VIETNAM
Since November 2013, last amended in May 2018
Since January 2014, last amended in June 2018
Since January 2014, last amended in June 2018
Pillar Quantitative trade restrictions for ICT goods and online services |
Indicator Import ban applied on ICT goods or online services
Decree No. 69/2018/ND-CP on Guidelines for the Law on Foreign Trade Management (Nghị định Số 69/2018/NĐ-CP Quy Định Chi Tiết Một Số Điều Của Luật Quản Lý Ngoại Thương)
Circular No. 12/2018/TT-BCT dated 15 June 2018 elaborating of the Law on Foreign Trade Management and Government’s Decree No. 69/2018/ND-CP elaborating of the Law on Foreign Trade Management
Circular No. 12/2018/TT-BCT dated 15 June 2018 elaborating of the Law on Foreign Trade Management and Government’s Decree No. 69/2018/ND-CP elaborating of the Law on Foreign Trade Management
In November 2013, the Government of Vietnam issued Decree No. 187/2013/ND-CP, implementing the Commercial Law on international trade in goods and the activities of international agents involved in buying, selling, outsourcing, and transiting goods. The Decree outlined products that were either banned from importation or required an import licence, assigning regulatory oversight to specific entities. Annex 1 of the Decree identified goods banned from import, including:
(i) Used electronic products, regulated by the Ministry of Industry and Trade (MOIT);
(ii) Used IT products, regulated by the Ministry of Information and Communications (MIC);
(iii) Specific radio equipment and radio wave-applied devices, also regulated by MIC.
To facilitate the implementation of this Decree, MOIT issued Circular No. 04/2014/TT-BCT in January 2014, which provided additional details and a more specific list of used products prohibited from import. Annexe 1 of the Circular included:
(i) Personal laptops (HS 8471);
(ii) Cellphones (HS 8517);
(iii) Digital cameras (HS 8525);
(iv) Video game consoles and machines (HS 9504).
In May 2018, the Government introduced Decree No. 69/2018/ND-CP, which replaced Decree No. 187/2013/ND-CP and reallocated the list of import licensing requirements to Annex 3. Subsequently, on 15 June 2018, MOIT replaced Circular No. 04/2014/TT-BCT with Circular No. 12/2018/TT-BCT, though the list of banned electronic products remained unchanged.
(i) Used electronic products, regulated by the Ministry of Industry and Trade (MOIT);
(ii) Used IT products, regulated by the Ministry of Information and Communications (MIC);
(iii) Specific radio equipment and radio wave-applied devices, also regulated by MIC.
To facilitate the implementation of this Decree, MOIT issued Circular No. 04/2014/TT-BCT in January 2014, which provided additional details and a more specific list of used products prohibited from import. Annexe 1 of the Circular included:
(i) Personal laptops (HS 8471);
(ii) Cellphones (HS 8517);
(iii) Digital cameras (HS 8525);
(iv) Video game consoles and machines (HS 9504).
In May 2018, the Government introduced Decree No. 69/2018/ND-CP, which replaced Decree No. 187/2013/ND-CP and reallocated the list of import licensing requirements to Annex 3. Subsequently, on 15 June 2018, MOIT replaced Circular No. 04/2014/TT-BCT with Circular No. 12/2018/TT-BCT, though the list of banned electronic products remained unchanged.
Coverage Certain ICT products
VIETNAM
Since December 2025, entry into force in July 2026
Since June 2018, entry into force in January 2019, until July 2026
Since June 2018, entry into force in January 2019, until July 2026
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
Law on Cybersecurity No. 116/2025/QH15 (Luật số 116/2025/QH15 của Quốc hội: Luật An ninh mạng)
Law on Cybersecurity No. 24/2018/QH14 (Luật số 24/2018/QH14 của Quốc hội: Luật an ninh mạng)
Law on Cybersecurity No. 24/2018/QH14 (Luật số 24/2018/QH14 của Quốc hội: Luật an ninh mạng)
Art. 25.2.a of the Law on Cybersecurity stipulates that both domestic and foreign enterprises providing services on telecommunications networks, the Internet, and other value‑added services in cyberspace within Vietnam are under an obligation to supply user information to the specialised cybersecurity protection forces under the Ministry of Public Security within 24 hours of receiving a request, which may be made in written form, by email, by telephone, or through any other verified means of communication, for the purposes of verification, investigation, and the handling of cybersecurity law violations; in circumstances involving an emergency that threatens national security or human life, such information must be provided within three hours. The provision does not expressly indicate whether compliance with such requests is contingent upon the prior issuance of a court order, and a broadly comparable requirement was previously set out in Art. 26.2.a of the earlier Law on Cybersecurity.
