
Law 24/2018/QH14 (the Vietnam Cybersecurity Law 2018) was enacted on June 12, 2018, and entered into force on January 1, 2019. Administered by the Ministry of Public Security (MPS), it established Vietnam's foundational cybersecurity regulatory framework, covering cybersecurity obligations for organizations operating information systems, online platforms, and digital infrastructure within Vietnam. It was the first comprehensive cybersecurity statute in Vietnam and created the primary obligations for incident response and notification, authority cooperation, data localization, and in-scope determination that have shaped cybersecurity compliance practice in the country.
Law 24 is currently in force. It will be replaced by Law 116/2025/QH15 (the Vietnam Cybersecurity Law 2025), which becomes effective on July 1, 2026. Until that effective date, Law 24 and its implementing instruments – including Decree 13/2022/ND-CP and Circular 24/2023/TT-BTTTT – remain the governing cybersecurity framework. Organizations operating in Vietnam are currently subject to Law 24 obligations and should manage compliance under this framework while simultaneously preparing for the transition to Law 116.
The practical significance of Law 24 during this period extends beyond its technical status as "still in force." Organizations that have been subject to Law 24 since 2019 have built compliance programs, completed in-scope determinations, established incident response procedures, implemented data localization measures, and created authority cooperation protocols under its requirements. Understanding Law 24's specific provisions is necessary to assess the completeness of those programs, to correctly scope evidence retention obligations for the Law 24 compliance period, and to conduct the gap analysis required to transition compliance programs to Law 116 requirements after July 1, 2026.

The Vietnam Cybersecurity Law 2025 (Law 116/2025/QH15) is the successor framework that will replace Law 24/2018 on July 1, 2026. For the obligations that will apply after that date, see the Vietnam Cybersecurity Law 2025 (Law 116/2025/QH15) compliance page.
Law 24 is the predecessor that defines the current baseline. Organizations that have been complying with Law 24 since 2019 have a compliance foundation that Law 116 will build on and expand. The transition from Law 24 to Law 116 involves expanded scope (more organization types and service categories come within Law 116's coverage), updated obligation specifications, and the eventual issuance of new implementing decrees under Law 116 to replace Decree 13/2022 and Circular 24/2023. The degree of continuity versus change between the two laws determines how much of an organization's Law 24 compliance program can be directly transitioned versus rebuilt.
For the Cybersecurity and Legal Operations Lead (P-VN-06) and the Internal Audit Lead (P-VN-10), the transition period creates a dual compliance requirement: maintaining active compliance under Law 24 until July 1, 2026, while simultaneously preparing for Law 116 compliance from that date. This dual-track requirement means that compliance programs must account for both frameworks during the transition window, and that evidence produced during the transition period must be correctly attributed to the applicable framework.

| Obligation | Requirement | Implementing Reference |
|---|---|---|
| In-scope determination | Organizations providing domestic online services, storing or processing data affecting national security, social order, or economic rights must determine their in-scope status | Law 24, Article 26; Decree 13/2022 |
| Data localization | In-scope organizations must store "important data" domestically; foreign organizations must maintain a local representative or office | Law 24, Article 26 |
| Cybersecurity incident notification | Organizations must notify MPS of cybersecurity incidents that affect information systems, with notification to authority through defined channels | Law 24, Article 18 |
| Authority cooperation | Organizations must cooperate with MPS cybersecurity investigations, provide system access when required, and respond to information requests | Law 24, Articles 23, 24 |
| Cybersecurity condition compliance | Organizations operating important information systems must maintain prescribed cybersecurity conditions, conduct periodic security reviews, and submit to MPS audits | Law 24, Articles 22, 23 |
| Content removal | Platforms must respond to MPS requests to remove unlawful content within prescribed windows | Law 24, Article 16 |
| User data provision | In-scope organizations must provide user data to MPS upon request in accordance with legal requirements | Law 24, Article 26 |

