The promulgation of the 2025 Cybersecurity Law marks a significant turning point in the national effort to protect cyberspace. In the context of rapidly developing technology and increasingly complex cybersecurity threats, the new Law not only reinforces the existing legal framework but also introduces many groundbreaking provisions for data management, control over Artificial Intelligence (AI) technology, and enhanced user protection. This article will analyze the most noteworthy new provisions, from the consolidation of regulatory authorities and tighter user identification management, to data localization requirements and child protection measures, aiming to help organizations and individuals better understand these critical changes.
1. Consolidation of regulatory authority and unification of concepts
The 2025 Cybersecurity Law is intended to replace and consolidate its two predecessor legal documents: the 2015 Law on Network Information Security and the 2018 Cybersecurity Law. This consolidation addresses overlaps in the scope of regulation between “information security” (focusing on the technical aspect) and “cybersecurity” (focusing on the national security aspect), while also updating provisions to deal with new non-traditional challenges such as Artificial Intelligence (AI) and high-tech cybercrime.
Accordingly, the new law repeals the term “network information security” in many current legal documents and uniformly replaces it with the phrase “cybersecurity.” This aims to reduce the inconsistencies between previous regulations.
Furthermore, the Government unifies state management over cybersecurity. The Ministry of Public Security is assigned as the lead agency assisting the Government in performing state management and is primarily responsible for cybersecurity (instead of the previous distribution of authority between the Ministry of Information and Communications and the Ministry of Public Security).
2. Tightened management of user identification and information
The 2025 Cybersecurity Law stipulates that enterprises providing services on telecommunications networks, the Internet, and value-added services in cyberspace (“cyberspace service providers”) must be responsible for identifying the IP addresses of organizations and individuals using Internet services and providing this information to specialized forces upon request. This provision aims to support the investigation of cybercrime and limit the use of anonymity to violate the law.
Cyberspace service providers must verify information when users register digital accounts and must provide user information to specialized forces under the Ministry of Public Security no later than 24 hours from the time of request. In urgent cases threatening national security or human lives, this period is reduced to 03 hours. In addition, cyberspace service providers must block the sharing of information, delete information, remove services, and takedown applications containing content that violates the provisions of the 2025 Cybersecurity Law no later than 24 hours from the time of request by the specialized forces for cybersecurity protection under the Ministry of Public Security, and must store system logs to serve verification, investigation, and handling of cybersecurity law violations for a period prescribed by law; in urgent cases threatening national security, the request to block and delete information must be completed no later than 06 hours.
Notably, the 2025 Cybersecurity Law supplements the right to request a “service/application takedown” and “service suspension” for violating entities, instead of just removing article content as before.
Article 25, Clause 3 reaffirms the requirement for data localization in Vietnam. Domestic and foreign enterprises providing services on telecommunications networks, the Internet, and value-added services in Vietnam that engage in the collection, exploitation, and analysis of personal data, user relationship data, or data generated by users in Vietnam must:
- Store this data in Vietnam for a period prescribed by the Government.
- Foreign enterprises must establish a branch or representative office in Vietnam.
3. New Regulations on Artificial Intelligence (AI) and Prohibited Acts
The 2025 Cybersecurity Law adds specific regulations to address risks from new technologies, especially Deepfake, specifically:
(i) Prohibition of using Artificial Intelligence or new technologies to illegally forge videos, images, or voices of others (Deepfake).
(ii) In addition to traditional prohibited acts, the law bans acts that falsely represent national sovereignty or borders; call for boycotts causing damage to enterprises; or counterfeit products and trademarks in cyberspace.
(iii) Impersonating, forging information, images, counterfeiting products, trademarks, and brands of organizations and enterprises by using technological utilities, causing harm to the reputation of organizations and enterprises.
These provisions create a solid legal basis for handling individuals who use Deepfake technology to impersonate relatives or state agency leaders for the purpose of fraud, misappropriation of assets, or defamation of honor and dignity.
