On 17 March 2025, the Ministry of Public Security concluded its consultation on a draft Decree implementing the Data Law (No. 2025/QH15). The Data Law, adopted on 30 November 2024, establishes a legal framework for data governance, covering data classification, protection, processing and cross-border transfers. The Decree stipulates the implementation of cybersecurity controls, encompassing risk monitoring, encryption, intrusion detection, and incident response protocols. Organisations that process core or important data are obligated to implement security controls, conduct regular security audits, and maintain incident response plans to mitigate cyber threats. The Ministry of Public Security is responsible for monitoring data breaches, unauthorised access, and cyberattacks, with organisations required to report security incidents. Furthermore, the decree serves to reinforce national security provisions by means of authentication measures for access to critical databases and mandatory encryption for the transmission of sensitive information. Furthermore, the Decree requires organisations to conduct cybersecurity risk assessments, train personnel on security best practices, and maintain detailed logs of all data processing activities to ensure compliance.
Original source