Why Vietnam’s new cybersecurity framework should now be on every company’s radar
Vietnam is entering a new regulatory phase in cybersecurity. The country’s Law on Cybersecurity No. 116/2025/QH15, adopted on December 10, 2025, will take effect on July 1, 2026. It replaces both the 2015 Law on Cyberinformation Security and the 2018 Cybersecurity Law, creating a more consolidated legal framework for cybersecurity, data security, digital accounts, information systems, service-provider obligations, and enforcement. For businesses operating in Vietnam, or serving users in Vietnam, this is not a marginal legal update. It is a strategic shift.
What is changing is not only the legal text. It is the regulatory philosophy behind it. Cybersecurity in Vietnam is increasingly being treated as a matter of operational resilience, national security, digital sovereignty, and corporate accountability. That means companies should no longer see cyber compliance as a narrow IT issue or as a documentation exercise handled in isolation by legal or compliance teams. The new environment points toward something much broader: the need to demonstrate real execution capability across systems, data, vendors, people, and internal governance.
A more unified and more demanding cybersecurity regime in Vietnam

One of the most significant changes is the consolidation of Vietnam’s previous cyber laws into one broader framework. The 2025 law establishes a comprehensive legal architecture covering cybersecurity, cybersecurity protection, and the rights, obligations, and responsibilities of agencies, organizations, and individuals operating in cyberspace. It also introduces more detailed statutory definitions around concepts such as data security, digital accounts, cybercrime, cyberattacks, and cyber espionage.
For companies, this matters because a more unified framework usually leads to less room for fragmented internal interpretation. Cybersecurity, data governance, digital identity, online content, and platform responsibility are becoming more connected under a single regulatory logic. In practical terms, this makes it harder for organizations to manage privacy, cybersecurity, operations, and third-party risk in silos. Businesses that continue to separate those issues too rigidly may find that their governance model no longer matches the way regulators increasingly view digital risk.
Centralized oversight means cybersecurity compliance is becoming more real
The 2025 law also strengthens centralized state management, with the Ministry of Public Security positioned as the focal authority for guidance, coordination, incident response, IP-address identification mechanisms, digital-account verification, and enforcement, while other authorities retain roles within their own remit. This matters because stronger institutional centralization generally means more coherent enforcement and more structured expectations for businesses.
From a corporate perspective, this is a signal worth taking seriously. In many jurisdictions, enforcement becomes more operational once the state architecture around a law becomes clearer. Vietnam appears to be moving in that direction. Companies should therefore expect greater scrutiny not just of policy wording, but of how quickly and consistently they can act when a compliance, cybersecurity, or information request arises.
Information system classification will matter much more from 2026
The new law classifies information systems into five security levels, based on the degree of potential harm to national security, public order, social safety, and the lawful rights and interests of organizations and individuals. It also identifies information systems critical to national security, including systems in sectors such as finance, banking, energy, telecommunications, transportation, and health. Those systems are subject to cybersecurity assessments, certification, monitoring, and incident response measures before and during operation.
This is one of the most operationally important aspects of the reform. Classification is not an abstract legal concept. It drives the depth of obligations that may follow. Businesses should already be asking which systems may be considered sensitive, essential, or high-impact in the Vietnamese context, whether existing documentation and controls are sufficient, and whether legacy classifications under the previous regime need to be revisited. Recent analysis also points to a 12-month transition window for updating systems previously classified under the old framework so that they align with the new standards and protection measures.
Faster deadlines mean cybersecurity readiness becomes a business capability
Another major change is the introduction or reinforcement of strict operational timelines for certain service providers. Recent legal analysis indicates that enterprises providing services on telecommunications networks, the internet, or value-added services in cyberspace in Vietnam may be required to provide requested user information within 24 hours, or within 3 hours in emergency situations involving threats to national security or human life. Content-removal obligations may also be accelerated, with some urgent cases requiring action within 6 hours.
This has important governance consequences. A legal deadline is really a test of organizational design. Can the company identify the data? Does it know where it is stored? Has it defined who is accountable for validation, approval, and disclosure? Can it respond across time zones, outsourced environments, or cloud infrastructures without operational confusion? Under Vietnam’s emerging framework, cyber compliance increasingly depends on execution under pressure. That is why boards and senior management should view readiness as a capability, not just a legal topic.
Data localization in Vietnam is becoming more granular and more strategic
Vietnam’s 2026 framework also reinforces the importance of data localization. Recent analysis indicates that certain domestic and foreign enterprises providing telecommunications, internet, or value-added services in cyberspace in Vietnam, and collecting or processing personal data, user relationship data, or user-generated data in Vietnam, may be required to store such data in Vietnam. In some cases, foreign enterprises falling within scope may also need to establish a branch or representative office in Vietnam, subject to implementing regulations.
