1. Introduction
The rapid digital transformation of Viet Nam in recent years has made it one of the most dynamic South-East Asian nations in developing internet, e-commerce, and fintech enterprises.Footnote 1 This digital transformation has been supported by a proliferation of new cyber security and cybercrime laws and policies. Across the various sectors of Vietnamese law, legislative changes have been enacted to seek to regulate the rapid evolution of the digital economy (Nguyen, Reference Nguyen and Kimura2023, pp. 317–9). The overarching objective of such enactments has been to safeguard digital sovereignty and social order (Bui and Lee, Reference Bui and Lee2023, p. 640). In this paper, “data sovereignty” is defined as the state’s exercise of its sovereign authority over digital infrastructure and data within or passing through its jurisdiction, including control of cross-border data flows, localisation, access, and data use where such control aligns with national interests and security (Chander and Sun, Reference Chander and Sun2023, p. 6; Shokri, Reference Shokri2025, pp. 29–30). Viet Nam’s 2018 Law on Cyber Security (“2018 LCS”) marks an early and explicit move towards data sovereignty in the country’s regulation of cyberspace. By defining its goal as protecting “national cyberspace” and extending “cyber security” to national security, social order, and the lawful rights and interests of organisations and individuals online (Art. 6), the law treats Vietnamese cyberspace as a governable extension of state authority rather than a borderless realm beyond control (Chander and Sun, Reference Chander and Sun2023, p.3). Recent legislative enactments to support data sovereignty, and cyber security more generally, include the 2025 Law on Electronic Transactions, the 2025 Law on Data, the 2025 Law on Personal Data Protection, and the 2025 Law on Digital Technology Industry. Of special significance for the present analysis is the Law on Science, Technology and Innovation 2025 and, most recently, the newly adopted 2025 Cyber Security Law (“2025 LCS”) (passed 10 December 2025, effective 1 July 2026), which consolidates the 2015 Law on Cyber Information Security (“LCIS”) and the 2018 LCS into a single unified statute, together with the new Artificial Intelligence (“AI”) Law which will enter into force on 1 March 2026. Such recent legislation builds upon established enactments of the 2015 LCIS, and the 2018 LCS, with supporting decrees such as Decree 53/2022/ND-CP (on elaborating the 2018 LCS) and Decree 13/2023/ND-CP (on personal data protection), and the 2015 Penal Code.
However, despite the volume and the rapid pace of enactment of these new cyber security and cybercrime laws, as well as amendments to existing general-purpose laws, it is far from clear whether they achieve the objectives sought. This is because it is not clear whether these legal instruments, aimed at securing digital economy and social order, have created a regulatory environment that is fragmented, overreaching, and potentially harmful to the very economic and technological progress that they seek to promote. Hence, there may be an intrinsic tension in these laws between the upholding of the rule of law and data sovereignty and the digital environment required to promote the digital economy.
In such a vexed context, the central objective of this paper is to critically analyse the effectiveness of Viet Nam’s complex matrix of cyber security and cybercrime laws. In doing so, the paper will apply a previously developed normative framework for evaluating the “effectiveness” of such law (Do and Selvadurai, Reference Do and Selvadurai2025). This normative model is based on the idea that cyber security and cybercrime law can only be effective if they both protect cyber security and data sovereignty and advance the success of the digital economy. Grounded in the integration of four fundamental theories of criminal law, deterrence theory, retributive justice, restorative justice, and utilitarianism, the model provides four normative criteria for evaluating the effectiveness of cyber security and cybercrime legal frameworks. These criteria are: (a) the clarity of legal definitions and scope of cyber security and cybercrime obligations; (b) the proportionality and consistency of cybercrime penalties; (c) the restorative mechanisms to support commercial resilience; and (d) the balance of legal certainty and flexibility to technological changes. Applying these criteria, the paper analyses the effectiveness of Vietnamese laws, assessing their ability to advance cyber security and respond to the challenges of the digital economy. The challenges to be addressed include potential harm caused by automation and artificial intelligence (AI), ransomware attacks, and legal consequences of cross-border data flows on digital commerce.
The paper begins by considering the extent to which the existing cyber security and cybercrime legislation provide clear definitions and delineations of the obligations of individuals, organisations, and state authorities. This analysis also considers how these rules shape the core elements of data sovereignty used in this paper: cross-border data flows, localisation, access, and data use. Specifically, the paper considers whether differences in legal definitions between legislative enactments, such as between the 2025 LCS and the 2018 LCS, and overlapping regulatory authority, have created an inconsistent framework. Moving beyond substantive laws to their enforcement, the paper considers whether cybercrime penalties are proportional to the nature and severity of the offence, particularly in the context of transnational ransomware attacks and AI-enabled crime. In this regard, the paper considers whether the legal system remains overly punitive, emphasising criminal sanctions but lacking comprehensive mechanisms for victim recovery and support, thereby limiting the resilience of the digital economy. The issue of proportionality in penalties is also explored, considering the appropriateness of the severity of sanctions and the extent to which they adequately reflect the sophistication and cross-border elements of the targeted behaviours. Institutional and enforcement challenges are identified, including the effects of overlapping functions between ministries on investment and the digital economy. Widening the analysis, the paper progresses to consider whether Viet Nam’s present cyber security and cybercrime laws are flexible enough to adapt to new threats from emerging technologies, notably AI and ransomware attacks, while still maintaining legal certainty. This includes whether the framework can recalibrate these data-sovereignty levers without undermining digital economy connectivity. Is there an inherent structural inflexibility, such that the laws are unable to rapidly adapt to new threats such as AI-enabled crime and cross-border ransomware attacks?