Coverage Horizontal
Sources
- https://web.archive.org/web/20260421200308/https://www.qtsc.com.vn/uploads/files/2026/02/02/116_2025_QH15_688491.pdf
- https://web.archive.org/web/20260421195751/https://datafiles.chinhphu.vn/cpp/files/vbpq/2026/01/luat116-2025.pdf
- https://web.archive.org/web/20241125165607/https://cyrilla.org/api/files/1597413928626du5wglw8kff.pdf
- https://web.archive.org/web/20241125165634/https://datafiles.chinhphu.vn/cpp/files/vbpq/2022/07/24-2018-qh14..pdf
- Show more...
VIETNAM
Since November 2015, entry into force in July 2016
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
Law on Cyber Information Security No. 86/2015/QH13 (Luật số 86/2015/QH13 An Toàn Thông Tin Mạng)
Art. 17.1.c of the Law on Cyber Information Security No. 86/2015/QH13 requires technology companies to share user data at the request of competent state agencies. It also mandates that authorities be given decryption keys on request, and it introduces licensing requirements for tools that offer encryption as a primary function. There is no mention of a requirement for a court order.
Coverage Horizontal
VIETNAM
Since April 2023
Pillar Intermediary liability |
Indicator Safe harbour for intermediaries for copyright infringement
Decree No. 17/2023/ND-CP, guiding a number of articles of the Amended IP Law with regard to copyright and related rights (Nghị định quy định chi tiết một số điều và biện pháp thi hành Luật Đấu thầu về lựa chọn nhà thầu)
Decree No. 17/2023/ND-CP establishes a safe harbour regime for intermediaries for copyright infringements. According to the Decree, to benefit from this safe harbour, Internet Service Providers (ISPs) must act promptly to remove or block content upon acquiring "knowledge" of copyright infringement. While Decree No. 17 does not define "knowledge," it considers takedown notices from authorities or rights holders as evidence of ISPs' "knowledge" without specifying whether such notices must be substantiated (Arts. 113.3 and 114.5).
Additionally, Decree No. 17 outlines the required information and documents for takedown notices and counter-responses, indicating that ISPs must take appropriate action—such as removal, blocking, or restoration—upon receipt of the complete set of required information and documents (Art. 111.4).
Additionally, Decree No. 17 outlines the required information and documents for takedown notices and counter-responses, indicating that ISPs must take appropriate action—such as removal, blocking, or restoration—upon receipt of the complete set of required information and documents (Art. 111.4).
Coverage Internet intermediaries
Sources
- https://web.archive.org/web/20231001051709/https://vietanlaw.com/decree-no-17-2023-nd-cp-elaborating-the-law-on-intellectual-property-regarding-copyrights-and-related-rights/
- https://web.archive.org/web/20230830164510/https://datafiles.chinhphu.vn/cpp/files/vbpq/2023/5/17-cp.signed.pdf
- https://web.archive.org/web/20231202023909/https://rouse.com/insights/news/2023/intermediary-service-providers-liabilities-under-the-amended-ip-law-and-decree-on-copyright#_ftn13
- Show more...
VIETNAM
N/A
Pillar Intermediary liability |
Indicator Safe harbour for intermediaries for any activity other than copyright infringement
Lack of intermediary liability framework in place beyond copyright infringement
A basic legal framework on intermediary liability beyond copyright infringement is absent in Vietnam's law and jurisprudence.
