
Vietnam Eased Its Data-Transfer Rules but Kept Localization — the Provision That Costs the Most

Hanoi's revised cybersecurity decree drops cross-border transfer controls yet retains in-country storage mandates that its own trade commitments and economic models counsel against.

[Infographic: "Vietnam's Data-Localization Bargain" (People of Internet Research, peopleofinternet.com). Panels: -1.7% projected GDP loss (ECIPE); -3.1% projected investment drop (ECIPE); -10.8% five-year import decline (ITIF); 12 months localization compliance window.]

Key Takeaways

On April 27, 2026, Vietnam's Ministry of Public Security (MPS) sent the Ministry of Justice a revised draft decree implementing the country's new Law on Cybersecurity (No. 116/2025/QH15), which the National Assembly passed on December 10, 2025 and which takes effect July 1, 2026. The redraft quietly dropped the most internationally contentious provisions — state control over cross-border data transfers and prescriptive technical requirements for data-processing systems — while keeping two others intact: mandatory in-country data storage and a requirement that certain foreign providers establish a local branch or representative office.

The deletions are real liberalization and worth crediting. But Vietnam kept the half of the regime that the economic literature flags as the costliest.

Start with the regulator's strongest case

Vietnam's security interest is not invented. For years, scams, payment fraud, and coordinated disinformation have migrated onto offshore platforms that historically ignored Vietnamese legal requests, leaving investigators without records or a domestic point of contact. The new law answers this with "golden-hour" obligations: service providers must remove flagged content within 24 hours — six hours in urgent cases — and hand over subscriber identity and IP data within 24 hours, or three hours where national security is implicated. A locally accountable legal representative and locally retained records are a coherent enforcement tool, not arbitrary harassment. The decree is also legally compelled: Prime Minister Pham Minh Chinh's Decision 437/QD-TTg, signed March 16, 2026, ordered MPS to issue implementing decrees before the law takes effect.

That is the case to beat. It is strongest on lawful access and weakest on storage location.

Why dropping transfer controls is the right call

The removed provisions were precisely the ones that threatened to turn Vietnam into a data island. Case-by-case state pre-approval of every outbound transfer is the mechanism that strangles cloud computing, digital payments, and the routine back-office flows that connect a modern economy to global supply chains. Stripping them out — along with prescriptive mandates dictating how data-processing systems must be built — signals that MPS heard objections from industry and trading partners. It is genuine, if unheralded, deregulation.

The expensive half it retained

Data localization is the provision the evidence singles out. ECIPE's GTAP modeling found that economy-wide localization requirements would cut Vietnam's GDP by 1.7% and domestic investment by 3.1% — among the steepest losses of any economy it studied. ITIF's 2022 cross-country analysis went further, calling Vietnam's data-restriction regime "the most restrictive" of the five Asian economies it examined and projecting that trade volume would run 9% lower, imports 10.8% lower, and import prices 2.5% higher within five years.

The mechanism is unglamorous. Forcing a mid-size software firm to stand up Vietnamese data centers, or contract local hosting and open a registered office, imposes fixed costs that large incumbents absorb and small entrants cannot. Localization rarely makes data more secure — encryption and access controls do that regardless of where servers sit — but it reliably makes data more expensive and fragments the cloud architectures that deliver scale.

The continuity matters because the burden is not new. Decree 53/2022/ND-CP, effective October 1, 2022, already required covered telecom, internet, and value-added service providers to store user data inside Vietnam and, on a formal MPS request, to complete localization and establish a branch or representative office within 12 months, retaining data for at least 24 months. Decree 53 lapses June 30, 2026 — the day before the new law begins — so this redraft is the instrument carrying localization forward into the next regime.

The digital-trade contradiction

Here lies the tension. Vietnam is courting exactly the data-intensive investment that localization deters. It is a member of the CPTPP, whose digital-trade chapter discourages both data-localization mandates and forced local presence as conditions of doing business. It is actively pitching itself as a destination for hyperscale cloud and semiconductor investment as firms diversify away from China. A storage mandate that the country's own trade commitments advise against, kept largely for the convenience of domestic enforcement, taxes the very foreign investment Hanoi is working to attract.

The proportionate path is already visible

The pro-innovation objection is not "no rules." Steelmanned, the enforcement interest is legitimate — the question is which tool meets it at least cost. Targeted, legally grounded data-access requests, backed by a domestic legal representative, get authorities the evidence and the takedowns they need without forcing every platform to replicate its infrastructure inside the country. That is, in fact, the logic of the decree's own deletions: by removing blanket transfer pre-approval, MPS implicitly accepted that data can flow across borders so long as lawful access on request is preserved. Localization-by-default is the blunt instrument; access-on-request is the scalpel.

Vietnam's redraft moved in the right direction, and the government deserves credit for listening on transfer controls. By keeping localization, however, it preserved the one provision its own economists' models, its trade agreements, and its investment strategy all point against. The Ministry of Justice's review before July 1 is the moment to finish the job — to keep the lawful-access architecture that serves security and retire the storage mandate that mostly serves cost.

Sources & Citations

  1. Law on Cybersecurity No. 116/2025/QH15 (Government Portal)
  2. US trade.gov — Vietnam Cybersecurity Data Localization Requirements (Decree 53/2022)
  3. Bao Chinh Phu — PM Decision 437/QD-TTg implementation plan
  4. MLex — Vietnam retains strict data localization in new draft decree
  5. ITIF — The Cost of Data Localization Policies (Vietnam)
  6. ECIPE — The Costs of Data Localisation