Cross-border enterprises in Vietnam face mounting pressure from the 2025 Law on Cybersecurity
The rapid expansion of the digital economy has made the provision of cross-border services more prevalent than ever. However, with the official enforcement of the 2025 Law on Cybersecurity, businesses, particularly foreign entities, face a wave of increasingly stringent compliance requirements designed to ensure information security and protect user data within Vietnam.
New operational requirements for foreign enterprises
The 2025 Law on Cybersecurity (specifically under Clause 3, Article 25) stipulates that foreign enterprises providing Internet-based services in Vietnam may be required to establish domestic branches or representative offices when specific conditions are met.
This mandatory commercial presence is not applied universally. Instead, it is triggered when a business operates in certain regulated sectors, when its services are exploited for illegal activities, or if the entity repeatedly fails to coordinate with competent authorities despite multiple notifications. Upon receiving a decision from the Ministry of Public Security, enterprises must comply with the establishment timeline to avoid administrative sanctions and legal risks.
Furthermore, under Clause 2, Article 28 of the Law, enterprises must review the scope of the cybersecurity services they are permitted to provide. Business operations must also strictly adhere to technical regulations defined in guiding documents and legislation on technical standards issued by regulatory bodies.

Data and information security as a core focus
The provisions in Article 25 and Article 26 of the 2025 Law on Cybersecurity emphasize that safeguarding network information security and data security is a mandatory requirement for all entities operating in cyberspace, including cross-border providers.
Enterprises are required to implement robust measures such as user account authentication and protection, content moderation to handle violating materials, and the provision of information to support cybersecurity efforts. System logs must be maintained diligently. When requested by authorities, data must be provided within a short timeframe to facilitate investigations and the handling of violations.
Regarding data governance, relevant regulations also reference legislation on data and personal data protection. Within the scope of the Law on Cybersecurity, data protection requirements are concretized through technical and organizational measures, as well as system security standards, including the continuous monitoring of critical data processing systems.
Notably, cross-border service providers must conduct impact assessments related to data transfers when processing user information on their platforms.
Tightening management of AI-generated content
The 2025 Law on Cybersecurity also marks the initial steps in regulating risks arising from Artificial Intelligence (AI). Specifically, Point g, Clause 2, Article 25 prohibits the use of AI to create fraudulent content, such as fabricated images, videos, or voices (deepfakes), for illegal purposes.
This addition reflects the commitment of regulatory bodies to control the rising tide of online fraud and privacy violations. Furthermore, issues surrounding the development and management of AI will be governed in greater detail by the 2025 Law on Artificial Intelligence, which came into effect in March 2026.

Obligations for IP address identification
According to regulations on network information management and detailed guidance in sub-law documents (related to Article 38 of the draft decree guiding the Law on Cybersecurity), telecommunications and Internet Service Providers (ISPs) are responsible for identifying IP addresses upon request from competent authorities.
Technical systems must ensure the capability to record, store, and retrieve accurate IP information while maintaining continuous traceability to support investigations and enforcement actions.
However, meeting these requirements necessitates significant investment in infrastructure and resources, thereby increasing operational costs. This is particularly challenging for large-scale platforms or cross-border operations.
To optimize costs and alleviate compliance pressure, enterprises should consider partnering with specialized technology providers and building internal legal and technical teams capable of navigating the rapidly evolving regulatory landscape.
The 2025 Law on Cybersecurity, alongside related regulations such as the 2025 Law on Artificial Intelligence and upcoming guiding decrees, is creating a more rigorous legal framework for activities in Vietnam’s cyberspace. In this context, enterprises, especially cross-border service providers, must proactively review their operations, invest in appropriate resources, and develop effective compliance strategies to ensure stable and sustainable operations.
Reference: VietNam Lawyer Journal








