Vietnam: Ministry of Public Security closes consultation on draft decree on cybersecurity protection for information systems including cybersecurity authority governance

On 26 March 2026, the Ministry of Public Security closes the consultation on the draft decree on cybersecurity protection for information systems. The decree applies to agencies and organisations involved in building, managing, operating, upgrading, or expanding information systems in Vietnam, including systems used to provide online services. The decree defines terms including information processing, information system operators, specialised cyber security units, and online services, and establishes roles and responsibilities between system managers and operators. It sets out principles requiring cybersecurity to be ensured continuously across the system lifecycle, aligned with technical standards, and implemented in a coordinated and resource-efficient manner with priority given to higher-risk systems. The Decree sets out procedures and requirements for cybersecurity inspection and assessment of information systems. It provides that specialised cyber security protection forces conduct inspections through a defined process, including prior notification, establishment of inspection teams, coordination with system managers, documentation of findings, and communication of results, with the possibility of suspension where necessary for investigations or remediation. It establishes that inspections assess legal compliance, the effectiveness of cyber security measures and incident response plans, and the detection of vulnerabilities, malicious code, and system weaknesses through black box, grey box, and white box testing. The Decree further specifies detailed assessment criteria covering compliance by system managers, specialised units, and operators, as well as evaluation of system design, configuration, operational processes, and security controls, and requires remediation plans to address identified vulnerabilities and deficiencies.