On 1 January 2026, the Implementing Regulations of the Law on Personal Data Protection, including cybersecurity requirements, entered into force. The Implementing Regulations further specify the regulatory requirements established by the framework of the Law on Personal Data Protection. Articles 8 through 12 specify cybersecurity requirements for entities operating in finance, big data, AI, blockchain, and cloud computing. These include encryption, anonymisation, breach notifications, transparency in data use, regular security assessments, and upholding individuals' rights over their personal information. Certain processing activities are subject to specific requirements, such as a notification deadline of 72 hours for breaches of sensitive financial data and a requirement for multi-factor authentication in big data processing activities. In the case of data breaches involving location or biometric data, Article 29 specifies that organisations must notify affected individuals within 72 hours of discovering a breach, detailing the incident and response measures, and also report to the relevant state agency. If direct notification is impossible, they must issue a public announcement and follow up as soon as possible, with failures to notify incurring legal penalties. All breach records must be retained for at least five years from the resolution date.