DPO Radio

This is a draft general implementing decree under Cybersecurity Law 116/2025/QH15, published as Ministry of Public Security consultation material. It is not final law. Its provisions, and any timelines or penalties associated with it, must not be treated as enacted until a promulgated instrument is verified.
The active parent law is Law 116/2025/QH15, effective 1 July 2026. Decision 437/QĐ-TTg is the official implementation roadmap confirming that subordinate instruments — including this decree — are planned. ComplianceOne tracks the draft as a preparatory readiness item, not an obligation in force.

The Cybersecurity Law remains the active parent framework and the source of primary obligations. This draft decree would supply implementing detail. Until it is promulgated, it stays in a separate readiness track alongside the other draft and planned child instruments.
Decree 163/2024/NĐ-CP is not part of this stack, it belongs under the Telecommunications Law and is cross-linked only where telecom, cloud, data-center, OTT, platform, or infrastructure obligations overlap with cybersecurity compliance.
No official forms, deadlines, submission channels, or fine amounts are seeded for this draft.
| Area | Readiness ComplianceOne Supports | Evidence to Maintain |
|---|---|---|
| Cybersecurity responsibility | Assign and document protection responsibilities across organizations and service providers | Ownership records, responsibility matrix |
| System and service inventory | Maintain an inventory relevant to protection obligations | Inventory records, scope decisions |
| Network information security | Prepare network and data-security lifecycle controls | Control evidence, review findings |
| Authority interactions | Capture request/response evidence and corrective actions | Request records, response proof, audit trail |
Only areas clearly described in the consultation source are tracked, and all are treated as draft:
No official forms, deadlines, submission channels, or fine amounts are seeded for this draft.

ComplianceOne keeps draft preparation separate from enacted obligations. Teams can assess whether current ownership, inventory, controls, and authority-response evidence would support the draft's expected themes without presenting draft provisions as final law.
When a promulgated decree is verified, the readiness track can be converted into governed obligations, official forms, and deadlines, with a scheduled review already anchored to the law's 1 July 2026 effective date.
See how ComplianceOne separates draft preparation from enacted cybersecurity obligations.

No. It is a draft published as consultation material under the Cybersecurity Law. Its provisions and any penalties must not be treated as final until the instrument is promulgated.
No. No official forms, deadlines, or fine amounts are presented for this draft. Those are added only when a verified promulgated instrument is available.
No. Decree 163/2024/NĐ-CP belongs under the Telecommunications Law and is only cross-linked where telecom or infrastructure obligations overlap with cybersecurity compliance.