What's new in the 2025 Cybersecurity Law? 8 points businesses need to know

What's new in the 2025 Cybersecurity Law? 8 points businesses need to know

Starting July 1, 2026, Cybersecurity Law No. 116/2025/QH15 will officially replace the 2018 Cybersecurity Law and the 2015 Law on Network Information Security. Many businesses are still operating under the old regulations and haven't yet updated their practices to reflect important changes in data management, user identification obligations, and prohibited acts in cyberspace. Falling behind on these updates could expose businesses to legal risk from the very first days the law takes effect. This article summarizes the 8 genuinely new points in the 2025 Cybersecurity Law compared to the previous legislation, along with what businesses need to prepare.

1. How does the 2025 Cybersecurity Law differ from the old law?

The 2025 Cybersecurity Law (Law No. 116/2025/QH15) was passed by the 15th National Assembly on December 10, 2025, at its 10th session. It consists of 8 chapters and 45 articles and officially takes effect on July 1, 2026. Under Article 44, Clause 2, the law simultaneously repeals the 2018 Cybersecurity Law and the 2015 Law on Cyberinformation Security effective the same date, ending the situation in which two separate legal documents governed the same field in parallel. The Decree guiding the implementation of the 2018 Cybersecurity Law, along with related legal documents, will also cease to be effective once the new law takes effect.

The need for a new law stems from the fact that the cyberspace landscape has changed fundamentally since the old laws were enacted. Artificial intelligence, deepfake technology, and increasingly sophisticated cyberattack models have created entirely new security risks that the old legal framework did not adequately address. In addition, the strong wave of digital transformation has led more and more businesses and state agencies to move their information systems online, requiring cybersecurity and data security obligations to be defined more clearly and specifically.

The 2025 Cybersecurity Law does not reject all of the previous content; rather, it retains the principles that remain relevant while adding numerous new provisions to keep pace with current realities.

luat-an-ninh-mang-2025-co-gi-moi-1.jpeg
The 2025 Cybersecurity Law is the newest legal framework aimed at protecting national security, organizations, and individuals in cyberspace

2. New point 1: Unifying the concepts of "cybersecurity" and "network information security"

Before July 1, 2026, the concepts of "cybersecurity" and "network information security" were defined in two separate laws, leading to inconsistent interpretation and application among regulatory agencies and businesses. The 2025 Cybersecurity Law standardizes the entire foundational concept system, clearly defining the relationship between these two areas within a single piece of legislation.

Unifying these concepts brings three clear benefits for businesses:

  • No longer needing to cross-reference two separate laws when building internal security policies
  • Reduced risk of misapplying regulations due to differing interpretations among state management bodies
  • A clearer legal basis when working with authorities on issues related to system security

3. New point 2: Consolidating state management under the Ministry of Public Security

The 2018 Cybersecurity Law assigned state management responsibility for cybersecurity to the Ministry of Public Security. However, because the 2015 Law on Network Information Security existed in parallel and assigned part of the responsibility for network information security management to the Ministry of Information and Communications, businesses previously had to work with two different agencies depending on the nature of each case.

The 2025 Cybersecurity Law establishes the Ministry of Public Security as the lead agency and single focal point for state management of cybersecurity nationwide. This change helps businesses spend less time determining the competent authority when reporting incidents or seeking compliance guidance, while also reducing the overlapping functions that previously occurred between the two ministries.

4. New point 3: Expanding protection for vulnerable groups in cyberspace

The 2018 Cybersecurity Law already included provisions protecting children in cyberspace. The 2025 Cybersecurity Law significantly expands this scope, adding two groups that were never mentioned in the previous law: older adults and people with cognitive or behavioral impairments.