The above analysis is structured in four parts. The first part of the paper outlines the historical evolution of Viet Nam’s cyber security legislation, drawing upon the specific context and objectives associated with the construction of a rule-of-law state in Viet Nam and the notion of data sovereignty. This discussion establishes a contextual framework for understanding the formation of Viet Nam’s legal architecture. It also identifies the principal influences on legislative reasoning and context applying to the evolving domain of cyber security and cybercrime law.Footnote 2 The second part of the paper maps the complex matrix of existing relevant laws, outlining the objectives and ambit of operation of such laws. The third part of the paper applies the above-mentioned normative criteria to assess the effectiveness and limitations of Viet Nam’s present cyber security and cybercrime laws. The final part synthesises these findings, explains the underlying causes of the gaps, and presents the recommendations of the paper.Footnote 3
Through this holistic and comprehensive analysis, the paper seeks to progress understanding of the effectiveness of present Vietnamese cyber security and cybercrime law and provide a platform for reform and refinement of such laws so that they can meet the cyber security and cybercrime challenges of the contemporary digital economy. While focused on Viet Nam, it is hoped that the paper will be of interest to scholars and law and policy makers around the world who are involved in a critical enterprise of our time—developing effective cyber security and cybercrime laws and policies that calibrate the need to uphold national sovereignty with the need to advance the digital economy.
2. The enduring tension between data sovereignty and digital economy in the evolution of Viet Nam’s Cyber Security Law
The evolution of Viet Nam’s cyber security framework is not just a development of technical standards but also a reflection of a deep-rooted dialectic between political security and economic modernisation. This tension can be understood through two clear stages: first, the building of a sovereignty-based legal foundation aimed at countering political threats, and second, the ongoing effort to modify this rigid framework to meet the borderless requirements of the digital economy.
2.1. Constructing cyber sovereignty: the “socialist law-based state” in cyberspace
The core of Viet Nam’s cyber security strength is based on the doctrine of “cyber sovereignty,” which acts as a digital extension of the “socialist law-based state” (Nhà nước pháp quyền xã hội chủ nghĩa). Since the early 1990s, the Communist Party of Viet Nam has promoted this idea as both a goal and a framework for governance, marking a gradual shift from “socialist legality,” in which law existed alongside revolutionary morality, Footnote 4 to a formal legal system influenced by selectiveFootnote 5 market-oriented reforms (Bui, Reference Bui2014, p. 79; Pham and Do, Reference Pham, Do, Fu, Gillespie, Nicholson and Partlett2018, p. 105; Gillespie, Reference Gillespie, Gillespie and Nicholson2005, p. 52; Sidel, Reference Sidel, Gillespie and Nicholson2008, p. 19).
In the digital context, this transition is critical because it explains why “data sovereignty” has become a key principle of Vietnamese law. The “socialist law-based state” is constitutionally defined as a state “of the People, by the People, and for the People” (Constitution, 2013, Art. 2), yet it is fundamentally built on the idea that state power is exercised through legal means (Nguyen, Reference Nguyen2022c, p. 58) to guarantee the regime’s collective stability. Therefore, asserting “data sovereignty”—the right of the state to control the data created within its borders—is not just a policy decision but a constitutional obligation to ensure that the “institutional structure” and “supremacy of law” that uphold the rule of law (Hoang, Reference Hoang2002, pp. 50–52) also function in cyberspace. From this perspective, the “rule of law” in Viet Nam does not imply a liberal limitation on state power, but rather the “supremacy of the spirit of law” in managing society (Nguyen, Reference Nguyễn2014, p. 56). This logic states that a law-based internet is one where the state possesses the legal authority to intervene proactively against cyber threats. As former President Tran Dai Quang explained: “National sovereignty in cyberspace is the supreme, absolute, complete, and exclusive right of the State over its cyberspace territory, in accordance with international law” (Tran, Reference Tran2017, p. 67).Footnote 6
It is discussed that the four elements constituting cyber sovereignty and reflecting the nation’s level of development as well as its capacity to master and defend cyberspace comprise law and policy, technological capacity, information content, and the organisational structure and users; these elements interact with and mutually transform one another (Tran, Reference Tran2017, p. 109). Among these, according to the author, the law and policy element is the most decisive factor in achieving balance, harmony, and consistency between security needs and development demands, as well as in protecting sovereignty, the regime, and a peaceful environment, within the context of leveraging the power and benefits derived from the internet (Tran, Reference Tran2017, p. 99). Similarly, in Cyber-sovereignty: The Requirements of the Times and National Obligations, General To Lam’s posits that cyber security is a “national obligation” and a “quantitative value” that must underpin all societal development (To, Reference To2022, pp. 97–8).
Therefore, to prevent creating legal gaps that hostile forces could exploit, it is essential to develop cyber security regulations carefully so they can effectively achieve these strategic goals. The idea of data sovereignty thus acts as the operational mechanism of the socialist law-based state in the digital sphere: it offers the legal foundation for the state to claim jurisdiction over cross-border information flows, turning what might otherwise be arbitrary political control into formal “sovereign” authority.
However, leading scholars warn that a mindset focused on “procedural correctness” (đúng quy trình) rather than the “true spirit of the law” (tinh thần pháp luật) can cause significant gaps between legislative intent and social reality (Nguyen, Reference Nguyễn2014, p. 58; see Tran, Reference Tran2025). In the realm of cyber security, this indicates that although legal frameworks for data sovereignty are strong, their effectiveness may be compromised if they are used only as procedural checklists instead of offering meaningful protections for citizens’ rights. This inadequacy may lead to a serious erosion of the efficacy of any legal document, regardless of the comprehensiveness and rigour involved in its design and drafting. As a result, data sovereignty may be strictly enforced against foreign entities to safeguard the regime yet still fail to provide genuine substantive protection for the individual data rights of Vietnamese citizens (see Tran, Reference Tran2025).
2.2. The digital economy paradox
Beyond the foundation of sovereignty, Viet Nam’s legal framework is defined by its ambitious attempt to align strict state control with the dynamic needs of a modern digital economy. While often framed by external observers as a conflict between openness and control, Viet Nam’s approach is better understood as a deliberate “regulatory rule-of-law” model (pháp quyền điều tiết). In this hybrid structure, the legal system functions not just to limit state power but as an active instrument of governance, designed to both secure the regime and manage digital economic development (Nguyen, 2022, p. 82; see Truong and Dang, Reference Truong and Dang2024). This dual-purpose strategy explains the seeming paradox of Viet Nam’s cyber
security policies. Far from being solely restrictive, the regulatory framework, from the LNIS to the 2018 LCS, was designed to create a multifunctional legal structure. Its aim is to balance two separate goals: (a) safeguarding national security and social order and (b) fostering digital transformation (2018 LCS, Art. 3; Decision 749/QĐ-TTg). By establishing data sovereignty through measures like data localisation and local presence requirements, the government seeks to create a governed digital space where market forces are subject to the same sovereign oversight as the physical economy.
