According to Art. 41 of the Vietnam's Cybersecurity Law, Internet service providers (ISPs), websites and information systems administrators/owners are responsible for:
- Controlling information content transmitted by users, so that such content will not harm or prejudice children or the children’s rights; and
- Preventing the sharing of content and deleting any content that harms or prejudices children or the children’s rights.
In addition, pursuant to Art. 16 of the law, information system administrators/owners, telecoms and Internet service providers are required to closely coordinate with the competent authorities to handle illegal content. The ISPs have 24h to remove content after they receive a notice by the government authorities.

Intermediary liability was formalized in 2013 with Decree 72 on the Management, Provision, Use of Internet Services and Internet Content Online. According to the Decree, intermediaries—including those based overseas— are required to regulate third-party contributors in cooperation with the state, and to “eliminate or prevent information” that opposes the republic, threatens national security and the social order, or defies national traditions, among other broadly worded provisions. The decree holds cybercafé owners responsible if their customers are caught surfing “bad” websites. The regulation process was articulated in Circular 09/2014/TT-BTTTT, issued in 2014, which requires website owners to eliminate “incorrect” content “within three hours” of its detection or receipt of a request from a competent authority in the form of an email, text message, or phone call.

According to Art. 26 of the Vietnam's Law on Cybersecurity (entered into force in January 2019), owners or organizations in charge of websites must: authenticate information when a user registers a digital account; ensure confidentiality of user information and accounts; provide user information to the task force in charge of network security protection under the Ministry of Public Security upon written request to serve the investigation and handling of violations of the law on network security.

According to Art. 3.16 and 25.9 of the Decree No.72/2013/ND-CP and its amendment and extension of Decree No.27/2018/ND-CP, online social network service suppliers are required to ensure that only individuals who have supplied "accurate and complete personal information as required by law", including the government-issued card number, may create blogs or provide information on online social networks.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Vietnam's law and jurisprudence.

Art. 17.1.c of the Law on Cyber Information Security No. 86/2015/QH13 requires technology companies to share user data at the request of competent state agencies. It also mandates that authorities be given decryption keys on request and it introduces licensing requirements for tools that offer encryption as a primary function. There is no mention of a requirement for a court order.

The Joint Circular on the Liabilities of Intermediary Service Suppliers in Protection of Copyrights and Related Rights on the Internet and Telecommunications Network Environment No. 07/2012/TTLT-BTTTT-BVHTTDL establishes a safe harbour regime for intermediaries for copyright infringements. According to the Joint Circular No.7, internet intermediaries are only liable for infringing content in limited circumstances, e.g. when they initiate the posting, transmission or provision of the infringing content over the Internet; modify or copy the content, deliberately circumvent technology measures applied by rights owners or operate as secondary distributors of the infringing content.

Art. 19 of the Decree No. 72 of 2013, and its extension in Decree 27/2018, regulates that "organizations and individuals that use Internet resources shall provide information and cooperate with competent state management agencies at the latter’s request".

The Law on Cybersecurity, which entered into force in January 2019, stipulates that businesses have to provide users’ data to the Ministry of Public Security upon receipt of requests in writing, in cases where any infringement of the cybersecurity law is being investigated (Art. 26).

Decree No. 72 establishes the management of Internet service and online network. In March 2018, Vietnamese government issued Decree No.27/2018/ND-CP to partially amend and enhance Decree 72. Data retention requirements for online networks are listed in Art. 23(c). The regulation requires data on account users, log-in and log-off time, user IP address, and data processing log to be stored for at least two years.

According to Decree No. 72 of 2013, aggregated information websites are required to store the information for at least 90 days from the date it is posted on the website (Article 24). Electronic information page (website) is an information system used to establish one or more information pages presented in the form of symbols, numbers, words, images, sounds and other forms of information in service of provision and use of information on the Internet (Art. 3.21). In March 2018, Vietnamese government issued Decree No. 27/2018/ND-CP to partially amend and enhance Decree No. 72. Requirement on data retention remains at least 90 days from the date it is posted on the website. Also, data processing log is required to be stored for at least two years.

Regulations on data protection are fragmented in many Law and supporting documents in Vietnamese legal system. The most comprehensive legal framework on data protection is the Law on Network Information Security (Law No. 86/2015/QH13 or Law 86), which entered into force in July 2016. The Law 86 only applies to information provided, transferred, collected and processed over telecommunications and computer networks (Art. 3.2). Personal data protection is also regulated in Arts. 16-20 of the Law No. 24/2018/QH14 on Cybersecurity. Other regulations on data protection are to be found in different law, for example Law on Information Technology, Law on E-commerce Transactions, Law on Consumers' Protection, and other Decrees.

Vietnam has joined an agreement with binding commitments to open transfers of data across borders: the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP, Art. 14.11). However, the country has been given a period of five years to comply with the requirement.

Decree No. 72 establishes the management of Internet services and online networks. Arts. 22, 25, 28 and 34 require providers of websites, social networks, information on mobile network and online games, respectively, to have at least one server inside the country "serving the inspection, storage, and provision of information at the request of competent state management agencies". In March 2018, the Vietnamese government issued Decree No. 27/2018/ND-CP to partially amend and enhance Decree No. 72. Requirements on local servers remain.

In February 2020, the Vietnamese government issued Decree No. 15/2020/ND-CP to regulate administrative violations on post-telecommunications, radio frequency, IT and electronic transactions. Art. 44.1(d) of the Decree regulates penalties for not storing information at the server system with IP address in Vietnam for electronic newspapers, general websites or web portal and social networks subject to the license. Art. 95.3 regulates penalties for advertising email and internet message services using servers not located in Vietnam.