Pursuant to Art. 37 of Decree No. 147/2024/ND-CP, enterprises are permitted to release online G1 video games provided that they have obtained both a licence to provide such services and a decision authorising their release; G1 games are defined as those involving simultaneous interaction among multiple players through the enterprise’s game server systems. By contrast, enterprises may release online G2, G3, and G4 video games where they possess written confirmation both of their eligibility to provide such services and of their notification of the release, with G2 games involving interaction between players and the enterprise’s game server systems, G3 games involving interaction among multiple players without interaction with such server systems, and G4 games being those downloaded via networks without any interaction either among players or between players and the enterprise’s game server systems. Art. 39 sets out the conditions for the grant of licences to provide online G1 video game services, while Art. 48 prescribes the requirements to be satisfied by enterprises seeking certificates for the provision of online G2, G3, and G4 video game services.

It is reported that Vietnam prohibits the commercial importation of some products, including encryption devices and encryption software.

In November 2013, the Government of Vietnam issued Decree No. 187/2013/ND-CP, implementing the Commercial Law on international trade in goods and the activities of international agents involved in buying, selling, outsourcing, and transiting goods. The Decree outlined products that were either banned from importation or required an import licence, assigning regulatory oversight to specific entities. Annex 1 of the Decree identified goods banned from import, including:
(i) Used electronic products, regulated by the Ministry of Industry and Trade (MOIT);
(ii) Used IT products, regulated by the Ministry of Information and Communications (MIC);
(iii) Specific radio equipment and radio wave-applied devices, also regulated by MIC.
To facilitate the implementation of this Decree, MOIT issued Circular No. 04/2014/TT-BCT in January 2014, which provided additional details and a more specific list of used products prohibited from import. Annexe 1 of the Circular included:
(i) Personal laptops (HS 8471);
(ii) Cellphones (HS 8517);
(iii) Digital cameras (HS 8525);
(iv) Video game consoles and machines (HS 9504).
In May 2018, the Government introduced Decree No. 69/2018/ND-CP, which replaced Decree No. 187/2013/ND-CP and reallocated the list of import licensing requirements to Annex 3. Subsequently, on 15 June 2018, MOIT replaced Circular No. 04/2014/TT-BCT with Circular No. 12/2018/TT-BCT, though the list of banned electronic products remained unchanged.

Art. 25.2.a of the Law on Cybersecurity stipulates that both domestic and foreign enterprises providing services on telecommunications networks, the Internet, and other value‑added services in cyberspace within Vietnam are under an obligation to supply user information to the specialised cybersecurity protection forces under the Ministry of Public Security within 24 hours of receiving a request, which may be made in written form, by email, by telephone, or through any other verified means of communication, for the purposes of verification, investigation, and the handling of cybersecurity law violations; in circumstances involving an emergency that threatens national security or human life, such information must be provided within three hours. The provision does not expressly indicate whether compliance with such requests is contingent upon the prior issuance of a court order, and a broadly comparable requirement was previously set out in Art. 26.2.a of the earlier Law on Cybersecurity.

Art. 17.1.c of the Law on Cyber Information Security No. 86/2015/QH13 requires technology companies to share user data at the request of competent state agencies. It also mandates that authorities be given decryption keys on request, and it introduces licensing requirements for tools that offer encryption as a primary function. There is no mention of a requirement for a court order.

Decree No. 17/2023/ND-CP establishes a safe harbour regime for intermediaries for copyright infringements. According to the Decree, to benefit from this safe harbour, Internet Service Providers (ISPs) must act promptly to remove or block content upon acquiring "knowledge" of copyright infringement. While Decree No. 17 does not define "knowledge," it considers takedown notices from authorities or rights holders as evidence of ISPs' "knowledge" without specifying whether such notices must be substantiated (Arts. 113.3 and 114.5).
Additionally, Decree No. 17 outlines the required information and documents for takedown notices and counter-responses, indicating that ISPs must take appropriate action—such as removal, blocking, or restoration—upon receipt of the complete set of required information and documents (Art. 111.4).

A basic legal framework on intermediary liability beyond copyright infringement is absent in Vietnam's law and jurisprudence.

Art. 25.2.a of the Law on Cybersecurity stipulates that domestic and foreign enterprises providing services on telecommunications networks, the Internet, and value‑added services in cyberspace in Vietnam are required to verify user information at the time of registration of digital accounts. Under Art. 2.19, a “digital account” is defined as information employed for the purposes of authentication, verification, and authorisation in relation to the use of applications and services in cyberspace. A comparable obligation is also provided for in Art. 26.2.a of the previous Law on Cybersecurity.