Recent policy statements, such as Resolution 57-NQ/TW (2024), support this approach by designating cyber security as a “pillar of digital transformation,” explicitly viewing strict legal control as a necessary step for, rather than an obstacle to, economic growth. This framing marks a shift in how the state governs: recognising that in the digital era, effective law is one that successfully aligns the technological infrastructure of the internet with the market forces of the digital economy (see Lessig, Reference Lessig2000; Reidenberg, Reference Reidenberg1998, p. 586). As a result, regulations that may seem burdensome to foreign firms are justified at home as essential “regulatory layers” that enable the state to manage risks, safeguard citizens online, and steer the development of the digital economy towards national growth objectives (OECD, 2024, p. 9; Yeung, Reference Yeung2016, p. 119). However, the challenge remains in implementing this model. While the state views these regulations as essential for stability, they create a high-compliance environment that can impede global integration. The enduring tension, therefore, lies in the state’s ongoing effort to calibrate this “regulatory rule-of-law:” ensuring that the tools used to assert sovereignty do not inadvertently stifle the very digital innovation they are intended to govern.
2.3. Data sovereignty: dimensions and an effectiveness lens
It is submitted that data sovereignty is a multi-element concept, not a single outcome. Agreeing with Belli et al. on the analysis of BRICS countries,Footnote 7 it is suggested that data sovereignty does not merely relate to where data sits, but also relates to the capacity to understand how and why data are processed and by whom, to develop data-processing capabilities, and to regulate processing in ways that preserve self-determination and control (Belli et al., Reference Belli, Gaspar and Jaswant2024, p. 9). This capacity has an individual dimension, which may include informational self-determination and effective control over personal data, and also a collective dimension that includes the state’s capability to steer economic, social, and cultural development, including choices about how data is collected, processed, stored, and where it generates value (Belli et al., Reference Belli, Gaspar and Jaswant2024, pp. 7–11). It is often argued that data sovereignty cannot be reduced to the physical location of storage, because data residency rules are typically defended as cyber security and anti-surveillance measures while the deeper regulatory contest concerns who can exercise jurisdictional leverage over access and processing, and who retains structural advantages in information infrastructure and signals-intelligence capacity (Selby, Reference Selby2017, pp. 231–2). In other words, data residency might increase a country’s influence, but it does not guarantee transparency, accountability, or effective control over data processing. These outcomes depend on additional institutional capacities and legal safeguards that govern who can access data, under what procedures, and with what oversight. Belli et al. persuasively show that data sovereignty debates operate across multiple policy logics, including cyber security protection, strategic autonomy, and economic priorities, which often coexist in practice (Belli et al., Reference Belli, Gaspar and Jaswant2024, p. 13). This framing is helpful for Viet Nam, where these logics are simultaneously visible in cyber security regulation and digital-economy strategy, and where claims of necessity for restricting data flows must be assessed against the interplay between security rationales and development objectives—while also questioning whether localisation style measures are being used as a blunt territorial substitute for more tailored governance of data processing, security controls, and accountable state access.
Data sovereignty is increasingly debated as a strand of the broader digital sovereignty discourse. Digital sovereignty has become a globally political buzzword, with diverse actors lending the term, and “connected terms such as … data sovereignty,” their own meanings across different political contexts (Pohle et al., Reference Pohle, Nanni and Santaniello2024, p. 666). This discursive expansion matters for legal analysis because sovereignty talk often promises an “ordered, regulated, and secure digital sphere” that claims to reconcile rights, security, enforceability, and economic competition, yet the concept’s breadth also makes it easy to aggregate distinct policy goals under a single label (Pohle et al., Reference Pohle, Nanni and Santaniello2024, p. 666). Moreover, strengthening sovereignty can mean creating central control points for digital infrastructures and applications, which heightens the need to scrutinise how such powers are structured and held accountable (Pohle et al., Reference Pohle, Nanni and Santaniello2024, p. 668). That accountability concern sits at the heart of the internet-governance literature, which has long treated the question of “who controls the internet” as a political question rather than a purely technical one (Glen, Reference Glen2014). Glen explains that internet governance has historically been shaped by decentralised, mix of technical actors and governments, but that security and policy controversies have pushed states to territorialise cyberspace and reassert authority over key infrastructures (Glen, Reference Glen2014, p. 637). In Viet Nam’s context of rapid and complex digitalisation, these sovereignty terms are not merely slogans. They serve as practical guides for legal-policy design that shape development trajectories with tangible effects on individuals and firms. Because the same measures may be justified as cyber security safeguards, industrial policy, or governance consolidation, the analysis must specify which element of data sovereignty is being pursued and through what legal mechanisms and constraints. Accordingly, this article uses an effectiveness lens focused on four data-sovereignty levers: cross-border data flows, localisation, state access, and data security governance. The analysis aims to ask whether Viet Nam’s laws provide workable rules and institutional pathways for each lever. On this view, legal and policy effectiveness is reflected first in whether these instruments achieve their functional objectives, but it must also be assessed across these distinct elements and the way they are specified and constrained in practice. This approach treats digital infrastructure as a cross-cutting dimension, since many data-governance controls operate through platforms, networks, and storage systems. Finally, it avoids equating sovereignty with insulation as Belli et al. stress, “being sovereign does not mean being isolated,” but retaining awareness, self-determination, and control (Belli et al., Reference Belli, Gaspar and Jaswant2024, p. 14), so effectiveness must be assessed in light of both security rationales and the developmental imperative to remain connected to global digital value chains.
The next section of this article examines the effectiveness of Viet Nam’s cyber security and cybercrime laws within the wider legal data stack, then assesses, lever by lever, whether they provide workable pathways for governing cross-border flows, localisation, access, and data use without undermining digital-economy connectivity.
