Vietnam’s Cybersecurity and Data Protection Rules: A Compliance Roadmap for Businesses
As Vietnam’s digital economy continues to grow, businesses must navigate an increasingly complex landscape of cybersecurity and data protection regulations to ensure compliance and maintain customer trust.
Vietnam’s rapidly growing digital economy underscores the urgent need for stronger management frameworks to ensure cybersecurity and enhance personal data protection. For both foreign and local businesses, compliance is becoming essential to maintaining operational continuity, building customer trust, and enabling swift incident response.
Recent public-sector and industry activity in Ho Chi Minh City, including live cybersecurity drills focused on data resilience, signals a stronger emphasis on preparedness and coordination among stakeholders. Meanwhile, companies must navigate an evolving regulatory landscape that includes Vietnam’s Personal Data Protection Law, which took effect on January 1, 2026, together with Decree No. 356/2025/ND-CP, which provides implementing guidance.
Cybersecurity regulatory framework
The regulatory landscape can be grouped into three practical categories that investors and operating teams should monitor: cybersecurity-related requirements and implementing guidance, personal data protection rules, and broader policy signals that may shape future enforcement priorities.
| Regulation | What it covers | Who is in scope |
| --- | --- | --- |
| Cybersecurity Law (Law No. 24/2018/QH14) | Baseline cybersecurity framework for national security and social order in cyberspace | Agencies, organizations, and individuals with responsibilities under the law |
| Implementing decree under the Cybersecurity Law | Implementing decree detailing selected provisions of the Cybersecurity Law, including mechanisms linked to data storage and local presence in specified cases | Enterprises covered by the implementing provisions, including certain telecommunications, internet, and value-added service providers operating in Vietnam’s cyberspace, and entities subject to cybersecurity inspection or requests under the decree |
| Law on Cyberinformation Security (Law No. 86/2015/QH13) | Cyberinformation security regime covering information system security, civil cryptography, standards, services, and state management | Vietnamese agencies, organizations, and individuals; and foreign organizations and individuals involved in, or related to, cyberinformation security activities in Vietnam |
| Personal Data Protection Law (effective January 1, 2026) | Core personal data protection law covering principles, roles, rights, and obligations | Vietnamese agencies, organizations, and individuals; and foreign agencies, organizations, and individuals in Vietnam |
| Decree No. 356/2025/ND-CP | Implementing measures to operationalize Personal Data Protection Law obligations | Personal data controllers, controller-processors, and processors, with specified flexibilities for certain small enterprises, start-ups, and micro entities |
| Law on Cybersecurity (Law No. 116/2025/QH15; effective July 1, 2026) | Consolidated cybersecurity framework effective July 1, 2026 | Vietnam-based entities; foreign entities in Vietnam; and foreign entities connected with cybersecurity protection activities or cybersecurity products and services in Vietnam |

Note: The Cybersecurity Law (Law No. 24/2018/QH14) and the Law on Cyberinformation Security (Law No. 86/2015/QH13) remain relevant until June 30, 2026.
Several policy signals suggest that cybersecurity compliance in Vietnam is increasingly framed around resilience, capability building, and coordination. Recent public-sector activity in Ho Chi Minh City, such as live-fire cybersecurity drills paired with training, highlights a practical emphasis on testing incident response and improving cross-stakeholder preparedness.
At the institutional level, the National Cybersecurity Association has expanded its footprint with a southern branch in Ho Chi Minh City, positioning itself as a coordinating body for workforce development, awareness-raising, and strengthening digital defense capabilities. In parallel, businesses can expect continued attention to skills and culture-building through initiatives such as the proposed “Open Vietnam Cyber Range” and messaging that encourages companies to embed cybersecurity into corporate culture over time.
Key compliance challenges for businesses operating in Vietnam
Companies usually encounter a few recurring challenges when translating cybersecurity and personal data requirements into daily controls.
| Key considerations | What it means in practice | Business implications |
| --- | --- | --- |
| Scoping and data mapping | Identifying where personal data sits and how it flows across systems and functions | Supports consistent controls and faster incident handling |
| Vendor reliance and third-party risk | Clarifying vendor roles, access, and contractual safeguards across outsourced services | Reduces exposure through suppliers and improves auditability |
| Localization and local-presence questions | Assessing whether specific services or data categories trigger local storage or local presence planning | Helps avoid late remediation and operational disruption |
| Workforce capacity constraints | Building internal capability through role clarity, training cadence, and escalation paths | Improves control consistency and response readiness |
Cybersecurity governance and operational readiness
Effective compliance begins with ownership and repeatable controls backed by documentation that can be produced quickly during reviews or in the event of an incident.
