Art. 36 of Law No. 86/2015/QH13 states that the responsibilities of users of cryptographic products and services include providing the necessary information on cryptographic keys to the competent state authorities upon request. The Law also introduces licensing requirements for tools that offer encryption as a primary function.

Sections 35 and 60 of Decree No. 52/2013/ND-CP provide that certain E-commerce services need to be licensed by the Ministry of Industry and Trade: E-commerce websites that permit participants to sell and purchase goods according to the method of goods exchange; evaluation and certification of personal data protection policies of traders, organisations and individuals participating in e-commerce activities; and certification of e-contracts.
In addition, Art. 44 states that traders and organisations providing online auction services must register the provision of auction services, and under Art. 52, traders, organisations or individuals may set up sales e-commerce websites if, among other conditions, they have notified the Ministry of Industry and Trade. Also, pursuant to the provisions of Art. 61, one of the conditions for conducting credit rating of e-commerce websites is being a trader or an organisation established under Vietnamese law.

The Ministry of Industry and Trade (MOIT) issued Circular No.59/2015/TT-BCT to regulate the management of e-commerce activities via mobile applications. The circular strictly regulates the operation of e-commerce on mobile applications, which requires registration to MOIT. The circular applies to all Vietnamese individuals and organisations, foreigners who reside in Vietnam, and foreigners and organisations who have a presence in Vietnam through investment, setting up branches, or representative offices.

Decree No. 72 establishes the management of Internet service and online networks. In March 2018, the Vietnamese government issued Decree No.27/2018/ND-CP to amend and enhance Decree 72 partially. Data retention requirements for online networks are listed in Art. 23(c). The regulation requires data on account users, log-in and log-off time, user IP address, and data processing log to be stored for at least two years.

Vietnam has licensing requirements from the Ministry of Information and Communication (MIC) in place for online social networks, general information websites, mobile telecoms network-based services, and certain online games services under Decree No. 72/2013/ND-CP and its amendment Decree No. 27/2018/ND-CP. These contemplate that companies must be established in Vietnam in order to fulfil the licensing and registration requirements. According to Arts. 22, 25, 28, and 34 of Decree No. 72, providers of websites, social networks, information on the mobile network, and online games, respectively, have to have at least one server inside the country "serving the inspection, storage, and provision of information at the request of competent state management agencies".

Art. 28 of Decree No. 13/2023/ND-CP requires a data controller and/or a data processor to appoint a department to protect personal data and to appoint a DPO if there is sensitive personal data involved. The information of such DPO must be notified to the Cybersecurity Department.

Art. 19 of Decree No. 72 of 2013, and its extension in Decree 27/2018, regulates that "organisations and individuals that use Internet resources shall provide information and cooperate with competent state management agencies at the latter’s request".

The Law on Cybersecurity stipulates that businesses have to provide users’ data to the Ministry of Public Security upon receipt of requests in writing in cases where any infringement of the cybersecurity law is being investigated (Art. 26).

Art. 17.1.c of the Law on Cyber Information Security No. 86/2015/QH13 requires technology companies to share user data at the request of competent state agencies. It also mandates that authorities be given decryption keys on request, and it introduces licensing requirements for tools that offer encryption as a primary function. There is no mention of a requirement for a court order.

Decree No. 17/2023/ND-CP establishes a safe harbour regime for intermediaries for copyright infringements. According to the Decree, to benefit from this safe harbour, Internet Service Providers (ISPs) must act promptly to remove or block content upon acquiring "knowledge" of copyright infringement. While Decree No. 17 does not define "knowledge," it considers takedown notices from authorities or rights holders as evidence of ISPs' "knowledge" without specifying whether such notices must be substantiated (Arts. 113.3 and 114.5).
Additionally, Decree No. 17 outlines the required information and documents for takedown notices and counter-responses, indicating that ISPs must take appropriate action—such as removal, blocking, or restoration—upon receipt of the complete set of required information and documents (Art. 111.4).

A basic legal framework on intermediary liability beyond copyright infringement is absent in Vietnam's law and jurisprudence.

According to Art. 26 of Vietnam's Law on Cybersecurity, owners or organisations in charge of websites must authenticate information when a user registers a digital account, ensure confidentiality of user information and accounts, provide user information to the task force in charge of network security protection under the Ministry of Public Security upon written request to serve the investigation and handling of violations of the law on network security.

According to Art. 3.16 and 25.9 of the Decree No.72/2013/ND-CP and its amendment and extension of Decree No.27/2018/ND-CP, online social network service suppliers are required to ensure that only individuals who have supplied "accurate and complete personal information as required by law", including the government-issued card number, may create blogs or provide information on online social networks.

Pursuant to Art. 15.1 of Decree No. 25/2011/ND-CP, individuals subscribing to telecommunications services are required to provide telecommunication enterprises with specific information. This includes the subscriber's full name, date of birth, and, for Vietnamese citizens, the identity card number, along with the date and place of issuance. For foreign citizens, passport details must be provided.

According to Art. 41 of Vietnam's Cybersecurity Law, Internet service providers (ISPs), websites and information systems administrators/owners are responsible for:
- Controlling information content transmitted by users so that such content will not harm or prejudice children or the children’s rights; and
- Preventing the sharing of content and deleting any content that harms or prejudices children or the children’s rights.
In addition, pursuant to Art. 16, information system administrators/owners, telecoms and Internet service providers are required to coordinate with the competent authorities to handle illegal content closely. The ISPs have 24 hours to remove content after they receive a notice from the government authorities.
It is reported that intermediaries—including those based overseas—to regulate third-party contributors in cooperation with the state, and to “eliminate or prevent information” that opposes the republic, threatens national security and the social order, or defies national traditions, among other broadly worded provisions. The laws hold cybercafé owners responsible if their customers are caught visiting prohibited websites.