3. Viet Nam’s existing legal framework for cyber security and cybercrime
3.1. Introducing digital Viet Nam
Viet Nam is at a critical point in its digital development, where massive technological growth meets significant governance and security issues. From its first experimental internet connection in 1991 (Diaz, Reference Diaz2024) to today’s advances in AI, blockchain, Internet of Things (IoT), cloud computing, Viet Nam’s digital transformation has fundamentally changed its economy, society, and government (UNDP, 2025, p. 9). With a population exceeding 101 million and more than 79.8 million internet users in 2025 (Kemp, Reference Kemp2025), the country’s digital penetration now surpasses 78.8%, and 76.2 million social-media accounts (Kemp, Reference Kemp2025) show a highly connected society. Its digital economy is expected to reach USD 45 billion by 2025 and account for more than 12% of the national gross domestic product (GDP) in 2023 (International Trade Administration, 2024).
This impressive digital rise is neither spontaneous nor accidental. It reflects a deliberate, government-led transformation guided by the National Digital Transformation Program (Decision 749/QĐ-TTg 2020), which aims for Viet Nam to become a “prosperous digital nation” (“quốc gia số thịnh vượng”) by 2030. The use of the Digital Transformation Index (DTI) by ministries and provinces shows a strong institutional commitment to measurable progress (Open Development Viet Nam, 2023). The achievement of most socio-economic objectives in recent years further demonstrates the effectiveness of Viet Nam’s government under a performance-based regulatory rule-of-law approach (Le, Reference Le2012, p. 158). Nevertheless, as the digital economy becomes more interconnected in everyday life, cyber security has transformed from a technological problem to a critical matter of sovereignty, stability, and legitimacy (Chatinakrob, Reference Chatinakrob2024, p. 26). This digital connectivity has fostered public discourse, stimulated e-commerce, and sparked innovation, empowering entrepreneurs (OpenGov Asia, 2025). However, this same infrastructure has also facilitated cybercrime, including fraud, gambling, data theft, and AI-driven impersonation, which pose significant threats to social order and financial integrity (Viet Nam News, 2025). It is reported that cybercrime now affects nearly all provinces (VietnamNet Global, 2025) and often involve cross-border syndicates operating from neighbouring countries (UNODC, 2025). These realities highlight the urgent need for a cohesive legal framework that balances innovation with resilience and digital economy governance into a unified system. In essence, the digital Viet Nam, driven by a young, connected population and strong state leadership, now faces the paradox of needing its centralised model to adapt to new global legal challenges. Understanding this context is critical for any analysis of Viet Nam’s evolving legal framework on cybercrime and cyber security, where technological ambition meets the need for rule-of-law consolidation in the digital age.
3.2. An analysis of existing cybercrime and Cyber Security Laws
Viet Nam’s regulation of cyberspace is best read as a layered legal data stack in which cybercrime enforcement and cyber security governance intersect with data, digital transactions, and sectoral rules, together shaping the state’s levers of data sovereignty. On one side, the Criminal Code and Criminal Procedure Code define and prosecute information technology related offences; on the other, the 2025 LCS sets out preventive responsibilities, incident response, and government coordination for safeguarding critical systems. Moreover, the 2023 Telecommunications Law, the 2024 Data Law, and the 2025 Personal Data Protection Law are all examples of related laws that come into play when cases contain personal data, cross-border evidence, or cloud or internet-based service providers. These instruments collectively illustrate a modified, performance-based rule of law that emphasises security and rapid coordination, while progressively formalising procedures and safeguards to conform to due process and international cooperation requirements. The multi-tiered sources of law—from constitutional foundations and sectoral statutes to implementing decrees, circulars, strategies, and international instruments governing cybercrime and cyber security in Viet Nam—can be presented in Table 1.
Viet Nam’s cyber security, cybercrime, and data sovereignty framework (as of December 2025)

Table 1. Long description
The table presents Viet Nam’s cyber security, cybercrime, and data sovereignty framework, structured into several groups and key instruments. It includes columns for Key instruments, Scope/core functions, Notes, and Data sovereignty implications. The table has multiple rows detailing various laws, decrees, and policies. Row 1: 2013 Constitution; Law on National Security 2004, Principles, mandates, and forces for safeguarding national security, including cyberspace, Sets direction for Cyber Security Law, Penal Code, Criminal Procedure Code, Indirect constitutional foundations for sovereignty, privacy and secrecy, and rights limitations prescribed by law for national security purposes (Constitution Arts 1, 14, 21), together with an integration and treaty orientation that shapes the context for cross-border data governance (Arts 12 and 50).Operational levers centre on state access to information and infrastructure control (Law on National Security 2004, Arts 24 and 27). Row 2: Law on Cyber Security 2025 (the consolidation and amendment of Law on Cyber Security 2018 and Law on Cyberinformation Security 2015); Law on Information Technology 2023; Law on E-Transactions 2023 (consolidated 2025);8 Law on E-commerce 2025; Law on Digital Technology Industry 2025; Law on AI 2025, Obligations for cyber security; secure information processing; legal migration to digital transactions, Cyber Security LawImplementing guidelines by Decree 53/2022; Cyberinformation security Law and Decree 85/2016 (system security levels), These laws extend data sovereignty beyond classic cyber security controls. Cyber security and telecommunications rules strengthen infrastructure protection and state-access pathways, e-transactions rules build trusted domestic digital rails, and digital-technology and AI frameworks support strategic autonomy through capability-building and governance of emerging technologies.However, due to the fragmentation between primary laws and the proliferation of implementing decrees and circulars, this framework can increase uncertainty at the boundaries of scope and implementation, which is examined in the later analysis. Row 3: Law on Data 2024; Law on Personal Data Protection Law 2025; Decree 13/2023 (Personal Data Protection); Law on Telecommunications 2023; Lawon Identity 2023, Governs data classification, transfer, storage, protection, telecommunications infrastructure, subscriber and communications secrecy, digital identity, and interconnection of national databases, Cross-cutting duties for digital platforms; cross-border data issues, These laws concentrate Viet Nam’s most direct data sovereignty levers by combining cross-border transfer control, state access pathways, centralised data