Data Strategy — Vietnam cybersecurity
Vietnam’s Decree 53/2022/ND-CP, issued 15 August 2022 to implement the Cybersecurity Law, mandates local storage of key user data and representative offices for specified digital services while detailing investigative support and incident response duties.
Verified for technical accuracy — Kodi C.
Vietnam issued Decree No. 53/2022/ND-CP on 15 August 2022 to implement the 2018 Law on Cybersecurity, imposing data localization and local establishment obligations on domestic and foreign digital service providers that collect, exploit, analyze, or process data about Vietnamese users.1 The decree, effective 1 October 2022, requires covered entities to store specified categories of data (personal data, data generated by users, and data on users’ relationships) on servers located in Vietnam for at least 24 months and maintain copies for the entire service duration.1 Foreign enterprises offering services such as telecommunications, data storage/sharing, e-commerce, online marketplaces, social networks, online gaming, messaging, voice/video calls, email, search, and payment intermediaries must set up a branch or representative office in Vietnam when formally requested by the Ministry of Public Security (MPS).2
Decree 53 clarifies the scope of Article 26 of the Cybersecurity Law and helps the MPS’s Department of Cybersecurity and High-Tech Crime Prevention (A05) to issue data localization requirements through written notices. The decree also outlines procedures for suspending or revoking information systems that violate cybersecurity laws, mandates cooperation with Vietnamese authorities during investigations, and codifies incident response, logging, and reporting duties.1 Companies serving Vietnamese users must reassess cross-border data strategies, vendor contracts, and operational resilience to stay compliant.
Entities and data covered
Article 26 applies to both domestic enterprises and offshore service providers with business activities in Vietnam. Foreign providers become subject to data localization and establishment obligations when they (1) provide regulated services to Vietnamese users, (2) collect, analyze, or process user data, and (3) fail to comply with requests to take down illegal content, provide user data for investigations, or prevent cybersecurity violations.1 Once the MPS issues a written request, the provider must store data and set up a local presence within 12 months. Data localization applies to three categories: personal data (including names, birth dates, contact details, identification numbers), data generated by users during service usage (account information, credit card numbers, IP addresses, search histories), and data about user relationships (friends, groups, interactions).1
Domestic enterprises that already have servers in Vietnam must maintain copies of the same data categories for the specified retention periods. Companies should map data flows to identify whether information leaves Vietnam, ensure localization controls are in place, and implement segregation for localized datasets. Because the definition of “services providing data storage and sharing in cyberspace” is broad, cloud service providers, content delivery networks, and SaaS platforms should assess exposure. Decree 53 allows the government to expand the service list based on national security needs, so ongoing monitoring is essential.
Local presence and notification obligations
Foreign providers subject to Article 26 must set up a branch or representative office in Vietnam to coordinate with authorities.1 The establishment must occur within 12 months of receiving an MPS request, and the enterprise must notify the MPS of representative details, contact information, storage locations, and compliance plans. If the provider already has a legal presence, it must update registration information to reflect cybersecurity compliance responsibilities. The representative office must maintain liaison with the MPS, ensure prompt responses to data access requests, and coordinate incident handling.
Enterprises must submit written notices to the MPS detailing (1) stored data categories, (2) storage locations (datacenter addresses), (3) storage duration, (4) contact information for legal representatives, and (5) compliance commitments.1 Changes to storage infrastructure, service scope, or ownership must be reported within 10 working days. Teams should develop governance procedures for regulatory notifications, maintain document repositories, and ensure cross-functional coordination between legal, security, and operations teams.
Data access, takedown, and investigation support
Decree 53 outlines procedures for authorities to request data, system logs, or technical assistance. The MPS, Ministry of National Defense, Ministry of Information and Communications, and provincial police can require businesses to provide user information, service data, or decrypted content to investigate national security threats, cybercrimes, or violations of the law.1 Companies must respond within the timeline specified in the request and maintain audit trails of disclosures. Failure to comply can result in suspension of information systems or revocation of operating licenses.
Service providers must also cooperate in content takedowns. When authorities identify illegal content affecting national security, social order, or public safety, businesses must remove or block such content within the timeframe stated in the notice.1 Decree 53 emphasizes continuous monitoring to detect and prevent distribution of prohibited information. Platforms should implement content governance processes, escalation playbooks, and moderation tooling that enable rapid compliance.
Cybersecurity incident response and system protection
The decree mandates technical measures to protect information systems critical to national security. Operators of systems classified as “critical for national security” must deploy monitoring, intrusion detection, anti-malware, and data backup solutions consistent with national technical standards.1 They must also prepare incident response plans, conduct regular drills, and establish dedicated units for cybersecurity operations. When incidents occur, operators must isolate affected systems, notify authorities, and implement remediation, documenting root cause analysis and mitigation.
Decree 53 reinforces requirements from Decree 85/2016/ND-CP on ensuring safety of information systems by categorising systems into five levels and prescribing controls as needed.3 Teams should align with Vietnam’s national standards (TCVN) and consider adopting international frameworks (ISO/IEC 27001, NIST) to strengthen controls. For cross-border service providers, integrating Vietnam-specific incident response obligations into global playbooks is crucial to avoid conflicting legal requirements.
Data retention, deletion, and transparency
Data localization requires storing personal data, user-generated data, and relationship data in Vietnam for at least 24 months, but providers must keep ongoing data copies for as long as services operate.1 Companies should implement retention schedules that differentiate between minimum localization requirements and longer legal retention obligations. Policies should address secure deletion, anonymization, and archival practices while ensuring that localized datasets remain accessible for regulatory requests.
Enterprises must publish privacy policies and service terms that clarify data collection, storage, and processing practices.2 Transparency should include notification of users about data sharing with authorities when permitted by law, consent mechanisms, and customer support channels. Teams should localize privacy notices, ensuring accurate Vietnamese translations and alignment with consumer protection laws.
Strategic considerations
Teams should evaluate the broader regulatory environment, including pending decrees on personal data protection (Draft Decree on Personal Data Protection) and e-transaction reforms that may further shape data governance requirements.2 Businesses must assess contractual arrangements with partners and vendors to ensure localization obligations flow down appropriately. Scenario planning should examine cost implications, latency impacts, and the potential need for service redesign to accommodate local infrastructure. Firms operating across ASEAN should harmonize compliance frameworks to manage overlapping localization mandates in markets such as Indonesia and Malaysia.
Regular engagement with Vietnamese regulators can help clarify expectations, especially regarding the scope of data categories, acceptable technical controls, and enforcement timelines. Participating in industry associations or chambers of commerce can provide collective advocacy opportunities and shared insights into setup challenges.
Cited sources
- 1 Government of Vietnam Decree No. 53/2022/ND-CP guiding the Law on Cybersecurity.
- 2 Vietnam Ministry of Information and Communications summary of Decree 53/2022/ND-CP.
- 3 Decree 85/2016/ND-CP on security of information systems by classification.
This brief assists global platforms with Vietnam data localization, regulatory liaison, and cybersecurity operations readiness under Decree 53.