Under the new regulations, these groups receive priority in knowledge dissemination and guidance on skills to protect their own legitimate rights and interests in cyberspace. Ministries, sectors, agencies, and organizations are responsible for developing and implementing cybersecurity awareness activities for their officials, civil servants, and employees. For businesses whose digital products or services reach older users, this provides grounds to review their interfaces, authentication processes, and warning mechanisms to reduce the risk of fraud or harm to this user group.

luat-an-ninh-mang-2025-co-gi-moi-2.jpeg
Protecting older adults from online fraud risks

5. New point 4: A dedicated framework for data security

This is one of the changes with the most direct impact on businesses. The 2018 Cybersecurity Law had no dedicated chapter or provisions on data security, only scattered rules on protecting personal and business secrets. The 2025 Cybersecurity Law, for the first time, devotes specific provisions to this area, establishing data security as a key component of cybersecurity protection.

Notable elements of the new regulations include:

  • Classifying data by risk level, including personal data, important data, and data related to the operations of critical agencies and organizations
  • Requiring measures, standards, and technical regulations appropriate to each risk level
  • Implementing strict control mechanisms for personnel directly involved in data processing
  • Conducting periodic risk inspections and assessments, along with evaluations of cross-border data transfer activities

This provision is closely linked to the 2024 Data Law and Law No. 91/2025/QH15 on Personal Data Protection, together forming a more comprehensive legal system for data governance in Vietnam. Businesses processing data at scale should proactively review their data breach risks and build incident response procedures suited to the data classification levels described above.

luat-an-ninh-mang-2025-co-gi-moi-3.jpeg
Businesses are required to classify and protect data

6. New point 5: Added prohibited acts related to AI, deepfake technology, and digital assets

The 2018 Cybersecurity Law already prohibited certain acts of spreading false information in finance, banking, and e-commerce. What is genuinely new in the 2025 Cybersecurity Law lies in two categories of conduct that technology at the time the previous law was issued wasn't widespread enough to address.

First, the law prohibits, for the first time, using artificial intelligence or new technologies to unlawfully fabricate another person's video, image, or voice. This is a direct legal response to the rapid growth of deepfake technology in recent years. Second, the law clearly defines setting up or providing unauthorized services for digital asset or cryptocurrency trading platforms, or illegal multi-level marketing organizations in cyberspace, as an act that infringes on national security, raising the severity level compared to how such conduct was previously handled.

In addition, the new law also defines using fake identities or forged documents to register bank accounts, digital accounts, or create disposable accounts for criminal activity as an act that violates social order and safety, helping to curb fraud and money laundering in cyberspace.

luat-an-ninh-mang-2025-co-gi-moi-4.jpeg
Using AI to fabricate images and voices is strictly prohibited

7. New point 6: Added obligation to identify users' IP addresses

The obligation for domestic and foreign businesses providing services in cyberspace to store data within Vietnam was already established under the 2018 Cybersecurity Law. What is genuinely new in the 2025 Cybersecurity Law is the obligation to identify the IP addresses of organizations and individuals using Internet services, a requirement that did not exist at all in the previous law.

Under the new regulations, businesses providing services in cyberspace are responsible for identifying users' IP addresses and providing this identification information to dedicated cybersecurity protection forces upon valid request, supporting efforts to prevent and combat high-tech crime. Businesses operating websites, applications, or platforms with large user bases need to review their logging systems, access-tracking mechanisms, and procedures for coordinating information provision when requested by authorities, to avoid being caught unprepared once the law officially takes effect.

luat-an-ninh-mang-2025-co-gi-moi-5.jpeg
Businesses must identify the IP addresses of service users

8. New point 7: Requirements for allocating cybersecurity resources in digital transformation projects

The 2018 Cybersecurity Law had a general provision on cybersecurity protection funding being allocated in the annual state budget estimate, but it didn't specify a concrete ratio. Under Article 38 of the 2025 Cybersecurity Law, agencies using state budget funds must allocate at least 15% of the total funding for digital transformation and information technology application programs, schemes, and investment projects specifically to cybersecurity protection, rather than having it folded into a general budget line as before.

This approach directly embeds security requirements into each specific project from the investment planning stage, rather than treating security as an add-on item after the system is already running. For state-owned enterprises and agencies with digital transformation projects, this provides grounds to proactively include a cybersecurity line item in the project budget from the investment policy approval stage, avoiding a shortage of funding for protective measures once the project is operational.

