Decree 53/2022/ND-CP is the primary implementing decree for Vietnam's Cybersecurity Law (Law 24/2018/QH14). Issued by the Government of Vietnam and administered by the Ministry of Public Security (MPS), it translates Law 24's cybersecurity obligations into operational requirements: specifying which organizations are in-scope, what data localization means in practice, what technical security conditions organizations must maintain, and how authority cooperation is conducted. Decree 53 is currently in force and governs the operational details of cybersecurity compliance until new implementing instruments are issued under the successor Law 116/2025/QH15 after its July 1, 2026 effective date.
Decree 53 was issued in July 2022, following a period of significant market uncertainty about what Law 24's obligations concretely required. Prior to Decree 53, organizations struggled to operationalize Law 24 because the statute's obligations – data localization, in-scope determination, technical security conditions – were stated at a level of generality that made implementation ambiguous. Decree 53 resolved most of that ambiguity by specifying the categories of "important data" subject to localization, defining the criteria for in-scope determination with greater precision, and establishing the technical security conditions (cybersecurity protection levels) that organizations must achieve based on their risk classification.
For the Cybersecurity and Legal Operations Lead (P-VN-06) and the Internal Audit Lead (P-VN-10), Decree 53 is the primary working reference for cybersecurity compliance implementation. It specifies the exact data categories subject to localization requirements, the service categories and thresholds that trigger in-scope status, and the protection level framework (five protection levels based on risk classification) that determines what technical security measures must be implemented. Compliance with Decree 53's technical requirements requires both implementation evidence (technical configurations, security assessments) and governance evidence (policies, procedures, role assignments) that must be maintained for authority inspection readiness.

The Vietnam Cybersecurity Law 2025 (Law 116/2025/QH15), effective July 1, 2026, is the successor framework that will eventually replace both Law 24/2018 and Decree 53/2022. For the obligations that will apply after that date, see the Vietnam Cybersecurity Law 2025 (Law 116/2025/QH15) compliance page. For the current status of Law 24/2018 and the transition context, see the Vietnam Cybersecurity Law 24/2018 page.
Decree 53 matters within the Law 116 context for two practical reasons. First, Decree 53 is the operational baseline that organizations have built their cybersecurity compliance programs on since 2022. The transition to Law 116 starts from that baseline, and the gap analysis between Decree 53 and Law 116's implementing instruments (once issued) will determine what needs to change. An organization that has not fully implemented Decree 53 compliance by the time Law 116 takes effect will have a harder transition, because it will need to address Decree 53 gaps simultaneously with Law 116 additions.
Second, Decree 53's data localization and in-scope determination frameworks may carry forward into Law 116's implementing instruments with modification, or Law 116's implementing instruments may introduce significant changes. Until those instruments are issued, Decree 53 provides the most specific operational guidance available on these obligations. Organizations should implement Decree 53 fully and document that implementation as the baseline for the Law 116 transition assessment.
Decree 53 specifies the criteria for determining which organizations are subject to the full scope of Law 24's obligations:

| Criterion Category | Specification | Assessment Approach |
|---|---|---|
| Domestic online service providers | Organizations providing services in specified categories to Vietnamese users: telecommunications, internet services, value-added services on mobile networks, e-commerce, online payments, social networking, search engines, electronic mail, online audio/video | Assess service catalog against each specified category |
| Data affecting national interests | Organizations storing or processing data that directly affects national security, social order, public health, or economic rights | Assess data inventory against each impact category with documented rationale |
| Critical information infrastructure | Organizations designated by sector regulators as critical information infrastructure operators | Check applicable sectoral designation status |
| Foreign organization presence | Foreign organizations operating in scope must maintain domestic representative or office and store localized data | Assess organizational structure and data storage locations |

| Data Category | Localization Requirement | Notes |
|---|---|---|
| Important data generated in Vietnam by domestic activities | Must be stored in Vietnam | "Important data" defined by reference to data types affecting national security, social order, public health, or economic interests |
| User data of in-scope service providers | Must be stored in Vietnam | Applies to in-scope domestic and foreign organizations |
| Foreign organization important data | Foreign organizations providing in-scope services must store important data in Vietnam; may also need local representative | Scope depends on in-scope determination outcome |

Decree 53 establishes a five-tier protection level framework for information systems. Organizations must classify their information systems and implement the technical and organizational security measures required for each system's protection level:

| Protection Level | Risk Classification | Required Measures |
|---|---|---|
| Level 1 | Low risk – systems with limited impact if compromised | Basic security controls, periodic review |
| Level 2 | Moderate risk – systems with regional or sector impact if compromised | Enhanced access controls, incident monitoring, annual security review |
| Level 3 | Significant risk – systems with broad national or sector impact | Mandatory MPS notification of protection level, technical audits, incident response plan |
| Level 4 | High risk – systems affecting critical services or national security | MPS engagement for protection level assessment, advanced technical measures, periodic MPS audit |
| Level 5 | Critical risk – national security systems | Direct MPS oversight and approval of security measures |