and identity infrastructure, and baseline rules for data use and protection, though they also deepen the layered and potentially fragmented character of the overall framework. Row 4: Penal Code 2015 (amended 2025); Criminal Procedure Code 2015 (amended 2021), Cybercrime offences; electronic evidence; digital procedural measures, Provides the enforcement and adjudicative layer of Viet Nam’s cyber and data regime.Needs clear guidance on collection, preservation of electronic evidence, These codes are central to the access, enforcement, and deterrence dimensions of data sovereignty. Row 5: Law on Handling of Administrative Violations 2012 (amended 2020); Decree 15/2020 (amended by Decree 14/2022), Administrative penalties for violations in networks/Information technology/e-transactions, Runs in parallel with criminal enforcement and technical obligations, These instruments support compliance with cyber and data-related obligations by imposing fines and corrective measures on data use, security governance, and service control. Row 6: Decree 53/2022 (guiding Cyber Security Law); Decree 72/2013 (amended by 27/2018) (the management, provision, and use of internet services and online information); Decree 85/2016 (system security levels); Decree 25/2014 (the prevention and combat of crimes and other violations involving the use of high technology); Decree 91/2020 (anti-spam messages, spam emails, and spam calls); Decree179/2025 (prescribing support levels for personnel specialised in digital transformation, cyber information security, and cyber security), Detailed rules for cyber security; internet and online content management; security levels for information systems; combating high-tech crime; anti-spam; support for digital transformation and cyber security, Implements technical and market governance for cyber security services, These decrees translate Cyber Security Laws into practical sovereignty tools by strengthening control over online services, system security, cybercrime prevention, spam communications, and cyber capacity-building. Row 7: Circular 20/2017/TT-BTTTT (National incident coordination and response); Circular 31/2017/TT-BTTTT (Security monitoring); Circular 13/2018/TT-BTTTT, Circular 10/2022/TT-BTTTT (import of cyber security products); Circular 03/2017 (classification by information system security level), Technical procedures; Computer Security Incident Response Team (CSIRT) and Security Operations Center (SOC) roles; technical standards, Governing interlinks Authority of Information Security (The former MIC), A05 (MPS), and system owners, Focusing on operational level: incident coordination and response, security monitoring, information system security-level classification, and controls on imported cyber security products. Together, these circulars and technical standards strengthen data sovereignty by enhancing the States practical capacity to secure digital infrastructure and shape data-handling environments. Row 8: Decision 964/Q-TTg (National Cyber Safety and Security Strategy); Resolution 57-NQ/TW 2024 (breakthrough development of science, technology, innovation and national digital transformation with vision to 2045); Decision 749/Q-TTg (2020); Decision 127/Q-TTg (2021); Decision 49/Q-TTg 2021 (issuance of the plan for monitoring the implementation of laws in key and interdisciplinary areas in 2021); Resolution 36-NQ/TW 2014 (Promoting the Application and Development of Information Technology to Meet the Requirements of Sustainable Development and International Integration), National directions on digital transformation, AI, workforce development, protection of critical information systems, Strategic umbrella for legislative revision and budgeting, Focusing on national cyber security, digital transformation, science and technology development, legal implementation, and international integration, these strategies and policies shape the directional logic of data sovereignty by linking cyber security with state capacity, digital infrastructure, and long-term strategic autonomy. Row 9: United Nation Cybercrime Convention 2024 (Hanoi Convention); Association of Southeast Asian Nations (ASEAN) instruments; MLAT, extradition, mutual legal assistance; 19 UN counter-terrorism conventions, Minimum criminalisation, 24/7 cooperation, data preservation, e-MLA, Requires alignment of Criminal Procedure provisions and data protection rules, These instruments add an international cooperation layer to data sovereignty. They require Viet Nam to align its domestic cyber-security and procedural laws with cross-border evidence preservation, mutual legal assistance, extradition, 24/7 cooperation, and regional information-sharing, while still allowing refusal on grounds such as sovereignty, public order, essential interests, and data protection. Row 10: 2018 Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP); 2020 Regional Comprehensive Economic Partnership (RCEP); 2019 ASEAN Agreement on Electronic Commerce; 2019 European UnionViet Nam Free Trade Agreement (EVFTA), Governs aspects of electronic commerce, cross-border digital trade, electronic transactions, personal information protection, cyber security cooperation, and market access conditions for digital business, Provides the external treaty context within which Viet Nam’s cyber security and data laws operate, The CPTPP contains the strongest digital-trade constraints on cross-border transfers, localisation, and source code, subject to exceptions; The RCEP contains similar rules on cross-border transfers and the location of computing facilities, but in a more flexible and less stringent form; The ASEAN Agreement on Electronic Commerce adopts softer regional commitments to facilitate data flows, minimise barriers, avoid localisation requirements, protect personal information, and promote cooperation on cyber security, all subject to domestic law; The EVFTA supports e-commerce, prohibits customs duties on electronic transmissions, and links e-commerce development to international data-protection standards, but it does not replicate the CPTPPs stronger rules on localisation or source code.
3.2.1. The 2015 Law on Cyber Information Security (LCIS) and the 2018 Cyber Security Law (2018 LCS)
The Viet Nam’s LCIS established the first comprehensive framework for protecting data, cryptography, and online communication integrity in the country. The 2018 LCS is the central legal instrument governing the protection of national security and social order in cyberspace (Art. 1). The law has a broad scope, covering: the protection of information systems critical to national security (Arts 10–15); the prevention and combatting of acts that infringe upon cyber security (Arts 16–29); and the management of personal data and the operations of cross-border service providers (Art. 26(3)). It is the foundational legal document establishing national digital sovereignty and creating a strong legal mechanism for the Ministry of Public Security (“MPS”). However, it has been criticised for its overly broad scope and lack of specific technical guidance (Nguyen, Reference Nguyen2022a, p. 195), particularly regarding the definition of acts “infringing upon cyber security” and the handling of cross-border data (Bui and Lee, Reference Bui and Lee2023, pp. 659–60).
