What to Know About the Amended Cybersecurity Law 2025

On what foundation is the Law on Cybersecurity (Amended) 2025 built?

In terms of legislative technique, the Law on Cybersecurity (Amended) is the result of the process of consolidating and amending two pillar statutes:

• The 2018 Law on Cybersecurity: focuses on protecting national security and social order and safety in cyberspace.
• The 2015 Law on Network Information Safety: focuses on information safety, prevention of cyberattacks, malware, and data leaks.

Merging these two "segments" into a unified statute carries two significant meanings:

• Reducing overlaps between regulations on cybersecurity and network information safety.
• Clarifying the roles and responsibilities of various entities: state agencies, enterprises, service providers, and individual Internet users.

Simply put, the Law on Cybersecurity (Amended) serves as both a "fence" protecting critical information systems and a "safety framework" for data and users in an increasingly complex digital environment.

Where does Vietnam stand in the global cybersecurity law landscape?

Three major approaches in the world

When placing the Law on Cybersecurity (Amended) 2025 alongside other legal systems, three typical approaches can be observed:

1. The European Union (EU)
   

   The EU builds its "backbone" around individual data rights with the GDPR and NIS2. The core focus is on transparency, accountability, and user protection.

2. China
   

   The trio of the Cybersecurity Law – Data Security Law – Personal Information Protection Law places heavy emphasis on national security and system security, while strictly managing the inbound and outbound flows of data across borders.

3. Vietnam
   

   The Law on Cybersecurity (Amended) 2025 attempts to strike a balance by:

   • Protecting critical information systems and digital sovereignty.
   • Placing greater emphasis on data security.
   • Adding provisions to protect vulnerable groups in cyberspace.

If the EU views cyberspace through the "lens" of data rights, and China views it from the "lens" of system security, then Vietnam is building a model that emphasizes cybersecurity + data security + social safety.

Data – from technical assets to strategic resources

A common thread among many legal systems – including Vietnam's – is the recognition of data as a strategic resource. The Law on Cybersecurity (Amended) 2025 elevates the concept of data security to a clearer position, tied to the following requirements:

• Data classification (personal data, critical data, and data related to the operations of vital agencies and organizations).
• Determining data protection responsibilities corresponding to the level of risk.
• Perfecting mechanisms for data-related incident management, supervision, and response.

Notable new features of the Law on Cybersecurity (Amended) 2025

Protecting vulnerable groups in cyberspace

For the first time, vulnerable groups are explicitly specified in the law, including:

• Children;
• The elderly;
• Persons with cognitive difficulties.

This shifts the focus of the Cybersecurity Law from purely technical aspects (systems, servers, data) closer to social life by:

• Reducing the risks of fraud, harassment, and abuse online.
• Supplementing protection mechanisms tailored to each target group.
• Imposing higher requirements on digital platforms and online service providers.

Placing "data security" at the core

The Law on Cybersecurity (Amended) 2025 emphasizes:

• Data is not just "raw material for business," but an asset directly linked to national security and the safety of organizations and individuals.
• Agencies, organizations, and enterprises must develop formal and methodical data protection schemes, moving beyond superficial backups.
• The collection, storage, processing, and sharing of data must adhere to stricter principles, particularly regarding critical and personal data.

Management of IP address identification and digital accounts

One of the notable contents is the mechanism for IP address identification and tighter linkage between digital accounts and user information as prescribed by law.

The objectives are:

• Restricting anonymity to commit violations.
• Supporting the investigation and handling of cybercrimes.
• Enhancing traceability in complex cases.

Specific implementation methods (applicable entities, level of detail, retention periods...) will be clarified through guiding decrees and circulars.

Regulations related to emerging technologies and Artificial Intelligence (AI)

The Law on Cybersecurity (Amended) 2025 directly addresses the use of emerging technologies, including Artificial Intelligence (AI), to create:

• Fake images, fake videos;
• Impersonated voices;
• Other digital content capable of causing confusion, fraud, or infringing upon the legitimate rights and interests of others.

This is a natural legal response to the rise of deepfake technology and AI applications whose authenticity is difficult to distinguish with the naked eye.

