Decree No. 58/2016/ND-CP, issued in July 2016, regulates the sale and provision of civil encryption products and services, as well as the export and import of such products. Under this Decree, corporations seeking to export or import civil encryption products must obtain an export and import licence.
Annex 1 of the Decree specifies the products and services within its scope, including:
-Biometric encryption products, encryption key management or storage items;
-Cryptographic components of a PKI system;
-Stored data security products;
-Online data security products;
-IP and channel security products;
-Analog and digital voice security products;
-Wireless security products;
-Facsimile and telegraph security products;
-Information protection services utilising civil
encryption products;
-Civil encryption testing and evaluation services;
-Network data security consulting services utilising civil encryption products.
Annex 2 outlines civil encryption products requiring export/import licences, listed under the following HS codes: HS 8443, HS 8471, HS 8473, HS 8517, HS 8523, HS 8525, HS 8526, HS 8529, HS 8542, and HS 854.
The National Agency of Cryptography and Information Security (NACIS) is currently drafting a new decree to amend Decree No. 58/2016/ND-CP, addressing various issues related to cyber information security, including the export and import of civil encryption products.

Law No. 86/2015/QH13 imposes restrictions and conditions on entities engaging in the import, export, and trade of various network information security products with encryption capabilities. It has been reported that applications for import permits are cumbersome and involve licenses, certificates of conformity, product specifications, copies of commercial invoices, and copies of commercial contracts or documentary evidence. In addition, Decree No.108/2016/ND-CP stipulates in detail the conditions for trade in network information security products and services related to Law No. 86/2015/Qh13. According to Art. 4.2 of the Decree, the Vietnamese Ministry of Information and Communications (MIC) is assigned to make a list of network information security products to be imported upon license. Upon the Decree, MIC issued Circular No.13/2018/TT-BTTTT. The Circular regulates the list of network information security products to be imported upon licenses and procedures, as well as dossiers for import licensing. The information network security products to be imported upon license include (i) HS847130 (portable digital automatic data processing machines); (ii) HS847141 (automatic data processing machines and units); (iii) HS847149 (digital automatic data processing machines and units).

Decree No. 58/2016/ND-CP dated July 2016 regulates the sale and provision of civil encryption products and services as well as the export or import of civil encryption products. According to the Decree, corporations who want to export and import civil encryption products are requested to apply for the export and import license. Annex 1 of the Decree lists products and services within the scope of the decree, including:
-Biometric encryption products, encryption key management or storage items;
-Cryptographic components of a PKI system;
-Stored data security products;
-Online data security products;
-IP and channel security products;
-Analog and digital voice security products;
-Wireless security products;
-Facsimile and telegraph security products;
-Information protection services utilising civil
encryption products;
-Civil encryption testing and evaluation services;
-Network data security consulting services utilising civil encryption products.
In addition, Annex 2 of the Decree lists civil encryption products to be exported and imported under license: HS8443, HS 8471, HS8473, HS 8517, HS8523, HS8525, HS8526, HS 8529, HS8542, HS854.
The National Agency of Cryptography and Information Security (NACIS) is currently drafting a new decree to amend Decree No. 58/2016/ND-CP, addressing various issues related to cyber information security, including the export and import of civil encryption products.

Self-certification is allowed in the country for radio transmission, electromagnetic interference (EMI) or electromagnetic compatibility (EMC). Vietnam allows foreign companies to self-certify that they comply with these standards, through a Supplier Declaration of Conformity (SDoC). The National technical regulation QCVN 118:2018/BTTTT requires conformity testing and conformity declaration. The supplier or manufacturer of the equipment declares the equipment meets the technical and administrative requirements. A testing laboratory recognized by the regulator tests the equipment, and the supplier registers this equipment with the regulator. These procedures are based on ISO/IEC 17050, with some modifications and requirements to be in line with the legislation framework of goods and products quality control of Vietnam.

