Vietnam tightens data localization rules in new draft cybersecurity law
By Hoa Dinh ( November 5, 2025, 05:16 GMT | Insight) -- A new draft of Vietnam’s revised cybersecurity law has increased data localization requirements for foreign service providers while retaining provisions that enable government access to data. The latest draft was released after the National Assembly reviewed and commented on it last week during its ongoing 10th session.A new draft of Vietnam’s revised cybersecurity law has been released after the National Assembly reviewed and commented on it last week during its ongoing 10th session.The new draft (see here) adds foreign agencies, organizations and individuals in Vietnam to the scope of application, as well as those that provide cybersecurity products and services in the country.Despite recommendations from industry players to ease data localization requirements (see here), the new draft further tightens these rules and gives the state more authority over cross-border data transfers.Not only does it retain the requirement for domestic and foreign enterprises providing online services in Vietnam to store user data in the country for a government-prescribed period, it also mandates that foreign enterprises establish branches or representative offices in Vietnam, which will increase compliance costs.The requirement applies not only to users’ personal data but also data on users’ relationships — such as friends or groups they connect or interact with — and data generated by users in Vietnam.The new draft also explicitly prohibits organizations that establish databases, data centers or data storage systems from transferring core data and important data to a third party, an issue not addressed in the previous draft.It also assigns the cybersecurity task force of the Ministry of Public Security, or MPS, the responsibility to inspect and evaluate cross-border data transfers.Despite industry advice to reduce government access to data, the latest draft still requires covered enterprises to provide user information to MPS within 24 hours, and in emergencies or cases threatening national security or human life, within 3 hours.The requirement to delete information within 24 hours when directed by the MPS, or within six hours in emergencies or national security threats, is also retained.– New information classification system –The new draft introduces a new information classification system with five cybersecurity levels, up from three in the previous draft.Information systems at the lowest level are those whose interruption, attack, or destruction would harm the legitimate rights and interests of organizations or individuals but not affect public interests, social order, or safety.Systems at the highest level are those whose interruption, attack, or destruction would cause severe damage to sovereignty, national interests, defense, or security.Presenting its appraisal report on the draft law last Friday, the National Assembly's Committee on National Defense, Security and Foreign Affairs recommended that the government specify the role and protection measures for each level of information system.It also recommended adding certain prohibited acts to the law, including the use of artificial intelligence or deepfake technology to create, modify or spread false information that affects individuals, organizations or national security, or to impersonate celebrities and their relatives.Lawmakers will continue discussing the draft law on Friday. It is set to be passed during this session of the National Assembly, which lasts until Dec. 11. Please email editors@mlex.com to contact the editorial staff regarding this story, or to submit the names of lawyers and advisers....
Prepare for tomorrow’s regulatory change, today
MLex identifies risk to business wherever it emerges, with specialist reporters across the globe providing exclusive news and deep-dive analysis on the proposals, probes, enforcement actions and rulings that matter to your organization and clients, now and in the longer term.
Know what others in the room don’t, with features including:
Daily newsletters for Antitrust, M&A, Trade, Data Privacy & Security, Technology, AI and more
Custom alerts on specific filters including geographies, industries, topics and companies to suit your practice needs
Predictive analysis from expert journalists across North America, the UK and Europe, Latin America and Asia-Pacific
Curated case files bringing together news, analysis and source documents in a single timeline