DPO Radio

Measure Value, Not Just Traffic Explore new features in AesirX Analytics

AesirX ComplianceOne | Draft Info Systems Protection Decree

Overview Image

Draft Cybersecurity Decree: Scope and Current Status

This is a draft decree on cybersecurity protection for information systems, published as a Ministry of Public Security consultation dossier (public consultation window 16–26 March 2026). It is not final law and its provisions must not be treated as enacted until a promulgated instrument is verified.

For enterprise cybersecurity readiness, this is the priority child instrument under the Cybersecurity Law, because it directly affects how organizations govern and evidence the protection of their information systems. The active parent law is Law 116/2025/QH15, effective 1 July 2026.

Overview Image

How This Draft Relates to the Cybersecurity Law

The Cybersecurity Law remains the active parent framework. This draft decree would detail information-system protection obligations. ComplianceOne tracks it as a preparatory readiness item in a separate track from enacted obligations and from the shared draft enforcement overlay.

Explore the Vietnam Cybersecurity Law

Draft Scope to Prepare For

Only areas supported by the consultation source are tracked, and all are treated as draft:

AreaReadiness ComplianceOne SupportsEvidence to Maintain
System owner responsibilitiesDefine and evidence information-system owner cybersecurity dutiesOwner responsibility matrix
Classification / cybersecurity levelPrepare system classification and level-assessment evidenceClassification records, assessments
Protection controlsPrepare technical and organizational protection measuresControl evidence, condition checklists
Monitoring and incident readinessMaintain monitoring, logging, and incident-readiness evidenceMonitoring records, incident readiness
Authority coordinationCapture request/response evidence and corrective actionsAuthority records, remediation tracker
Overview Image

How ComplianceOne Supports Draft Readiness

ComplianceOne prepares internal template candidates, system inventory, owner responsibility matrix, classification/level assessment, condition-evidence checklist, monitoring and logging evidence, incident readiness, authority request/response capture, and corrective-action tracking, as internal readiness artifacts. None are presented as official government forms.

When a promulgated decree is verified, these readiness artifacts can be mapped to official obligations and forms, with a scheduled review anchored to the law's 1 July 2026 effective date.

Background Image

See Draft Information-System Protection Readiness in Action

See how ComplianceOne prepares system ownership, classification, and monitoring evidence without treating draft provisions as final law.

Demo Image
Ronni K. Gothard Christiansen

Ronni K. Gothard Christiansen - Technical Privacy Engineer & CEO

Technical Compliance Expert, 32+ Years Open Source Advocate, X-BoD Open Source Matters Inc.

Or contact via

ronni@aesirx.io+84 909 500 760

Frequently Asked Questions

No. It is a draft decree published for consultation under the Cybersecurity Law. It is not yet in force and should not be treated as final until it is officially promulgated.

Because it directly affects enterprise cybersecurity governance and evidence readiness for information systems, making it the most operationally significant of the Cybersecurity Law's draft child instruments.

No. Only internal template candidates are prepared, and they remain internal-only. No official form IDs are seeded until an official draft or final decree is verified.

Next Steps

Icon Image

Start a Compliance Pilot

Test information-system ownership, classification, and monitoring-evidence readiness with your team.

Icon Image

Discuss Your Compliance Needs

Review your readiness for the Cybersecurity Law's information-system protection expectations.