Data Strategy Briefing — August 15, 2022
Vietnam’s Decree 53/2022/ND-CP, issued 15 August 2022 to implement the Cybersecurity Law, mandates local storage of key user data and representative offices for specified digital services while detailing investigative support and incident response duties.
Executive briefing: Vietnam promulgated Decree No. 53/2022/ND-CP on 15 August 2022 to implement the 2018 Law on Cybersecurity, imposing data localisation and local establishment obligations on domestic and foreign digital service providers that collect, exploit, analyse, or process data about Vietnamese users.[1] The decree, effective 1 October 2022, requires covered entities to store specified categories of data (personal data, data generated by users, and data on users’ relationships) on servers located in Vietnam for at least 24 months and maintain copies for the entire service duration.[1] Foreign enterprises offering services such as telecommunications, data storage/sharing, e-commerce, online marketplaces, social networks, online gaming, messaging, voice/video calls, email, search, and payment intermediaries must establish a branch or representative office in Vietnam when formally requested by the Ministry of Public Security (MPS).[2]
Decree 53 clarifies the scope of Article 26 of the Cybersecurity Law and empowers the MPS’s Department of Cybersecurity and High-Tech Crime Prevention (A05) to issue data localisation requirements through written notices. The decree also outlines procedures for suspending or revoking information systems that violate cybersecurity laws, mandates cooperation with Vietnamese authorities during investigations, and codifies incident response, logging, and reporting duties.[1] Companies serving Vietnamese users must reassess cross-border data strategies, vendor contracts, and operational resilience to ensure compliance.
Entities and data covered
Article 26 applies to both domestic enterprises and offshore service providers with business activities in Vietnam. Foreign providers become subject to data localisation and establishment obligations when (1) they provide regulated services to Vietnamese users, (2) they collect, analyse, or process user data, and (3) they fail to comply with requests to take down illegal content, provide user data for investigations, or prevent cybersecurity violations.[1] Once the MPS issues a written request, the provider must store data and establish a local presence within 12 months. Data localisation applies to three categories: personal data (including names, birth dates, contact details, identification numbers), data generated by users during service usage (account information, credit card numbers, IP addresses, search histories), and data about user relationships (friends, groups, interactions).[1]
Domestic enterprises that already have servers in Vietnam must maintain copies of the same data categories for the specified retention periods. Companies should map data flows to identify whether information leaves Vietnam, ensure localisation controls are in place, and implement segregation for localised datasets. Because the definition of “services providing data storage and sharing in cyberspace” is broad, cloud service providers, content delivery networks, and SaaS platforms should assess exposure. Decree 53 allows the government to expand the service list based on national security needs, so ongoing monitoring is essential.
Local presence and notification obligations
Foreign providers subject to Article 26 must establish a branch or representative office in Vietnam to coordinate with authorities.[1] The establishment must occur within 12 months of receiving an MPS request, and the enterprise must notify the MPS of representative details, contact information, storage locations, and compliance plans. If the provider already has a legal presence, it must update registration information to reflect cybersecurity compliance responsibilities. The representative office must maintain liaison with the MPS, ensure prompt responses to data access requests, and coordinate incident handling.
Enterprises must submit written notices to the MPS detailing (1) stored data categories, (2) storage locations (datacentre addresses), (3) storage duration, (4) contact information for legal representatives, and (5) compliance commitments.[1] Changes to storage infrastructure, service scope, or ownership must be reported within 10 working days. Organisations should develop governance procedures for regulatory notifications, maintain document repositories, and ensure cross-functional coordination between legal, security, and operations teams.
Data access, takedown, and investigation support
Decree 53 delineates procedures for authorities to request data, system logs, or technical assistance. The MPS, Ministry of National Defence, Ministry of Information and Communications, and provincial police can require businesses to provide user information, service data, or decrypted content to investigate national security threats, cybercrimes, or violations of the law.[1] Companies must respond within the timeline specified in the request and maintain audit trails of disclosures. Failure to comply can result in suspension of information systems or revocation of operating licences.
