In the context of rapid digital transformation, cybersecurity has become a critical factor for every organization. Targeted cyberattacks, malware campaigns, data breaches, and supply-chain attacks are increasing in both scale and sophistication. This underscores the urgent need for a robust legal framework to safeguard national digital sovereignty, protect corporate digital assets, and ensure the privacy of citizens’ personal data.
The Draft Cybersecurity Law 2025, built on the consolidation of the Law on Network Information Security (2015) and the Cybersecurity Law (2018), is drawing strong attention from businesses, experts, and regulatory agencies. This is not merely a “combination” of two laws; it represents a comprehensive restructuring effort to resolve overlaps, enhance consistency, streamline governance, and adapt the legal system to the realities of the digital era.
Draft Cybersecurity Law 2025: Key Points Enterprises Must Understand
The draft law is expected to serve as a new “digital shield,” strengthening Vietnam’s national cybersecurity posture while providing a stable legal foundation for businesses to grow sustainably in the digital environment.
1. Unifying two laws to ensure consistency and clarity in governance
For years, the coexistence of the 2015 and 2018 laws has led to overlaps in scope, definitions, and state management responsibilities. The new draft law unifies these frameworks by adopting “cybersecurity” as the central term and assigning a single authority to oversee state management.
This reduces duplication, optimizes resources, and enables smoother coordination among ministries and agencies.
This is a significant reform that helps businesses better understand regulations and avoid confusion caused by fragmented legal documents.
2. New regulations: data security, IP address identification, and technical standards
The Draft Cybersecurity Law 2025 introduces several new regulations reflecting emerging challenges:
-
Mandatory IP address identification for network service providers
-
Stronger requirements for data security, personal data, and sensitive data protection
-
Mandatory certifications for key personnel managing critical information systems
-
Inclusion of cybersecurity budgets within organizations’ total IT investment
-
Encouragement to adopt Vietnam-developed cybersecurity products and solutions
These additions help fill legal gaps and align Vietnam’s cybersecurity framework with international trends such as the EU’s GDPR.
3. Strengthening technological self-reliance: Reducing dependence on foreign solutions
One of the draft’s most notable objectives is to reduce the heavy reliance on foreign cybersecurity technologies. Key principles include:
-
Allocating at least 10% of IT spending to cybersecurity
-
Ensuring at least one “domestic defense layer” in critical systems
-
Developing clear technical standards to distinguish local vs. foreign product quality
-
Creating opportunities for Vietnamese cybersecurity companies to innovate rather than merely implement foreign technologies
4. Streamlined regulations to reduce compliance burden
The draft law is designed to minimize unnecessary complexity:
-
No new governmental bodies created
-
No additional administrative procedures
-
No overlapping responsibilities across agencies
-
Only matters under the jurisdiction of the National Assembly are regulated
This approach helps businesses avoid dealing with excessive and repetitive legal requirements.
5. Strengthening the legal foundation for protecting critical infrastructure
The draft also emphasizes:
-
Stronger protection of national critical information infrastructure
-
Mechanisms for inter-agency coordination in incident response
-
Guaranteed investment for monitoring and operating critical systems
What Should Enterprises Do to Prepare for the Cybersecurity Law 2025?
Although the draft law is still being refined, organizations – especially those operating large-scale or critical information systems – should prepare early to avoid legal risks and ensure operational continuity.
1. Review and assess the current cybersecurity posture
Enterprises should evaluate their systems, processes, and compliance levels to identify gaps that need to be addressed under the new law.
2. Plan and allocate cybersecurity budgets
Prepare clear budget allocation frameworks that meet the expected investment requirements for cybersecurity.
3. Standardize personnel and operational capabilities
Review certification requirements and strengthen internal cybersecurity capabilities through training and structured processes.
4. Prioritize local cybersecurity solutions
Implement or maintain a domestic defense layer to align with national policy directions promoting technological self-reliance.
5. Enhance monitoring and incident response capabilities
Enterprises must strengthen continuous monitoring, detection, and response capabilities to ensure stable and secure operations when the law takes effect.
Cybersecurity Solutions from VNCS Global: Helping Enterprises Build a Compliant and Resilient Security Posture
As the Draft Cybersecurity Law 2025 introduces stricter requirements for data protection, critical system operations, and continuous monitoring, VNCS Global provides a comprehensive ecosystem of Make-in-Vietnam solutions built to international standards, enabling enterprises to achieve compliance efficiently and sustainably.
With over five years of experience, VNCS Global’s team of highly-skilled cybersecurity experts holds prestigious certifications and has delivered projects for major banks, government agencies, industrial corporations, and FDI organizations. Our solutions and services also meet key domestic and international standards such as CREST, ISO 9001, ISO 27001, ISO 20000, ensuring transparency, safety, and seamless integration with modern security architectures.
The Cybersecurity Law 2025 marks a critical milestone in strengthening Vietnam’s legal foundation for protecting national digital sovereignty. With major changes – from legal unification and technological self-reliance to new requirements on budgets, data protection, and personnel – enterprises must act now to stay ahead of regulatory changes.