9. New point 8: Special investment incentives and priority for domestic cybersecurity products and services

The 2018 Cybersecurity Law offered only general encouragement, without any concrete incentive mechanism for businesses investing in cybersecurity. The 2025 Cybersecurity Law, for the first time, establishes clear incentive mechanisms, creating a substantive driving force for the domestic cybersecurity industry to develop.

Under Article 37, investment and business activities involving cybersecurity products and services, as well as building technical infrastructure for cybersecurity protection, are designated as sectors eligible for special investment incentives. On that basis, domestic and foreign businesses investing in this field receive substantial incentives on taxes, land, and administrative procedures, creating a legal foundation for establishing research centers, specialized industrial zones, and key cybersecurity laboratories.

In parallel, Clause 4 of Article 3 establishes a mechanism prioritizing the use of domestically produced cybersecurity products and services, specifically requiring state agencies and organizations to prioritize local solutions when they meet technical, quality, and security requirements. This provision serves a market-guiding role rather than a mandatory one, but it creates an incentive for domestic businesses to confidently invest in research and gradually replace imported solutions. This mechanism ties in with the requirement to allocate at least 15% of total funding for digital transformation programs, schemes, and projects to cybersecurity, as noted in New Point 7, together forming a policy ecosystem that supports the sustainable growth of the domestic cybersecurity industry.

10. Which industries and businesses should pay special attention to the 2025 Cybersecurity Law?

Not every business is affected equally by the 2025 Cybersecurity Law. Certain industries and business models will be more directly impacted due to the nature of the data they process, their user scale, or their role in critical national infrastructure. Below are the groups that should review their compliance soonest.

10.1. Fintech, banking, securities, and e-commerce

This is the group most directly affected by the new data security regulations and the expanded scope of prohibited conduct. Businesses processing transaction data, account information, and customer identification data at scale need to classify data by risk level and conduct periodic assessments as required. In addition, activities related to unauthorized digital asset or cryptocurrency trading platforms are now defined as infringements on national security, requiring financial platforms to more rigorously review the services or partners linked to their platforms.

10.2. Businesses operating information systems critical to national security

The energy, telecommunications, healthcare, transportation, and national finance sectors fall under the category of information systems critical to national security. Businesses in this group continue to face requirements for cybersecurity assessment, certification of eligibility before operation, and ongoing cybersecurity monitoring, and they need to update their procedures to reflect the Ministry of Public Security as the single management focal point, rather than being split between two agencies as before.

10.3. Platforms with large user bases

Social networks, mobile applications, and e-commerce platforms with large user bases are directly affected by the obligation to identify users' IP addresses, an entirely new requirement. These platforms need to review their logging systems, access-tracking mechanisms, and procedures for coordinating information provision to dedicated forces upon valid request.

10.4. Foreign businesses providing telecommunications and Internet services in Vietnam

Foreign businesses that collect, exploit, analyze, or process user data in Vietnam continue to be required to store this data domestically, as already required under the previous law, while also taking on the new obligation to identify user IP addresses. This group deserves special attention, as the regulation applies to foreign organizations and individuals directly involved in or related to the business of cybersecurity products and services in Vietnam.

10.5. Businesses providing digital products and services aimed at older adults and children

Businesses offering online education, digital healthcare, or social networking services with significant numbers of older or child users need to review their interfaces, authentication processes, and warning mechanisms, as the new law extends protection to older adults and people with cognitive impairments, in addition to children who were already protected under the previous law.

10.6. State agencies and state-owned enterprises with digital transformation projects

Entities using state budget funds to carry out digital transformation and information technology application programs, schemes, or investment projects are required to allocate at least 15% of total project funding to cybersecurity protection. This gives these entities grounds to proactively include a cybersecurity line item in the budget from the investment policy approval stage.

10.7. Technology businesses looking to invest in cybersecurity products

Domestic and foreign businesses planning to invest in researching and manufacturing cybersecurity products or services benefit from special incentives on taxes, land, and administrative procedures under the new regulations, along with an added competitive advantage from the public procurement preference for domestically manufactured products.