Coverage Internet intermediaries
VIETNAM
Since December 2025, entry into force in July 2026
Since June 2018, entry into force in January 2019, until July 2026
Since June 2018, entry into force in January 2019, until July 2026
Pillar Intermediary liability |
Indicator User identity requirement
Law on Cybersecurity No. 116/2025/QH15 (Luật số 116/2025/QH15 của Quốc hội: Luật An ninh mạng)
Law on Cybersecurity No. 24/2018/QH14 (Luật số 24/2018/QH14 của Quốc hội: Luật an ninh mạng)
Law on Cybersecurity No. 24/2018/QH14 (Luật số 24/2018/QH14 của Quốc hội: Luật an ninh mạng)
Art. 25.2.a of the Law on Cybersecurity stipulates that domestic and foreign enterprises providing services on telecommunications networks, the Internet, and value‑added services in cyberspace in Vietnam are required to verify user information at the time of registration of digital accounts. Under Art. 2.19, a “digital account” is defined as information employed for the purposes of authentication, verification, and authorisation in relation to the use of applications and services in cyberspace. A comparable obligation is also provided for in Art. 26.2.a of the previous Law on Cybersecurity.
Coverage Horizontal
Sources
- https://web.archive.org/web/20260421200308/https://www.qtsc.com.vn/uploads/files/2026/02/02/116_2025_QH15_688491.pdf
- https://web.archive.org/web/20260421195751/https://datafiles.chinhphu.vn/cpp/files/vbpq/2026/01/luat116-2025.pdf
- https://web.archive.org/web/20241125165607/https://cyrilla.org/api/files/1597413928626du5wglw8kff.pdf
- https://web.archive.org/web/20241125165634/https://datafiles.chinhphu.vn/cpp/files/vbpq/2022/07/24-2018-qh14..pdf
- Show more...
VIETNAM
Since November 2024, entry into force in December 2024
Pillar Intermediary liability |
Indicator User identity requirement
Decree No. 147/2024/ND-CP on the Management, Provision and Use of Internet Services and Information in Cyberspace (Nghị định số 147/2024/NĐ-CP của Chính phủ: Quản lý, cung cấp, sử dụng dịch vụ internet và thông tin trên mạng)
Art. 23.3.e of Decree No. 147/2024/ND-CP provides that only foreign organisations, enterprises, and individuals engaged in the provision of cross-border information services to entities in Vietnam, either through the leasing of data storage services within Vietnam or by attaining a total of 100,000 or more regular monthly visits from Vietnam, calculated as an average over six consecutive months, are subject to specific obligations, namely that they must verify user accounts using Vietnamese telephone numbers. Foreign providers of social networking services may alternatively verify accounts through personal identification numbers, where users declare, in accordance with the law on electronic identification and authentication, that they do not possess a Vietnamese telephone number. Such providers are further required to verify accounts through personal identification numbers where users employ livestream features for commercial purposes under the same legal framework; and, in all cases, only duly verified accounts are permitted to post content, including articles, comments, and livestream sessions, or otherwise share information on social networking platforms.
Coverage Horizontal
Sources
- https://web.archive.org/web/20260510172751/https://datafiles.chinhphu.vn/cpp/files/vbpq/2024/11/147-nd.signed.pdf
- https://web.archive.org/web/20260328221458/https://www.qtsc.com.vn/uploads/files/2024/12/30/147_2024_ND-CP_636187-eng.pdf
- https://web.archive.org/web/20260510230308/https://www.allenandgledhill.com/perspectives/articles/29440/vnkh-introduces-additional-requirements-relating-to-provision-of-information-and-internet-servic...
- Show more...
VIETNAM
Since June 2011, last amended in July 2016
Pillar Intermediary liability |
Indicator User identity requirement
Decree No. 25/2011/ND-CP Detailing and Guiding the Implementation of a Number of Articles of the Telecommunications Law (Nghị định Quy định chi tiết và hướng dẫn thi hành một số điều của Luật Viễn thông Số: 25/2011/NĐ-CP)
Pursuant to Art. 15.1 of Decree No. 25/2011/ND-CP, individuals subscribing to telecommunications services are required to provide telecommunication enterprises with specific information. This includes the subscriber's full name, date of birth, and, for Vietnamese citizens, the identity card number, along with the date and place of issuance. For foreign citizens, passport details must be provided.