Building on long-standing concerns about overlapping statutes, Viet Nam is now operationalising a single, consolidated Cyber Security Law. Legal discourse since the 2018 Cyber Security Law has consistently warned that two parallel instruments cause duplication and uncertainty, calling for a unified statute to streamline regulation, reduce compliance burdens, and improve legal clarity and coordination (see Hai, Reference Hai2018). In practice, the MPS has merged the two laws into a single 2025 statute, which now consists of 8 chapters and 45 articles and will take effect from 1 July 2026. It is described as ensuring that it does not alter the functions and duties of ministries and sectors, does not create new policies, and is consistent with Resolution 18 on streamlining the state apparatus (Government Online, 2025). Notably, the Law does not address technical matters that are subject to frequent change, as these will be provided in a framework form and delegated to the Government for detailed guidance. The version of the Law adopted on 10 December 2025 removes the provisions on “cyber security insurance” and “cyber security certification” contained in the 31 October 2025 draft, yet retains provisions aimed at addressing long-noted gaps by: (a) adding a regime on data-security (an ninh dữ liệu)—Art. 26; (b) imposing a clear duty to identify IP addresses and furnish them to specialised cyber security authorities (định danh địa chỉ IP)—Art. 41(5); and (c) specifying budgeting obligations for cyber security across state agencies, state-owned enterprises, and political organisations, with a minimum allocation of 15% of the total programme implementation budget (kinh phí bảo vệ an ninh mạng)—Art. 38. Taken together, these measures give concrete effect to the unification rationale: streamlining compliance, enhancing regulatory coherence, and aligning the legal architecture with the MPS contemporary cyber security remit.
Despite the establishment of a unified management department within the MPS’s Cyber Security Department (A05), several significant constraints and limitations must be carefully considered when implementing the consolidated 2025 LCS. There are still problems in understanding the boundaries of “cyber security” and “cyber information security” within the law. According to von Solms and van Niekerk, cyber security and information security are not analogous concepts but rather overlapping yet fundamentally distinct domains (see von Solms and van Niekerk, Reference von Solms and van Niekerk2013, p. 97). Yet Art. 25 of the Draft Cyber Security Law 2025 appears to embed irreconcilable tensions between these two concepts, which require closer examination to clarify the legislature’s underlying rationale.
3.2.1.1. The technical feasibility and legal clarity of the Art. 25 the 2025 LCS
Regarding the definition of protected asset, Arts 25(2d) and 25(3), require businesses to store “IP addresses of access, users’ personal data, and other relevant data.” From an information security perspective, data and IP addresses are the key assets that must be protected, due to their inherent the triangle CIA (confidentiality, integrity, availability) properties (von Solms and van Niekerk, Reference von Solms and van Niekerk2013, p. 98). From a cyber security perspective, it is clear that in cyber security, the individual (the user) is the primary asset, not information (von Solms and van Niekerk, Reference von Solms and van Niekerk2013, pp. 99–100). This means that IP address is simply a tool to protect the real assets, namely, people and social order in cyberspace. When a person is attacked online, the harm is not only the loss of information confidentiality, but an attack on the individual themselves (Agrafiotis et al., Reference Agrafiotis, Nurse, Goldsmith, Creese and Upton2018, pp. 2–3). However, Art. 25(2) requires “the provision of user information to the specialized cyber security force… no later than 24 hours” to “serve the investigation and handling of violations of the law on cyber security; In emergency cases posing a threat to national security, human life, the requested information must be provided no later than 03 hours.” The determination of which violations require identification of individuals via IP address is still ambiguous. Moreover, this provision does not clearly differentiate between two scenarios presented in Table 2.
The technical feasibility and legal clarity of Article 25 the 2025 LCS

The legal ambiguities identified above may result from the law’s failure to distinguish the roles IP addresses play across different security contexts. The legislation treats IP addresses as uniform information assets that require blanket protection, overlooking the crucial distinction that IP addresses act as a security tool in cyber security, while only being considered protected assets within organisational information security frameworks. The scope of assets in cyber security extends well beyond organisational data, covering any individual or infrastructure accessible via cyberspace (von Solms and van Niekerk, Reference von Solms and van Niekerk2013, p. 100), making a blanket protection of IP addresses both overly broad and inconsistent.
Regarding the aim of information security and cyber security, the design of Art. 25 reveals a lack of clarity by not clearly differentiating between the two core aims of information security and cyber security. Generally, information security focuses on maintaining business continuity and reducing operational harm (von Solms, Reference von Solms1998, p. 225; Taherdoost, Reference Taherdoost2022, p. 485); thus, processing time requirements, such as the 24-hour limit which may suit goals related to system stability or technical risk management. On the other hand, cyber security has a broader goal: safeguarding individuals, society, and ethical values (non-information-based assets) from malicious acts in cyberspace (von Solms and van Niekerk, Reference von Solms and van Niekerk2013, p. 101). These are of higher urgency because acts such as deepfakes, hate speech, or violations of human dignity can spread and cause harm within the first few hours. However, Art. 25(2)(b) merely sets a fixed deadline: “no later than 24 hours” to remove, prevent, or handle infringing information without clearly defining the type of risk or the nature of the incident targeted. The provision tends to focus more on cyber security violations as a legal measure of regulating online content than on safeguarding business continuity or mitigating operational harm. Moreover, applying a single deadline for both purposes, which have fundamentally different natures and urgency levels, creates a serious imbalance: for ethical breaches or threats to human dignity, 24 hours is too slow; for technical issues related to service availability, it may be appropriate. As a result, Art. 25 becomes a measure that cannot effectively serve either goal: being too sluggish for urgent ethical issues yet inflexible enough to hinder technical operations. It can be concluded that the merger of two separate objectives into one strict deadline exposes flaws in legislative approach and fails to reflect the layered realities of cyber security. The provision of Art. 25 may become ineffective in both cases: unable to protect society from urgent harmful acts or to support businesses in managing operational risks.
