In the course of developing a digital society, cyberspace has become a critical component of national infrastructure, while also constituting an environment that poses significant risks to national security, public order and social safety, and human rights. The rapid advancement of digital technologies, particularly artificial intelligence (AI), the Internet of Things (IoT), and cross-border service delivery models, has given rise to new challenges that extend beyond the regulatory scope of the Law on Network Information Security of 2015 and the Law on Cybersecurity of 2018.
Accordingly, on 10 December 2025, the 15th National Assembly promulgated the Law on Cybersecurity No. 116/2025/QH15 (the “Cybersecurity Law 2025”), which consolidates the Law on Network Information Security of 2015 and the Law on Cybersecurity of 2018. The Cybersecurity Law 2025 will officially take effect on 1 July 2026 and is expected to contribute to ensuring the consistency and coherence of the legal framework on cybersecurity, thereby strengthening safety in cyberspace.
Key Takeaways
- The Lead Authority for State Management of Cybersecurity: The Cybersecurity Law 2025 designates a lead authority and a centralized focal point for state management of cybersecurity nationwide.
- Obligations on Data Localization and User IP Address Identification in Cyberspace: In addition to the obligations retained from the Law on Cybersecurity of 2018, domestic and foreign enterprises providing services in cyberspace in Vietnam are also required to carry out user IP address identification.
- List of Prohibited Acts in the Field of Cybersecurity: The Cybersecurity Law 2025 updates and expands the list of prohibited acts to keep pace with the development of new technologies.
- Provisions on the Protection of Vulnerable Groups in Cyberspace: The Cybersecurity Law 2025 introduces enhanced protection mechanisms for children and promotes education and awareness-raising on cybersecurity for vulnerable groups.
- Provisions on Data Security Assurance: For the first time, the Cybersecurity Law 2025 introduces dedicated provisions specifically addressing data security.
This article highlights the most notable provisions of the Cybersecurity Law 2025, analyzes its key regulatory developments, and identifies practical issues that agencies, organizations, and individuals should carefully consider when conducting activities in cyberspace.
The Lead Authority for State Management of Cybersecurity
One of the key reforms introduced by the Cybersecurity Law 2025 is the clear establishment of a lead authority for the unified state management of cybersecurity. This is regarded as a significant step forward compared to the previous framework, under which regulatory functions in this area were fragmented among multiple authorities such as the Ministry of Public Security, the Ministry of Information and Communications, the Ministry of National Defence, and the Ministry of Science and Technology, resulting in coordination challenges and delays in responding to emerging situations.
Accordingly, the Cybersecurity Law 2025 designates the Ministry of Public Security as the lead and central authority responsible for the unified state management of cybersecurity nationwide. Assigning this role to the Ministry of Public Security is considered to be practically grounded and appropriate, given the Ministry of Public Security’s statutory functions and mandates in protecting national security, ensuring public order and social safety. However the Cybersecurity Law 2025 does not exclude the roles and responsibilities of other ministries, sectors, and localities, these agencies still perform their duties within their authority and coordinate implementation as prescribed by law.
Obligations on Data Localization and User IP Address Identification in Cyberspace
The Cybersecurity Law 2025 continues to maintain the requirement for data localization in Vietnam, applicable to both domestic and foreign enterprises providing services on telecommunications networks, the Internet, and value-added services in cyberspace in Vietnam, where such enterprises engage in the collection, exploitation, analysis, or processing of data, including data relating to personal information, data relating to users’ relationships, and data generated by users in Vietnam. In addition, these enterprises are required to implement data protection measures in accordance with applicable laws, such as the Law on Data and the Law on Personal Data Protection.
Notably, instead of limiting the application scope to certain sectors, the Cybersecurity Law 2025 generally provides that the aforementioned foreign enterprises must set up a branch or representative office in Vietnam. This adjustment, once again, raises compliance concern within foreign enterprises, for setting up a commercial presence in a country is not a trivial matter. In addition, the Cybersecurity Law 2025 continues to use the term “data relating to personal information” rather than “personal data”, which has not yet been fully consistent with the current legal framework. More detailed regulations on data localization obligations in Vietnam will continue to be provided and clarified by the Government in the coming period.
While inheriting the existing provisions on the responsibilities of domestic and foreign enterprises providing services in cyberspace in Vietnam, the Cybersecurity Law 2025 introduces a significant new requirement. Accordingly, enterprises providing services in cyberspace are required to identify users’ IP addresses and to provide such information to specialized cybersecurity protection forces upon a lawful request in accordance with applicable laws.
This requirement reflects practical needs in cybersecurity enforcement. In essence, an IP address functions as a unique identifier in cyberspace, similar to a “geographical address”, allowing electronic devices to identify and connect with one another to exchange information and data. Through IP addresses, competent authorities are able to determine basic elements such as the time of access, the location of the connection, and information relating to the Internet service subscriber. This, in turn, serves investigative, verification, and tracing purposes in addressing unlawful acts committed in cyberspace.