Chapter 2 of the Law on Cybersecurity, which entered into force in January 2019, regulates information systems for national security. Article 10.2 defines important information systems for national security, including:
- Military, security, diplomatic and cypher information systems;
- Information systems that store and process information belonging to state secrets;
- The information system serving the storage and preservation of artefacts and documents of significant value;
- Information systems serving the preservation of materials and substances particularly dangerous to humans and the ecological environment;
- Information systems serving the preservation, manufacturing and management of facilities of other special importance related to national security;
- Important information systems serving operations of central agencies and organisations;
- National information systems in the fields of energy, finance, banking, telecommunications, transportation, natural resources and environment, chemicals, health, culture, and journalism;
- Automatic control and monitoring systems at important works related to national security, an important goal of national security.
According to Arts. 11-13, important information systems need impact assessment, inspection, and control conducted by special forces to protect network security from the Ministry of Public Security, the Ministry of Defence, and the Government Cipher Committee.

Art. 36 of Law No. 86/2015/QH13 states that the responsibilities of users of cryptographic products and services include providing the necessary information on cryptographic keys to the competent state authorities upon request. The Law also introduces licensing requirements for tools that offer encryption as a primary function.

Sections 35 and 60 of Decree No. 52/2013/ND-CP provide that certain E-commerce services need to be licensed by the Ministry of Industry and Trade: E-commerce websites that permit participants to sell and purchase goods according to the method of goods exchange; evaluation and certification of personal data protection policies of traders, organisations and individuals participating in e-commerce activities; and certification of e-contracts.
In addition, Art. 44 states that traders and organisations providing online auction services must register the provision of auction services, and under Art. 52, traders, organisations or individuals may set up sales e-commerce websites if, among other conditions, they have notified the Ministry of Industry and Trade. Also, pursuant to the provisions of Art. 61, one of the conditions for conducting credit rating of e-commerce websites is being a trader or an organisation established under Vietnamese law.

The Ministry of Industry and Trade (MOIT) issued Circular No.59/2015/TT-BCT to regulate the management of e-commerce activities via mobile applications. The circular strictly regulates the operation of e-commerce on mobile applications, which requires registration to MOIT. The circular applies to all Vietnamese individuals and organisations, foreigners who reside in Vietnam, and foreigners and organisations who have a presence in Vietnam through investment, setting up branches, or representative offices.

It is reported that Vietnam prohibits commercial importation of some products, including encryption devices and encryption software. This applies despite Vietnam's agreement in its WTO Accession Protocol to the principle of no restriction or regulation on commercially traded goods equipped with encryption technology.

Art. 19 of Decree No. 72 of 2013, and its extension in Decree 27/2018, regulates that "organisations and individuals that use Internet resources shall provide information and cooperate with competent state management agencies at the latter’s request".

The Law on Cybersecurity stipulates that businesses have to provide users’ data to the Ministry of Public Security upon receipt of requests in writing in cases where any infringement of the cybersecurity law is being investigated (Art. 26).

Art. 17.1.c of the Law on Cyber Information Security No. 86/2015/QH13 requires technology companies to share user data at the request of competent state agencies. It also mandates that authorities be given decryption keys on request, and it introduces licensing requirements for tools that offer encryption as a primary function. There is no mention of a requirement for a court order.

Decree No. 17/2023/ND-CP establishes a safe harbour regime for intermediaries for copyright infringements. According to the Decree, to benefit from this safe harbour, Internet Service Providers (ISPs) must act promptly to remove or block content upon acquiring "knowledge" of copyright infringement. While Decree No. 17 does not define "knowledge," it considers takedown notices from authorities or rights holders as evidence of ISPs' "knowledge" without specifying whether such notices must be substantiated (Arts. 113.3 and 114.5).
Additionally, Decree No. 17 outlines the required information and documents for takedown notices and counter-responses, indicating that ISPs must take appropriate action—such as removal, blocking, or restoration—upon receipt of the complete set of required information and documents (Art. 111.4).

A basic legal framework on intermediary liability beyond copyright infringement is absent in Vietnam's law and jurisprudence.

According to Art. 26 of Vietnam's Law on Cybersecurity, owners or organisations in charge of websites must authenticate information when a user registers a digital account, ensure confidentiality of user information and accounts, provide user information to the task force in charge of network security protection under the Ministry of Public Security upon written request to serve the investigation and handling of violations of the law on network security.