Việt Nam will “focus on building a firewall.” This was among the notable statements made by Public Security Minister Lương Tam Quang on Feb. 7, following the closing session of the Communist Party’s 14th Congress. [1]
While international observers have long regarded Việt Nam as maintaining strict Internet censorship, the explicit goal of constructing a “national firewall” is relatively new. Senior Communist Party and state officials had never previously used the term publicly prior to the minister’s recent remarks.
Now, newly enacted laws and several recent draft legal documents offer some indication of how such a firewall system could operate.
On the Proposed Firewall
On Dec. 10, 2025, the 15th National Assembly of Việt Nam adopted a new cybersecurity law, which will take effect on July 1, 2026. Drafted under the lead authority of the police, the Ministry of Public Security (MPS), this legislation consolidates the 2018 Cybersecurity Law and the 2015 Law on Information Security. [2]
This new framework introduces several additions to the Internet control measures of the country, most notably the plan to build a national firewall. Point d, Clause 2, Article 10 of the 2025 Cybersecurity Law explicitly states that authorities will “study the development of a national firewall system.” [3] This marks the first appearance of such language in a Vietnamese legal document.
The term “firewall” surfaced again roughly two months later when the MPS released another draft text for public comment, titled “Draft National Standard: Cybersecurity—Firewall—Basic Technical Requirements.” [4]
In the draft, the MPS describes the firewall as a network of mandatory monitoring and filtering functions applied to Internet activities. Under the proposal, a compliant firewall device must filter traffic, conduct deep packet inspection (DPI), and allow the full extraction of data streams passing through the monitoring system of the ministry.
Notably, the technical design requires the firewall to include SSL/TLS inspection capabilities. This means the system would be able to decrypt encrypted data to read user content before re-encrypting and transmitting it onward.
SSL/TLS are encryption protocols that secure data transmitted between a user’s device and a website’s server, typically indicated by a web address beginning with “https” rather than “http.” [5]
Beyond data interception, the system would be required to link user identities to establish individualized control policies. This includes incorporating web-filtering functions based on blacklists capable of holding at least 100,000 domain names.
The draft defines these blacklists as compilations of IP addresses, domain names, and URL resource identifiers restricted under information security policies, with the stated aim of blocking online activities or data flows deemed “undesirable.”
Additionally, the cybersecurity system requires each network device to log all user connection sessions, recording the time, source address, destination address, protocol, matched signature, and enforcement action taken. Online behavior would then be analyzed and categorized into “risk levels.”
Based on these risk scores, the firewall would automatically apply control policies and issue alerts to cybersecurity authorities when thresholds are exceeded. Finally, the Cybersecurity Law grants the police oversight of IP address identification for every internet user.
Notably, the cybersecurity system would require each network device to log all user connection sessions. The required logs must include the time, source address, destination address, protocol, matched signature, and enforcement action taken.
Telecom Data Access Mandates
During the nationwide Lunar New Year holiday, the police quietly sought public comment on a new draft decree guiding the implementation of the Cybersecurity Law.
Intended to replace the current Decree 53/2022/ND-CP, the document converts existing legal provisions into detailed regulations, most notably regarding the mandatory identification of user IP addresses. [6] [7]
Under the proposal, telecommunications and internet service providers must establish systems to continuously record and store IP identification data linked directly to subscriber profiles. This data must be kept in full for a minimum of 12 months and is divided into two primary categories: basic user identification and system log data.
Basic user information encompasses the full name, organizational details, citizen identification number, subscriber name or code, registered installation address, and physical device location.
Meanwhile, system log data must capture source and destination IP addresses, connection ports, synchronized session start and end times, gateway and session IDs, alongside complete network address translation (NAT) mapping information.
The core mandate of the draft dictates that these providers must implement technical systems capable of feeding this IP identification data directly to the cybersecurity force of the MPS.
Specialized Cybersecurity Force
To effectively manage and monitor user data, the recent MPS draft decree outlines plans to continue expanding the specialized cybersecurity force already established under the Cybersecurity Law.
Members of this unit will be responsible for monitoring, extracting intelligence, and controlling online content in compliance with national security protection requirements. Furthermore, they will be granted the authority to oversee and supervise the national cyberspace system, the information systems of political agencies, and other assigned information systems.
Despite these broad mandates, the police have noted that Việt Nam currently faces a severe shortage of roughly 700,000 cybersecurity personnel. To address this gap, the government has spent recent years organizing multiple competitions and recruitment drives, offering various incentives to attract cybersecurity talent from both home and abroad. [8]
User Data Centrally Stored in Việt Nam
Data localization is a cornerstone of this framework. All described user data must be housed entirely within Việt Nam at the National Data Center, a facility operated by the MPS. [9] This is mandated under both the Cybersecurity Law and Decree 53/2022/ND-CP.
Companies are also required to surrender user service information to the specialized cybersecurity force within 24 hours of a police request. For “emergency cases,” this window narrows to just three hours, ensuring nearly real-time access for investigation and verification purposes.
***
The MPS has spearheaded several additional legal frameworks that provide the essential foundation for the national cybersecurity system. While some of these statutes have already been passed by the National Assembly, others are still in the public consultation stage, reflecting an accelerated legislative agenda. These include:
- The Draft Decree on inspection and assessment of technical security equipment [13];
- The Law on Personal Data Protection (effective Jan. 1, 2026) [10];
- The Draft Resolution on the development of digital citizenship [11], and
- The Draft Decree outlining measures to prevent and combat violations involving fake or false information [12].
