Cybersecurity Law 116/2025/QH15 - Everything businesses need to prepare

Cyberattacks are growing increasingly sophisticated, deepfakes are proliferating, and user data is being exploited in ways the old law never anticipated. That is why the National Assembly enacted a new Cybersecurity Law, Law No. 116/2025/QH15. The new law completely replaces the 2018 Cybersecurity Law and the 2015 Law on Network Information Security, establishing clearer obligations for businesses operating in cyberspace.

1. What is the Cybersecurity Law?

Cybersecurity Law No. 116/2025/QH15 was passed by the 15th National Assembly at its 10th session on 10/12/2025 and takes effect from 01/07/2026. It simultaneously repeals Cybersecurity Law No. 24/2018/QH14 and Law on Network Information Security No. 86/2015/QH13 from the date of entry into force (Article 44, Clause 2). In addition, the 2025 Cybersecurity Law closely intersects with the Personal Data Protection Law that has been in effect since 01/01/2026, forming the most comprehensive information security legal framework in Vietnam to date.

The need for a new law stems from a fundamental change in the cyber landscape since the old law was enacted. Artificial intelligence, deepfake technology, blockchain, and cloud computing create entirely new security risks that the old legal framework did not adequately address. Moreover, the strong wave of digital transformation has led more businesses to migrate their information systems online, demanding that cybersecurity obligations be defined more clearly and specifically.

To correctly understand the scope of the Law, businesses need to grasp four core concepts defined in Article 2:

  • Cybersecurity refers to the stability, security, and safety of cyberspace, including the protection of information systems and ensuring that information, data, and activities in cyberspace do not harm national security, public order, social safety, or legitimate interests (Clause 1).
  • Data security refers to ensuring data quality and all data processing and use activities in cyberspace for socioeconomic development and national digital transformation, preventing unauthorized access, use, disclosure, or modification (Clause 3). This is an entirely new concept compared to the old law, reflecting close alignment with the Personal Data Protection Law.
  • A cyberattack is an act using information technology or electronic means to seize information, disrupt, interrupt, paralyze, or destroy information systems (Clause 13).
  • Cybercrime refers to socially dangerous acts defined in the Penal Code carried out in cyberspace (Clause 12). These two concepts have a clear boundary: cyberattacks are subject to administrative penalties, while cybercrime is subject to criminal prosecution.
[Image: Cybersecurity Law No. 116/2025/QH15 was passed by the 15th National Assembly]

2. Who does the Cybersecurity Law apply to?

2.1 Entities required to comply

Under Article 1, Clause 2, the Law applies to three groups:

  • The first group comprises Vietnamese agencies, organizations, and individuals (Point a).
  • The second group includes foreign agencies, organizations, and individuals in Vietnam, as well as Vietnamese-origin persons of undetermined nationality residing in Vietnam who hold a citizen identity card (Point b).
  • The third group covers foreign agencies, organizations, and individuals directly involved in or related to cybersecurity protection activities, or engaged in the business of cybersecurity products and services in Vietnam (Point c).

An important point for foreign businesses is that the third group does not need to have a registered office in Vietnam to be bound by the Law, as long as it conducts business in cybersecurity products or services there. For businesses providing services in cyberspace in Vietnam, Article 25 additionally requires them to establish a branch or representative office in Vietnam if they engage in collecting, exploiting, analyzing, or processing user data (Clause 3, Article 25).

2.2 Information systems requiring level-based protection

Article 8 of the Law classifies information systems into 5 levels based on the degree of potential harm in the event of an incident. This is the key basis for businesses to determine which protection measures they must implement. Businesses are responsible for self-assessing the level of their own information systems, as this determines the corresponding technical obligations. The Government will prescribe detailed criteria for level classification in implementing regulations (Article 8, Clause 2).

| Level | Potential harm level | Mandatory technical obligations (Article 10) |
|---|---|---|
| 1 | Harm to the lawful rights and interests of organizations and individuals | Mandatory Clause 1 tasks; optional Clause 2 technical measures |
| 2 | Serious harm to organizations, individuals, or the public interest | Mandatory Clause 1 tasks; optional Clause 2 technical measures |
| 3 | Especially serious harm to organizations and individuals; harm to national security | All Clause 1 tasks mandatory; 5 of 8 Clause 2 technical measures mandatory |
| 4 | Especially serious harm to public order or national security | All Clause 1 tasks mandatory; 5 of 8 Clause 2 technical measures mandatory |
| 5 | Information systems critical to national security | All of Clause 1 and Clause 2 mandatory; subject to periodic inspection and review |