The direction of travel is important. The discussion is no longer limited to generic data residency. Commentary on the new law points to more specific categories such as account names, service usage time, service fee payment information, and access IP addresses, as well as requirements for certain service providers to identify IP addresses of users and provide that information to specialized cybersecurity forces for management and enforcement purposes.
For businesses, this means compliance in Vietnam increasingly intersects with architecture, logging, retention, identity management, cloud governance, vendor oversight, and internal records management. It is as much an operating-model issue as a legal one.
Why employee cybersecurity training in Vietnam is becoming a strategic compliance issue
One dimension is often underestimated in discussions about Vietnam cybersecurity compliance: employee training and cybersecurity awareness. Yet recent commentary on the Vietnamese framework repeatedly points in the same direction. A credible readiness program is not limited to legal analysis, system mapping, or incident response planning. It also depends on the workforce. Practical recommendations linked to the new framework emphasize regular awareness training, role-based training where needed, clear escalation paths, and stronger internal capability as part of compliance readiness. They also point to the importance of building organizational capacity, not just technical controls.
This is a critical insight for employers in Vietnam and for international groups with teams in Vietnam. The new legal environment is pushing companies toward shorter response times, greater internal coordination, and stronger evidence of preparedness. None of that works if employees do not know how to identify suspicious activity, escalate incidents, handle information securely, or respond appropriately to urgent requests. In practice, employee cybersecurity training in Vietnam is becoming a core part of operational resilience. It is also becoming one of the most practical ways for a company to show that its compliance approach is real, embedded, and scalable.
For many organizations, this creates a simple but important conclusion: if you are reviewing your Vietnam cybersecurity compliance roadmap for 2026, staff awareness training, cyber hygiene, phishing awareness, incident reporting reflexes, and role-based training should be part of the plan from the outset, not an afterthought added later.
AI, online content, and digital trust are becoming part of the compliance perimeter
The law also reflects growing concern around emerging technologies. It prohibits the use of AI or other new technologies to falsify images, videos, or voices in violation of the law and to disseminate prohibited content. That puts synthetic media, impersonation, manipulated content, and digital trust more firmly inside the regulatory frame.
This matters beyond social media or platform moderation. Companies using generative AI, digital marketing tools, automated customer engagement, or user-generated content ecosystems should recognize that cyber compliance and AI governance are starting to overlap. What may once have looked like a reputational issue can now also become a compliance issue.
Cybersecurity and personal data protection are converging in Vietnam
The broader Vietnamese compliance landscape in 2026 also includes the Personal Data Protection Law, which took effect on January 1, 2026, together with implementing guidance under Decree 356/2025/ND-CP. Recent analysis of the Vietnamese framework suggests that the real challenge for companies is not just understanding each legal instrument separately, but implementing them consistently across systems, vendors, and people.
That is the real strategic issue. In many organizations, privacy remains a legal or documentation-led workstream, while cybersecurity remains a technical or infrastructure-led function. Vietnam’s evolving framework points toward a more integrated model. Cyber risk, personal data handling, operational resilience, workforce readiness, and incident governance increasingly need to be managed together. The companies that understand that early will almost certainly be better prepared than those that continue to separate these issues too rigidly.
What businesses should do now before July 2026
The first priority is to reassess scope. Companies with operations in Vietnam, Vietnam-facing digital services, Vietnamese users, or meaningful processing of user or personal data linked to the market should revisit whether they fall within the law’s operational reach.
The second is to test operational readiness rather than relying only on policy completeness. That means reviewing system classification, authority-response procedures, incident workflows, content-removal capabilities, localization exposure, vendor dependencies, and data-retention practices.
The third is to strengthen the human layer. Companies should treat employee cybersecurity training in Vietnam as part of their compliance preparation. That includes regular awareness sessions, phishing and fraud prevention, secure data-handling practices, clear reporting channels, role-based training for higher-risk functions, and evidence of completion for internal governance purposes. Recent readiness guidance tied to the Vietnam framework clearly supports that approach.
The fourth is to stay adaptive. Important details still depend on future implementing regulations, including aspects of licensing, data retention, and operational thresholds. 2026 should therefore be approached as a year of active regulatory monitoring and staged implementation, not passive wait-and-see.
Our final thought
Vietnam’s new cybersecurity era is not simply about heavier compliance. It is about more concrete compliance. Faster response windows, stronger state coordination, deeper expectations around systems and data, and growing emphasis on practical readiness all point in the same direction. Businesses operating in Vietnam will need more than policies. They will need evidence that their governance works in practice, that their teams know what to do, and that resilience is embedded across technology, operations, and people.