Sùng Chính wrote this article and published it in Luật Khoa Magazine on Feb. 28, 2026. The Vietnamese Magazine owns the copyrights to its English translation.
1. Trường Tộ. (2026, February 9). Bộ Công an: Bảo vệ sự lãnh đạo và cầm quyền của đảng là mục tiêu an ninh “trọng yếu.” Luật Khoa Tạp Chí. https://luatkhoa.com/2026/02/bo-cong-an-bao-ve-su-lanh-dao-va-cam-quyen-cua-dang-la-muc-tieu-an-ninh-trong-yeu/
2. Baochinhphu.vn. (2025, December 10). Quốc hội thông qua Luật An ninh mạng (sửa đổi): Tăng cường bảo vệ không gian mạng và nhóm yếu thế. Baochinhphu.vn. https://baochinhphu.vn/quoc-hoi-thong-qua-luat-an-ninh-mang-sua-doi-tang-cuong-bao-ve-khong-gian-mang-va-nhom-yeu-the-102251210125412744.htm
3. Thuvienphapluat.vn. (2026, February 3). Cybersecurity Law 2025. THƯ VIỆN PHÁP LUẬT; thuvienphapluat.vn. https://thuvienphapluat.vn/van-ban/Cong-nghe-thong-tin/Luat-An-ninh-mang-2025-so-116-2025-QH15-666020.aspx
4. Ngân, M. (2025). Lấy ý kiến dự thảo Tiêu chuẩn quốc gia: An ninh mạng – Tường lửa – Yêu cầu kỹ thuật cơ bản. Mps.gov.vn; Bộ Công an. https://mps.gov.vn/chinh-sach-phap-luat/bai-viet/lay-y-kien-du-thao-tieu-chuan-quoc-gia-an-ninh-mang-tuong-lua-1761122538
5. Why is HTTP not secure? | HTTP vs. HTTPS. (2019). Cloudflare.com. https://www.cloudflare.com/learning/ssl/why-is-http-not-secure/
6. Draft Dossier on the Decree Detailing Several Provisions of the Cybersecurity Law. (2026). Bocongan.gov.vn. https://bocongan.gov.vn/chinh-sach-phap-luat/lay-y-kien-du-thao/ho-so-du-thao-nghi-dinh-quy-dinh-chi-tiet-mot-so-dieu-cua-luat-an-ninh-mang-1770972031?type=het-han-lay-y-kien
7. Decree 53/2022/NĐ-CP the newest instructions on how to implement the Cybersecurity Law. (n.d.). Thuvienphapluat.vn. https://thuvienphapluat.vn/van-ban/Cong-nghe-thong-tin/Nghi-dinh-53-2022-ND-CP-huong-dan-Luat-An-ninh-mang-398695.aspx
8. Sơn, M. (2025, June 19). NCA công bố Cuộc thi An ninh mạng Sinh viên toàn quốc năm 2025. Vietnam+ (VietnamPlus). https://www.vietnamplus.vn/nca-cong-bo-cuoc-thi-an-ninh-mang-sinh-vien-toan-quoc-nam-2025-post1045208.vnp
9. Trường Tộ. (2025, December 29). Zalo ra tối hậu thư, người dùng lo ngại bị lộ dữ liệu riêng tư. Luật Khoa Tạp Chí. https://luatkhoa.com/2025/12/zalo-ra-toi-hau-thu-nguoi-dung-lo-ngai-bi-lo-du-lieu-rieng-tu/
10. Ngân, M. (2026). Từ hôm nay, Luật Bảo vệ dữ liệu cá nhân chính thức có hiệu lực thi hành. Bocongan.gov.vn; Bộ Công an. https://bocongan.gov.vn/chinh-sach-phap-luat/bai-viet/luat-bao-ve-du-lieu-ca-nhan-chinh-thuc-co-hieu-luc-thi-hanh-tu-ngay-01-01-2026-1767186124
11. Dự thảo Nghị quyết về phát triển công dân số. (2025). Bocongan.gov.vn. https://bocongan.gov.vn/chinh-sach-phap-luat/lay-y-kien-du-thao/du-thao-nghi-quyet-ve-phat-trien-cong-dan-so-1765510047?type=dang-lay-y-kien
12. Ngân, M. (2026). Dự thảo Nghị định quy định về kiểm định và kiểm tra an ninh thiết bị kỹ thuật. Bocongan.gov.vn; Bộ Công an. https://bocongan.gov.vn/chinh-sach-phap-luat/bai-viet/tao-co-so-phap-ly-nham-loai-bo-cac-nguy-co-pha-hoai-khung-bo-tu-thiet-bi-ky-thuat-1770982677
13. Ngân, M. (2026). Dự thảo Nghị định quy định về kiểm định và kiểm tra an ninh thiết bị kỹ thuật. Bocongan.gov.vn; Bộ Công an. https://bocongan.gov.vn/chinh-sach-phap-luat/bai-viet/tao-co-so-phap-ly-nham-loai-bo-cac-nguy-co-pha-hoai-khung-bo-tu-thiet-bi-ky-thuat-1770982677
