In the context of rapid technological advancement and the country’s transition toward accelerated digital transformation, ensuring cybersecurity and data security has become an increasingly urgent necessity. Recent developments have witnessed a wide range of cyberattacks aimed at stealing, encrypting, or destroying data, which not only disrupt the operations of organizations but may also result in long-term consequences lasting for many years. These realities call for a robust, coherent, and unified legal framework capable of addressing emerging risks in cyberspace.
Accordingly, on the morning of 10 December 2025, the National Assembly officially adopted the Law on Cybersecurity 2025, introducing a number of notable and significant reforms.
1. Overview of the Law on Cybersecurity 2025
The Law on Cybersecurity 2025 is formulated on the basis of consolidating the Law on Cybersecurity 2018 and the Law on Network Information Security 2015, while also internalizing the provisions of the United Nation Conventions against Cybercrime (Hanoi Convention) into domestic law. This legislative consolidation aims to streamline regulatory responsibilities, eliminate overlapping mandates, and establish a unified legal framework. As such, the Law is widely regarded as an important milestone in Vietnam’s national digital transformation process and the development of its digital ecosystem.
The Law comprises eight chapters and forty-five articles, governing key areas including: the protection of cybersecurity for information systems (Chapter II); the prevention and handling of acts infringing cybersecurity (Chapter III); cybersecurity protection activities (Chapter IV); cybersecurity standards, technical regulations, products, and services (Chapter V); and cybersecurity forces and conditions ensuring cybersecurity (Chapter VI). The Law sets out the rights and obligations of organizations and individuals, regulates cybersecurity protection activities, specifies prohibited acts, promotes inter-agency coordination, and provides a framework for infrastructure investment. It also introduces several new legal concepts and revises existing provisions to keep pace with technological developments and the growing risks in cyberspace, thereby enhancing user protection.
The enactment of the Law on Cybersecurity 2025 further marks the unification of terminology in this field, with “cybersecurity” being established as the central legal concept. Moreover, the Law designates a single state authority responsible for cybersecurity governance, contributing to simplified regulatory procedures and strengthened coordination in safeguarding national cybersecurity.
2. Notable New Developments in the Law on Cybersecurity 2025
2.1. Enhanced Protection of Vulnerable Groups
One of the most notable developments of the Law on Cybersecurity 2025 is the expansion and clarification of legal protection for vulnerable groups in cyberspace. The Law expressly recognizes children, seniors, and individuals with cognitive or perceptual difficulties as groups requiring priority protection in cybersecurity awareness-raising and skills development. This marks a shift from a general, undifferentiated approach toward a more targeted and needs-based regulatory framework.
In particular, Article 16 introduces detailed provisions on the prevention and handling of child abuse in cyberspace, addressing risks such as online exploitation, harmful content, and violations of children’s personal data and privacy. Beyond direct protective measures, the Law also emphasizes prevention through education and awareness. Article 35 assigns responsibility to the State authority to encourage and coordinate with organizations, enterprises, and individuals in implementing educational programs aimed at enhancing awareness, digital literacy, and self-protection capabilities for vulnerable groups.
Compared with previous regulations, which largely focused on the general dissemination of cybersecurity knowledge, the Law on Cybersecurity 2025 clearly identifies priority beneficiaries of such efforts. This development reflects contemporary realities, as vulnerable groups increasingly become primary targets of online fraud, personal data exploitation, and psychological manipulation in cyberspace. By specifying both the protected groups and the corresponding responsibilities of the State and relevant stakeholders, the Law strengthens its preventive orientation and enhances substantive protection for those most at risk.
2.2. Strengthening National Cybersecurity Self-Reliance
Another significant innovation of the Law on Cybersecurity 2025 is the introduction of the concept of cybersecurity self-reliance, which appears for the first time as an explicit policy objective in cybersecurity legislation. The Law provides that the State shall encourage and facilitate agencies, organizations, and individuals to enhance their capacity for cybersecurity self-reliance, including the ability to manufacture, test, assess, and certify digital devices, network services, and online applications (Article 37). This provision reflects a strategic shift toward reducing technological dependence and strengthening domestic capabilities in the cybersecurity ecosystem.
At the operational level, the Law further imposes proactive responsibilities on agencies and organizations to prevent and mitigate cybersecurity risks. Under Article 17, relevant entities are required to actively prevent, detect, and block malicious software, and to establish technical systems for filtering malware during the processes of transmitting, receiving, and storing information. This obligation underscores a move from reactive incident response toward preventive and systematic risk management.
