DPO Radio

Measure Value, Not Just Traffic Explore new features in AesirX Analytics

AesirX ComplianceOne | Vietnam Cybersecurity Law

Overview Image

Why the Vietnam Cybersecurity Law Matters

The Law on Cybersecurity (LoCS) 116/2025/QH15 is Vietnam’s consolidated cybersecurity law. It took effect on 1 July 2026, replacing the earlier Law 24/2018 framework while preserving the need to understand evidence and obligations created during the transition.

The operational burden spans incident response, authority cooperation, system and data governance, security controls, and localization readiness. These activities cross legal, security, technology, and management teams, so the quality of ownership and evidence matters as much as the written policy.

The framework also has a shared draft enforcement overlay covering both cybersecurity and personal data protection sanctions chapters. That draft is not final law, and any draft fine language must remain clearly separated from current obligations and enacted penalties.

The draft enforcement overlay is also separate from Government Resolution NQ22/2026. NQ22 temporarily changes certain personal data protection administrative procedures; it is not a cybersecurity sanctions instrument and is not part of this page’s operational hierarchy.

What the Vietnam Cybersecurity Law Covers

Dimension

Coverage

Status

Effective 1 July 2026

Transition

Replaces Law 24/2018 while historical records and in-flight work may remain relevant

Operational areas

Cybersecurity incidents, authority cooperation, security governance, localization readiness, and supporting evidence

Evidence requirements

Incident records, decisions, approvals, authority interactions, control evidence, remediation, and audit history

Shared draft overlay

A separate draft sanctions instrument that covers cybersecurity and personal data protection chapters

Status guardrail

Draft enforcement provisions and fine amounts are not presented as final law

The Cybersecurity Instrument Stack

Law 24/2018 and Decree 53

Transition Context

Records created under the earlier framework may still matter for historical periods, contracts, incidents, and regulator review during transition.

Shared Cybersecurity and PDPL Enforcement Draft

Draft

The draft enforcement overlay addresses sanctions chapters across both cybersecurity and personal data protection. It remains subject to change and is managed separately from current law and from NQ22 procedural changes.

Overview Image

How ComplianceOne Supports the Vietnam Cybersecurity Law

ComplianceOne structures cybersecurity incidents from intake through assessment, escalation, investigation, remediation, and closure. Evidence remains linked to the case, including who contributed, who reviewed, and which decisions were approved.

Authority interactions can be recorded with the request, scope, responsible owner, legal review, response material, and proof of completion. This creates a coherent record for both planned cooperation and urgent response work.

Security and localization readiness can be managed through assigned reviews, control evidence, findings, and remediation tasks. Vendor or service-provider dependencies can be linked to the same work so third-party evidence does not sit outside the compliance record.

Draft enforcement readiness is maintained as a separate change-management track. Teams can assess whether current evidence would support an inspection or enforcement response without treating draft provisions or fine amounts as enacted.

Related Modules

Incident Operations

Coordinates investigation, evidence, escalation, remediation, and closure.

Explore Incident Operations

Incident Response

Supports notifications, response records, and authority interactions.

Explore Data Classification

Monitoring Programs

Tracks recurring reviews, requests, findings, and follow-up work.

Explore Monitoring Programs

Access Accountability

Maintains access-control and accountability evidence.

Explore Access Accountability

Audit Trail

Preserves contributor, decision, approval, and evidence history.

Explore Audit Trail

Program Governance

Organizes readiness reviews, policy ownership, and regulatory change.

Explore Program Governance

Compare the Difference

Graphic Image

Without Structured Framework Operations

Graphic Image

With ComplianceOne

IconIncidents are handled across chat, email, and documents with no single evidence chain.
IconIncidents follow a governed case process with linked evidence and decisions.
IconAuthority requests lose verification, approval, or response context.
IconAuthority interactions retain ownership, review, response, and completion proof.
IconLocalization and control reviews become static assessments that are not maintained.
IconReadiness reviews connect findings to accountable remediation work.
IconTransition records under the earlier law are difficult to retrieve.
IconHistorical and current framework records remain distinguishable and searchable.
IconDraft sanctions are confused with current legal consequences.
IconDraft enforcement preparation stays separate from enacted obligations.

Built for Cybersecurity Law Compliance Operations

ComplianceOne supports cross-team incident and authority-response work with reviewable evidence from first report through closure.

Transition context, current readiness, and the shared draft enforcement layer remain distinct, reducing the risk of misleading status or penalty claims.

Where the same event also involves personal data, related records can be connected while each framework keeps its own obligations and history.

Background Image

See Vietnam Cybersecurity Law Compliance in Action

Ready to see how ComplianceOne manages cybersecurity obligations operationally? Request a demo tailored to your organization's needs.

Demo Image
Ronni K. Gothard Christiansen

Ronni K. Gothard Christiansen - Technical Privacy Engineer & CEO

Technical Compliance Expert, 25+ Years Open Source Advocate, X-BoD Open Source Matters Inc.

Or contact via

ronni@aesirx.io+84 909500760

People Also Ask

Law 116/2025/QH15 took effect on 1 July 2026, replacing the earlier Law 24/2018 with expanded scope and updated obligations. Organizations should assess scope, ownership, controls, incident processes, and evidence readiness.

No. The enforcement instrument is still a draft. Its provisions and any fine amounts must not be treated as final law until the instrument is promulgated.

The draft contains sanctions chapters that apply across both cybersecurity and personal data protection. A shared page prevents either framework from presenting the draft as exclusive to one area.

No. NQ22 is a temporary procedural overlay affecting certain personal data protection administrative procedures. It is not a sanctions instrument and is kept separate from cybersecurity enforcement content.

The Incident Operations module manages the full incident lifecycle: detection, triage, escalation based on severity classification, authority notification through defined channels, investigation with evidence collection, remediation tracking, and case closure. Evidence chain of custody is maintained throughout, with tamper-evident records of every action.

Yes. The Monitoring Programs module manages all types of authority requests — information requests, system access requests, operational data requests — through a structured workflow with verification, legal review, management approval, response execution, and closure. Every interaction is logged in a centralized disclosure register.

 

Data localization readiness is managed through the Program Governance module with governance workflows that document in-scope determination (based on service type, user count, and data types), localization assessment, compliance status, and ongoing review schedules. Evidence of compliant storage and retention practices is maintained with audit trail coverage.

 

Yes. ComplianceOne supports 7 Vietnam regulatory frameworks within a shared workflow engine. Organizations subject to both the Cybersecurity Law and the PDPL manage all obligations from a single platform. When a cybersecurity incident also involves a personal data breach, both the cybersecurity incident workflow and the PDPL breach notification workflow operate in coordination with consistent evidence production.

 

Next Steps

Icon Image

Start a Compliance Pilot

Test incident, authority-response, and transition-readiness workflows with your team.

Icon Image

Discuss Your Compliance Needs

Talk to our team about cybersecurity compliance operations, multi-framework coverage, and deployment for your organization.