Cybersecurity Law 2025: New points businesses need to pay special attention to

Cybersecurity Law 2025 (No. 116/2025/QH15) is considered one of the most important laws in the field of technology and data management today.

The law will come into effect on July 1, 2026 and replace:

  • Law on Cybersecurity 2018;
  • Cyberinformation Security Law 2015.

The enactment of the new law is not merely a technical amendment; it reflects a major shift in the state's approach to managing cyberspace, data and digital technology.

1. Merging two legal areas into a unified management framework

The fundamental change in the Cybersecurity Law 2025 is the consolidation of:

  • “Cybersecurity” (protection of national sovereignty and security in cyberspace);
  • “Cyberinformation security” (data protection, prevention of cyber attacks, information leaks).

The goal of consolidation

The development of a unified legislation aims to:

  • Eliminate overlap between previous regulations;
  • clarify the management responsibilities of state agencies;
  • Simplify compliance obligations for businesses.

A significant expansion

The new law includes:

  • 08 chapters;
  • 58 articles

(an increase of 15 compared with the old legal framework), showing that the scope of regulation has been significantly expanded to keep pace with the development of:

  • AI;
  • digital data;
  • online platform;
  • cross-border technology.

2. For the first time clearly define the liability for AI and Deepfake

One of the most notable points of the Cybersecurity Law 2025 is the official introduction of artificial intelligence (AI) into the scope of regulation.

Prohibition on using AI to create unlawful fakes

The law prohibits the act of:

  • Use AI to spoof images;
  • fake videos;
  • fake voice;
  • Create content to deceive users.

This provision provides a legal basis for handling:

  • deepfake;
  • high-tech scam;
  • Manipulating information on digital environments.

Impact on technology and communication enterprises

Companies operating in the field of:

  • AI;
  • communication;
  • marketing;
  • Digital platform

will have to build:

  • content censorship mechanism;
  • information authentication process;
  • AI risk management system.

This is considered an inevitable trend in the context of AI technology that develops quickly and is difficult to control.

3. Strengthening the protection of children and disadvantaged groups in cyberspace

The Cybersecurity Law 2025 establishes, for the first time, a dedicated protection mechanism for:

  • children;
  • elderly people;
  • people with cognitive difficulties.

New obligations of an online service provider

Digital service providers and platforms must:

  • building a content control system;
  • Prevent malicious content;
  • reduce the risk of fraud, manipulation or abuse on the network environment.

This means:

  • The responsibility of the digital platform will be greater;
  • Enterprises cannot just act as a ‘technical intermediary’ as before.

4. Increase investment requirements and responsibility for ensuring network security

Increase the minimum budget

The new law raises the share of funding allocated to cybersecurity:

  • from a minimum of 10%;
  • to a minimum of 15% of the total budget spent on information systems.

This rule applies mainly to:

  • State agencies;
  • important information system management unit;
  • some specific areas.

Responsibilities of the system management unit

The law also imposes stricter requirements for:

  • network security assessment;
  • checking for security vulnerabilities;
  • incident response;
  • coordination with specialized forces.

This shows a shift from “response after incident” to “proactive risk management”.

5. Expanding incentives for the cybersecurity industry

Another notable point is:

  • Investment in construction of cybersecurity industrial infrastructure is classified as a special industry with special investment incentives.

Applicable incentives

Companies that meet the conditions may be entitled to:

  • tax incentives;
  • land incentives;
  • investment support policy.

This is considered an incentive for:

  • Domestic network security technology;
  • technology startup;
  • Developing a strategic technology ecosystem in Vietnam.

6. What should businesses pay attention to?

Cybersecurity Law 2025 will operate in parallel with the Law on Protection of Personal Data

This is a particularly important point.

Enterprises must not only ensure:

  • system security;
  • information security;

but also comply with:

  • regulations on processing of personal data;
  • rights of data subjects;
  • Data storage and sharing mechanism.

If internal processes are not aligned, the business may face:

  • legal risks;
  • administrative sanctions;
  • data dispute.

7. Corporate compliance checklist to be deployed before 01/07/2026

To limit risks when the law takes effect, businesses should prepare proactively and early.

Reviewing the information system

  • inventory of all digital infrastructure;
  • Classification of systems according to network security level.

Update internal regulations

  • privacy policy;
  • regulations on use of equipment;
  • Data and AI regulations.

Personnel training

  • dissemination of prohibited behavior;
  • training on identifying AI risks and cyber scams;
  • Raise awareness of personal data protection.

Review contracts and relationships with partners

  • adding data security clauses;
  • clearly define the responsibility when a network incident occurs;
  • Check the obligation to share and store data.

The Cybersecurity Law 2025 marks a major shift in cyber management policy in Vietnam, with a focus on:

  • Consolidate information security and security management;
  • AI risk control;
  • increase the responsibility of the digital platform;
  • Protect data and users on the network environment.

For businesses, this is no longer an “internal IT” story, but has become an issue of:

  • legal management;
  • risk management;
  • Data management and business operations.

Early preparation before July 1, 2026 will help businesses significantly reduce compliance costs and legal risks in the current digital policy transformation period.