ISSUE OF JUNE 2026: CORE CHANGES AND COMPLIANCE OBLIGATIONS FOR BUSINESSES UNDER THE 2025 CYBERSECURITY LAW
Dear Valued Clients,
In an environment where cyber threats are becoming increasingly sophisticated, from supply-chain-enabled financial fraud to large-scale information manipulation campaigns, Vietnam has recognized that the coexistence of two separate legal frameworks is no longer sufficient. The 2015 Law on Cyber Information Security and the 2018 Cybersecurity Law operated in parallel for many years, creating overlapping jurisdictions between government authorities and resulting in legal gray areas that businesses often had to navigate without a clearly designated regulatory counterpart.
Effective from 1 July 2026, the 2025 Cybersecurity Law (CSL 2025) establishes a new legal framework characterized by several fundamental features: consolidating regulatory authority under a single lead agency, the Ministry of Public Security; replacing vague, principle-based obligations with requirements that are measurable and enforceable; and, for the first time, bringing artificial intelligence (AI) within the scope of cybersecurity regulation. For the business community, particularly digital service providers, e-commerce platforms and foreign organizations operating in the Vietnamese market, this is not a piece of legislation that can be addressed through minor adjustments to internal policies. Instead, it introduces requirements that demand substantial technical and organizational investments, with the implementation deadline rapidly approaching.
1. Specification of Response Time Requirements
Under both previous laws, obligations to respond to requests from competent authorities were framed in relatively vague terms, requiring businesses to act “within a reasonable period” or “in a timely manner.” While this ambiguity provided a degree of flexibility, it also created significant legal uncertainty for businesses attempting to determine the scope and urgency of their compliance obligations. The 2025 Cybersecurity Law (CSL 2025, Law No. 116/2025/QH15) fundamentally changes this approach by eliminating such open-ended standards altogether.
From 1 July 2026, according to Clause 2, Article 25 CSL 2025, upon receiving a request from a competent authority, businesses must provide user information within 24 hours, with the deadline shortened to 3 hours in emergency situations. Likewise, requests to remove unlawful or prohibited content must be complied with within 24 hours under normal circumstances, or within 6 hours when the matter involves national security. These requirements are widely regarded as both specific and justified in light of the current cybersecurity landscape.
These deadlines represent a technical challenge for businesses rather than merely a procedural one. Digital platforms operating with distributed databases, multi-layer approval processes, and legal teams that function primarily during business hours are unlikely to meet such requirements through manual processes alone. Compliance with these provisions requires companies to establish automated data retrieval and extraction systems, designate authorized legal representatives capable of making immediate decisions, and implement continuous monitoring and alert mechanisms that remain operational beyond normal working hours.
This provision directly implicates infrastructure investment requirements, and businesses should view it accordingly. It is not a compliance obligation that can be addressed solely through the issuance of an internal policy or guidance document. Instead, it necessitates tangible investments in technological capabilities, operational readiness, and organizational governance to ensure timely and effective compliance with legal requests.
2. Defining Categories of Data Required to Be Stored in Vietnam
Data localization requirements previously existed only as broad legal principles, with most of the operational details delegated to implementing decrees and circulars. As a result, the scope of application was frequently subject to debate, and many businesses, particularly those operating on foreign digital platforms, have functioned within a legal gray area for years. Consequently, Point d, Clause 2, Article 25 CSL 2025 seeks to eliminate this uncertainty by codifying a specific, non-exhaustive list of data categories subject to mandatory domestic storage requirements. Under the new law, the following five categories of data must be stored on infrastructure located within Vietnam:
(i) User account names and identification information;
(ii) Service usage records, including duration and frequency of use;
(iii) Payment information and financial transaction data;
(iv) IP addresses and connection logs;
(v) All personal data generated by users within Vietnam while using the platform.
Simultaneously, according to Clause 3, Article 25, for foreign enterprises, this requirement is accompanied by a non-negotiable condition: the establishment of a branch office or representative office with legal status in Vietnam. No exceptions are provided, nor can this obligation be satisfied through agency agreements, outsourcing arrangements, or commercial partnerships. The law therefore creates a clear legal threshold for market participation: either maintain a formal legal presence in Vietnam or forfeit the ability to continue providing services within the Vietnamese market.
For domestic enterprises, the first priority should be to review their current storage architecture, particularly for organizations relying on international cloud infrastructure without enabling regional data residency features. Delays in assessing and adapting current systems may significantly hinder a company’s ability to comply with the new legal requirements relating to data localization and information disclosure. Furthermore, infrastructure migration projects often require substantial lead time for testing, validation, and operational adjustments to ensure business continuity and prevent service disruptions. Therefore, early preparation not only helps businesses minimize legal risks but also optimizes costs and resources in complying with CSL 2025.