3. What acts are prohibited in cyberspace?

3.1 Prohibited content for posting and distribution

Article 7 of the Law lists all prohibited acts, divided into 8 main groups. Businesses should pay particular attention to two provisions that are entirely new compared to the old law. Point g, Clause 2, Article 7 prohibits the use of artificial intelligence or new technologies to create fake videos, images, or voices of others in violation of the law. This is a pioneering regulation on deepfakes, reflecting the reality that generative AI technology is being exploited to carry out sophisticated social engineering attacks.

Point h, Clause 2, Article 7 prohibits the unauthorized collection, use, distribution, exchange, transfer, or commercial exploitation of personal information and data of others. This provision directly intersects with the Personal Data Protection Law currently in effect: data breaches in cyberspace may be prosecuted simultaneously under both legal frameworks. Businesses that fail to properly comply with the Personal Data Protection Law therefore also risk violating the Cybersecurity Law.

Clause 1, Article 7 lists prohibited content for posting, including information propagandizing against the State, distorting history, making false accusations, spreading misinformation that causes public panic, content inciting violence, and information that violates the reputation of individuals or organizations. Businesses operating platforms that allow user-generated content must have mechanisms to control and remove such content within 24 hours upon request from competent authorities.

3.2 Cyberattacks and prohibited technical acts

Article 18, Clause 1 lists 5 categories of prohibited cyberattack acts. Of particular relevance to businesses is the prohibition on manufacturing, trading, exchanging, or giving away tools, equipment, or software with harmful network capabilities for use in unlawful purposes (Point d, Clause 1, Article 18). Businesses providing cybersecurity products and services that include penetration testing should take note: a cybersecurity business license under Article 29 is required to operate legally. Operating services listed in Article 28 without a license will result in penalties under the draft decree.

Clause 2, Article 18 requires information system owners to apply technical measures to proactively prevent and block the 5 categories of cyberattack acts, meaning businesses cannot wait until after an attack occurs before responding. This obligation operationalizes the requirements in Article 10 and compels businesses to have technical solutions such as firewalls, WAF, and intrusion detection and prevention systems deployed proactively.

4. What mandatory obligations do businesses have?

4.1 Obligations for information system protection by level

Article 10 of the Law divides cybersecurity protection obligations into two groups: management tasks and technical measures. Importantly, not every business must implement everything; requirements depend on the system level determined in the previous step.

The management tasks group (Clause 1, Article 10) is mandatory for all levels, covering activities such as determining system level, periodically assessing and managing risks, monitoring and auditing compliance, deploying protective measures, and fulfilling reporting obligations to state agencies.

The technical measures group (Clause 2, Article 10) comprises 8 specific items, ranging from issuing internal cybersecurity regulations, appraising and evaluating systems, applying technical standards, implementing data backup and storage, continuous cybersecurity monitoring, to incident response and recovery. This group is not uniformly mandatory across all levels:

  • Levels 1 and 2: only management tasks are mandatory; technical measures may be optionally applied.
  • Levels 3 and 4: both management tasks and most technical measures in Clause 2 are mandatory. This is the threshold that most financial, healthcare, and telecommunications businesses are likely to fall under.
  • Level 5: all of Clause 1 and Clause 2 are mandatory, with no exceptions.

In short, the higher the level, the more requirements apply. Correctly identifying the level from the outset will help businesses avoid over- or under-investing relative to legal requirements (Article 10, Clauses 3, 4, 5).

4.2 Obligations for businesses providing services in cyberspace

This is the most important group of obligations for technology companies, fintech, e-commerce, social media platforms, and mobile applications. Article 25, Clause 2 specifies 4 mandatory obligations:

  • Must verify user information when they register a digital account and protect user information and account security.
  • Must provide user information to the specialized cybersecurity protection forces of the Ministry of Public Security no later than 24 hours from the time of a written request.
  • Must prevent the sharing of information and delete content, remove services or applications that violate the law no later than 24 hours from the request of the specialized cybersecurity protection forces.
  • Must store personal information of service users and data generated by service users for the duration prescribed by law.