| Focus area | Baseline expectations | Evidence to retain |
| --- | --- | --- |
| Governance and accountability | Named owner; roles and escalation path | Governance charter; meeting minutes; responsibility matrix |
| Data inventory and policy foundation | Data inventory and key flows mapped; core policies approved | Data map; policy pack; approvals and version history |
| Vendor and outsourcing management | Vendor tiering; minimum security and data clauses | Vendor list; due diligence file; contract addenda |
| Access and endpoint security | Multi-factor authentication for key systems; least privilege; managed devices | Access reviews; authentication coverage; device and endpoint reports |
| Monitoring and vulnerability management | Central logging; alerts for high-risk events; patch cadence | Log retention policy; monitoring reports; patch and scan evidence |
| Resilience and incident readiness | Tested backups and restore drills; incident response plan and exercise | Backup logs; restore test results; incident playbook; exercise notes |
| Workforce and training | Regular awareness training; role-based training where needed | Training logs; communications materials; completion records |
| Personal data handling and transfers | Consent or lawful basis tracked; request workflow; transfer register | Notices; consent records; request log; transfer documentation |
Implementation and coordination roadmap
An effective approach is to implement compliance readiness in phases over 90 days, using a simple timeline that moves from visibility to operational readiness without overwhelming internal teams.
Foreign investors and Vietnam-based operators can use this structure to prioritize foundational controls early and build evidence for ongoing compliance.
- In the first 30 days, companies should complete a data inventory, map key data flows, assign a governance owner, and implement controls that provide quick wins, such as tighter privileged access, multi-factor authentication for critical systems, and verified backup coverage.
- From days 31 to 60, businesses should strengthen execution by tightening vendor and outsourcing controls, clarifying shared responsibilities, and drafting an incident response playbook supported by tabletop exercises and baseline staff training.
- During days 61–90, organizations should focus on resilience testing (including restoration exercises), compiling an evidence pack for audits or incident follow-up, and introducing a limited number of monitoring metrics.
In parallel, companies should establish an authority engagement protocol, define what to document and preserve, and add optional participation activities as the program matures.
| Scenario | What to prepare and document |
| --- | --- |
| Routine compliance inquiries or information requests | Request log; scope and deadlines; relevant policies; system and data inventory excerpt; response record |
| Formal notice, inspection, or audit activity | Evidence index; document control pack; access and activity logs; interview notes; remediation tracker |
| Cybersecurity incident suspected (first 24–48 hours) | Incident timeline; affected systems list; containment actions; evidence preservation notes; decision log |
| Confirmed incident with possible personal data exposure | Personal data scope summary; affected groups and categories; notification decision record; communications drafts; vendor involvement record |
| Vendor or cloud service incident affecting your environment | Vendor incident report; shared responsibility summary; access logs; contract and service level terms; follow-up plan |
| Cross-border transfer, outsourcing, or new system rollout | Data flow map; vendor due diligence file; transfer documentation where applicable; approvals record; go-live checklist |
| Participation in cybersecurity drills | Exercise objectives; scenario and scripts; participant list; after-action report; improvement plan |
| Joining industry or national initiatives or associations | Participation charter; information-sharing rules; membership records; training plan; lessons learned summary |
| Ongoing point-of-contact readiness | Named points of contact; escalation tree; contact directory; review cadence records; evidence retention rules |
Key takeaways
Vietnam’s cybersecurity and personal data compliance expectations are strengthening. January 1, 2026, is an important operational milestone for personal data governance under the Personal Data Protection Law and related Decree 356/2025 implementation guidance. For many companies, the main challenge is not interpreting requirements but implementing them consistently across systems, vendors, and people, especially amid workforce capacity constraints.
A robust readiness program emphasizes clear ownership, practical controls, regular employee training, and rehearsed incident response supported by tested backup and recovery procedures. Public drills and national initiatives also signal that resilience and coordination are becoming core expectations for businesses operating in Vietnam, alongside day-to-day compliance.
Cybersecurity and Compliance Advisory
Dezan Shira & Associates provides cybersecurity and compliance advisory tailored for Asia’s regulatory landscape. Our services include IT infrastructure audits, Zero Trust implementation, security training, and multi-jurisdictional data privacy compliance. Contact our Vietnam team to schedule a consultation: Vietnam@dezshira.com.
About Us
Vietnam Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Hanoi, Ho Chi Minh City, and Da Nang in Vietnam. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in China, Hong Kong SAR, Indonesia, Singapore, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.
For a complimentary subscription to Vietnam Briefing’s content products, please click here. For support with establishing a business in Vietnam or for assistance in analyzing and entering markets, please contact the firm at vietnam@dezshira.com or visit us at www.dezshira.com.