2.3. Expansion of Prohibited Acts in Cyberspace
A prominent feature of the Law on Cybersecurity 2025 is the substantial expansion and detailed articulation of prohibited acts in cyberspace. Compared with earlier legislation, the Law adopts a more comprehensive and practice-oriented approach, encompassing a wide range of dangerous and increasingly common cyber-related behaviors.
First, the Law strictly prohibits the creation, posting, and dissemination of information that undermines the State, distorts or falsifies facts, incites war, ethnic or religious hatred, insults national leaders or heroes, or damages national unity. Content that distorts historical truth, denies revolutionary achievements, or promotes discrimination based on gender or race is likewise prohibited. These provisions reflect the State’s determination to safeguard national security, social order, and core societal values in the digital environment.
The Law further prohibits the dissemination of fabricated or false information that adversely affects socio-economic stability, causes public panic, or disrupts the normal operation of State agencies. This regulation is particularly significant in light of the rapid spread of misinformation related to finance, banking, securities, and market prices on social media platforms, where false information may trigger serious economic consequences and undermine public confidence.
In addition, the Law enumerates a broad range of commonly occurring cyber violations, including acts infringing upon the honor, dignity, and reputation of individuals; online fraud and misappropriation of property; organizing or facilitating online gambling; advertising or trading in prohibited goods and services; violations of intellectual property rights; illegal transactions involving credit card information or digital assets, crypto-assets; and the creation of fraudulent websites or electronic information pages impersonating State agencies or organizations. By explicitly listing these acts, the Law enhances legal certainty and provides clearer grounds for enforcement in practice.
A particularly notable innovation is the prohibition on the use of artificial intelligence or other emerging technologies to unlawfully impersonate another person’s image, voice, or video. Although the Law does not employ the term “deepfake,” this provision explicitly addresses deepfake-related misconduct, which has increasingly become a tool for fraud, identity theft, and serious invasions of privacy. This demonstrates the Law’s flexible and forward-looking regulatory approach to emerging technologies.
2.4. International Cooperation in Cybersecurity
The Law on Cybersecurity 2025 further concretizes international cooperation in the field of cybersecurity, recognizing that cyber threats are inherently transnational and cannot be effectively addressed through purely domestic measures. Notably, these cooperation provisions are designed to align with international commitments, particularly the Hanoi Convention.
Concretely, Article 6 of the Law expressly provides for international cooperation in cybersecurity, including cooperation with foreign states and international organizations in the prevention, detection, and response to cybersecurity threats, as well as in the exchange of information related to cyber risks, cyberattacks, and preventive measures. By facilitating cross-border information sharing, investigative support, and mutual assistance in combating cybercrime, the Law contributes to the gradual harmonization of Vietnam’s cybersecurity legal framework with international standards and practices. This alignment enhances Vietnam’s capacity to address high-tech crime and emerging cyber threats in an increasingly interconnected digital environment.
3. Conclusion and Implications for Businesses
The Law on Cybersecurity 2025 represents a significant step toward the consolidation and modernization of Vietnam’s cybersecurity legal framework in response to accelerating digital transformation and increasingly complex cyber risks. By harmonizing previous legislation and incorporating international standards, particularly through alignment with the Hanoi Convention, the Law enhances legal certainty while strengthening national capacity to prevent and respond to cyber threats.
From a business perspective, the Law signals a clear shift toward heightened compliance expectations and proactive risk management. Enterprises operating in the digital environment—especially those providing online platforms, cloud services, fintech solutions, or handling large volumes of data—are required not only to comply with prohibitions and technical obligations but also to integrate cybersecurity considerations into their internal governance, operational processes, and technology strategies. The expansion of prohibited acts, combined with clearer responsibilities for prevention and cooperation with competent authorities, increases potential legal exposure for non-compliance, reputational damage, and operational disruption.
At the same time, the Law offers opportunities for businesses to enhance trust and resilience by investing in cybersecurity compliance, internal controls, and employee awareness. For enterprises engaged in cross-border operations, the Law’s emphasis on international cooperation and alignment with global standards provides a more predictable legal environment and facilitates coordination with foreign partners. In this regard, the Law on Cybersecurity 2025 not only functions as a regulatory instrument but also serves as a strategic framework encouraging businesses to treat cybersecurity as a core component of sustainable growth and long-term risk management.