3. Establishing Control Mechanisms for the Use of Artificial Intelligence
Among all the innovations introduced by CSL 2025, this provision is arguably the most pioneering. As of today, Vietnam has not yet enacted a dedicated statute that directly regulates risks arising from generative artificial intelligence. Previously, conduct involving the impersonation of individuals or organisations could only be addressed indirectly, through legal provisions concerning defamation, infringement of personal honor and dignity, or the dissemination of false information – rules that were never designed with this technology in mind. Point g Clause 2 Article 7 CSL 2025 fundamentally changes this approach by explicitly prohibiting the use of AI to impersonate another person’s image or voice, as well as the creation of synthetic content intended to manipulate public perception. In doing so, the law establishes a direct legal basis for enforcement and liability, rather than relying on indirect or analogical application of existing rules.
This development creates an entirely new layer of responsibility, not only for content creators but also for the platforms through which such content is distributed. Social media networks, video sharing platforms, and AI-enabled tools that allow users to generate, upload, or disseminate synthetic content are now expected to implement mechanisms for detection, monitoring, and removal of unlawful content. Failure to do so may expose both individuals and corporate entities to secondary or contributory liability when prohibited content is disseminated through their systems.
It is important to note, however, that CSL 2025 currently serves only as a foundational framework. A dedicated Artificial Intelligence Law, which is presently under development, is expected to introduce more comprehensive and detailed regulations governing AI technologies. Businesses operating in sectors that develop, deploy, or rely heavily on artificial intelligence should therefore adopt a two-stage compliance strategy. In the short term, they must ensure compliance with the immediate obligations imposed by CSL 2025. In the longer term, they should maintain sufficient operational and governance flexibility to accommodate the additional requirements that may emerge once a specialized AI regulatory framework is enacted.
From a strategic perspective, companies should not treat AI compliance as a future issue to be addressed only after the enactment of a dedicated AI law. The regulatory direction has already been established. Organizations that begin implementing governance mechanisms for synthetic content, model oversight, risk assessment, and content moderation today will be significantly better positioned to adapt to the next phase of Vietnam’s evolving AI regulatory landscape.
4. Updating Information System Classification Levels
The 2025 Cybersecurity Law retains the five-tier information system classification framework established under previous legislation. However, the role of this framework within the new legal regime is considerably more significant than before. Under CSL 2025, a system’s classification level is no longer merely a descriptive label; it serves as the primary basis for determining the full range of technical and organizational obligations that an enterprise must satisfy.
To be specific, Article 8 sets out a classification scale ranging from Level 1, which applies to systems where a security incident would affect only the interests of a single organization or individual, to Level 5, which is reserved for infrastructure whose compromise could result in exceptionally serious consequences for national security. For private-sector entities, the most critical threshold lies between Level 2 and Level 3. Once a system falls into Level 3 or above, compliance requirements escalate substantially, including mandatory periodic security assessments, continuous monitoring mechanisms, and obligations to connect with the national cybersecurity monitoring infrastructure operated by the Ministry of Public Security.
A practical issue that many businesses have not fully recognized is the self-assessment of information system security levels. Neither CSL 2025 nor Decree No. 85/2016/ND-CP on ensuring information system security by level designates a specific agency to perform this classification for businesses; in other words, businesses must self-assess and take responsibility for their own classification results. A small-scale internal management application might fall into level 1 or 2. However, e-commerce platforms, fintech applications, or digital healthcare systems often easily fall into level 3, because these are systems that provide online services to a large number of users (10,000 or more), process important personal or transaction data, and can significantly affect the rights and interests of citizens when incidents occur. Meanwhile, Level 4 typically applies to information systems with nationwide operation, requiring continuous 24/7 operation and not permitted to experience unplanned downtime, such as e-government platforms, national-scale shared information infrastructure, or industrial control systems for Class I projects. Furthermore, critically important national data storage systems, international connectivity infrastructure, or key projects related to national security may fall under Level 5 according to Article 11 of the Decree. Therefore, underestimating the actual level is not a safe solution but rather carries significant legal risks, as the determined level directly dictates the technical, supervisory, and protective obligations that the enterprise must fulfill. With the Ministry of Public Security becoming the central coordinating body for unified management and enforcement under CSL 2025, the ability to detect and handle cases of misclassification or non-compliance will be significantly higher than during the period when previous regulations were in effect.
Regarding the transition roadmap, systems already classified under the 2015 Law on Information Security and the 2018 Law on Cybersecurity remain legally valid, but they will have 12 months, until July 1, 2027, to fully update to meet the new protection conditions and standards. This timeframe is sufficient for a systematic implementation if a serious assessment of the criteria begins in the second half of 2026, but it will be insufficient if businesses consider this a matter that can be addressed later.