Art. 23.3.e of Decree No. 147/2024/ND-CP provides that only foreign organisations, enterprises, and individuals engaged in the provision of cross-border information services to entities in Vietnam, either through the leasing of data storage services within Vietnam or by attaining a total of 100,000 or more regular monthly visits from Vietnam, calculated as an average over six consecutive months, are subject to specific obligations, namely that they must verify user accounts using Vietnamese telephone numbers. Foreign providers of social networking services may alternatively verify accounts through personal identification numbers, where users declare, in accordance with the law on electronic identification and authentication, that they do not possess a Vietnamese telephone number. Such providers are further required to verify accounts through personal identification numbers where users employ livestream features for commercial purposes under the same legal framework; and, in all cases, only duly verified accounts are permitted to post content, including articles, comments, and livestream sessions, or otherwise share information on social networking platforms.

According to Art. 7.4 of Circular No. 24, electronic general information websites and social networking platforms licensed to operate in Vietnam are required to employ at least one ".vn" domain name and to store data on servers whose IP addresses are located within the territory of Vietnam. Art. 44.1(d) of Decree No. 15/2020/ND-CP stipulates penalties for failure to use the national domain name ".vn" or for failing to store information on a server system with an IP address in Vietnam. This provision applies to licensed electronic newspapers, general electronic information websites, electronic portals, and social networks.

Art. 30 of Decree 163 stipulates that data belonging to state authorities utilising data centre or cloud services must be stored exclusively within the territory of Vietnam. It is reported that this provision implies that a foreign data centre or cloud service provider seeking to contract with a state agency would be required to establish facilities within Vietnam.

Art. 27 of Decree No. 147/2024/ND-CP mandates that general electronic information websites and social networking platforms must store user data on servers utilising Internet Protocol (IP) addresses located within the territory of Vietnam. In addition, it requires the presence of at least one server situated in Vietnam for the purposes of inspection and data provision. Art. 3 defines a general information website as an electronic information website of an agency, organisation, or enterprise that provides general information.
Decree No. 147/2024/ND-CP supersedes Decree No. 72/2013/ND-CP, which, in Arts. 24, 25, 28, and 34, previously imposed similar requirements on providers of websites, social networks, mobile network-based information services, and online gaming services, respectively, stipulating that they maintain at least one server within the country.

Art. 20 of the Law on Personal Data Protection stipulates that agencies, organisations and individuals engaging in specified forms of cross‑border personal data transfer must prepare an impact assessment dossier and submit one original copy to the authority responsible for personal data protection within 60 days of the initial transfer. These activities include transferring personal data stored in Vietnam to data systems located abroad, transferring personal data from Vietnam to foreign organisations or individuals, and processing personal data collected in Vietnam through platforms located outside the territory of Vietnam. Such an impact assessment is required to be conducted only once and remains valid for the entire duration of the operations of the relevant entity. The competent authority may decide to request the suspension of cross‑border personal data transfers where it determines that the use of the transferred data may adversely affect national defence or security. However, certain cases are exempt from the requirement to conduct a cross‑border transfer impact assessment, including transfers carried out by competent state authorities, the storage of employees’ personal data by agencies and organisations on cloud computing services, transfers initiated directly by the data subject, and other cases as prescribed by the Government.
Art. 25 of Decree No. 13/2023/ND-CP already contains substantially similar restrictions on cross‑border transfers of personal data. That Decree is scheduled to be repealed in 2026, concurrently with the entry into force of the Law on Personal Data Protection.

Art. 23 of the Data Law provides that the cross-border transfer of core data or important data must be carried out in a manner that ensures national defence, security, and the protection of national interests, public interests, and the rights and legitimate interests of data subjects and data owners, in accordance with the laws of Vietnam and the international treaties to which Vietnam is a party. The cross-border transfer of core data or important data encompasses: (i) the transfer of data stored within the territory of Vietnam to data storage systems located outside Vietnam; (ii) the transfer of data by Vietnamese agencies, organisations, and individuals to foreign agencies, organisations, and individuals; and (iii) the use by Vietnamese agencies, organisations, and individuals of offshore platforms for data processing purposes.
Under the Data Law, important data refers to information the compromise of which may affect national defence, security, foreign relations, macroeconomic stability, social order, public health, or public safety, as specified in the list promulgated by the Prime Minister. Core data constitutes a specific subset of important data that has a direct and immediate impact on these areas.
It is not yet clear which conditions will apply to these transfers.

Vietnam has joined an agreement with binding commitments to open transfers of data across borders: the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP, Art. 14.11). However, the country has been given a period of five years to comply with the requirement.