Regarding the scope of assets, information security has a finite, clearly defined scope: the information assets belonging to a specific organisation (Whitman and Mattord, Reference Whitman and Mattord2018, p. 175). By contrast, in cyber security, the scope of assets is unlimited and undefined. It can mean “anyone or anything that can be accessed through cyberspace” (von Solms and van Niekerk, Reference von Solms and van Niekerk2013, p. 101). Article 25(3) requires businesses to “implement data protection measures… and store this data in Viet Nam.” However, the law does not clearly specify which user data should be protected. One may question that are there all user’s data, or only data related to national security should be made available copy in Viet Nam? In practice, Decree 147/2024/NĐ-CP (on the management, provision and use of internet services and online information) has already taken effect to govern the storage of user data in Viet Nam. The decree stresses that social networks must store users’ data in Viet Nam and provide access to authorities, as well as verify user identities and quickly remove content that violates Vietnamese law. Art. 25(2)(a) requires service providers to provide “user information” to the specialized cyber security force upon requested, but the provision leaves some uncertainty as to the scope of that term. In particular, it is not clear whether “user information” refers only to basic account-identifying data, or whether it may also include service-use records, payment information, user-generated data, and other related data. Without a clear legal definition, enterprises can easily violate their own privacy policies or other data protection laws and may even conflict with the 2025 LCS’s own principle of protecting individuals’ lawful rights and interests (Art. 4(3)).Footnote 13 This lack of clarity arises as a cyber security issue because the law conflates the scope of assets across the two approaches, even though they are fundamentally different.
Regarding the processing time frame, Art. 25 distinguishes between two critical situations: a normal case within 24-hour response for “investigation and handling of cyber security violations;” and an emergency within 3 hours for cases “threatening national security, human life.” This distinction can create a gatekeeping problem that allows authorities to unilaterally decide which incidents qualify as emergencies. There is no further specific provision to decide what constitutes “threatening human life” or “national security” within the text of the 2025 Law. In fact, “threatening human life” could include: active attacks on medical device networks; ransomware on hospitals blocking treatment; DDoS attacks on emergency services; fraud targeting vulnerable elderly populations; cyberbullying leading to self-harm (Williams and Woodward, Reference Williams and Woodward2015, pp. 307–8; Luxton et al., Reference Luxton, June and Fairall2012, p. S195; John et al., Reference John, Glendenning, Marchant, Montgomery, Stewart, Wood, Lloyd and Hawton2018; Reed, Reference Reed2025). Meanwhile, the definition of national security in Viet Nam is extremely broad and encompasses (a) political regime stability; (b) economic regime stability; (c) territorial integrity; and (d) socialist ideology protection (Art. 3(1) National Security Law 2004). In terms of cyber security threat, the law defines: “a situation in cyberspace where there are indications of a threat to violate national security, or to cause severe damage to social order and safety, as well as the legitimate rights and interests of agencies, organizations, and individuals” (Art. 2(16)). One may argue that such terms “national security” and “social order and safety” remain broadly framed and insufficiently defined, giving wide discretion to executive authorities (Nguyen et al., Reference Nguyen, Bui and Phung2022, pp. 970–5). Such ambiguity could allow authorities to classify nearly any cybercrime as an emergency. However, a fuller understanding of why such provisions are embedded in the Vietnamese laws requires an examination of the underlying rationale advanced by state authorities (Section 3.2.1.2.).
It is evident from the issues identified above that Art. 25 of the 2025 LCS Law fails to meet essential requirements of technical feasibility, legal clarity, and practical predictability in the context of emerging technologies. Conceptually, it blurs the boundaries between the two core concepts of cyber security and information security. It seems to address all types of data and risks under the umbrella of national security. However, there are underlying reasons behind these limitations, which help explain the deliberate design of an information-security provision within a cyber security statute. Beyond the mechanical merger of the LCIS and the 2018 LCS, Art. 25 requires a more comprehensive explanation.
3.2.1.2. Examining the national security rationale (and the dual role of the Ministry of Public Security as drafter and enforcer)
To understand the breadth of Viet Nam’s cyber security provisions, it is essential to situate them within the state’s own national security logic. In Viet Nam, from the socialist state’s perspective, national security also means the survival of the political system, territorial integrity, social stability, and economic sovereignty (Dang and Nguyen, Reference Dang and Nguyen2023, p. 95; Nguyen, Reference Nguyen2011, p. 5). That’s deliberately wider than the classic Westphalian defence against armed attack (Chan, Reference Chan2013, p. 408). It is believed that Viet Nam’s 20th-century history, characterised by colonial struggles, conflicts with major powers (Kwon, Reference Kwon, Hinton and Hinton2014, p. 45), internal divisions, and regional clashes (Phan and To, Reference Phan and To2023, p. 2; Yin and Path, Reference Yin and Path2021, p. 11), fostered a strong belief that existential threats often develop gradually, indirectly, and through non-military means (Nguyen, Reference Nguyen2016, pp. 1–2). This socialist state’s interpretation of “national security” can justify broad clauses in Cyber Security Laws, framing cyberspace as a unique extension of the nation’s territory—the fifth domain of warfare, alongside the four traditional domains: land, sea, air, and space (MOST, 2023a). Therefore, the state tends to perceive ambiguity as necessary to manage latent or non-traditional threats. Contemporary debates on data sovereignty reinforce this logic, as states increasingly claim that control over data flows, user identifiers, and algorithmic infrastructures is essential to protecting national security and maintaining strategic independence from foreign platforms and governments (Santaniello, Reference Santaniello2025, pp. 2–3; Gu, Reference Gu2024, pp. 593–7; Pohle and Santaniello, Reference Pohle and Santaniello2024, pp. 676, 685). In this framing, the obligations on service providers to retain logs and disclose IP addresses (De Busser, Reference De Busser2018, pp. 1254–55) or account details are seen as essential tools for attributing cyberattacks and monitoring anonymous online activity (as argued by Hollis (Reference Hollis2011), states, ISPs, internet companies must develop the “duty to assist” when it comes to facilitate identification and attribution of cyberattacks (Hollis, Reference Hollis2011, pp. 378, 422)). For countries that prioritise the national security above all else, such as Viet Nam, such anonymous activities in cyberspace are viewed as a potential channel for foreign interference or subversion. Yet these justifications intersect with a structural concern: the MSP acts both as the drafter and enforcer of cyber security legislation (Decree No. 02/2025/NĐ-CP on the functions, tasks, powers, and organisational structure of the MPS). This dual role creates institutional incentives to retain vague provisions like Art. 25, which grants MPS unilateral authority to define emergencies, require rapid data access in efforts to counter anonymity employed to undermine the State (see National Assembly of Viet Nam Online, 2025; Hoang et al., Reference Hoang, Nguyen and Do2024). Although framed as expressions of data sovereignty and essential for national survival, these mechanisms mainly serve as investigation-support tools rather than genuine and effective cyber security safeguards. The challenge, therefore, is to distinguish legitimate national security needs from institutional convenience under the name of data sovereignty, cyber sovereignty, or digital sovereignty and the emerging concept of AI sovereignty (Repetto, Reference Repetto2025, p. 1). It is essential to align Viet Nam’s cyber security framework with principles of legal certainty and clarity, proportionality, and rule-of-law governance.
