DPO Radio

This is a draft decree on cybersecurity protection for information systems, published as a Ministry of Public Security consultation dossier (public consultation window 16–26 March 2026). It is not final law and its provisions must not be treated as enacted until a promulgated instrument is verified.
For enterprise cybersecurity readiness, this is the priority child instrument under the Cybersecurity Law, because it directly affects how organizations govern and evidence the protection of their information systems. The active parent law is Law 116/2025/QH15, effective 1 July 2026.

The Cybersecurity Law remains the active parent framework. This draft decree would detail information-system protection obligations. ComplianceOne tracks it as a preparatory readiness item in a separate track from enacted obligations and from the shared draft enforcement overlay.
Only areas supported by the consultation source are tracked, and all are treated as draft:
| Area | Readiness ComplianceOne Supports | Evidence to Maintain |
|---|---|---|
| System owner responsibilities | Define and evidence information-system owner cybersecurity duties | Owner responsibility matrix |
| Classification / cybersecurity level | Prepare system classification and level-assessment evidence | Classification records, assessments |
| Protection controls | Prepare technical and organizational protection measures | Control evidence, condition checklists |
| Monitoring and incident readiness | Maintain monitoring, logging, and incident-readiness evidence | Monitoring records, incident readiness |
| Authority coordination | Capture request/response evidence and corrective actions | Authority records, remediation tracker |

ComplianceOne prepares internal template candidates, system inventory, owner responsibility matrix, classification/level assessment, condition-evidence checklist, monitoring and logging evidence, incident readiness, authority request/response capture, and corrective-action tracking, as internal readiness artifacts. None are presented as official government forms.
When a promulgated decree is verified, these readiness artifacts can be mapped to official obligations and forms, with a scheduled review anchored to the law's 1 July 2026 effective date.
See how ComplianceOne prepares system ownership, classification, and monitoring evidence without treating draft provisions as final law.

No. It is a draft decree published for consultation under the Cybersecurity Law. It is not yet in force and should not be treated as final until it is officially promulgated.
Because it directly affects enterprise cybersecurity governance and evidence readiness for information systems, making it the most operationally significant of the Cybersecurity Law's draft child instruments.
No. Only internal template candidates are prepared, and they remain internal-only. No official form IDs are seeded until an official draft or final decree is verified.

Test information-system ownership, classification, and monitoring-evidence readiness with your team.

Review your readiness for the Cybersecurity Law's information-system protection expectations.