In-scope determination is the initial and most foundational compliance obligation under Law 24. Decree 13/2022/ND-CP specifies the criteria:

| Criterion | Threshold | Implication |
|---|---|---|
| Service type | Domestic online services (telecommunications, internet, payment, e-commerce, social networking, search, email, and others) | All major digital service categories are potentially in-scope |
| User count or data volume | Organizations with significant user bases or data volumes affecting national interests | Threshold assessment required; no single published number – assessment based on service and data type |
| Data type | Data affecting national security, social order, public health, or economic rights | Data classification assessment required to identify qualifying data |
| Regulatory designation | Critical information infrastructure operators as designated by sector regulators | Check applicable sector regulatory designation |

| Obligation | Timeline | Reference |
|---|---|---|
| Cybersecurity incident notification to MPS | Within prescribed window based on incident severity | Law 24, Article 18 |
| Response to MPS information requests | Within the window specified in the MPS request | Law 24, Article 23 |
| Content removal upon MPS order | Within 24 hours of MPS notification | Law 24, Article 16 |
| Cybersecurity condition compliance | Ongoing; periodic review required | Decree 13/2022 |

ComplianceOne supports Law 24 compliance through its cybersecurity incident operations, authority cooperation, and program governance capabilities – with evidence continuity features that carry compliance records through the transition to Law 116.
The Incident Response module manages cybersecurity incident case workflows under Law 24's notification requirements. Each case captures the incident discovery timestamp, assessment timeline, notification to MPS, and any authority follow-up, preserving the evidence chain of custody that demonstrates compliance with the notification obligation. For organizations managing dual-framework compliance during the transition period, incident cases can be tagged to the applicable framework (Law 24 or Law 116) based on the incident date and the framework in force at the time, ensuring that historical incident records are correctly attributed.
The Monitoring Programs module handles authority cooperation workflows under Law 24 – MPS information requests, system access requests, and user data provision requests – through a structured workflow with verification, legal review, approval, and disclosure logging. Each authority interaction is captured in the centralized disclosure register with the legal basis, scope, approving authority, and response details. This register serves as the primary evidence of Law 24 authority cooperation compliance and remains accessible for historical inspection readiness after the transition to Law 116.
For in-scope determination and data localization compliance documentation, the Program Governance module supports governance workflows that record the in-scope assessment, the criteria applied (per Decree 13/2022), the determination outcome, and the data localization measures implemented. These records are the foundational evidence of Law 24 compliance posture and are maintained through the transition as part of the organization's compliance archive.
Manages cybersecurity incident notification workflows under Law 24's notification requirements with timestamp-based compliance evidence.
Handles MPS authority cooperation workflows (information requests, system access, user data provision) with centralized disclosure logging.
Documents in-scope determination, data localization compliance, and cybersecurity condition compliance reviews under Decree 13/2022.
Maintains tamper-evident historical records for the full Law 24 compliance period, supporting post-transition inspection readiness.
Organizations managing Law 24/2018 compliance and transition should confirm:

Law 24/2018/QH14 is currently in force and remains the governing cybersecurity framework until July 1, 2026, when Law 116/2025/QH15 (the Vietnam Cybersecurity Law 2025) takes effect. Organizations operating in Vietnam are currently subject to Law 24 obligations and must maintain active compliance under this framework through the transition date.
The most significant risk is gap coverage – either lapsing in active Law 24 compliance during the transition window, or failing to complete the gap analysis and preparation required for Law 116 compliance by the July 1, 2026 effective date. Dual-track compliance management is required. ComplianceOne's Program Governance module supports concurrent framework tracking to manage this dual requirement.
In-scope determination under Decree 13/2022 requires assessment against four primary criteria: service type (whether the organization provides one of the designated domestic online service categories), user count or data volume (whether the scale of operations affects national interests), data type (whether the data processed affects national security, social order, or economic rights), and regulatory designation (whether the organization has been designated as critical information infrastructure). The assessment must be documented with the criteria applied, data gathered, and determination reached.
Law 24 compliance records must be retained per applicable retention schedules even after Law 116 takes effect. Regulators may examine historical compliance conduct under the framework applicable at the time, meaning Law 24 records remain relevant for any inspection covering periods before July 1, 2026. These records should be maintained in accessible form and clearly attributed to the Law 24 compliance period.

