Vietnam's New Cybersecurity Law (No. 116/2025/QH15) Takes Effect: Unified Governance, Strict Timelines, and Retained Data Localization (July 2026)
On July 1, 2026, Vietnam’s brand-new Law on Cybersecurity No. 116/2025/QH15 (passed by the National Assembly on December 10, 2025) officially came into operation. This landmark legislation represents a major consolidation of Vietnam's digital legal framework, completely replacing the Law on Cybersecurity 2018 (No. 24/2018/QH14) and the Law on Network Information Security 2015 (No. 86/2015/QH13) with a single, unified statutory framework.
While this law operates alongside Vietnam's comprehensive Personal Data Protection Law (PDPL), which is detailed in Vietnam's Personal Data Protection Law (PDPL) Takes Effect Alongside Implementing Decree 356 and Strict CTIA Dossier Mandates and Vietnam’s Decree 356/2025/ND-CP and Decree 165/2025/ND-CP: Navigating the Dual-Layered Cross-Border Data Transfer Framework, it introduces critical new compliance requirements, strict operational response timelines, and reinforces the country’s controversial data localization mandates.
1. Centralization of State Cybersecurity Authority
Under the previous dual-statute regime, cybersecurity oversight was fragmented across multiple government bodies, creating duplicative obligations for businesses. The 2025 law centralizes administration:
- Overarching authority remains with the Government, but the Ministry of Public Security (MPS) is designated as the principal agency assisting the Government in all cybersecurity matters.
- The Ministry of National Defence and the Government Cipher Committee retain narrow, specific jurisdictions. This structural shift is expected to provide greater regulatory clarity for foreign and domestic digital service providers.
2. Retention of Data Localization and Local Presence Requirements
The 2025 Cybersecurity Law explicitly reaffirms the data localization and local presence requirements from the 2018 regime1:
- Covered Entities: Domestic and foreign enterprises providing services on telecommunications networks, the Internet, or value-added services in cyberspace in Vietnam that collect, use, analyze, or process personal data, user relationship data, or data generated by users in Vietnam must store this data locally.
- Scope of Data: In-scope data includes user personal information and data created by users (such as account names, service usage duration, payment information, IP addresses, and other related data).
- Local Office Mandate: Foreign enterprises falling under these criteria must establish a branch or representative office in Vietnam. Under previous implementing decrees (e.g., Decree 53/2022/ND-CP), these requirements were triggered only under specific conditions (such as a failure to remove violating content after MPS notice). Compliance teams must monitor the forthcoming implementing decree for the 2025 law to see if this conditional trigger is maintained or expanded.
3. Strict, Time-Bound Operational Obligations
A major development is the codification of rapid-response timelines for digital platforms:
- User Information Provision: Covered service providers must furnish requested user information to the specialized cybersecurity protection forces of the MPS within 24 hours of a request. In urgent cases involving national security or threats to human life, this timeline is compressed to a maximum of 3 hours.
- Content Removal and Service Suspension: Platforms must block or remove violating content, or disable non-compliant applications/services, within 24 hours of an MPS request. In urgent national security scenarios, the deadline is shortened to 6 hours.
- Malware and Cyberattacks: Information system owners must deploy technical controls to prevent malware and cyberattacks, and connect their monitoring systems directly to MPS-designated cybersecurity centers.
4. Broad Prohibited Conduct and Expanded Child Protection
The law expands the list of prohibited acts in cyberspace to include online fraud, digital identity theft, and the unlawful use of artificial intelligence or deepfakes. It also introduces strict, proactive child-protection obligations:
- Covered service providers must deploy technical systems to actively prevent, block, and remove content that harms children or facilitates child abuse.
- Platforms must cooperate with competent authorities to block sources of harmful content and promptly notify the MPS specialized forces of violations.
Key Implications for MNC Compliance Teams
Multinational companies (MNCs) operating in or providing digital services into Vietnam must adapt to a significantly tighter operational environment. Compliance teams must:
- Establish 24/7 Rapid Response Protocols: Ensure technical and legal teams can extract and deliver user data or take down content within the strict 3-hour (emergency) and 24-hour (standard) windows.
- Review Data Architecture: Maintain local storage capabilities for user personal data, payment info, and IP logs to comply with localized residency requirements.
- Implement Proactive Content Filtering: Deploy automated systems to detect and block child-abuse and other legally prohibited content to meet the law’s heightened safety standards.
-
An instance of Centralized regional data hubs cannot survive APAC's escalating revenue-based privacy penalties. — Vietnam's strict local storage and presence rules show that sovereign states are actively dismantling centralized offshore hosting models. ↩︎