11. What do businesses need to prepare before the law takes effect?

Businesses need to review their existing security policies, classify data by risk level, update user identification procedures, and allocate cybersecurity budgets for information technology projects.

Preparation should start with assessing the current state of systems, identifying gaps relative to the new requirements, and then building a prioritized remediation roadmap. Businesses don't need to wait for detailed guiding documents before taking action, since many technical requirements can be implemented alongside the security measures already in place.

  • Review and classify the data currently being processed by risk level, and identify which information systems are critical to business operations
  • Update logging systems and access-tracking mechanisms to meet the requirement for identifying users' IP addresses
  • Apply a Zero Trust security model to tightly control access to critical systems and data
  • Build or update incident response procedures for detecting data leaks, cyberattacks, or fraud
  • Include a cybersecurity budget line item in digital transformation projects from the investment planning stage
  • Monitor implementing decrees and circulars, including documents such as Decree 356/2025/ND-CP, to stay current on detailed compliance requirements

For businesses that don't yet have a dedicated cybersecurity monitoring team under an SOC model, partnering with a professional security service provider is a solution that can shorten the time needed to meet the new compliance requirements.

12. From policy to practice: VNETWORK's journey toward security technology self-reliance

The investment incentives and domestic-product priorities that the 2025 Cybersecurity Law formalizes reflect an aspiration that many Vietnamese technology companies have pursued for years: building self-reliant cybersecurity capabilities instead of depending entirely on imported solutions. VNETWORK is one of the domestic technology companies that has consistently invested in researching and developing Vietnamese-owned cybersecurity solutions, with the goal of helping local businesses proactively protect their systems without relying on foreign providers.

With the investment incentive mechanisms and priority given to domestic products under the 2025 Cybersecurity Law, solutions developed by Vietnamese businesses now have additional motivation to scale up, invest in new technology research, and demonstrate their competitiveness. VNIS and EG-Platform are two flagship VNETWORK platforms that directly meet the cybersecurity and data security requirements set out in the new law.

12.1. VNIS - Comprehensive Web/App/API security and acceleration solution

VNIS is VNETWORK's Web/App/API security and acceleration platform, designed to help businesses proactively respond to cybersecurity threats in real time. The system provides two-layer protection: an infrastructure layer combining AI Smart Load Balancing and Multi-CDN to handle DDoS attacks at the network layer, and an application layer deploying AI-driven WAAP (Web Application and API Protection) to block malicious bots and common security vulnerabilities from the OWASP Top 10, such as SQL injection, XSS, and zero-day exploits.

Given the new requirements for periodic risk assessment and data security control under the 2025 Cybersecurity Law, the following standout features of VNIS help businesses meet compliance requirements faster:

  • Real-time multi-layer DDoS detection and mitigation (Layer 3/4/7)
  • Next-generation, AI-integrated WAF (WAAP) with continuously updated security rule sets
  • Global Multi-CDN that maintains speed and stability even while the system is under attack
  • Simultaneous protection for hundreds of thousands of websites, applications, and APIs worldwide
  • 24/7 SOC team monitoring, helping businesses detect and handle incidents promptly and meet reporting requirements when cybersecurity incidents occur
luat-an-ninh-mang-2025-co-gi-moi-6-en.png
VNIS - Web/App/API Security Solution

12.2. EG-Platform - Email security solution

EG-Platform is VNETWORK's email security platform, using AI and Machine Learning to provide comprehensive two-way email protection, covering both inbound and outbound mail, to help prevent phishing, social engineering, and targeted email attacks. The platform operates on a three-layer protection model: Spam Guard uses Machine Learning and Bayesian filtering to score the risk of each email and verifies SPF, DKIM, and DMARC authentication to detect domain spoofing; Receive Guard analyzes content, attachments, and URLs in a sandbox environment before emails reach users; and Send Guard controls outbound email to prevent compromised internal accounts from spreading phishing or leaking data.

