Big changes are coming to Vietnam’s digital landscape. The country is poised to enact its new Amended Law on Cybersecurity, a critical piece of legislation that will reshape how businesses and individuals manage their online security.

This new law, set to be introduced during the National Assembly’s 9th session in October 2025, merges the existing Law on Cybersecurity 2018 with the Law on Cyberinformation Security 2015. The goal? To streamline regulations and solidify the Ministry of Public Security (“MPS”) as the primary authority overseeing all cybersecurity matters in Vietnam.

The public currently has the chance to review the 4^th Draft of the Amended Law on Cybersecurity bill (“4^th Draft”). It proposes several significant updates, which are scheduled to become effective on January 1, 2026. Below, we’ve outlined the key features proposed in the draft.

1. National List of critical information systems

Article 18 of the 4th Draft introduces a specific, curated “National List” of critical information systems deemed essential to national security and the public interest. The National List includes information system infrastructure from sectors such as national defense, intelligence, diplomacy, finance, energy, healthcare, and communications. National List systems will be subject to enhanced cybersecurity obligations, including stricter protection measures, security clearance requirements, and regular inspections by competent authorities.

2. Cybersecurity risk-level classification of information systems

Article 15 of the 4th Draft introduces a three-tier classification system for information systems based on their cybersecurity risk level. This classification helps determine the level of protection and regulatory scrutiny required for each system.

• Level 1: systems affecting individual or organizational interests:
• Level 2: systems impacting public order or safety; and
• Level 3: applies to systems whose compromise would seriously harm national defense or security.

A business whose information system is classified at a higher level, such as Level 3, faces stricter security requirements, including mandatory technical standards, periodic security audits, and the need to establish specialized security teams.

3. Framework for cybersecurity standards and technical regulations

The 4th Draft introduces a new legal framework for the formulation, management and monitoring of cybersecurity standards and technical regulations. The MPS and the Ministry of Science & Technology are empowered to develop and promulgate mandatory technical standards to ensure that both public and private sector information systems meet minimum cybersecurity requirements, including systems architecture, encryption protocols, incident response procedures, and data storage requirements.

Affected entities must undergo conformity assessment and certification processes to verify compliance. Such entities may be required to conduct internal audits, submit to third-party assessments, or obtain official certifications as a precondition to system deployment or continued operation.

4. Regulation of cybersecurity products and services

The 4th Draft lays the groundwork for the regulation of cybersecurity products and services, with a clear focus on licensing, market access controls, and import-export oversight. This marks a significant evolution from the current legal framework, which largely lacks dedicated provisions on cybersecurity product governance. Cybersecurity products and services that will be regulated include:

• hardware and software products designed to protect information systems, and
• specialized services, such as
  • penetration testing,
  • system auditing,
  • cyber risk assessment,
  • threat monitoring, and
  • incident response services.

Companies that develop or distribute these products or offer such services in Vietnam will be brought under a new licensing regime.

Moreover, the 4th Draft also contains provisions regulating the import and export of cybersecurity products and services. Certain categories of products, particularly those deemed sensitive or used in national defense, public administration, or critical infrastructure, will be subject to prior approval or require specialized import licenses. This will create a clear, centralized process for market access that does not exist in such a cohesive form today.

5. Key takeaway for businesses

Businesses operating in or providing cybersecurity-related products or services to Vietnam should closely monitor the progress of the Amended Law on Cybersecurity to:

• Evaluate system classifications under the new three-tier framework and determine applicable security obligations;
• Review technical compliance gaps in light of the forthcoming national cybersecurity standards and conformity assessment requirements;
• Assess licensing needs for cybersecurity products or services, including any import/export approval obligations;
• Plan early for the 12-month transition period which is to start on 01 January 2026 to upgrade systems, adjust policies, and train staff; and
• Engage with regulators or industry associations during the consultation phase to clarify requirements and provide feedback.

Should you require further insights into the Amended Law on Cybersecurity or have any questions regarding its implications, please feel free to contact the DFDL team.

The information provided here is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.

Key Contacts

Phong Anh Hoang

Phong Anh Hoang

Partner

Partner

Vietnam

Kristy Newby

Kristy Newby

Partner, Co-Head of Regional Energy, Natural Resources and Infrastructure Practice I Co-Head of Regional Compliance and Investigations Practice

Partner, Co-Head of Regional Energy, Natural Resourc ...

Lao PDR