The Ministry of Public Security (MPS) recently concluded a public consultation period for a draft decree detailing provisions of the Cybersecurity Law. The document was available on the government’s online portal from Feb. 13 to 22, 2026, intentionally or unintentionally coinciding with the nationwide Lunar New Year holiday. [1]
Designed to guide the implementation of the amended 2025 Cybersecurity Law and replace Decree 53/2022/NĐ-CP, the draft proposes significant new provisions regarding the management, monitoring, and handling of information in cyberspace.
While the 2025 legislation established broad principles—such as IP identification, consolidated state management, new prohibited acts, and corporate cooperation requirements—this new draft decree provides the detailed regulatory mechanisms to enforce them.
Consequently, the draft expands the authority of specialized cybersecurity forces and the MPS over both domestic and foreign entities. It introduces specific management measures, including mandatory user account verification, restrictions on posting rights for unverified users, strict deadlines for data provision, and mechanisms to lock accounts, suspend systems, or revoke domain names when violations occur.
Furthermore, it tightens cross-border data management by requiring national security assessments before data can be transferred abroad and mandating a legal presence for foreign service providers.
These clauses have the potential to infringe upon privacy and data security. By institutionalizing such expansive powers—ranging from enhanced surveillance and data collection to the removal of information and system suspension—the risks of abused authority, restricted freedom of expression, and violated privacy rights have become more apparent than ever.
Control Over Online Accounts and Content Both Domestically and Abroad
Article 25 of the draft decree emphasizes mandatory user account verification across all online services. Users must verify their identity during registration using a domestic phone number or a personal identification number, a requirement that also strictly applies to commercial livestreaming accounts. Only verified accounts will have the ability to post, share information, and utilize other interactive features.
To facilitate verification, investigation, or the handling of legal violations, the police may request user information. Providers must supply this data within a maximum of 24 hours, a deadline that shrinks to just three hours in urgent cases involving national security or human life.
Furthermore, Article 25 outlines strict measures for blocking and handling non-compliant information, services, and applications. Violating content faces restriction, removal, or takedown within a maximum of 24 hours, or six hours during urgent situations.
The draft also establishes specific thresholds for penalizing accounts, pages, and community groups. Visibility limitations and temporary locks ranging from 60 to 180 days will be enforced if entities accumulate three violations within 30 days or up to ten violations within 90 days.
Accounts may also face permanent bans if they publish content infringing on national security, repeatedly offend following a temporary suspension, or become subject to administrative penalties, criminal charges, or court judgments.
Finally, upon request from specialized authorities, services may be suspended or terminated for any organization or individual publishing information prohibited by the Cybersecurity Law.
Freedom of Expression in Cyberspace Continues to be Tightened
Under Article 20 of the draft decree, the police have the authority to mandate the removal of online information if the content is deemed to “infringe upon national security, propagate against the State, incite riots, disrupt security, or cause public disorder.”
Furthermore, the regulation retains provisions targeting information considered defamatory, fabricated, false, or capable of causing public panic, infringing upon economic management order, or causing serious harm to socio-economic activities.
The draft explicitly grants the Department of Cybersecurity and High-Tech Crime Prevention, an agency under the MPS, the power to decide when unlawful or false information must be removed.
It provides significant leverage to police and specialized forces over content removal, even for material that is not classified as a state secret but is subjectively deemed to cause “serious harm” or to be “fabricated or false.”
This subjectivity creates a clear risk of abused authority, as the criteria for “serious harm” or “false information” remain open to interpretation. These kinds of broad powers could seriously limit freedom of speech and the right to obtain information. The police have already used these powers informally, but this decree would make them official.
Finally, the provision places heavy compliance burdens on businesses and information system administrators. They must adhere to removal requests, effectively forcing them to pre-assess whether content meets the required “standards” before publication, despite those standards being entirely determined by the MPS.
Continued Control Over Foreign Enterprise Data
Under Article 28, any business or organization providing cyberspace services in Việt Nam is required to store critical categories of data domestically. This mandate covers personal user data, user-generated information (such as account names, access times, credit card details, IP addresses, and registered phone numbers), and relational data, including friends, connection groups, or interactions. Naturally, domestic companies must store this data within Việt Nam.
Foreign companies operating in sectors like telecommunications, social networks, e-commerce, online payments, electronic games, online applications, or other digital information services face additional requirements. If they use their platforms for activities that breach cybersecurity laws, they will have to set up branches or representative offices in Vietnam.
Furthermore, Article 35 of the draft decree authorizes the MPS to evaluate national security factors concerning core and important data before businesses can transfer it abroad.
In urgent scenarios threatening national security, public order, and social safety, or upon the detection of serious data security violations, the police may suspend or temporarily halt cross-border data transfers. This provision significantly strengthens the agency’s overall control over corporate data and the international transfer of information.
Universal System Monitoring
Under Articles 14 and 15 of the draft decree, cybersecurity inspection and monitoring measures will apply to all information systems, regardless of whether they are ordinary networks or critical to national security.
Specifically, Article 14 allows the police to thoroughly check “important” information systems, giving them the power to directly intervene in infrastructure and data to stop, find, and manage cybersecurity risks.
Article 15, on the other hand, deals with non-critical systems. It says that administrators must quickly report violations or serious incidents and fully cooperate in providing information.
While these provisions are ostensibly intended to bolster cybersecurity, concentrating such expansive supervisory authority within specialized forces—without any independent oversight mechanisms—creates a clear risk of abused power.
Ultimately, this lack of checks and balances could negatively impact privacy, data security, and the legitimate interests of individuals, businesses, and organizations.
Expanding Data Collection and Suspension Powers
The draft decree dramatically expands the authority of security agencies to control activities in cyberspace.
Specifically, Article 21 allows the police and related forces to gather electronic data for investigations and to deal with actions that are considered threats to national security, public order, social safety, or the legal rights of people and organizations. This provision explicitly allows the police to collect data without the consent of the information owner.
Article 22 simultaneously grants authorities the sweeping power to temporarily or permanently suspend information systems. They may also mandate complete system shutdowns and revoke domain names if there are grounds to believe a network violates national security or cybersecurity laws or is utilized to undermine public order.
These heavy responsibilities extend to providers of cross-border services. Legally, Vietnamese organizations and enterprises must collaborate in addressing cases where foreign entities breach Vietnamese law.
Thạch Hãn wrote this article in Vietnamese and published it in Luật Khoa Magazine on March 12, 2026. Đàm Vĩnh Hằng translated it into English for The Vietnamese Magazine.
1. Hồ sơ dự thảo Nghị định quy định chi tiết một số điều của Luật An ninh mạng. (Dossier on the draft decree detailing the implementation of several provisions of the Cybersecurity Law) (n.d.). https://bocongan.gov.vn/chinh-sach-phap-luat/lay-y-kien-du-thao/ho-so-du-thao-nghi-dinh-quy-dinh-chi-tiet-mot-so-dieu-cua-luat-an-ninh-mang-1770972031?type=dang-lay-y-kien
