Viet Nam stands as the fastest-growing digital economy in Southeast Asia, maintaining this position from 2022 through 2023, with projections to lead until 2025. The country's digital transformation is marked by significant mobile internet penetration, with smartphone users expected to reach 67.3 million by 2026, representing 96.9% of internet users.

The Government of Viet Nam remains committed to advancing its Digital Economy. Through its National Digital Transformation Program, Viet Nam has established comprehensive digital development goals for 2025, with a long-term vision extending to 2030. The program focuses on four pillars: the IT industry, industrial digitisation, digital administration, and digital data.

But what do Viet Nam’s digital policies stand for? Our Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Viet Nam-specific points of emphasis.

• Data governance: Viet Nam is deliberating on bills to regulate the processing of personal and non-personal data, and has implemented cybersecurity rules focusing on critical infrastructure.

• Content moderation: Viet Nam adopted rules to address illegal content online and implemented the Consumer Law, which establishes transparency requirements for digital platforms regarding content moderation and targeting algorithms.

• Competition policy: Viet Nam issued guidelines for assessing anti-competitive agreements and mergers. 

• Artificial intelligence: Viet Nam is deliberating legislation that would prohibit deceptive AI practices, establish risk-based categories for AI systems, require machine-readable labels for AI-generated products, and implement controlled testing mechanisms.

• Viet Nam’s points of emphasis include licensing and registration requirements and taxation.

Jump directly to the section that interests you most:

Discover the details of Viet Nam's regulatory approach on our dedicated country page.

Remain up-to-date on new and upcoming developments with our free notification service. 

Written by Maria Buza and Luca Scheiwiler. Edited by Tommaso Giardini.

The Decree on Protection of Personal Data (PDPD), enacted in July 2023, is Viet Nam's comprehensive data protection framework. It defines "personal data" and "sensitive personal data" and establishes rights to access, correct, and delete personal data, as well as to object to data processing. The processing of personal data must be based on legal grounds such as consent, contractual obligations or public interest. Data controllers and processors must submit an impact assessment and report data breaches within 72 hours. Additionally, data controllers processing sensitive data must also appoint a data protection officer. In May 2024, the Ministry of Justice proposed penalties of up to VND 100 million (approx. USD 3,970) for violations of PDPD.

In September 2024, the Ministry of Public Security (MPS) issued the draft for a new Law on Personal Data Protection. The draft establishes personal data protection rules for additional sectors, including marketing services, behavioural advertising, big data processing, artificial intelligence, cloud computing, labour monitoring and recruitment.

Since July 2024, Viet Nam is considering two draft laws on non-personal data processing. 

• The draft Data Law aims to establish a framework for data activities, including a national data centre. It regulates data intermediary services and the data market, requiring businesses to register and comply with data protection rules. It broadens the definition of data processing and distinguishes between "core data" and "important data," setting distinct rules for their storage, processing, and transfer.

• The draft Law on Digital Technology Industry distinguishes between digital data inputs, which support production and services, and digital data outputs, generated through industrial activities. To promote data accessibility, the draft law requires government agencies to make open data available and establishes the right to data portability.

Cybersecurity is primarily governed by two laws.

• The Law on Cyber Information Security, in effect since July 2016, requires internet service providers to implement measures to manage, detect, and stop the spread of malware as directed by state authorities. Furthermore, enterprises involved in trading cyber information security products and services must obtain a licence, and those importing such products are required to obtain a permit.

• The Law on Cybersecurity, enacted in January 2019, establishes obligations to protect critical information systems related to national security. It mandates the evaluation and assessment of cybersecurity conditions, along with regular inspections and proactive supervision. Decree 53 further clarifies obligations, empowering the cybersecurity task force to ensure compliance and coordinate with relevant authorities. Additionally, the MPS can suspend or terminate the operation of information systems or revoke domain names when they are found to violate national security and cybersecurity laws. In June 2024, the MPS released a draft standard to establish additional obligations for critical information systems that impact national security.

Viet Nam mandates entities providing services over telecommunications networks, the Internet, or cyberspace-related platforms within its borders to store data locally. Decree 53, implemented in October 2022, clarifies data localisation requirements under the Cybersecurity Law and mandates specific service providers—such as telecommunications, e-commerce, online payment, and social media platforms—to retain “captured data” within Viet Nam. This includes personal information, user-generated content, and records of user interactions. Personal data classified as a state secret must also be stored domestically. Foreign entities providing the captured services on a cross-border basis in Viet Nam must comply with data localisation if the MPS issues a formal request. Upon notification, these companies have 12 months to establish data storage in Viet Nam and set up a local branch or representative office. 

