According to Art. 95.3 of Decree No.15/2020/ND-CP, a fine ranging from VND 50,000,000 to VND 70,000,000 (approx. 2,040 USD to 2,860 USD) shall be imposed for advertising email and internet message services using servers not located in Vietnam.

Decree No. 72 establishes the management of Internet service and online networks. In March 2018, the Vietnamese government issued Decree No.27/2018/ND-CP to amend and enhance Decree 72 partially. Data retention requirements for online networks are listed in Art. 23(c). The regulation requires data on account users, log-in and log-off time, user IP address, and data processing log to be stored for at least two years.

Vietnam has licensing requirements from the Ministry of Information and Communication (MIC) in place for online social networks, general information websites, mobile telecoms network-based services, and certain online games services under Decree No. 72/2013/ND-CP and its amendment Decree No. 27/2018/ND-CP. These contemplate that companies must be established in Vietnam in order to fulfil the licensing and registration requirements. According to Arts. 22, 25, 28, and 34 of Decree No. 72, providers of websites, social networks, information on the mobile network, and online games, respectively, have to have at least one server inside the country "serving the inspection, storage, and provision of information at the request of competent state management agencies".

Art. 28 of Decree No. 13/2023/ND-CP requires a data controller and/or a data processor to appoint a department to protect personal data and to appoint a DPO if there is sensitive personal data involved. The information of such DPO must be notified to the Cybersecurity Department.

Art. 19 of Decree No. 72 of 2013, and its extension in Decree 27/2018, regulates that "organisations and individuals that use Internet resources shall provide information and cooperate with competent state management agencies at the latter’s request".

The Law on Cybersecurity stipulates that businesses have to provide users’ data to the Ministry of Public Security upon receipt of requests in writing in cases where any infringement of the cybersecurity law is being investigated (Art. 26).

Art. 17.1.c of the Law on Cyber Information Security No. 86/2015/QH13 requires technology companies to share user data at the request of competent state agencies. It also mandates that authorities be given decryption keys on request, and it introduces licensing requirements for tools that offer encryption as a primary function. There is no mention of a requirement for a court order.

Decree No. 17/2023/ND-CP establishes a safe harbour regime for intermediaries for copyright infringements. According to the Decree, to benefit from this safe harbour, Internet Service Providers (ISPs) must act promptly to remove or block content upon acquiring "knowledge" of copyright infringement. While Decree No. 17 does not define "knowledge," it considers takedown notices from authorities or rights holders as evidence of ISPs' "knowledge" without specifying whether such notices must be substantiated (Arts. 113.3 and 114.5).
Additionally, Decree No. 17 outlines the required information and documents for takedown notices and counter-responses, indicating that ISPs must take appropriate action—such as removal, blocking, or restoration—upon receipt of the complete set of required information and documents (Art. 111.4).

A basic legal framework on intermediary liability beyond copyright infringement is absent in Vietnam's law and jurisprudence.

According to Art. 26 of Vietnam's Law on Cybersecurity, owners or organisations in charge of websites must authenticate information when a user registers a digital account, ensure confidentiality of user information and accounts, provide user information to the task force in charge of network security protection under the Ministry of Public Security upon written request to serve the investigation and handling of violations of the law on network security.

According to Art. 3.16 and 25.9 of the Decree No.72/2013/ND-CP and its amendment and extension of Decree No.27/2018/ND-CP, online social network service suppliers are required to ensure that only individuals who have supplied "accurate and complete personal information as required by law", including the government-issued card number, may create blogs or provide information on online social networks.

Pursuant to Art. 15.1 of Decree No. 25/2011/ND-CP, individuals subscribing to telecommunications services are required to provide telecommunication enterprises with specific information. This includes the subscriber's full name, date of birth, and, for Vietnamese citizens, the identity card number, along with the date and place of issuance. For foreign citizens, passport details must be provided.

According to Art. 41 of Vietnam's Cybersecurity Law, Internet service providers (ISPs), websites and information systems administrators/owners are responsible for:
- Controlling information content transmitted by users so that such content will not harm or prejudice children or the children’s rights; and
- Preventing the sharing of content and deleting any content that harms or prejudices children or the children’s rights.
In addition, pursuant to Art. 16, information system administrators/owners, telecoms and Internet service providers are required to coordinate with the competent authorities to handle illegal content closely. The ISPs have 24 hours to remove content after they receive a notice from the government authorities.
It is reported that intermediaries—including those based overseas—to regulate third-party contributors in cooperation with the state, and to “eliminate or prevent information” that opposes the republic, threatens national security and the social order, or defies national traditions, among other broadly worded provisions. The laws hold cybercafé owners responsible if their customers are caught visiting prohibited websites.

According to Art. 23 of Decree No. 72/2013/ND-CP, social networks must prevent any information from being published that defames the state of Vietnam and have human resources that meet the criteria of the Ministry of Information and Communication (MIC). However, such criteria or demands by MIC have not been clarified.

Reports indicate that the government restricts access to several websites, including those of Radio Free Asia, Voice of America, the BBC Vietnamese news service, and the 88 Project. Access to international websites such as those of Human Rights Watch has been characterised by instability and unpredictability. According to Nikkei Asia, which monitors online censorship, half of the 1,000 websites it tested in 2022 were inaccessible within the country. The majority of these blocked websites were related to politics (33%), news outlets (27%), and human rights (15%).
It is also reported that content on social media is removed at an alarming rate due to the government's use of the Cybersecurity Law, which took effect in January 2019. Among other requests, in October 2022, Netflix removed a Korean drama and a Chinese series from viewing in Vietnam.