Security Requirements
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 5 January 2024

Yes.

☒         general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

☒         obligation to take specific security measures e.g., encryption

☐         requirement to undertake third party due diligence (security assessment of third party providers)

        other

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 5 January 2024

Yes.

      public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks)

☒      network information security requirements (broader than telecommunications)

      health regulatory requirements

☒      financial services requirements

      telecommunication requirements

      providers of critical infrastructure

      other

If yes, please provide brief details of the relevant law or regulation.

Cyber information security laws stipulate several requirements for the protection of cyber information security for both critical and non-critical information systems. Enterprises providing services in cyberspace in Vietnam are also responsible for implementing different cybersecurity measures, such as alerting on cybersecurity risks, developing an incident response plan, implementing appropriate response measures in light of an actual incident, reporting and cooperation. Banking regulations also prescribe protection measures in relation to information safety and cybersecurity. The Law 2023 on Telecommunications also requires compliance with cybersecurity laws when rendering telecom services. The Law 2023 on Medical Examination and Treatment also makes general reference to the obligation to apply security measures at medical establishments, which can be broadly interpreted to necessitate the adoption of cybersecurity measures to protect patients' health-related information. Information safety and security, which can potentially be infringed by a cybersecurity incident, are also regulated under other areas of law such as consumer protection, e-commerce, information technology, etc.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

      Data privacy
      Securities or public company
      network information security
      health
      financial services
      telecommunications
      critical infrastructure
      other