Importantly, Clause 3, Article 25 requires foreign businesses engaged in collecting, exploiting, analyzing, or processing personal information and data generated by service users in Vietnam to establish a branch or representative office in Vietnam.

4.3 Obligations for preventing malware and cyberattacks

Article 17 requires agencies, organizations, and individuals to proactively prevent, detect, and block malware and comply with guidance and requirements from competent state agencies (Clause 1). For businesses providing email services, information transmission and storage, they must have a malware filtering system during the sending, receiving, and storing of information on their systems and report to competent state agencies (Clause 3, Article 17).

Clause 2, Article 18 requires information system owners to apply technical measures to proactively prevent and block cyberattacks. This obligation compels businesses to deploy Defense in Depth, meaning multi-layered protection rather than relying on a single solution.

4.4 Obligations for reporting and connecting to the national monitoring system

Article 40 of the Law stipulates two important obligations for information system owners. First, they must report cybersecurity incidents to the specialized agency of the Ministry of Public Security or the Ministry of National Defense (Clause 1, Point c). Second, they must connect their cybersecurity monitoring system and centralized anti-malware system to the National Cybersecurity Center under the Ministry of Public Security or the provincial/municipal Cybersecurity Center (Clause 1, Point b).

For businesses providing telecommunications, Internet, and value-added services in cyberspace, when a cybersecurity incident occurs, they must immediately deploy emergency response measures and simultaneously report to the specialized cybersecurity protection forces (Article 41, Clause 3).

[Image: Obligations for reporting and connecting to the national monitoring system]

5. Which industries are particularly affected by the Cybersecurity Law?

5.1 Internet, social media, and application service providers

This group faces the most direct and significant impact. Article 25 imposes 4 core obligations: user verification, provision of information within 24 hours upon request, deletion of violating content within 24 hours, and system log retention. The requirement for foreign businesses to establish a branch or representative office in Vietnam is a critical provision to monitor, particularly for international applications serving Vietnamese users without a legal representative in country.

5.2 Businesses operating information systems in 8 critical sectors

Article 9, Clause 2 lists 8 sectors with information systems critical to national security, among which private enterprises should pay special attention to national information systems in the energy, banking and finance, telecommunications, transportation, agriculture, natural resources and environment, chemicals, healthcare, and culture sectors.

Businesses in banking and finance, telecommunications, healthcare, and energy need to determine whether their information systems are included in the list of information systems critical to national security as decided by the Prime Minister. If so, they must undergo cybersecurity appraisal and certification before commencing operations, conduct annual cybersecurity inspections, and perform self-assessments with written notification of results before October each year (Article 11, Clause 1, Point b).

5.3 Businesses in the cybersecurity products and services sector

Article 29, Clause 1 clearly states: businesses providing cybersecurity products and services must hold a cybersecurity business license issued by the Ministry of Public Security. Article 28 lists cybersecurity products including civilian cryptographic products, cybersecurity testing and evaluation products, cybersecurity monitoring products, and intrusion prevention products. Cybersecurity services include testing and evaluation services, WAAP, consulting, monitoring, incident response, and data recovery.

For businesses currently providing security services, holding a valid license is a mandatory requirement to continue operations after 01/07/2026. Article 29, Clause 2 additionally requires cybersecurity product and service businesses to maintain, retain, and protect customer information, as well as manage records and documentation on technical solutions and product technology as required by law.

6. What are the penalties for violating the Cybersecurity Law?

6.1 Main penalty framework under the draft administrative sanctions decree

The draft decree on administrative sanctions in the field of cybersecurity and personal data protection sets a separate penalty framework for cybersecurity. Under Article 6, Clause 3 of the draft decree, the maximum fine in the cybersecurity field is VND 100 million for individuals and VND 200 million for organizations. For cybersecurity violations, organizations are fined twice the amount applicable to individuals under Article 6, Clause 1.

| Violation | Decree article | Individual fine | Organization fine (x2) |
|---|---|---|---|
| Posting fabricated, false, or defamatory information about individuals or organizations | Article 8, Clause 1 | VND 10-20M | VND 20-40M |
| Creating false information, defaming others | Article 8, Clause 2 | VND 20-30M | VND 40-60M |
| Setting up pages/channels to post false or distorted information | Article 8, Clause 4 | VND 30-50M | VND 60-100M |
| Failure to delete violating content within 24 hours upon request | Article 25, Decree | VND 50-70M | VND 100-140M |
| Failure to provide user information to authorities on time | Article 25, Decree | VND 50-70M | VND 100-140M |
| Providing cybersecurity products or services without a license | Article 53, Decree | VND 50-100M | VND 100-200M |
| Distributing malware or conducting cyberattacks | Article 50, Decree | VND 50-100M | VND 100-200M |