EG-Platform is well suited to businesses with high requirements for information security and regulatory compliance, especially as the 2025 Cybersecurity Law tightens regulations around data protection and digital identity:

  • AI-powered two-way email protection, covering both inbound and outbound traffic
  • Early detection of sophisticated phishing campaigns before they cause damage
  • Sandbox analysis of dangerous attachments and URLs before emails reach users
  • Full compliance with the ITU-T X.1236 international email security standard set by the International Telecommunication Union
luat-an-ninh-mang-2025-co-gi-moi-7-en.png
EG-Platform - Email Security Solution

13. Conclusion

The 2025 Cybersecurity Law brings 8 genuinely notable changes compared to the previous law, from unifying concepts and the management focal point, to expanding protection for vulnerable groups, adding a dedicated data security framework, introducing the IP identification obligation, allocating resources for digital transformation projects, and offering investment incentives for domestic cybersecurity products. Businesses don't need to wait until July 1, 2026 to begin preparing, since most technical requirements can be implemented alongside existing security systems.

If you need advice on a security solution suited to your specific scale and industry, the VNETWORK team is ready to help assess your current status and propose a compliance roadmap aligned with the new requirements of the 2025 Cybersecurity Law:

  • Hotline: 028 7306 8789
  • Email: contact@vnetwork.vn

14. Disclaimer and references

This article is prepared for general informational purposes only and does not constitute legal advice. The analysis, interpretations, and examples presented reflect VNETWORK's own views based on its research of legal documents, and do not replace the advice of a qualified lawyer or legal expert. Businesses should seek in-depth legal counsel before making any compliance decisions.

A note on the penalty decree: at the time this article was published, the draft Decree on administrative penalties for violations in cybersecurity and personal data protection, led by the Ministry of Public Security, was still in the public-comment stage and had not yet been officially issued. According to the published draft, the maximum fine for cybersecurity violations is expected to be VND 100 million for individuals and VND 200 million for organizations, while violations related to personal data protection could carry fines of up to VND 1.5 billion for individuals and VND 3 billion for organizations. The specific fine levels and detailed regulations may change from the draft content. VNETWORK will update this article once the decree officially takes effect.

Reference sources:

  • Law No. 116/2025/QH15 on Cybersecurity, passed by the 15th National Assembly on December 10, 2025: Here
  • Law No. 24/2018/QH14 on Cybersecurity: Here
  • New Content in Cybersecurity Law No. 116/2025/QH15, Vietnam Government Portal: Here
  • Draft Decree on Administrative Penalties for Violations in Cybersecurity and Personal Data Protection, led by the Ministry of Public Security, currently open for public comment at: Here
  • Proposed Administrative Penalty Levels for Violations in Cybersecurity and Personal Data Protection, Cong An Nhan Dan Newspaper: Here

FAQ

1. When does the 2025 Cybersecurity Law take effect?

The 2025 Cybersecurity Law (Law No. 116/2025/QH15) was passed by the 15th National Assembly on December 10, 2025, and officially takes effect on July 1, 2026.

2. Which laws does the 2025 Cybersecurity Law replace?

The 2025 Cybersecurity Law simultaneously replaces the 2018 Cybersecurity Law (Law No. 24/2018/QH14) and the 2015 Law on Network Information Security, effective from the date the new law takes force.

3. Are foreign businesses required to store data in Vietnam?

Domestic and foreign businesses that provide services over telecommunications networks, the Internet, or value-added services in Vietnam and that collect, exploit, analyze, or process user data must store this data in Vietnam as required by law.

4. Which agency is responsible for state management of cybersecurity?

Under the 2025 Cybersecurity Law, the Ministry of Public Security is the lead agency and unified focal point for state management of cybersecurity nationwide, rather than the responsibility being split between two ministries as before.

5. How should businesses allocate resources for cybersecurity when carrying out digital transformation?

Under the new regulations, businesses and state agencies need to allocate appropriate resources for cybersecurity directly within each digital transformation and IT application program, scheme, or investment project, rather than treating it as a general budget line item handled only after the system is up and running.

RELATED POST

Sitemap HTML