4. Data protection and storage regulations
The 2025 Cybersecurity Law introduces the concept of “Data Security” (Article 26) and regards data as a strategic resource that must be protected by specialized technical and cryptographic measures. Enterprises that collect and process personal data in Vietnam must store this data in Vietnam for a period prescribed by the Government. The data required to be stored includes account name, usage time, payment information, IP address, and related data. Foreign enterprises providing services in Vietnam that fall under this category must establish a branch or representative office in Vietnam.
5. Protection of children and vulnerable groups
The new Law expands the scope of protection for vulnerable groups in cyberspace, including: Children, the elderly, and those with cognitive difficulties. The State prioritizes disseminating knowledge and guiding self-protection skills for these groups. Service providers must control content, prevent the sharing, and delete information harmful to children. Parents/guardians must register accounts for children using their own information and are responsible for supervision.
6. Resources and budget for cybersecurity protection
The 2025 Cybersecurity Law stipulates that state agencies, organizations, and enterprises must allocate a minimum of 15% of the total annual budget for digital transformation programs and IT application projects towards cybersecurity protection.
The State prioritizes investment in the cybersecurity industry infrastructure and encourages the use of domestically produced cybersecurity products and services (Make in Vietnam).
The State prioritizes allocating budget capital for investment in building cybersecurity industry infrastructure, including: Research, design, production, and testing facilities for cybersecurity products and services; National key cybersecurity laboratories; Facilities for measuring, testing, and evaluating cybersecurity products and services; Large data centers; Concentrated cybersecurity industrial parks; and Cybersecurity industrial complexes.
Investment activities in building cybersecurity industry infrastructure are designated as sectors with special investment incentives, receiving preferential treatment and support under the laws on investment, taxes, land, and other related laws.
Recommendations for Enterprises:
To prepare for the effective date of the 2025 Cybersecurity Law (July 1, 2026), enterprises need to utilize the transitional period to implement the following critical preparation steps to ensure legal compliance and minimize risks:
1. Review and classification of information systems
- Re-evaluate security level: Enterprises need to determine which of the 5 new security levels (Article 8) their information systems fall under. Systems already classified under the old law (2015 Law on Network Information Security) are still recognized, but enterprises must update protective measures to meet the new standards within 12 months from the effective date of the Law.
- Check critical systems: Special attention is required if an enterprise operates information systems critical to national security; preparations must be made for assessment and certification of eligibility for network security before operation.
2. Upgrading technical infrastructure and operating procedures:
- Ensure technical infrastructure systems have the capability to “identify IP addresses“ of users and provide them to specialized forces upon request.
- Review data storage procedures to ensure that personal data, usage time, payment information, and IP addresses are stored in Vietnam for the prescribed period.
- For online platforms, technical solutions must be deployed to proactively control and prevent content harmful to children and other prohibited information.
3. Developing rapid response procedures (3h/6h/24h Rule):Enterprises need to establish internal procedures and assign on-duty personnel to ensure the ability to meet the strict deadlines when required by the Ministry of Public Security.
4. Preparing resources and budget
- If a state enterprise or budget-using entity, adhere to the mandatory regulation of allocating a minimum of 15% of the total budget for digital transformation/IT projects to the cybersecurity protection category.
- Strengthen cybersecurity awareness training for employees, especially skills in identifying fraud and protecting customer data.
5. Updating internal policies:Enterprises should review and amend their information security policies, internal network usage regulations, and communication crisis handling procedures to align with the new prohibited acts (such as prohibiting the use of AI/Deepfake for fraud, prohibiting illegal calls for boycotts).
Conclusion
The 2025 Cybersecurity Law is a comprehensive legal document that demonstrates a strong shift in the national strategy for protecting cyberspace. The Law not only moves the focus from protecting technical systems to Data Security and social order online but also addresses new challenges such as AI technology. For organizations and individuals, understanding and complying with these new provisions are essential to ensure lawful operation in cyberspace and contribute to a safe and healthy online environment.
This Law will officially take effect on July 1, 2026.
Date written: 20/01/2026
Disclaimers:
This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.
For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.
Apolat Legal is a law firm in Vietnam with experience and capacity to provide consulting services related to Technology and contact our team of lawyers in Vietnam via email info@apolatlegal.com.
