Vietnam Cybersecurity Law
Law No. 24/2018/QH14
Vietnamese law requiring domestic and foreign organizations to store certain data in Vietnam and establish local presence.
Overview
The Vietnam Cybersecurity Law (Law No. 24/2018/QH14) represents a pivotal moment in Southeast Asian digital governance, establishing comprehensive data sovereignty regulations that fundamentally reshape data management practices. Enacted by the National Assembly in November 2018 and fully implemented through 2019-2020, the law emerged from Vietnam's strategic objectives to enhance national security and maintain strict control over citizen data. Unlike Western privacy frameworks that prioritize individual rights, this law focuses on state-level data control and national digital infrastructure protection. It mandates that all personal data of Vietnamese citizens must be processed and stored exclusively within Vietnamese territory, creating a unique operational environment for domestic and international technology providers.
For data center operators, the law introduces critical compliance requirements. Foreign cloud providers (such as AWS, Google Cloud, and Microsoft Azure) can no longer offer standard cross-border services. Instead, they must establish localized infrastructure within Vietnam or partner with domestic providers holding appropriate government licenses. This approach fundamentally transforms the regional technology landscape, requiring significant infrastructure investments and creating new market dynamics.
The standard applies broadly across telecommunications, internet services, online platforms, financial institutions, and any entity handling Vietnamese citizen data. Its most distinctive feature is the explicit state control mechanism, with the Ministry of Public Security maintaining comprehensive authority over cybersecurity incident reporting, security audits, and potential data access for national security purposes.
Key Requirements
Mandatory Personal Data Localization in Vietnamese Territory
All personal data of Vietnamese citizens must be collected, processed, and stored exclusively within Vietnam's geographic boundaries; data cannot be transferred across borders except under extremely limited circumstances approved by the Ministry of Public Security.
Data center operators must ensure all customer personal information resides on servers physically located within Vietnam, with redundancy and backup systems also maintained domestically, effectively prohibiting standard international cloud replication architectures.
Domestic Service Provider Local Infrastructure Requirements
Vietnamese telecommunications and internet service providers must operate independently managed data centers within Vietnam rather than relying on foreign cloud infrastructure; they cannot outsource core data storage functions to offshore providers without explicit ministerial approval.
This requirement forces domestic providers to invest in autonomous infrastructure capabilities, including redundant data centers, backup systems, and disaster recovery facilities all maintained within national borders.
Foreign Provider Localized Presence and Partnership Mandates
Foreign digital platform operators and cloud service providers must establish local legal entities within Vietnam and deploy physical infrastructure within Vietnamese territory to service Vietnamese users; simple remote service provision is prohibited.
Foreign providers must partner with licensed Vietnamese entities or establish Vietnamese subsidiaries with operational control over infrastructure, ensuring compliance with local surveillance and law enforcement data access requirements.
Extended Data Retention and Archival Obligations
Organizations must maintain personal data for minimum periods ranging from 3 to 10 years depending on data classification, sector regulations, and law enforcement investigation requirements; deletion is restricted and monitored by authorities.
Data center operators must implement long-term retention infrastructure, archival systems, and retrieval capabilities ensuring data remains accessible to government agencies throughout extended retention periods.
Government Access and Surveillance Integration Requirements
Data center infrastructure must accommodate mandatory government access capabilities for cybersecurity incident investigation, criminal investigations, and national security purposes; providers must establish dedicated interfaces enabling the Ministry of Public Security and law enforcement agencies to access data without advance notice or warrant requirements.
Technical architecture must include audit logging, access monitoring, and government agency portal capabilities.
Cybersecurity Incident Reporting and Response Protocols
Organizations must report cybersecurity incidents to the Ministry of Public Security within specified timeframes (typically 24-72 hours depending on severity); data breaches involving personal data trigger mandatory government notification and investigation involvement.
Data center operators must establish incident response teams, maintain forensic capabilities, and coordinate with government agencies during breach investigations.
Security Certification and Regulatory Audit Compliance
Data center operations and information security measures must meet Vietnamese cybersecurity standards and undergo periodic audits by government-approved security assessment organizations; compliance certification is a prerequisite for continuing operations.
Operators must conduct annual security assessments, vulnerability testing, penetration testing, and remediation reporting to regulatory authorities.
Technology Transfer and Source Code Access Provisions
Foreign technology providers may face implicit or explicit expectations to disclose source code, encryption keys, or security mechanisms to Vietnamese government agencies for national security review purposes; non-compliance can result in service suspension or license revocation.
Data center operators must maintain transparent communication with authorities regarding technical architectures and security implementations.
Who Uses & Why
The Vietnam Cybersecurity Law applies mandatorily to organizations collecting, processing, or storing data of Vietnamese citizens or residents. Compliance becomes critical for several key sectors:
Mandatory Compliance Scenarios:
- Telecommunications providers and Internet Service Providers (domestic infrastructure required)
- Foreign cloud providers serving Vietnamese customers
- E-commerce and digital platforms handling customer personal data
- Financial institutions managing customer account information
- Government agencies and state-owned enterprises
Compliance becomes particularly important for organizations with:
- Substantial Vietnamese market presence (5+ years projected)
- More than 10,000 Vietnamese user accounts
- Annual revenue exceeding $1 million in the Vietnamese market
Geographic considerations are paramount. Organizations must establish physical data infrastructure within Vietnam or partner with locally licensed providers. The cost of compliance can range from $100,000 to $2 million, depending on existing infrastructure and market engagement level. While technically mandatory for any organization with Vietnamese user interactions, the enforcement complexity and investment requirements mean that smaller enterprises may have more flexible implementation strategies.