Only a limited subset of foreign companies providing services over in Vietnam’s cyberspace are subject to data localisation requirements in Vietnam under the recent Decree 53/2022. However, any foreign company providing services in Vietnam’s cyberspace will need to comply other obligations under the Law on Cybersecurity 2018 and its implementing regulations. These obligations include, among other things, the following:

·         To give warnings of the possibility of a loss of cybersecurity during use of the services in cyberspace provided by such enterprise and to provide guidelines on preventive measures;

·         To formulate plans and solutions to quickly respond to cybersecurity incidents;

·         To immediately deal with any security weaknesses or vulnerabilities, malicious codes, cyberattacks, cyber intrusions/infringements or other security risks;

·         When a cybersecurity incident occurs, to immediately implement appropriate emergency plans and response measures, and at the same time provide a report thereon to the Cybersecurity Task Force of Vietnam;

·         To apply technical solutions and other necessary measures to ensure security during the process of collecting information;

·         To prevent the risk of revelation, damage to or loss of data;

·         In the case of occurrence or possible occurrence of the revelation, damage to or loss of data about user information, to immediately provide response solutions, and at the same time notify the user and report to the CTF;

·         To co-ordinate with and facilitate CTFs to conduct their cybersecurity protective activities.

·         To authenticate information when a user registers a digital account;

·         To maintain confidentiality of information and accounts of users;

·         To provide user information to the CTF when so requested in writing in order to serve investigation of and dealing with breaches of the law on cybersecurity;

·         To prevent the sharing of information and to delete information with the  certain contents on services no later than 24 hours after the time of a request from the CTF or from a competent agency;

·         To save/maintain system logs in order to serve investigation of and dealing with breaches of the law on cybersecurity within a specified period stipulated by the Government;

·         Not to provide or to cease provision of services on telecom networks and on the Internet and other value added services to organizations and individuals who upload in cyberspace information with the violating contents when requested by the CTF or by a competent agency;

·         To control information on their information systems or on services provided by them, in order not to cause harm to or mistreatment of children or infringing children's rights; and

·         To block the sharing of and to delete information the contents of which may cause harm to or mistreat children or infringe their rights.

This post is written by Nguyen Quang Vu with researches assistance by Trinh Phuong Thao and Nguyen Thu Giang.