Additionally, Decree 72, effective since September 2013, mandates that entities operating general or social networking websites maintain at least one server within the country to enable state authority inspections. A subsequent amendment also requires the use of at least one “.vn” domain and storage data on a server with a local IP address.

Regarding personal data transfers, the PDPD requires data controllers to conduct an overseas data transfer impact assessment. The impact assessment must include contact details, processing objectives, data types, consent proof, and documents on binding responsibilities between the transferor and transferee on the protection of data. The assessment should be submitted to the Department of Cybersecurity and High-Tech Crime Prevention under the MPS within 60 days of initiating the transfer, with the notification required upon completion. The MPS can inspect and prohibit transfers that threaten Viet Nam's national interests or fail to meet impact assessment requirements.

The draft Data Law currently under consideration aims to establish regulations for data transfers. It requires businesses to obtain approval from the Prime Minister for transferring core data and from the MPS for important data transfers. Companies must meet specific conditions before proceeding, including passing a security assessment and signing a contract with the foreign recipient. Core data encompasses information that may directly impact political security, while important data refers to information whose compromise could threaten national security, economic stability, social order, and public health.

The Department of Cybersecurity and High-Tech Crime Prevention, a specialised unit within the MPS, is responsible for enforcing privacy rules and issuing advisory guidelines. Currently, there are no public official sources on enforcement or guidelines.

Viet Nam's Law on Cybersecurity, effective since January 2019, establishes the primary framework for regulating illegal online content. It prohibits online activities that threaten the state, disseminate false information, incite crime, or involve cyberterrorism, espionage, or attacks. Telecommunications and internet service providers are required to detect and remove such content and collaborate with authorities. In October 2022, Decree 53 clarified the procedures for removing illegal content. It empowers the Cybersecurity and High-tech Crime Prevention Department and the Ministry of Information and Communications (MIC) to request the removal of content that threatens national security or public safety.

In addition to these rules, online providers must adhere to further requirements.

• Decree 142 mandates telecommunications and internet providers to manage online conflicts by filtering data related to national security threats and complying with official requests from authorities. 

• Decree 72, amended by Decree 27 in April 2018, requires social networks and aggregated information websites to monitor and remove illegal content, including material that could harm national security or undermine national unity. Providers must remove such content within 3 hours of detection. 

In July 2023, the MIC issued a draft decree intended to replace Decree 72. The draft requires social network service providers to actively monitor and remove illegal content within 24 hours of detection or upon the MIC's request. Similarly, app store providers are required to remove illegal applications within the same timeframe. In matters concerning national security, the MIC may demand the immediate removal of illegal content, services, or applications. Furthermore, the draft decree introduces user identification measures and empowers the MIC to block access to illegal content if providers fail to comply.

The Law on Protection of Consumer Rights, implemented in July 2024, establishes specific obligations for large intermediary digital platforms with over 3 million users. Platforms are required to create an advertising archive, evaluate content moderation and targeting algorithms, and ensure compliance regarding fake accounts and artificial intelligence use.

In September 2021, Vietnam implemented Decree 70 to regulate online advertising. The decree requires foreign advertising providers to register with the MIC at least 15 days before starting operations. Additionally, domestic providers collaborating with foreign entities are required to submit regular reports. Service providers must block advertisements that violate the Cybersecurity Law or Intellectual Property Law within 24 hours of receiving a request from the MIC. Furthermore, the MIC maintains a blacklist of non-compliant websites, prohibiting advertising service providers and advertisers from collaborating with these sites.

The MIC enforces online content regulations, with the authority to issue sanctions such as warnings, fines, suspensions, blockings, and deregistrations. Since March 2023, the MIC has intensified its monitoring of online content, establishing the National Cyber Safety Monitoring Center and the Viet Nam Anti-Fake News Center to combat false and malicious information. 

• In October 2023, the MIC stated that TikTok's content moderation policies fail to detect and remove harmful content for children effectively. Additionally, MIC specified that TikTok’s assessment and classification of online material for children is inadequate. The MIC requested TikTok to rectify these violations.

