DPO Radio

The Law on Cybersecurity (LoCS) 116/2025/QH15 is Vietnam’s consolidated cybersecurity law. It took effect on 1 July 2026, replacing the earlier Law 24/2018 framework while preserving the need to understand evidence and obligations created during the transition.
The operational burden spans incident response, authority cooperation, system and data governance, security controls, and localization readiness. These activities cross legal, security, technology, and management teams, so the quality of ownership and evidence matters as much as the written policy.
The framework also has a shared draft enforcement overlay covering both cybersecurity and personal data protection sanctions chapters. That draft is not final law, and any draft fine language must remain clearly separated from current obligations and enacted penalties.
The draft enforcement overlay is also separate from Government Resolution NQ22/2026. NQ22 temporarily changes certain personal data protection administrative procedures; it is not a cybersecurity sanctions instrument and is not part of this page’s operational hierarchy.
Effective 1 July 2026
Replaces Law 24/2018 while historical records and in-flight work may remain relevant
Cybersecurity incidents, authority cooperation, security governance, localization readiness, and supporting evidence
Incident records, decisions, approvals, authority interactions, control evidence, remediation, and audit history
A separate draft sanctions instrument that covers cybersecurity and personal data protection chapters
Draft enforcement provisions and fine amounts are not presented as final law
Records created under the earlier framework may still matter for historical periods, contracts, incidents, and regulator review during transition.
The draft enforcement overlay addresses sanctions chapters across both cybersecurity and personal data protection. It remains subject to change and is managed separately from current law and from NQ22 procedural changes.

ComplianceOne structures cybersecurity incidents from intake through assessment, escalation, investigation, remediation, and closure. Evidence remains linked to the case, including who contributed, who reviewed, and which decisions were approved.
Authority interactions can be recorded with the request, scope, responsible owner, legal review, response material, and proof of completion. This creates a coherent record for both planned cooperation and urgent response work.
Security and localization readiness can be managed through assigned reviews, control evidence, findings, and remediation tasks. Vendor or service-provider dependencies can be linked to the same work so third-party evidence does not sit outside the compliance record.
Draft enforcement readiness is maintained as a separate change-management track. Teams can assess whether current evidence would support an inspection or enforcement response without treating draft provisions or fine amounts as enacted.
Coordinates investigation, evidence, escalation, remediation, and closure.
Explore Incident OperationsSupports notifications, response records, and authority interactions.
Explore Data ClassificationTracks recurring reviews, requests, findings, and follow-up work.
Explore Monitoring ProgramsMaintains access-control and accountability evidence.
Explore Access AccountabilityOrganizes readiness reviews, policy ownership, and regulatory change.
Explore Program Governance

ComplianceOne supports cross-team incident and authority-response work with reviewable evidence from first report through closure.
Transition context, current readiness, and the shared draft enforcement layer remain distinct, reducing the risk of misleading status or penalty claims.
Where the same event also involves personal data, related records can be connected while each framework keeps its own obligations and history.
Ready to see how ComplianceOne manages cybersecurity obligations operationally? Request a demo tailored to your organization's needs.

Law 116/2025/QH15 took effect on 1 July 2026, replacing the earlier Law 24/2018 with expanded scope and updated obligations. Organizations should assess scope, ownership, controls, incident processes, and evidence readiness.
No. The enforcement instrument is still a draft. Its provisions and any fine amounts must not be treated as final law until the instrument is promulgated.
The draft contains sanctions chapters that apply across both cybersecurity and personal data protection. A shared page prevents either framework from presenting the draft as exclusive to one area.
No. NQ22 is a temporary procedural overlay affecting certain personal data protection administrative procedures. It is not a sanctions instrument and is kept separate from cybersecurity enforcement content.
The Incident Operations module manages the full incident lifecycle: detection, triage, escalation based on severity classification, authority notification through defined channels, investigation with evidence collection, remediation tracking, and case closure. Evidence chain of custody is maintained throughout, with tamper-evident records of every action.
Yes. The Monitoring Programs module manages all types of authority requests — information requests, system access requests, operational data requests — through a structured workflow with verification, legal review, management approval, response execution, and closure. Every interaction is logged in a centralized disclosure register.
Data localization readiness is managed through the Program Governance module with governance workflows that document in-scope determination (based on service type, user count, and data types), localization assessment, compliance status, and ongoing review schedules. Evidence of compliant storage and retention practices is maintained with audit trail coverage.
Yes. ComplianceOne supports 7 Vietnam regulatory frameworks within a shared workflow engine. Organizations subject to both the Cybersecurity Law and the PDPL manage all obligations from a single platform. When a cybersecurity incident also involves a personal data breach, both the cybersecurity incident workflow and the PDPL breach notification workflow operate in coordination with consistent evidence production.

Test incident, authority-response, and transition-readiness workflows with your team.

Talk to our team about cybersecurity compliance operations, multi-framework coverage, and deployment for your organization.