Vietnam’s New Cybersecurity Law to Come Into Effect 1 July 2026
On 10 December 2025, Vietnam’s National Assembly passed the Cybersecurity Law (No. 116/2025/QH15) which will come into effect on 1 July 2026 (“Law”). The Law establishes a comprehensive legal framework governing cybersecurity, cybersecurity protection, and the rights, obligations, and responsibilities of agencies, organisations, and individuals operating in cyberspace.
The Law replaces the Law on Network Information Security (No. 86/2015/QH13) and the Cybersecurity Law (No. 24/2018/QH14) (“Cybersecurity Law 2018”), which will cease to have effect from the date the Law comes into force. The Law also introduces consequential amendments to a wide range of sectoral legislation to ensure terminological and regulatory consistency across Vietnam’s legal system.
Scope of application and key definitions
The Law applies broadly to:
- Vietnamese individuals, agencies and organisations;
- foreign individuals residing in Vietnam, and foreign agencies and organisations operating in Vietnam; and
- foreign individuals, agencies, and organisations directly participating in or connected with cybersecurity protection activities or the business of cybersecurity products and services in Vietnam.
Also introduced are detailed statutory definitions of key concepts, including cybersecurity, data security, cyberspace, information systems, digital accounts, cybercrime, cyberattacks, cyberterrorism, and cyber espionage, formally integrating data security and digital account governance into the cybersecurity framework.
State policy, principles, and cybersecurity measures
The Law sets out overarching state policies on cybersecurity, including the objective of building a healthy cyberspace that does not harm national security, social order, or the legitimate rights and interests of organisations and individuals, and prioritising cybersecurity protection in national defence, security, socio-economic development, science and technology, and foreign affairs.
Cybersecurity protection is to be implemented in accordance with defined principles, including compliance with the Constitution and laws, protection of national sovereignty in cyberspace, unified state management, and the integration of cybersecurity protection with socio-economic development while ensuring human rights, civil rights, and personal data protection.
The Law provides a non-exhaustive list of cybersecurity protection measures, including cybersecurity assessments and inspections, network security monitoring, incident response, cryptographic measures, technical solutions to prevent the dissemination of illegal information, suspension or cessation of network services in specified circumstances, removal of illegal or false information, data collection for investigations, blocking or restricting information systems, and other measures prescribed by law.
International cooperation
The Law establishes a statutory basis for international cooperation on cybersecurity, including information sharing and early warning mechanisms, cooperation on cybercrime prevention and investigation, training and capacity building, technology transfer, and participation in international treaties and agreements, subject to respect for national sovereignty and Vietnam’s international obligations.
Prohibited acts and content-related restrictions
The Law sets out a detailed list of prohibited acts related to cybersecurity, including the posting or dissemination of information opposing the State, distorting history, undermining national unity, spreading false information that causes public panic or socio-economic harm, or infringing the legitimate rights and interests of organisations and individuals.
It also prohibits a wide range of acts carried out in cyberspace. Specifically, the Law adopts similar provisions as the Cybersecurity Law 2018 by prohibiting conduct such as incitement against the State, cyber fraud, online gambling, intellectual property infringement, impersonation, misuse of digital accounts, and illegal trading activities.
Cyberattacks, cyberterrorism, cyber espionage, cybercrime, and high-tech crimes, as well as unauthorised access to information systems and obstruction of cybersecurity protection activities, are also expressly prohibited.
In addition, the Law specifically prohibits the unauthorised interception or recording of communications, disclosure of state, business, or personal secrets, and the use of artificial intelligence or new technologies to falsify images, videos, or voices in violation of the law.
Information systems and critical national security systems
Information systems are classified into five security levels based on the degree of potential harm to national security, public order, social safety, and the legitimate rights and interests of organisations and individuals.
The Law identifies information systems critical to national security, including systems relating to defence, security, diplomacy, cryptography, finance, banking, energy, telecommunications, transportation, health, and other key sectors.
Such systems are required to undergo cybersecurity assessments, certification, monitoring, and incident response measures before being put into operation and must be subject to regular cybersecurity examination and monitoring during their operation.
Responsibilities for protecting critical national security information systems are allocated primarily to the Ministry of Public Security, with separate roles for the Ministry of National Defence and the Government Cipher Committee in relation to military and cryptographic systems respectively.
Obligations of service providers and data security
Local and foreign enterprises providing services on telecommunications networks, the Internet, and value-added services in cyberspace are required to verify digital account information, identify IP addresses, retain specified user data, remove illegal content, and cooperate with specialised cybersecurity forces, including within accelerated timelines in urgent cases threatening national security or human life.
Further, enterprises collecting, analysing, or processing personal data or user-generated data in Vietnam must apply data protection measures and store such data in Vietnam. Foreign enterprises falling within this scope must establish a branch or representative office in Vietnam, subject to implementing regulations.
The Law establishes a dedicated framework for data security guarantees, including organisational, technical, and legal measures to protect data, periodic risk assessments, cryptographic protections, and oversight of cross-border data transfers.
Cybersecurity standards, products, services, and licensing
The Law regulates cybersecurity standards, technical regulations, and the provision of cybersecurity products and services, including testing, monitoring, incident response, consulting, and cryptographic services.
Enterprises providing cybersecurity products or services must comply with applicable standards, hold relevant licences, meet quality requirements, and cooperate with specialised cybersecurity forces. Detailed requirements will be prescribed by the Government.
Governance and enforcement
The Government exercises unified state management of cybersecurity, with the Ministry of Public Security designated as the focal authority responsible for guidance, coordination, incident response, and enforcement.
Additional responsibilities are allocated to the Ministry of National Defence, the Government Cipher Committee, other ministries, and provincial People’s Committees.
The Law introduces funding obligations for cybersecurity protection in state agencies and state-funded entities, requiring at least 15% of digital transformation and IT investment budgets to be allocated to cybersecurity.
Effective date and transitional provisions
The Law will take effect on 1 July 2026. Existing systems, products, and services may continue operating during transitional periods, subject to compliance within prescribed timelines. Licences issued before the effective date remain valid until their stated expiry dates.
Source: ALLEN & GLEDHILL. (January 22, 2026). Vietnam’s new Cybersecurity Law to come into effect 1 July 2026. 27 Jan, 2026.