• In April 2024, WPP Communications was fined VND 55 million (approx. USD 2,180) for violating advertising regulations on YouTube. Additionally, FPT Telecom was fined VND 85 million (approx. USD 3,374) for promoting illegal betting websites. 

• In March 2023, MIC stated that between 2021 to December 2022, it examined 141 cases, issued 589 administrative sanctions for violations of electronic information activities, and imposed a total fine of VND 5.9 billion (approx. USD 235,000).

Viet Nam has not enacted specific rules to regulate digital markets and instead applies the Competition Law, which took effect in July 2019. The Competition Law prohibits restrictive agreements, unfair competition practices and mergers that could lead to significant anti-competitive effects.

Decree 35, effective from March 2020, provides a framework for assessing anti-competitive agreements and mergers.

• Anti-competitive agreements are prohibited if they significantly harm competition but are exempt if the combined market share is below 5% in the same market or below 15% across different supply chain stages.

• Mergers must be reported to the Viet Nam Competition Commission (VCC) when the parties have a combined market share of 20% or total assets or turnover exceeding VND 3 billion (approximately USD 119,100) in the previous fiscal year.

• Companies may request an exemption from the VCC for agreements or mergers that could negatively impact competition if they promote technological advancements, enhance international competitiveness, or harmonise trading conditions.

Decree 75 specifies penalties for violations of competition regulations, with maximum fines of up to 10% of total turnover for anti-competitive agreements and abuses of dominant positions, and 5% for violations related to economic concentration. 

The VCC was established in April 2023 and has the power to investigate unfair practices, assess proposed mergers, grant exemptions from prohibited anti-competitive agreements, and handle appeals regarding competition case decisions. Currently, there are no publicly available official sources on the VCC’s enforcement of the Competition Law and its decrees against companies in digital markets.

In July 2024, the Ministry of Information and Communications (MIC) published the draft Law on Digital Technology Industry, which regulates several technology subsectors, including artificial intelligence (AI).

• The draft prohibits AI systems that manipulate behaviour without users' awareness, exploit vulnerabilities, or classify individuals based on sensitive inferences (social scoring). It also bans the use of indiscriminate facial recognition databases and emotional inference practices in workplaces.

• AI systems are classified by their risk level, taking into account their potential impact on health, rights, safety, and critical infrastructure. The MIC will provide rules on determining risk levels, as well as on obligations and mitigation measures.

• AI-generated digital products must be labelled in a machine-readable format to indicate their artificial creation or manipulation based on the MIC’s guidelines.

• The draft also establishes controlled testing mechanisms (sandboxes) for new digital products and services. Entities complying with the specified conditions will be exempt from liability.

In June 2024, the Ministry of Science and Technology issued a guide on the research and development of responsible AI systems. The guide establishes voluntary standards and includes 9 principles that entities should follow: cooperation and innovation promotion, transparency, controllability, safety, security, privacy, respect for human rights and dignity, user support, and accountability. Additionally, the guide includes recommendations for implementing these principles.

In November 2023, Viet Nam amended its Telecommunications Law to broaden its scope to cover digital infrastructure. The law classifies data centres, cloud computing, and over-the-top (OTT) services as distinct categories of telecom services. Entities offering these services do not need a licence but must follow registration and notification procedures, which will be further specified by the government. These obligations will take effect in January 2025. 

In January 2023, the Ministry of Information and Communications implemented Decree 71 which requires over-the-top (OTT) and video-on-demand (VOD) service providers to register and obtain a licence to provide their services. The providers are required to set up a local entity or form a joint venture and comply with laws regarding the classification of the news and films.

Decree 72 of September 2013 and its subsequent amendment from April 2018 require aggregated information websites, social networks, and providers of information content services on mobile telecommunications networks and electronic games to obtain a licence. Since July 2023, the government plans to update Decree 72 to require social networks operating in Viet Nam that meet specific user thresholds to obtain a licence to allow only licensed providers to offer online video streaming and other revenue-generating activities.

In January 2022, Viet Nam implemented tax obligations for foreign e-commerce and digital service providers that operate without permanent establishments. Providers have to register for taxes electronically, file quarterly declarations, and pay taxes based on their revenue. The tax is based on the revenue earned by these suppliers, with different corporate income tax (CIT) and value-added tax (VAT) rates depending on the type of service. VAT rates range from 1% to 5% of total revenue, while CIT rates vary between 0.1% and 10%.