Coverage Telecommunications sector
Sources
- https://web.archive.org/web/20240605142745/https://thuvienphapluat.vn/van-ban/EN/Cong-nghe-thong-tin/Decree-No-25-2011-ND-CP-detailing-and-guiding-the-implementation/123358/tieng-anh.aspx
- https://web.archive.org/web/20230206234135/https://www.globalcompliancenews.com/2021/09/09/vietnam-telecommunication-draft-decree-significant-proposed-amendments/
VIETNAM
Since December 2025, entry into force in July 2026
Pillar Intermediary liability |
Indicator Monitoring requirement
Law on Cybersecurity No. 116/2025/QH15 (Luật số 116/2025/QH15 của Quốc hội: Luật An ninh mạng)
Art. 14 of the Law on Cybersecurity provides that administrators of information systems, defined in Art. 2.8 as agencies, organisations, or individuals with direct management authority over an information system, together with domestic and foreign enterprises offering services on telecommunications networks, the Internet, and value added services in cyberspace, are required to implement managerial and technical measures to prevent, detect, block, and remove information containing the forms of content specified in Art. 13, whether on systems under their control or upon the request of specialised cybersecurity protection authorities; such content includes material propagandising against the State, inciting unrest, undermining security, or disrupting public order, as well as content that seeks to sabotage policies on national unity and socio economic development, or that infringes upon the lawful rights and interests of organisations and individuals.
Coverage Horizontal
VIETNAM
Since November 2024, entry into force in December 2024
Since July 2013, until December 2024
Since July 2013, until December 2024
Pillar Cross-border data policies |
Indicator Infrastructure requirement
Decree No. 147/2024/ND-CP on the management, provision and use of internet services and online information (Nghị định số 147/2024/NĐ-CP của Chính phủ: Quản lý, cung cấp, sử dụng dịch vụ internet và thông tin trên mạng)
Decree No. 72/2013/ND-CP: Management, Provision and Use of Internet Services and Online Information (Nghị định số 72/2013/NĐ-CP của Chính phủ: Quản lý, cung cấp, sử dụng dịch vụ Internet và thông tin trên mạng)
Decree No. 72/2013/ND-CP: Management, Provision and Use of Internet Services and Online Information (Nghị định số 72/2013/NĐ-CP của Chính phủ: Quản lý, cung cấp, sử dụng dịch vụ Internet và thông tin trên mạng)
Art. 27 of Decree No. 147/2024/ND-CP mandates that general electronic information websites and social networking platforms must store user data on servers utilising Internet Protocol (IP) addresses located within the territory of Vietnam. In addition, it requires the presence of at least one server situated in Vietnam for the purposes of inspection and data provision. Art. 3 defines a general information website as an electronic information website of an agency, organisation, or enterprise that provides general information.
Decree No. 147/2024/ND-CP supersedes Decree No. 72/2013/ND-CP, which, in Arts. 24, 25, 28, and 34, previously imposed similar requirements on providers of websites, social networks, mobile network-based information services, and online gaming services, respectively, stipulating that they maintain at least one server within the country.
Decree No. 147/2024/ND-CP supersedes Decree No. 72/2013/ND-CP, which, in Arts. 24, 25, 28, and 34, previously imposed similar requirements on providers of websites, social networks, mobile network-based information services, and online gaming services, respectively, stipulating that they maintain at least one server within the country.
Coverage General electronic information websites and social networking platforms
Sources
- https://web.archive.org/web/20250411012816/https://thuvienphapluat.vn/van-ban/Cong-nghe-thong-tin/Nghi-dinh-147-2024-ND-CP-quan-ly-cung-cap-su-dung-dich-vu-Internet-thong-tin-tren-mang-480755.aspx
- https://web.archive.org/web/20250411011448/https://thuvienphapluat.vn/van-ban/Cong-nghe-thong-tin/Nghi-dinh-72-2013-ND-CP-quan-ly-cung-cap-su-dung-dich-vu-Internet-va-thong-tin-tren-mang-201110.aspx
- https://web.archive.org/web/20250411013141/https://digitalpolicyalert.org/event/24801-implemented-decree-1472024nd-cp-on-the-management-provision-and-use-of-internet-services-and-online-information-in...
- Show more...