Strengthening international cooperation on cybersecurity

The new law dedicates significant coverage to international cooperation in preventing and combating cybercrime, including:

• Exchanging information on cybersecurity threats.
• Supporting the collection, preservation, and transfer of electronic evidence.
• Coordinating the handling of cross-border cybercrime cases.

This aligns closely with Vietnam's role in international cooperation frameworks, such as the UN Convention against Cybercrime.

How does the new law impact businesses?

Reviewing data systems and information infrastructure

For businesses, the Law on Cybersecurity (Amended) 2025 is not just a reference document.

This is the appropriate time to:

• Inventory and classify data (customers, personnel, finance, operations).
• Identify which information systems would cause operational disruption if paralyzed.
• Assess the level of risk and current security gaps.

Updating internal regulations on cybersecurity and data

Businesses should consider establishing or updating:

• Regulations on the use of information systems (email, internal networks, work devices).
• Personal data protection policies for customers and employees.
• Incident response procedures upon detecting data leaks, cyberattacks, or fraud.
• Procedures for coordinating with state agencies upon valid requests.

Increasing resources for cybersecurity

The new law encourages, and in some cases requires, organizations and enterprises to:

     

• Allocate a proportionate percentage of funding for cybersecurity out of the total information technology investment.

     

• Build a dedicated team or point of contact specialized in information security.

     

• Consider utilizing domestic cybersecurity products and services to enhance autonomy.

   

Human resource training – an indispensable link

A good technical infrastructure is only half the story. Businesses need to:

     

• Train employees to recognize phishing emails, fraudulent links, and common attack vectors.

     

• Instruct them on how to protect accounts, devices, and work data.

     

• Maintain the habit of reporting early when detecting abnormal signs.

   

What should Internet users keep in mind?

For individuals, the Law on Cybersecurity (Amended) 2025 does not alter daily Internet usage, but it draws a clearer "line" regarding responsibilities:

     

• Be cautious when sharing personal information, family photos, and especially images of children.

     

• Refrain from disseminating information that infringes upon the honor, privacy, or secrets of others.

     

• Use strong passwords and enable two-factor authentication for important accounts.

     

• Verify sources of information before sharing to avoid inadvertently spreading fake news.

   

Understanding and complying with the law is not only a legal obligation, but it is also how each person contributes to building a safer and healthier online environment.

When does the Law on Cybersecurity (Amended) 2025 take effect?

The Law on Cybersecurity (Amended) 2025 was passed by the National Assembly on

      December 10, 2025 and is expected to take effect from July 1, 2026.

      The period between now and when the law takes effect is a crucial "buffer zone" to:

     

• State agencies issue detailed guiding decrees and circulars.

     

• Businesses and organizations develop transition plans, adjusting processes and systems.

     

• Internet users gradually familiarize themselves with standards for safe and responsible cyberspace usage.

   

Conclusion: Why should businesses care from now on?

In a context where data, information systems, and business operations are closely tied to cyberspace, the Law on Cybersecurity (Amended) 2025 is not just a story for regulatory authorities or "tech giants." This is a law that will touch every business with a digital infrastructure, every organization processing customer data, and every individual participating in daily digital life.

Preparing early helps businesses:

     

• Reduce legal and financial risks when incidents occur.

     

• Increase trust among customers and partners regarding data protection.

     

• Better capitalize on the opportunities of digital transformation on a clear legal foundation.

   

DL Pinnacle Law accompanies businesses in:

     

• Reviewing and assessing compliance with the Law on Cybersecurity (Amended) 2025 and related documents.

     

• Formulating and updating internal regulations on cybersecurity, data protection, and information system usage.

     

• Providing strategic legal counsel during digital transformation, M&A, and the expansion of digital platforms and online services.

   

If your business is looking for a legal partner who understands both the language of law and digital transformation, please contact us:

Contact Information

DL PINNACLE LAW FIRM LLC

Address: 3rd Floor, 18A/76 Nguyen Thi Minh Khai, Saigon Ward, Ho Chi Minh City

Hotline: 0914.491.911

Email: info@dlpinnacle.vn

Website: https://www.dlpinnacle.vn