When Vietnam's National Assembly passed Law No. 60/2024/QH15 — the Law on Data — in late 2024, it positioned Hanoi alongside Beijing in a small but growing club of governments that classify private-sector data into tiered national-security categories. The law took effect on 1 July 2025, and the implementing decrees being finalised through 2025 and into 2026 will determine how heavily it actually bites. For European companies operating under the EU-Vietnam Free Trade Agreement (EVFTA), the answer is already shaping up to be: quite hard.
EuroCham Vietnam and EU member-state embassies in Hanoi have, by their own account, made repeated representations to the Ministry of Public Security and the Ministry of Information and Communications, warning that the draft decrees raise compliance costs, duplicate obligations already covered by Vietnam's 2023 Personal Data Protection Decree, and sit uneasily with the digital trade chapter of the EVFTA. The pushback is not anti-regulation. It is a request for the kind of proportionate, risk-based rulemaking that good data governance requires.
What the Law on Data actually does
The Law on Data is broader than its name suggests. It is not a privacy statute — Vietnam already has the 2023 Personal Data Protection Decree (Decree 13/2023/ND-CP) and a Personal Data Protection Law that began taking effect in stages from 2025. Instead, the new law builds a state-led data classification regime sitting on top of those privacy rules.
Two new categories matter most for foreign firms:
- Core data — data deemed to bear on national defence, security, or 'major national interests'. Transfer abroad is tightly restricted and, in some cases, prohibited outright. Storage on Vietnamese territory is the default.
- Important data — a broader bucket covering sectors the state considers strategic. Cross-border transfer is permitted but conditional on security assessment and, depending on the implementing decree, prior approval.
The structural resemblance to China's Data Security Law (2021) is unmistakable. So is the resemblance to the cross-border transfer mechanisms in China's Personal Information Protection Law. That is the source of European unease: the EU has spent five years negotiating the EVFTA on the premise that Vietnam was moving toward a rules-based, predictable digital economy, not toward Beijing's data-sovereignty template.
The EVFTA collision
The EU-Vietnam Free Trade Agreement, in force since August 2020, is one of the most ambitious deals the EU has ever signed with a developing-country partner. Its provisions on electronic commerce commit both sides to keeping cross-border data flows open and to refraining from data localisation requirements that are unnecessary or disproportionate. Those words — 'unnecessary' and 'disproportionate' — are doing a lot of work, and they are exactly where the disagreement lives.
Vietnamese officials argue the Law on Data is a legitimate national security measure carved out of the EVFTA's general exceptions. European negotiators counter that a regime which can in principle reclassify any commercial dataset as 'important' is not narrowly tailored. EuroCham's 2025 Whitebook flagged data localisation, ambiguous classification criteria, and unpredictable approval timelines as among the most damaging issues for European investment in Vietnam.
The problem is not that Vietnam regulates data. The problem is that the rules are written so broadly that compliance becomes a guessing game.
Why proportionate rules matter for Vietnam itself
Vietnam is not just any APAC market for European firms. It is the EU's largest trading partner in ASEAN by some measures, a key node in the China+1 manufacturing strategy, and a country that has staked its growth model on integration with global supply chains and digital services. Heavy-handed data rules cut against that strategy in three concrete ways.
First, cloud economics. A blanket localisation default forces firms to build or rent Vietnamese infrastructure even for workloads — analytics, fraud detection, customer support tooling — that gain nothing from being on-shore. The cost falls on Vietnamese consumers and Vietnamese SMEs that buy global SaaS.
Second, AI capacity. Training and fine-tuning modern models is a cross-border activity by design. A regime that requires security review for ordinary commercial data transfers will, at the margin, push AI investment toward Singapore, Malaysia, and the Philippines.
Third, FDI signalling. The European Commission has already had to defend the EVFTA against domestic critics who argued the EU gave away too much for too little. If Vietnam is seen to be unwinding the deal's digital commitments through implementing decrees, the political space for future EU trade agreements in the region narrows.
A better path through the decrees
The implementing decrees are still being drafted. There is room for a landing zone that protects genuine national-security interests without breaking the EVFTA's digital trade chapter.
- Narrow the 'important data' definition to sectors with a defensible security nexus — defence contractors, critical infrastructure, certain health and biometric datasets — rather than leaving it open-ended.
- Adopt an EU-style adequacy or whitelist mechanism so transfers to jurisdictions with comparable protections (the EU itself, the UK, Japan, South Korea) move through a lighter-touch channel.
- Publish clear timelines for security assessments. Indefinite review is, in practice, prohibition.
- Coordinate with the existing Personal Data Protection Law so firms are not subject to two overlapping cross-border transfer regimes administered by different ministries.
These are not anti-sovereignty asks. China itself has been quietly walking back the strictest readings of its Data Security Law for foreign firms operating in Free Trade Zones, precisely because the costs of overbroad rules became visible. Vietnam can learn from that arc without having to repeat it.
The bigger pattern
Vietnam's Law on Data is part of an APAC pattern — Indonesia's PDP Law, India's DPDP Act and its localisation carve-outs for payments data, Thailand's PDPA — in which the region is writing its own digital rulebook rather than importing GDPR wholesale. That is healthy. Regulatory diversity is how good ideas get tested. But diversity is different from fragmentation, and fragmentation is what European businesses face when each market layers a bespoke classification regime onto already-complex privacy rules.
The EU's job over the next six months is to use the EVFTA's joint committees and dispute mechanisms as designed: not to challenge Vietnam's right to regulate, but to insist that the implementing decrees match the proportionality both sides signed up to. Hanoi's job is to write decrees that protect what genuinely needs protecting and leave the rest of the digital economy alone. Done well, the Law on Data can be a credible national-security instrument and a livable framework for European investors. Done badly, it becomes the first serious test of whether the EU's trade deals in Asia can deliver on their digital promises.