VIETNAM
Since June 2025, entry into force in January 2026
Since April 2023, entry into force in July 2023, until January 2026
Since April 2023, entry into force in July 2023, until January 2026
Pillar Cross-border data policies |
Indicator Conditional flow regime
Law No. 91/2025/QH15 on Personal Data Protection (Luật số 91/2025/QH15 của Quốc hội: Luật Bảo vệ dữ liệu cá nhân)
Decree No. 13/2023/ND-CP of the Government on Personal Data Protection (Nghị định số 13/2023/NĐ-CP của Chính phủ: Bảo vệ dữ liệu cá nhân)
Decree No. 13/2023/ND-CP of the Government on Personal Data Protection (Nghị định số 13/2023/NĐ-CP của Chính phủ: Bảo vệ dữ liệu cá nhân)
Art. 20 of the Law on Personal Data Protection stipulates that agencies, organisations and individuals engaging in specified forms of cross‑border personal data transfer must prepare an impact assessment dossier and submit one original copy to the authority responsible for personal data protection within 60 days of the initial transfer. These activities include transferring personal data stored in Vietnam to data systems located abroad, transferring personal data from Vietnam to foreign organisations or individuals, and processing personal data collected in Vietnam through platforms located outside the territory of Vietnam. Such an impact assessment is required to be conducted only once and remains valid for the entire duration of the operations of the relevant entity. The competent authority may decide to request the suspension of cross‑border personal data transfers where it determines that the use of the transferred data may adversely affect national defence or security. However, certain cases are exempt from the requirement to conduct a cross‑border transfer impact assessment, including transfers carried out by competent state authorities, the storage of employees’ personal data by agencies and organisations on cloud computing services, transfers initiated directly by the data subject, and other cases as prescribed by the Government.
Art. 25 of Decree No. 13/2023/ND-CP already contains substantially similar restrictions on cross‑border transfers of personal data. That Decree is scheduled to be repealed in 2026, concurrently with the entry into force of the Law on Personal Data Protection.
Art. 25 of Decree No. 13/2023/ND-CP already contains substantially similar restrictions on cross‑border transfers of personal data. That Decree is scheduled to be repealed in 2026, concurrently with the entry into force of the Law on Personal Data Protection.
Coverage Horizontal
VIETNAM
Since November 2024, entry into force in July 2025
Pillar Cross-border data policies |
Indicator Conditional flow regime
Data Law (Luật Dữ liệu)
Art. 23 of the Data Law provides that the cross-border transfer of core data or important data must be carried out in a manner that ensures national defence, security, and the protection of national interests, public interests, and the rights and legitimate interests of data subjects and data owners, in accordance with the laws of Vietnam and the international treaties to which Vietnam is a party. The cross-border transfer of core data or important data encompasses: (i) the transfer of data stored within the territory of Vietnam to data storage systems located outside Vietnam; (ii) the transfer of data by Vietnamese agencies, organisations, and individuals to foreign agencies, organisations, and individuals; and (iii) the use by Vietnamese agencies, organisations, and individuals of offshore platforms for data processing purposes.
Under the Data Law, important data refers to information the compromise of which may affect national defence, security, foreign relations, macroeconomic stability, social order, public health, or public safety, as specified in the list promulgated by the Prime Minister. Core data constitutes a specific subset of important data that has a direct and immediate impact on these areas.
It is not yet clear which conditions will apply to these transfers.
Under the Data Law, important data refers to information the compromise of which may affect national defence, security, foreign relations, macroeconomic stability, social order, public health, or public safety, as specified in the list promulgated by the Prime Minister. Core data constitutes a specific subset of important data that has a direct and immediate impact on these areas.
It is not yet clear which conditions will apply to these transfers.
Coverage Horizontal
VIETNAM
Signed in March 2018, entry into force in January 2019
Pillar Cross-border data policies |
Indicator Participation in trade agreements committing to open cross-border data flows
Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP)
Vietnam has joined an agreement with binding commitments to open transfers of data across borders: the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP, Art. 14.11). However, the country has been given a period of five years to comply with the requirement.
