Vietnam advised to ease up data localization requirements in new cybersecurity law
By Hoa Dinh ( October 3, 2025, 09:43 GMT | Insight) -- Vietnam’s new cybersecurity law should not restrict cross-border data transfers or require service providers to store data in Vietnam as such provisions will hinder data security and impede business innovation, the Business Software Alliance has told the government. Industry representatives have generally welcomed the move to streamline the framework, saying it would reduce overlap and compliance burdens.Vietnam’s new cybersecurity law should avoid restrictions on cross-border data transfers and data localization mandates because they would undermine data security and hinder business innovation, the Business Software Alliance, or BSA, said in comments on the draft submitted to the Ministry of Public Security and Ministry of Justice.The draft law — which consolidates the 2015 Law on Information Technology, the 2015 Law on Cyberinformation Security and the 2018 Cybersecurity Law (see here) — is set to be presented for discussion and approval during the National Assembly’s 10th session, which will convene on Oct. 20. BSA, which represents major software companies such as Microsoft and Amazon Web Services, said draft provisions in Article 16.3 requiring data localization and obliging foreign enterprises to set up local branches or representative offices would create barriers to cross-border data flows and imply localization of personnel.“Such requirements can frustrate efforts to implement effective security measures, protect data, and defend critical networks, just as they can impede business innovation and limit services available to consumers,” said Wong Wai San, BSA’s senior manager of policy in APAC, in the comments.The group recommended removing the obligations or, if retained, clarifying them so that companies remain free to transfer data overseas and use cloud-based services.“Foreign enterprises should also not be required to establish a branch or representative office in Vietnam to serve the Vietnam market,” Wong said. While commending the Vietnamese government’s recognition of the importance of artificial intelligence governance in a cybersecurity legislative document, BSA advises against including AI-specific obligations in the law due to risks of inconsistency with broader AI policies.“When developing implementing regulations, the Ministry of Public Security should take into consideration broader ‘whole of government’ policies related to AI. Failure to do so may lead to inconsistencies in regulations and policies related to AI policies and unintended divergence from emerging international practices,” the group said in the comments.BSA also called for narrowing broad definitions of “service providers” and “information systems of national security importance,” along with compliance, inspection and reporting duties attached to them....
Prepare for tomorrow’s regulatory change, today
MLex identifies risk to business wherever it emerges, with specialist reporters across the globe providing exclusive news and deep-dive analysis on the proposals, probes, enforcement actions and rulings that matter to your organization and clients, now and in the longer term.
Know what others in the room don’t, with features including:
Daily newsletters for Antitrust, M&A, Trade, Data Privacy & Security, Technology, AI and more
Custom alerts on specific filters including geographies, industries, topics and companies to suit your practice needs
Predictive analysis from expert journalists across North America, the UK and Europe, Latin America and Asia-Pacific
Curated case files bringing together news, analysis and source documents in a single timeline