The draft 2025 Cybersecurity Law, currently under debate in the National Assembly, therefore carries crucial significance: unifying the legal framework, establishing a coherent management structure, and creating the foundation for technological self-reliance — a vital element of digital sovereignty.
Old defences against a new wave of attacks
The explosion of digital transformation is propelling Viet Nam into an era in which every individual, organisation, and enterprise lives, works and transacts online. But convenience comes with an unprecedented escalation of cyberattacks: deepfake scams, intrusions into critical systems, data theft… all revealing that old defences can no longer withstand new threats.
Deepfakes impersonating government authorities have become widespread, occurring daily despite repeated warnings. Many victims still trust impersonators even when law enforcement intervenes directly.
Not only are attacks increasing rapidly in number, but their scale is also reaching alarming levels. According to a survey by the National Cybersecurity Association (NCA), Viet Nam alone recorded more than 650,000 cyberattacks in 2024, while globally there were as many as 2.9 million victims every minute. After 28 years of internet connectivity, Viet Nam has capitalised on opportunities brought by digital technology, but strong dependence on online infrastructure has also heightened security risks.
Lieutenant Colonel Nguyen Dinh Do Thi, Deputy Head of the Network Information Security Division under the Department of Cybersecurity and High-Tech Crime Prevention at the Ministry of Public Security, warned: “An even greater challenge is the reliance on foreign cybersecurity products and platforms, assessed as one of three major risk groups directly affecting national security and social order.”
Imported solutions are difficult to customise for Viet Nam’s specific conditions, slow to fix vulnerabilities, and have shown weaknesses through several major data leaks. The more dependent a system is, the more easily it can be compromised, and the less control there is in responding to incidents.
At the same time, personal data are being collected and illegally traded openly; some companies secretly analyse and sell data to third parties; many agencies leak information due to lax management. These realities lead many experts to affirm that technological strength alone is insufficient, and that only by mastering defensive solutions can a nation safeguard its sovereignty in cyberspace.
Unifying laws to build a framework for protecting digital sovereignty
Weaknesses in the current defence posture indicate that Viet Nam needs a strong, unified legal framework to protect cyberspace. After nearly 10 years of implementation, the 2015 Law on Cyberinformation Security and the 2018 Cybersecurity Law have revealed overlaps, duplication, and an inability to keep pace with rapid developments in digital technology, big data, cloud computing and artificial intelligence. Overlapping regulations on protecting information systems, data and preventing cyberattacks leave enterprises confused about compliance, while regulators lack a unified basis for coordination.
Tran Quoc Chinh, Vice President of CMC Corporation and General Director of CMC Cyber Security, noted that having two parallel laws makes it difficult for organisations to identify the main legal framework and limits the effectiveness of cybersecurity investment. Therefore, unifying the laws in the draft 2025 Cybersecurity Law is not merely rearranging regulations; it is a strategic step towards building a coherent, transparent, and more facilitative legal framework for both state management and business operations.
The draft law inherits valid provisions while adding key elements such as data security, mechanisms for information linkage and sharing, mandatory incident reporting timelines, and IP address identification for investigative purposes. Its fast-tracked development reflects the view that cybersecurity is an essential component of national security, and that investment in cybersecurity is investment in sustainable development.
Legal unification also enables Viet Nam to effectively implement the United Nations Convention against Cybercrime, including mechanisms for 24/7 information sharing, technical support, and cross-border investigative cooperation.
As Minister of Public Security Luong Tam Quang emphasised, in the digital era, no country, organisation, or enterprise can guarantee cybersecurity on its own. On this basis, the 2025 Cybersecurity Law not only resolves legal overlaps but also establishes a unified management structure, with the Ministry of Public Security acting as the central authority for state cybersecurity management.
A notable highlight of the draft law is its shift in focus from “protection” to “self-reliance”. Currently, 75% of Viet Nam’s cybersecurity products and services are imported, while many domestic solutions continue to face barriers stemming from preferences for foreign products.
According to Nguyen Ai Viet, Director of the Institute of Generative New Intelligence Technology and Education, every system needs a domestic defensive layer, which, even if not immediately as strong as foreign products, has the advantages of rapid response, contextual suitability, and reduced dependency risks.
The draft law clearly defines the state’s responsibilities in enhancing self-reliance: encouraging the production, testing, assessment, and certification of digital equipment and network services; developing standards and technical regulations; controlling risks from product inception; and promoting research, mastery, and development of cybersecurity technologies.
A key new requirement is that cybersecurity products, solutions, and services are included within the law’s regulatory scope and must undergo conformity and compliance certification before being placed on the market.
Nguyen Minh Duc, CEO of CyRadar, an information security company, stated that the 2025 Cybersecurity Law not only protects digital sovereignty but also opens a transparent, standardised market, creating an important economic driver for Vietnamese enterprises. He stressed that prioritising domestic cybersecurity products is a crucial policy to build a sufficiently large market, thereby enhancing national technological autonomy.
Assessing that the new law will make the market more transparent, CMC Cyber Security General Director Tran Quoc Chinh recommended developing a national cybersecurity evaluation and ranking system, and allowing capable enterprises to independently assess Level 1-3 systems to increase objectivity and ease the burden on regulators.
Additionally, the law requires that cybersecurity spending in state agencies be at least 10% of their IT budgets, establishing a stable market and promoting Vietnamese-made products. It encourages research and development, strengthens self-reliance, and aims to build a robust, sustainable Vietnamese cybersecurity ecosystem.
Vu Ngoc Son, Head of Research, Consultancy, Technology Development and International Cooperation at the National Cybersecurity Association, regards the 2025 law as a major step forward that simultaneously protects digital sovereignty and fosters technological self-reliance, which is vital in a digitised environment. This spirit aligns with the Politburo’s Resolution 57 on breakthroughs in science, technology, innovation, and digital transformation, which identifies safeguarding sovereignty, cybersecurity, and data security as consistent requirements for development.
From a strategic perspective, the 2025 Cybersecurity Law provides the framework to establish a domestic cybersecurity supply chain, promote the standardisation and professionalisation of Viet Nam’s cybersecurity industry, and enhance national capacity in incident response. The law not only serves as a shield but also opens a new mindset — self-reliance for protection, defence for development.