On 26 March 2026, the Ministry of Public Security closes the consultation on the draft decree on cybersecurity protection for information systems. The decree applies to agencies and organisations involved in building, managing, operating, upgrading, or expanding information systems in Vietnam, including systems used to provide online services. The decree defines terms including information processing, information system operators, specialised cybersecurity units, and online services, and establishes the roles and responsibilities of system managers and operators. It sets out principles requiring cybersecurity to be ensured continuously across the system lifecycle, aligned with technical standards, and implemented in a coordinated and resource-efficient manner with priority given to higher-risk systems. It also outlines criteria for determining system levels based on the type and sensitivity of information processed, system functions, scale, user base, operational dependence, and the potential impact of disruption, supported by mandatory cybersecurity risk assessments. It introduces a framework to classify information systems from level 1 to level 5 based on the type of information processed, the system’s function, the scale of operations, and the potential impact of disruption or compromise. It also requires risk assessments, level proposal dossiers, official appraisal and approval procedures, and cybersecurity protection measures corresponding to each level. In addition, it imposes obligations on information system managers and operators to conduct inspections, monitor risks, report serious incidents, carry out vulnerability scans and penetration tests, and connect certain systems to national or provincial cybersecurity monitoring centres.