What the Law Does
Vietnam's National Assembly passed Law on Cybersecurity No. 116/2025/QH15 on December 10, 2025, and the statute came into operation on July 1, 2026. It consolidates two predecessors—the 2015 Law on Network Information Security (No. 86/2015/QH13) and the 2018 Cybersecurity Law (No. 24/2018/QH14)—into a single unified framework. On its face, consolidation is sensible policy: two overlapping statutes created genuine compliance confusion for companies subject to both simultaneously. Hanoi is right to clean that up.
But the new law does not merely codify what existed. Under Article 25, foreign enterprises providing services on "telecommunications networks, the internet, and value-added cyberspace services" in Vietnam must store user personal data domestically, establish a branch or representative office on Vietnamese soil, and respond to government requests for account information and system logs within 24 hours—or within three hours in cases authorities designate as urgent national security threats.
The 24-hour standard is demanding but not unprecedented in the region. The three-hour window is another matter.
The Three-Hour Problem
For a global platform, a three-hour data handover requirement demands one of two architectures: pre-positioned government access to production systems, or a dedicated local compliance team with always-on capability. Neither is cost-free, and both concentrate operational risk in ways that have little to do with genuine cybersecurity outcomes.
Vietnam has a legitimate case for fast-response cooperation. The country faces real cyberattack exposure from state and non-state actors across Southeast Asia's contested digital borders, and governments everywhere argue that real-time cooperation is essential during active security incidents. Emergency data-disclosure frameworks on compressed timelines exist in democratic jurisdictions too, and that argument deserves honest engagement rather than dismissal.
What it does not justify is the discretion the law leaves undefined. The Ministry of Public Security retains unilateral authority to designate "urgent cases involving national security" without statutory criteria. The same ministry that issues urgent data requests also governs content removal: Article 25(2)(b) requires platforms to remove government-designated prohibited content within 24 hours, or six hours in urgent cases. Analysis from Allen & Gledhill notes the law restricts "information opposing the State" and "false information"—categories Vietnamese enforcement has historically applied to political speech rather than demonstrable harm. The three-hour window, in that context, is not an emergency mechanism. It is infrastructure for accelerated surveillance.
Who Is Covered
The law explicitly captures ten service categories: social networks, messaging and voice/video communications, online gaming, e-commerce, online payments, telecommunications, data storage, domain name services, transportation platforms, and internet search. That list encompasses every significant US platform operating in Vietnam—Meta (Facebook, Instagram, WhatsApp), Google (YouTube, Search, Maps), Apple (App Store, iCloud), and effectively any US-based platform serving Vietnamese users at scale.
Vietnam's market size makes exit economically irrational. DataReportal's 2026 report counts 85.6 million internet users in Vietnam—a penetration rate of 84.2%. The country's digital economy reached approximately $39 billion in gross merchandise value in 2025, growing at roughly 19% annually, the fastest trajectory in ASEAN. Compliance under duress is the rational platform calculus. That is precisely the leverage the law is designed to create.
The Infrastructure Bind
The domestic data storage mandate cannot be solved by a server-room addition alone. Global cloud architectures—where sharding, encryption key management, and CDN routing are optimized at network scale—cannot segment Vietnamese user data without fragmenting pipelines and incurring performance costs. Compliance requires building or contracting Vietnamese data center capacity, restructuring global data routing, and potentially renegotiating cloud agreements across the Asia-Pacific stack.
ITIF's March 2025 analysis of Vietnam's predecessor Decree 53/2022 documented the structural disadvantages these requirements impose on US platforms: duplicated infrastructure investment, multi-jurisdictional compliance overhead, and the competitive advantage they grant regional competitors with simpler cross-border data obligations. The new law builds on that decree's 24-month minimum data retention requirement and extends its local presence obligations into a statute with explicit enforcement authority.
The local office requirement adds a second layer of friction. A Vietnamese branch office triggers corporate registration, local employment law obligations, and potential personal liability for in-country staff in content moderation disputes. These are manageable obstacles for Meta or Google. They are meaningful deterrents for mid-size US platforms considering first entry into the market.
The US Trade Contradiction
The law's July 1, 2026 effective date arrives at a diplomatically awkward moment. In October 2025, USTR announced a bilateral trade framework with Vietnam in which Hanoi "affirmed that it does not require licenses for cross-border data transfers out of Vietnam." That commitment sits in visible tension with the unified cybersecurity law: platforms may transfer data out without a license, but must first maintain a local copy. The Computer & Communications Industry Association flagged Vietnam's data localization provisions in its 2026 USTR National Trade Estimate submission as a structural digital trade barrier.
Vietnam has shown it will enforce its demands. The May 2025 blockade of Telegram—for refusing data access requests—was an unambiguous market signal. Whether implementing regulations will narrow the law's scope for US platforms remains open, but Hanoi's track record offers little basis for optimism.
What Proportionate Regulation Would Look Like
A cybersecurity framework genuinely focused on security outcomes—rather than data sovereignty or surveillance infrastructure—would achieve most of Vietnam's stated objectives without local storage mandates or three-hour access clocks. Breach disclosure requirements, vulnerability reporting frameworks, interoperability with regional CERT networks, and mutual legal assistance treaty channels for cross-border law enforcement data requests deliver real operational cooperation. Singapore's Cybersecurity Act of 2018 and its 2023 amendments demonstrate that a high-security posture and cross-border data flows are compatible policy goals, not a binary choice.
The precedent Vietnam is setting will be watched across APAC. When a country of 85 million internet users insists that security requires servers, offices, and three-hour access windows—and enforces that position by blocking major platforms—it provides a template for governments with less democratic governance and equally elastic definitions of national security. That is the real regulatory export risk embedded in Law 116/2025/QH15.