List of Prohibited Acts in the Field of Cybersecurity
The rapid development of new technologies such as AI and the IoT, together with the growing prevalence of cross-border cybercrime, has posed unprecedented challenges to cybersecurity assurance.
In response to these requirements, the Cybersecurity Law 2025 restructures and systematizes the list of prohibited acts, while introducing important amendments and additions to address the development of new technologies, thereby aiming to safeguard national security, protect individual privacy, and ensure the safety and transparency of the online environment. Specifically, the Cybersecurity Law 2025 supplements and further clarifies several categories of prohibited acts, most notably:
- Forging, circulating, stealing, buying or selling, collecting or exchanging without authorization information relating to others’ credit cards, bank accounts, crypto-assets, or digital assets of other people. The inclusion of new categories of assets such as “crypto-assets” and “digital assets” is intended to ensure consistency and alignment with the provisions of the Law on Digital Technology Industry;
- Using AI or new technologies, such as deepfake technologies, AI-generated voices, or AI-generated images, to unlawfully impersonate or fabricate another person’s videos, images, or voice; and
- Collecting, using, disseminating, exchanging, transferring, or trading in the personal information or personal data of others in violation of applicable laws. The term “personal data” is formally recognized and applied in a manner that ensures consistency and alignment with the provisions of the Law on Personal Data Protection.
The revision and expansion of the list of prohibited acts under the Cybersecurity Law 2025 clearly reflect the State’s policy orientation of prioritizing the protection of privacy rights, data assets, national security and, in particular, the safety of individuals in cyberspace.
Provisions on the Protection of Vulnerable Groups in Cyberspace
Children, older persons, and individuals with limited cognitive capacity are particularly vulnerable groups in cyberspace and face a high risk of becoming victims of online fraud, exploitation, child sexual abuse, exposure to harmful content, personal data breaches due to insufficient digital security skills, or inducement into engaging in unlawful activities. Accordingly, the inclusion of these vulnerable groups within a framework of enhanced protection under cybersecurity legislation is an urgent necessity.
Under the Cybersecurity Law 2025, parents or lawful guardians, as defined under civil law, are required to register service user accounts for children using their own information, and to supervise and manage the content that children access, upload, and share in the course of using value-added services in cyberspace.
With respect to enterprises providing services on telecommunications networks, the Internet, and value-added services in cyberspace, the Cybersecurity Law 2025 imposes additional obligations to develop and implement technical systems and measures to support the detection, prevention, and handling of content that harms children in cyberspace.
In addition, the Cybersecurity Law 2025 encourages state authorities to cooperate with organizations, enterprises, and individuals in implementing education, communication, and awareness-raising programs on cybersecurity. In this regard, priority is given to disseminating digital safety knowledge and skills to children, older persons, and individuals with cognitive difficulties, thereby enhancing their capacity to protect their lawful rights and interests in cyberspace.
Provisions on Data Security Assurance
At present, the implementation of e-Government initiatives, the provision of online public services, as well as the development of the digital economy and digital society cannot be carried out effectively without data as a foundational element. Although the Law on Personal Data Protection officially came into effect on 1 January 2026, the scope of data requiring protection in cyberspace is not limited to personal data alone, but also includes organizational data, system data, data in transmission, and other categories of data as provided under the Law on Data.
Given the diversity and high sensitivity of data, the misappropriation, unlawful use, exploitation, or destruction of data may result in serious consequences, directly affecting national security, public order and social safety, and potentially giving rise to catastrophic risks.
On this basis, the Cybersecurity Law 2025 sets out a dedicated provision on data security assurance, which prescribes several notable requirements, including: the application of measures, standards, and technical regulations in accordance with cybersecurity laws; the implementation of strict control mechanisms over personnel directly involved in data processing; the conduct of periodic risk assessments; as well as the inspection and assessment of cross-border data transfers.
At the same time, the Cybersecurity Law 2025 assigns the Government the task of issuing detailed regulations and specifying the responsibilities of relevant stakeholders in ensuring data security in the period ahead.
Conclusion
The Cybersecurity Law 2025 marks an important milestone in the further development of Vietnam’s legal framework for safeguarding national security in cyberspace, responding to regulatory needs arising from a rapidly evolving reality shaped by digital technologies.
The consolidation and updating of provisions on information security and cybersecurity have contributed to the establishment of a unified legal framework, addressing the previous fragmentation and enhancing the effectiveness and efficiency of state management. Beyond serving merely as a regulatory instrument, the Cybersecurity Law 2025 also reflects a strategic orientation toward building a safe, secure, and sustainable cyberspace in Vietnam.