Service providers must also cooperate in content takedowns. When authorities identify illegal content affecting national security, social order, or public safety, businesses must remove or block such content within the timeframe stated in the notice.[1] Decree 53 emphasises proactive monitoring to detect and prevent dissemination of prohibited information. Platforms should implement content governance processes, escalation playbooks, and moderation tooling that enable rapid compliance.
Cybersecurity incident response and system protection
The decree mandates technical measures to protect information systems critical to national security. Operators of systems classified as “critical for national security” must deploy monitoring, intrusion detection, anti-malware, and data backup solutions consistent with national technical standards.[1] They must also prepare incident response plans, conduct regular drills, and establish dedicated units for cybersecurity operations. When incidents occur, operators must isolate affected systems, notify authorities, and implement remediation, documenting root cause analysis and mitigation.
Decree 53 reinforces requirements from Decree 85/2016/ND-CP on ensuring safety of information systems by categorising systems into five levels and prescribing controls accordingly.[3] Organisations should align with Vietnam’s national standards (TCVN) and consider adopting international frameworks (ISO/IEC 27001, NIST) to strengthen controls. For cross-border service providers, integrating Vietnam-specific incident response obligations into global playbooks is crucial to avoid conflicting legal requirements.
Data retention, deletion, and transparency
Data localisation requires storing personal data, user-generated data, and relationship data in Vietnam for at least 24 months, but providers must keep ongoing data copies for as long as services operate.[1] Companies should implement retention schedules that differentiate between minimum localisation requirements and longer legal retention obligations. Policies should address secure deletion, anonymisation, and archival practices while ensuring that localised datasets remain accessible for regulatory requests.
Enterprises must publish privacy policies and service terms that clarify data collection, storage, and processing practices.[2] Transparency should include notification of users about data sharing with authorities when permitted by law, consent mechanisms, and customer support channels. Organisations should localise privacy notices, ensuring accurate Vietnamese translations and alignment with consumer protection laws.
Compliance roadmap
- Data mapping: Inventory Vietnamese user data, identify cross-border transfers, and determine which systems require localisation or replication in domestic datacentres.
- Infrastructure planning: Evaluate hosting options (owned datacentre, co-location, cloud services with in-country regions) and design architectures that segregate Vietnamese data while integrating with global operations.
- Governance and legal structuring: Prepare documentation for representative office registration, appoint local compliance officers, and draft standard operating procedures for regulatory requests.
- Security controls: Align incident response, monitoring, and access management with Vietnamese standards and integrate reporting timelines into global playbooks.
- Training and awareness: Educate engineering, customer service, and legal teams on Decree 53 obligations, takedown procedures, and escalation paths.
Strategic considerations
Organisations should evaluate the broader regulatory landscape, including pending decrees on personal data protection (Draft Decree on Personal Data Protection) and e-transaction reforms that may further shape data governance requirements.[2] Businesses must assess contractual arrangements with partners and vendors to ensure localisation obligations flow down appropriately. Scenario planning should examine cost implications, latency impacts, and potential need for service redesign to accommodate local infrastructure. Firms operating across ASEAN should harmonise compliance frameworks to manage overlapping localisation mandates in markets such as Indonesia and Malaysia.
Regular engagement with Vietnamese regulators can help clarify expectations, especially regarding the scope of data categories, acceptable technical controls, and enforcement timelines. Participating in industry associations or chambers of commerce can provide collective advocacy opportunities and shared insights into implementation challenges.
Sources
- [1] Government of Vietnam Decree No. 53/2022/ND-CP guiding the Law on Cybersecurity.
- [2] Vietnam Ministry of Information and Communications summary of Decree 53/2022/ND-CP.
- [3] Decree 85/2016/ND-CP on security of information systems by classification.