Coverage Horizontal
VIETNAM
Since June 2025, entry into force in January 2026
Since December 2025, entry into force in January 2026
Since April 2023, entry into force in July 2023, until January 2026
Since December 2025, entry into force in January 2026
Since April 2023, entry into force in July 2023, until January 2026
Pillar Domestic data policies |
Indicator Framework for data protection
Law No. 91/2025/QH15 on Personal Data Protection (Luật số 91/2025/QH15 của Quốc hội: Luật Bảo vệ dữ liệu cá nhân)
Decree No. 356/2025/ND-CP of the Government Elaborating on Certain Articles and Implementation Measures of Law on Personal Data Protection (Nghị định số 356/2025/NĐ-CP của Chính phủ: Quy định chi tiết một số điều và biện pháp thi hành Luật Bảo vệ dữ liệu cá nhân)
Decree No. 13/2023/ND-CP of the Government on Personal Data Protection (Nghị định số 13/2023/NĐ-CP của Chính phủ: Bảo vệ dữ liệu cá nhân)
Decree No. 356/2025/ND-CP of the Government Elaborating on Certain Articles and Implementation Measures of Law on Personal Data Protection (Nghị định số 356/2025/NĐ-CP của Chính phủ: Quy định chi tiết một số điều và biện pháp thi hành Luật Bảo vệ dữ liệu cá nhân)
Decree No. 13/2023/ND-CP of the Government on Personal Data Protection (Nghị định số 13/2023/NĐ-CP của Chính phủ: Bảo vệ dữ liệu cá nhân)
The Law on Personal Data Protection establishes a comprehensive framework for data protection in Vietnam. Decree No. 356/2025/ND-CP was promulgated to provide detailed guidance on the implementation of the Law and formally superseded Decree No. 13/2023/ND-CP on Personal Data Protection. The 2025 legislation thereby elevated the regulatory framework from decree‑level regulation to statutory law.
Coverage Horizontal
Sources
- https://web.archive.org/web/20260122125428/https://datafiles.chinhphu.vn/cpp/files/vbpq/2025/7/91qh.signed.pdf
- https://web.archive.org/web/20260420151430/https://datafiles.chinhphu.vn/cpp/files/vbpq/2026/01/356-nd.signed.pdf
- https://web.archive.org/web/20260115025312/https://datafiles.chinhphu.vn/cpp/files/vbpq/2023/4/13nd.signed.pdf
- https://web.archive.org/web/20260420145352/https://www.dlapiperdataprotection.com/?t=law&c=VN
- Show more...
VIETNAM
Since November 2024, entry into force in December 2024
Pillar Domestic data policies |
Indicator Minimum period for data retention
Decree No. 147/2024/ND-CP on the Management, Provision and Use of Internet Services and Information in Cyberspace (Nghị định số 147/2024/NĐ-CP của Chính phủ: Quản lý, cung cấp, sử dụng dịch vụ internet và thông tin trên mạng)
Art. 23.3.dd of Decree No. 147/2024/ND-CP provides that foreign organisations, enterprises, and individuals engaged in the cross-border provision of information to entities in Vietnam, where such activities involve the use of data storage leasing services within Vietnam or where total regular monthly visits from Vietnam, calculated as an average over six consecutive months, reach 100,000 or more, are subject to specific obligations. These include the requirement to retain information about service users in Vietnam upon account registration, including full name, date of birth, and a Vietnamese telephone number or personal identification number. For users of social networking services who are minors (under 16 years of age), their parents or legal guardians must register the accounts using their own information. Additionally, such entities are obliged to provide user information to the Ministry of Information and Communications, the Ministry of Public Security, and other competent authorities upon receipt of a written request, for the purposes of state management, investigation, and the handling of legal violations concerning the management, provision, and use of Internet services and cyber information.
Coverage Horizontal
Sources
- https://web.archive.org/web/20260510172751/https://datafiles.chinhphu.vn/cpp/files/vbpq/2024/11/147-nd.signed.pdf
- https://web.archive.org/web/20260328221458/https://www.qtsc.com.vn/uploads/files/2024/12/30/147_2024_ND-CP_636187-eng.pdf
- https://web.archive.org/web/20251222121741/https://www.lexology.com/library/detail.aspx?g=9fd61153-5006-4059-b8c7-2186fae1a13b
- Show more...
