On July 1, 2026, Vietnam's Law on Cybersecurity No. 116/2025/QH15 came into force alongside new e-commerce and digital transformation statutes — part of a legislative package comprising 29 laws, two ordinances, and 34 decrees enacted simultaneously. Passed by the National Assembly on December 10, 2025, the statute consolidates two older frameworks — Law No. 86/2015/QH13 on cyber-information security and Law No. 24/2018/QH14 on cybersecurity — into a single unified regime. The consolidation resolves years of overlapping jurisdictional uncertainty. The obligations inside it are another matter.
Three Mandates, One Architecture
The law establishes three interlocking requirements for any provider operating in or accessible from Vietnamese cyberspace. Under Article 25(2)(b), platforms must delete flagged content or remove non-compliant services within 24 hours of a Ministry of Public Security (MPS) request, dropping to six hours in urgent national security cases. Article 25(2)(a) runs in parallel: user data — account names, usage logs, payment records, and IP addresses — must be disclosed to MPS within 24 hours, or three hours in emergencies. Article 25(3) requires foreign enterprises to establish a branch or representative office in Vietnam and store Vietnamese user data locally for a government-prescribed retention period, with implementing details still pending a Decree.
The Government's Case Deserves a Hearing
Vietnam's position is not unreasonable on its face. With 79.8 million internet users, the country faces genuine threats: cross-border fraud networks, documented cybercrime, and disinformation campaigns. A local legal presence gives regulators a meaningful enforcement point when platforms routinely ignore requests — a recurring frustration under the 2018 regime. Data localisation, in theory, limits exposure to foreign intelligence collection. The argument that global platforms cannot operate as jurisdiction-free zones is now mainstream in democratic internet governance debates, not exclusively an authoritarian talking point.
Where Proportionality Breaks Down
The problem is not the objective but the mechanism.
The 24-hour police takedown order contains no judicial checkpoint. MPS can demand content removal on its own authority, without a warrant, without an adversarial hearing, and without notifying the subject of the order. Vietnam used the 2018 predecessor statute systematically to demand removal of political criticism and independent journalism. Law 116/2025/QH15 does not narrow that authority — it consolidates and streamlines it.
The three-hour emergency user data window is structurally incompatible with meaningful due process. Three hours is insufficient for an international platform to authenticate a request, escalate to legal counsel, and assess compatibility with home-country data protection law. The operative result is an instruction to comply first and ask questions later. The law defines "emergency" as threats to national security or human life — a category broad enough to encompass virtually any politically sensitive investigation.
Data localisation compounds rather than addresses the privacy problem. Storing Vietnamese user data inside Vietnam does not protect it from state access — it guarantees access, since local storage falls under domestic law enforcement jurisdiction without requiring the international legal assistance treaties that would otherwise govern cross-border data requests. The EU's GDPR restricts data transfers to protect citizens from weaker foreign legal regimes; Vietnam's localisation mandate removes exactly that friction, ensuring police can compel local copies directly.
The branch office requirement is the enforcement lever that makes the rest credible: a registered local entity carries legal liability and leadership accountability. Non-compliant platforms face market exclusion — a serious consequence in a country of 79.8 million internet users.
Economic Stakes at a Pivotal Moment
The timing matters. The World Bank reclassified Vietnam as an upper-middle-income economy in 2026, with GNI per capita reaching US$4,970. Resolution 10-NQ/TW, adopted in June 2026, explicitly prioritises high-quality FDI in digital sectors including semiconductors and artificial intelligence. Yet Law 116/2025/QH15's compliance architecture creates friction that deters enterprise cloud, SaaS, and platform investment. ITIF has documented that data localisation mandates systematically raise compliance costs by forcing restructuring of global data architectures. Adjacent regulations — including Personal Data Protection Law No. 91/2025/QH15, in force since January 2026 — impose penalties of up to 5% of annual Vietnam revenue for cross-border data transfer violations. For mid-sized technology firms without Vietnamese subsidiaries, the combined obligations shift the risk calculus toward market caution over commitment.
What Proportionate Regulation Requires
Vietnam could meet its legitimate security objectives with substantially less damage to the open internet. Judicial authorisation for takedown orders — even via a fast-track administrative tribunal — would preserve procedural legitimacy without sacrificing response speed. Data retention scoped to active investigations, rather than blanket user storage, would address real law enforcement needs without building a standing surveillance database. A notification safe harbour permitting platforms to inform users before disclosure, where legally permissible, would bring the framework into alignment with international norms.
Law 116/2025/QH15 achieves the consolidation it set out to accomplish. Whether the unified framework becomes cybersecurity infrastructure or censorship infrastructure depends entirely on how MPS exercises the authority it now holds. The historical record under the 2018 law provides little cause for optimism.