions, banks, foreign bank branches in Vietnam, e-wallet providers, payment intermediaries, stock exchanges, and digital asset platforms;
  • E-commerce platforms;
  • Logistics providers;
  • Digital television providers; and
  • Other online service providers.

The draft law prescribes specific obligations for online service providers, notably to (i) cooperate with the authorities and facilitate the investigation and handling of cybersecurity violations; (ii) terminate, freeze, identify, and reauthenticate digital accounts, and suspend transactions; and (iii) block, temporarily suspend, or terminate the operation of websites and information systems upon request by a competent authority, among other obligations. These obligations appear to codify the authority’s power to restrict or intervene in online operations and activities in response to cybersecurity violations.

Online Information Management

The draft law generally requires the classification of online information based on its level of confidentiality, mandating the application of appropriate protection measures, including establishing policies and procedures to handle online information. Moreover, the draft law prohibits falsifying the source of the information and sending online commercial information without the recipient’s consent or when the recipient has refused, unless otherwise prescribed by law. This marks a significant tightening of rules around unsolicited digital communications.

Under the draft law, telecommunications enterprises, telecommunications application service providers and IT service providers are required to (i) prevent and address illegal online information communications (including but not limited to spam and fake or infringing information) and (ii) implement mechanisms that allow recipients to refuse such communication. These obligations reflect the government’s intent to strengthen control over harmful digital content. However, they may impose significant compliance burdens on service providers, particularly in terms of monitoring, filtering, and user interface design.

IT System Classification and Protection Requirements

While the LNIS prescribes five classification levels for IT systems based on their importance and sensitivity, the draft law provides only three levels. Notably, level 3 IT systems (those whose sabotage would cause particularly serious harm to public interest, social order, and safety, or pose a serious threat to national defense and security) are designated as important national IT systems and subject to enhanced protection requirements and obligations.

The draft law provides an initial list of important national IT systems, which includes those in the fields of energy, finance, banking, telecommunications, transport, natural resources and environment, chemicals, health, culture, and news media, and sets out that the prime minister will promulgate, amend, and supplement the list at a later stage. Level 3 IT systems would need to undergo cybersecurity eligibility assessments, be certified, and then be subject to annual reporting requirements and unscheduled inspections by the Ministry of Public Security.

Removal of Data Localization and Local Presence Requirements

The 2018 Cybersecurity Law requires foreign and domestic service providers who provide services in cyberspace to store certain regulated data in Vietnam and under specific circumstances establish a local presence in Vietnam, upon the authority’s request. These requirements have been removed under the draft law. This shift reflects a more flexible regulatory approach aimed at balancing national security interests with the realities of global digital business. It also aligns with Vietnam’s commitments under international treaties and standards, promoting freer cross-border data flows while maintaining compliance with the new 2025 Personal Data Protection Law, which remains central to data governance.

Preventing and Combating High-Tech Cybercrime

The draft law introduces a new chapter dedicated to the prevention, detection, and handling of high-tech cybercrime. It outlines the responsibilities of government agencies, organizations, businesses, and individuals in combating such crimes. This addition reflects the growing concern over cybercriminals using advanced technologies to conduct fraud and other illegal activities.

Outlook

The draft 2025 Cybersecurity Law is currently undergoing public consultation and is expected to be refined through several rounds of feedback before being presented to the 15th National Assembly for deliberation during its 10th session in October 2025. Businesses should stay informed and consider participating in the consultation process to help shape the final version of the law and ensure their operational interests are represented.