Note: Level 3 and above require notification to MPS and formal protection level assessment documentation.

| Cooperation Type | Obligation | Timeline |
|---|---|---|
| MPS information requests | Provide requested information about users, systems, or data | Within window specified in MPS request |
| Cybersecurity incident notification | Notify MPS of cybersecurity incidents affecting in-scope systems | Within prescribed window based on incident severity |
| System access for investigation | Facilitate MPS access to systems during cybersecurity investigations | Per MPS request terms |
| Content removal | Remove unlawful content upon MPS order | Within 24 hours of MPS notification (Law 24, Article 16) |
| Technical capability cooperation | Cooperate with MPS to prevent, detect, and respond to cybersecurity incidents on in-scope systems | Ongoing obligation |

ComplianceOne addresses Decree 53's three primary compliance domains – in-scope determination and documentation, data localization governance, and authority cooperation – through integrated compliance workflows.
For in-scope determination, the Program Governance module provides a structured assessment workflow that guides organizations through each of the Decree 53 criteria: service category assessment, data impact classification, critical information infrastructure designation check, and foreign organization structure assessment. Each criterion is documented with supporting evidence – service catalog extracts, data inventory references, sectoral designation records – and the determination outcome is formalized as a governance record. When the in-scope determination changes (due to service expansion, user growth, or data category changes), the platform supports reassessment with change tracking and comparison against the prior determination.
For data localization compliance, the Data Mapping module supports data storage location tracking alongside processing activity documentation. Organizations can tag data processing activities with storage location information, flag activities involving data storage outside Vietnam, and generate localization compliance reports that identify in-scope data categories and confirm their localization status. This living documentation of data localization compliance is the primary evidence artifact for MPS inspection and internal audit.
Authority cooperation under Decree 53 is managed through the Monitoring Programs module, which handles all types of MPS requests – information requests, system access requests, incident notification follow-ups, and content removal orders – through a structured workflow with receipt verification, legal review, management approval, response execution, and closure. Each interaction is logged in a centralized disclosure register that captures the request type, legal basis, scope, approval chain, response, and closure details. This register provides the complete, auditable record of the organization's authority cooperation history under Decree 53.
For vendor and third-party risk under the cybersecurity framework (UC-VN-14), the Vendor Governance module supports security assessment of third parties who process or store in-scope data, ensuring that the localization and security requirements that apply to the organization also flow through to its supply chain.
Program Governance: Provides in-scope determination workflows, protection level classification, and data localization compliance documentation.
Monitoring Programs: Manages all MPS authority cooperation interactions with structured workflows, approval chains, and centralized disclosure logging.
Data Mapping: Tracks data storage locations, in-scope data categories, and localization compliance status across all processing activities.
Vendor Governance: Supports third-party security assessment for vendors handling in-scope data under Decree 53's supply chain obligations.
Audit Trail: Maintains tamper-evident records of in-scope determination actions, localization compliance reviews, and authority cooperation history.

Organizations implementing Decree 53/2022/ND-CP compliance should confirm:

Decree 53 defines important data by reference to the types of information that, if compromised, would affect national security, social order, public health, or economic rights. This includes personal information of Vietnamese users at scale, data relating to critical infrastructure, financial transaction data, health data, and other categories with systemic impact potential. The assessment requires organizations to evaluate their data inventory against these impact categories with documented rationale, because "important data" is not a single exhaustive list – it requires judgment applied to the organization's specific data types and processing activities.
The key practical difference is the MPS notification requirement and audit exposure. Level 2 systems require enhanced internal security controls and annual review, but do not require formal notification to MPS. Level 3 systems require mandatory notification to MPS of the protection level classification, documentation of the technical security measures implemented, and periodic MPS audit rights. Organizations that self-classify their systems and discover a Level 3 or above system that has not been notified to MPS face both a compliance gap and an enforcement risk. ComplianceOne's Program Governance module supports protection level classification with the notification tracking required for Level 3 and above systems.
Yes. Foreign organizations that provide in-scope services to Vietnamese users – including online service providers, e-commerce platforms, and social networks with Vietnamese user bases – are subject to Decree 53's obligations. They must maintain a domestic representative or office and store important data locally. The threshold for "in-scope" is determined by the same criteria applied to domestic organizations. Foreign organizations that have not conducted a formal in-scope determination under Decree 53 criteria have an unquantified compliance gap.
Decree 53 and the PDPL create overlapping obligations for organizations that process personal data and operate in-scope digital services. Personal data of Vietnamese users is likely to qualify as "important data" for Decree 53 localization purposes and is also subject to the PDPL's consent, rights, DPIA, and breach notification requirements. Organizations must manage both frameworks simultaneously. ComplianceOne supports both frameworks within a shared workflow engine, with the Data Mapping module tracking both personal data records (for PDPL) and data storage locations (for Decree 53).
