Knowledge Highlights 5 January 2026
On 10 December 2025, Vietnam’s National Assembly passed the Cybersecurity Law (No. 116/2025/QH15), which will come into effect on 1 July 2026 (“Law”). The Law establishes a comprehensive legal framework governing cybersecurity, cybersecurity protection, and the rights, obligations, and responsibilities of agencies, organisations, and individuals operating in cyberspace.
The Law replaces the Law on Network Information Security (No. 86/2015/QH13) and the Cybersecurity Law (No. 24/2018/QH14) (“Cybersecurity Law 2018”), which will cease to have effect from the date the Law comes into force. The Law also introduces consequential amendments to a wide range of sectoral legislation to ensure terminological and regulatory consistency across Vietnam’s legal system.
Scope of application and key definitions
The Law applies broadly to (i) Vietnamese individuals, agencies and organisations; (ii) foreign individuals residing in Vietnam, and foreign agencies and organisations operating in Vietnam; and (iii) foreign individuals, agencies, and organisations directly participating in or connected with cybersecurity protection activities or the business of cybersecurity products and services in Vietnam.
Also introduced are detailed statutory definitions of key concepts, including cybersecurity, data security, cyberspace, information systems, digital accounts, cybercrime, cyberattacks, cyberterrorism, and cyber espionage, formally integrating data security and digital account governance into the cybersecurity framework.
State policy, principles, and cybersecurity measures
The Law sets out overarching state policies on cybersecurity, including the objective of building a healthy cyberspace that does not harm national security, social order, or the legitimate rights and interests of organisations and individuals, and prioritising cybersecurity protection in national defence, security, socio-economic development, science and technology, and foreign affairs.
Cybersecurity protection is to be implemented in accordance with defined principles, including compliance with the Constitution and laws, protection of national sovereignty in cyberspace, unified state management, and the integration of cybersecurity protection with socio-economic development while ensuring human rights, civil rights, and personal data protection.
The Law provides a non-exhaustive list of cybersecurity protection measures, including cybersecurity assessments and inspections, network security monitoring, incident response, cryptographic measures, technical solutions to prevent the dissemination of illegal information, suspension or cessation of network services in specified circumstances, removal of illegal or false information, data collection for investigations, blocking or restricting information systems, and other measures prescribed by law.
International cooperation
The Law establishes a statutory basis for international cooperation on cybersecurity, including information sharing and early warning mechanisms, cooperation on cybercrime prevention and investigation, training and capacity building, technology transfer, and participation in international treaties and agreements, subject to respect for national sovereignty and Vietnam’s international obligations.
Prohibited acts and content-related restrictions
The Law sets out a detailed list of prohibited acts related to cybersecurity, including the posting or dissemination of information opposing the State, distorting history, undermining national unity, spreading false information that causes public panic or socio-economic harm, or infringing the legitimate rights and interests of organisations and individuals.
It also prohibits a wide range of acts carried out in cyberspace. Specifically, the Law adopts provisions similar to those of the Cybersecurity Law 2018 by prohibiting a range of conduct including, among other things, incitement against the State, cyber fraud, online gambling, intellectual property infringement, impersonation, misuse of digital accounts, and illegal trading activities. Cyberattacks, cyberterrorism, cyber espionage, cybercrime, and high-tech crimes, as well as unauthorised access to information systems and obstruction of cybersecurity protection activities, are also expressly prohibited.
In addition, the Law specifically prohibits the unauthorised interception or recording of communications, disclosure of state, business, or personal secrets, and the use of artificial intelligence or new technologies to falsify images, videos, or voices in violation of the law.
Information systems and critical national security systems
Information systems are classified into five security levels based on the degree of potential harm to national security, public order, social safety, and the legitimate rights and interests of organisations and individuals.
The Law identifies information systems critical to national security, including systems relating to defence, security, diplomacy, cryptography, finance, banking, energy, telecommunications, transportation, health, and other key sectors. Such systems are required to undergo cybersecurity assessments, certification, monitoring, and incident response measures before being put into operation and must be subject to regular cybersecurity examination and monitoring during their operation.
Responsibilities for protecting critical national security information systems are allocated primarily to the Ministry of Public Security, with separate roles for the Ministry of National Defence and the Government Cipher Committee in relation to military and cryptographic systems respectively.
Obligations of service providers and data security
Local and foreign enterprises providing services on telecommunications networks, the Internet, and value-added services in cyberspace are required to verify digital account information, identify IP addresses, retain specified user data, remove illegal content, and cooperate with specialised cybersecurity forces, including within accelerated timelines in urgent cases threatening national security or human life.
Further, local and foreign enterprises providing services relating to telecommunications networks, the Internet, and value-added services in cyberspace that collect, analyse, or process personal data or user-generated data in Vietnam are required to apply data protection measures and store such data in Vietnam, and foreign enterprises falling within this scope must establish a branch or representative office in Vietnam, subject to implementing regulations issued by the Government.
The Law further establishes a dedicated framework for data security guarantees, including organisational, technical, and legal measures to protect data, periodic risk assessments, cryptographic protections, and oversight of cross-border data transfers, with detailed regulations to be issued by the Government.
Cybersecurity standards, products, services, and licensing
The Law also regulates cybersecurity standards, technical regulations, and the provision of cybersecurity products and services. Specifically, the Law provides a list of cybersecurity products and services including, among others, testing, monitoring, incident response, consulting, and cryptographic services. The provision of cybersecurity products is subject to applicable standards and technical regulations issued by the relevant authorities, and enterprises providing such products or services must hold the relevant licences, comply with regulatory obligations and quality requirements, and cooperate with specialised cybersecurity forces when supplying such services to the market. The detailed requirements and guidance on this matter will be prescribed by the Government.
Governance and enforcement
The Government exercises unified state management of cybersecurity, with the Ministry of Public Security designated as the focal authority responsible for issuing guidance, coordinating cybersecurity protection measures, managing IP address identification and digital account verification mechanisms, responding to cybersecurity incidents, and handling violations of cybersecurity laws.
Additional responsibilities are allocated to the Ministry of National Defence, the Government Cipher Committee, other ministries, and provincial People’s Committees within their respective areas of competence.
The Law also introduces dedicated funding obligations for cybersecurity protection in state agencies and state-funded entities, including a requirement that at least 15% of digital transformation and information technology investment budgets be allocated to cybersecurity protection.
Effective date and transitional provisions
The Law will take effect on 1 July 2026. Existing information systems, products, and services established under the previous cybersecurity and network information security regime may continue to operate during specified transitional periods, subject to compliance with the requirements of the new law within the prescribed timelines. Business licences for products and services related to cybersecurity and civilian cryptography issued before the effective date of the Law shall remain valid until the expiration date stated on the respective licence.