Vietnam: Ministry of Public Security opened consultation on draft decree on cybersecurity protection for information systems including design requirements

On 16 March 2026, the Ministry of Public Security opened a consultation on the draft decree on cybersecurity protection for information systems, until 26 March 2026. The Decree applies to agencies and organisations involved in building, managing, operating, upgrading, or expanding information systems in Vietnam, including systems used to provide online services. The decree defines terms including information processing, information system operators, specialised cyber security units, and online services, and establishes roles and responsibilities between system managers and operators. It sets out principles requiring cybersecurity to be ensured continuously across the system lifecycle, aligned with technical standards, and implemented in a coordinated and resource-efficient manner with priority given to higher-risk systems. The Decree requires cybersecurity assurance plans to ensure system availability and minimise the impact of security incidents on the overall system when individual components are compromised. For level 3 and level 4 systems deployed using outsourced data centre or cloud services, it mandates logical separation from other systems, segmentation of network areas with access controls, and logically independent storage partitions. For level 5 systems or systems of national security importance, stricter requirements apply, including physical separation from other systems, physically independent storage partitions and main network equipment, and controlled access between system components. The decree also allows shared cybersecurity solutions for physically isolated systems only, where they are limited to monitoring, detection, warning, or edge protection functions and do not enable access to or control over internal system data or operations.