6.2 Additional penalties and dual liability with the Personal Data Protection Law

Beyond monetary fines, Article 4 of the draft decree provides for additional penalties including revocation of cybersecurity product and service business licenses for 1 to 3 months; suspension of operations for 1 to 3 months; confiscation of tools, equipment, and digital accounts used in violations; and deportation for foreign nationals in violation. Remedial measures include mandatory deletion of violating content, mandatory public apology through mass media, and domain name revocation.

A particularly important point to emphasize: unauthorized collection and trading of personal data in cyberspace constitutes a violation of both Article 7, Clause 2, Point h of the Cybersecurity Law and provisions of the Personal Data Protection Law in effect since 01/01/2026. Businesses may face combined penalties under both legal frameworks, along with the risk of suspension by two separate enforcement agencies.

7. Key changes compared to the 2018 Cybersecurity Law

There are 4 fundamental changes that businesses need to understand in order to adjust their systems and processes in time.

  • First, the 2025 Law adds provisions prohibiting deepfakes and AI-generated impersonation content (Article 7, Clause 2, Point g). The old law did not contain such provisions because deepfakes were not yet prevalent in 2018. Media, advertising, and content platform businesses must have content moderation policies for AI-generated content.
  • Second, the 2025 Law introduces the concept of data security (Article 2, Clause 3) and Article 26 provides separate regulations on data security assurance with 7 mandatory technical measures, closely linking with the Personal Data Protection Law to form a dual legal framework for data protection.
  • Third, Article 34 requires personnel directly managing and operating Level 3, 4, and 5 information systems in state agencies, organizations, and enterprises to complete specialized training and hold certification in cybersecurity knowledge and skills, applicable to all officials, civil servants, public employees, and workers involved in cybersecurity protection.
  • Fourth, the scope of covered entities is significantly expanded compared to the old law, now covering foreign organizations providing cybersecurity products and services in Vietnam even without a registered office there (Article 1, Clause 2, Point c).

8. Compliance roadmap for the Cybersecurity Law

The Cybersecurity Law takes effect on 01/07/2026. Preparation time is limited, and the 5 steps below should be implemented in parallel rather than sequentially to meet the deadline:

  1. Determine information system level: Review all currently operating information systems and compare them against the criteria in Article 8 to determine the level. This is the foundational step as the level determines all technical and organizational obligations to fulfill. Businesses in finance, healthcare, and telecommunications must additionally determine whether they fall under the list of information systems critical to national security.
  2. Review business licenses if providing cybersecurity products or services: If the business currently provides cybersecurity testing, monitoring, anti-cyberattack, or incident response services, the cybersecurity product and service business licensing process with the Ministry of Public Security must be completed before the Law takes effect under Article 29. Licensing procedures typically take considerable time, so starting early is advisable.
  3. Build and supplement technical measures by level: Based on Step 1 results, implement the mandatory technical measures under Article 10, Clause 2. Prioritize deploying access control systems, cybersecurity monitoring based on zero trust principles, periodic data backups, and intrusion detection systems. For Level 3 systems and above, ensure connectivity to the National Cybersecurity Center monitoring system under Article 40.
  4. Update procedures for handling requests from authorities: For businesses providing services in cyberspace, establish internal processes to provide user information within 24 hours and delete violating content within 24 hours upon request from the Ministry of Public Security under Article 25, Clause 2. Designate a point of contact for receiving requests and clearly assign processing authority.
  5. Train and certify system administration personnel: For Level 3, 4, or 5 information systems, personnel directly managing them must complete training programs and obtain certification under Article 34. Training and certification registration procedures should be planned early to ensure sufficient time before the Law takes effect.

9. Conclusion

Cybersecurity Law No. 116/2025/QH15 officially takes effect from 01/07/2026, completely replacing the old legal framework with many new and more specific requirements on technical, organizational, and human resource obligations. Combined with the Personal Data Protection Law in effect since 01/01/2026, businesses are now facing the most comprehensive information security legal framework in Vietnam to date. There are 4 months left to prepare, but the 5 steps in the roadmap above must be implemented in parallel, not sequentially, to meet the deadline.

