DPO Radio

Measure Value, Not Just Traffic Explore new features in AesirX Analytics

AesirX ComplianceOne | Draft Cybersecurity Implementing Decree 2026

Overview Image

Draft Cybersecurity Decree: Scope and Current Status

This is a draft general implementing decree under Cybersecurity Law 116/2025/QH15, published as Ministry of Public Security consultation material. It is not final law. Its provisions, and any timelines or penalties associated with it, must not be treated as enacted until a promulgated instrument is verified.

The active parent law is Law 116/2025/QH15, effective 1 July 2026. Decision 437/QĐ-TTg is the official implementation roadmap confirming that subordinate instruments — including this decree — are planned. ComplianceOne tracks the draft as a preparatory readiness item, not an obligation in force.

Overview Image

How This Draft Relates to the Cybersecurity Law

The Cybersecurity Law remains the active parent framework and the source of primary obligations. This draft decree would supply implementing detail. Until it is promulgated, it stays in a separate readiness track alongside the other draft and planned child instruments.

Decree 163/2024/NĐ-CP is not part of this stack, it belongs under the Telecommunications Law and is cross-linked only where telecom, cloud, data-center, OTT, platform, or infrastructure obligations overlap with cybersecurity compliance.

Explore the Vietnam Cybersecurity Law

Draft Scope to Prepare For

No official forms, deadlines, submission channels, or fine amounts are seeded for this draft.

AreaReadiness ComplianceOne SupportsEvidence to Maintain
Cybersecurity responsibilityAssign and document protection responsibilities across organizations and service providersOwnership records, responsibility matrix
System and service inventoryMaintain an inventory relevant to protection obligationsInventory records, scope decisions
Network information securityPrepare network and data-security lifecycle controlsControl evidence, review findings
Authority interactionsCapture request/response evidence and corrective actionsRequest records, response proof, audit trail

Only areas clearly described in the consultation source are tracked, and all are treated as draft:

No official forms, deadlines, submission channels, or fine amounts are seeded for this draft.

Overview Image

How ComplianceOne Supports Draft Readiness

ComplianceOne keeps draft preparation separate from enacted obligations. Teams can assess whether current ownership, inventory, controls, and authority-response evidence would support the draft's expected themes without presenting draft provisions as final law.

When a promulgated decree is verified, the readiness track can be converted into governed obligations, official forms, and deadlines, with a scheduled review already anchored to the law's 1 July 2026 effective date.

Background Image

See Draft Cybersecurity Readiness in Action

See how ComplianceOne separates draft preparation from enacted cybersecurity obligations.

Demo Image
Ronni K. Gothard Christiansen

Ronni K. Gothard Christiansen - Technical Privacy Engineer & CEO

Technical Compliance Expert, 32+ Years Open Source Advocate, X-BoD Open Source Matters Inc.

Or contact via

ronni@aesirx.io+84 909 500 760

Frequently Asked Questions

No. It is a draft published as consultation material under the Cybersecurity Law. Its provisions and any penalties must not be treated as final until the instrument is promulgated.

No. No official forms, deadlines, or fine amounts are presented for this draft. Those are added only when a verified promulgated instrument is available.

No. Decree 163/2024/NĐ-CP belongs under the Telecommunications Law and is only cross-linked where telecom or infrastructure obligations overlap with cybersecurity compliance.