VNETWORK is ready to partner with businesses in deploying technical security solutions and responding to cybersecurity incidents in compliance with the 2025 Cybersecurity Law. Register for a free consultation: Here

[Image: VNETWORK - Comprehensive Cybersecurity Emergency Response Center]

10. Disclaimer and references

This article is compiled for general informational purposes and does not constitute legal advice. The analyses, interpretations, and examples are VNETWORK's perspective based on the study of legal documents and do not substitute for advice from a qualified attorney or legal expert. Businesses should seek specialized legal counsel before making any compliance decisions.

Note on the administrative sanctions decree: at the time this article was published, the decree on administrative sanctions in the field of cybersecurity and personal data protection was still in the public consultation stage and had not been officially issued. Specific penalty amounts and detailed provisions may change from the draft. VNETWORK will update this article when the decree officially takes effect.

Reference sources:

Law No. 116/2025/QH15 on Cybersecurity, passed by the 15th National Assembly on 10/12/2025, signed by National Assembly Chairman Tran Thanh Man: Here

Draft Decree on administrative sanctions in the field of cybersecurity and personal data protection, drafted by the Ministry of Public Security, currently in public consultation: Here

FAQ - Frequently asked questions about the Cybersecurity Law

1. When does Cybersecurity Law 116/2025/QH15 take effect?

Law No. 116/2025/QH15 was passed by the National Assembly on 10/12/2025 and officially takes effect on 01/07/2026 (Article 44, Clause 1). From that date, Cybersecurity Law No. 24/2018/QH14 and Law on Network Information Security No. 86/2015/QH13 are both repealed (Article 44, Clause 2).

2. Do foreign businesses providing services in Vietnam have to comply with the Cybersecurity Law?

Yes. Under Article 1, Clause 2, Point c, the Law applies to foreign organizations engaged in cybersecurity protection activities or the business of cybersecurity products and services in Vietnam even without a registered office there. Additionally, under Article 25, Clause 3, foreign businesses providing services in cyberspace in Vietnam that collect and process Vietnamese user data must establish a branch or representative office in Vietnam.

3. What is the maximum penalty for a business violating the Cybersecurity Law?

Under Article 6, Clause 3 of the draft administrative sanctions decree, the maximum fine in the cybersecurity field is VND 100 million for individuals and VND 200 million for organizations (organizations are fined twice the amount for individuals under Article 6, Clause 1). In addition to fines, businesses may have their cybersecurity product and service business licenses revoked and operations suspended for 1 to 3 months.

4. What level does a business's information system fall under?

The level is determined based on the degree of potential harm in the event of an incident or a cybersecurity violation (Article 8, Clause 1). Most information systems of ordinary private enterprises typically fall under Level 1 or 2. Systems in banking and finance, healthcare, energy, and telecommunications may fall under Level 3, 4, or 5. The Government will prescribe detailed level classification criteria in implementing regulations.

5. Are businesses using AI to create content affected by the Cybersecurity Law?

Yes, if the AI-generated content creates fake videos, images, or voices of others in violation of the law. Article 7, Clause 2, Point g of the Law prohibits the use of artificial intelligence or new technologies to impersonate personal information of others. Businesses using or developing generative AI technology need to establish output control policies to avoid creating content that violates this provision.

6. Do businesses providing security services need a new license?

Yes. Article 29, Clause 1 of the Law requires businesses providing cybersecurity products and services to hold a cybersecurity business license issued by the Ministry of Public Security. The list of cybersecurity products and services is provided in Article 28. Businesses currently operating in this sector should conduct an immediate review to complete the licensing process before the Law takes effect on 01/07/2026.

7. Can violations of the Cybersecurity Law and the Personal Data Protection Law be penalized simultaneously?

Yes. If a violation falls within the scope of both laws, businesses may be subject to penalties under both legal frameworks. For example, unauthorized collection and trading of personal data in cyberspace violates both Article 7, Clause 2, Point h of the Cybersecurity Law and provisions of the Personal Data Protection Law in effect since 01/01/2026. Businesses need to build an integrated compliance system to meet the requirements of both laws simultaneously.