3.2.2. Penal Code 2015 (amended 2025) and its relevant cybercrime provisions
The Penal Code 2015, amended 2025, and subjected to another amendment expected to complete in 2027 (see Tuyet Thu, 2025), specifies cybercrimes across seven dedicated provisions, from Art. 285 to Art. 291 (Section 2. Crimes in the Field of Information Technology and Telecommunications Networks, in Chapter XXI. Crimes Infringing upon Public Safety and Public Order) along with other number of articles related to cyberspace. These provisions focus on handling acts that violate the law using information technology as a means of conduct. Although the Code has internalised many modern cyber threats, the up-to-datedness and foresight of the laws still have many limitations. A full examination and brief remark on selected cybercrime articles are provided in the Table 3.
Cybercrime-related offences under the 2015 Vietnamese Penal Code

It can be observed that the Vietnamese Criminal Code has structurally identified several core categories of conduct. However, its technological adequacy and capacity for foresight remain limited. The current framework is only partially fit for a digital, platform-based economy. Substantively, the offences defined in Arts 286–291 and the property offences (Arts 174, 175) are fundamentally based on device counts, monetary loss, and analogue heuristics, hence creating vulnerabilities for cloud/SaaS, API misuse, DeFi/crypto transactions, ransomware, deepfakes, and bot-facilitated mass deception. The lines between malware distribution, operational interruption, and illegal access (Arts 286, 287, 289) make it hard to decide what to charge someone with. The overlaps with Arts 290, 291 and administrative fines make the law less clear. The framework doesn’t include detailed, technology-specific requirements for integrity, hashing, preservation, and cross-border acquisition of electronic evidence, which makes it harder to attribute and judge cases on a large scale. It is worth noting that whether Art. 290 (on using networks, telecom, electronic means to appropriate property) should be included in the chapter on public-interest offences. Given that the protected interest is proprietary—the victim’s claim to funds—it would make more sense to put it in the chapter on property offences, where mens rea, harm, and proportionality are all more closely related. There are risks of charge-stacking and misclassification, such as crypto transfers, bitcoin theft (Kunzelman, Reference Kunzelman2024), or intrusions into life-support systems that cause death, because of overlaps with Arts 286–289 (malware dissemination, disruption, and unlawful access). The administrative-criminal boundary and duplication with Art. 291 on bank-card data make it hard to predict what will happen. Article 290 doesn’t cover APP scams, pig-butchering, money-mule stacks, and DeFi or bridge-based laundering that obtain consent without “intrusion.” This means that (a) there need to be clearer elements on digital deceit and traceability, (b) there need to be coordination clauses with sectoral duties (banks/platforms: due diligence, notice-and-action, conditional restitution), and (c) there needs to be interpretive guidance to separate system-security harms from network-enabled property appropriation, which will make the criminal law more clear, fair, and easy to enforce.
Regarding the current provisions that govern child sexual exploitation, the scope of the Code is extensive but often unclear, and the lack of explicit online aspects and precise definitions tends to weaken legal transparency and predictability for investigators, courts, platforms, and users. In terms of proportionality and consistency in penalties, sentencing ranges are high and generally aligned with the severity of physical sexual abuse, but there is little tailored differentiation for purely online, non-contact, or lower-harm conduct. Restorative mechanisms are often missing from these criminal law provisions, which tend to focus on punishment and public order rather than victim-centric remedies. Regarding legal certainty and adaptability, the technology-neutral language offers flexibility to address new digital offending methods, but terms like “illegal information”Footnote 18 and “depraved life” (lối sống sa đoạ)Footnote 19 and the absence of online-specific elements lean the balance away from legal certainty, creating the potential for subjective and selective enforcement instead of a clear, predictable framework for cyber-enabled offences.
Simultaneously, this Penal Code should be read alongside Viet Nam’s sectoral child-protection framework, which manages online risks through preventive and regulatory duties that interact with both Cyber Security Law and the digital economy. The Law on Children defines “child exploitation” and “child sexual abuse” in terms that explicitly include using children for prostitution or pornography, providing interpretive guidance that may influence how online sexual exploitation is understood across the broader legal system (Law on Children 2016, Art. 4(7)–(8)). It also mandates that agencies and online service providers implement measures to safeguard children’s safety and privacy on the internet (Law on Children 2016, Art. 54). Decree 56/2017 further operationalises this by requiring providers to utilise tools to protect children’s private information, issue warnings when children supply or alter private information, and remove children’s private data upon request to ensure children’s safety and best interests (Decree 56/2017, Art. 36). In short, sectoral laws such as the Law on Children strengthen preventive online governance, through platform duties, data-handling requirements, and sectoral infrastructure rules, but they leave unresolved key rule-of-law questions about foreseeable legal responsibility in cyberspace, including offence specificity for online conduct, evidentiary standards for electronic data, and proportional differentiation of penalties and remedies.
3.2.3. Law on Electronic Transactions 2025, Circular 50/2024/TT-NHNN on security in banking online services, and Decree 52/2024/ND-CP on non-cash payments
The Law on Electronic Transactions 2025 regulates digital signatures, electronic contracts, and trust services. It establishes a legal framework for digital transactions without intervening in the content of the transactions, thereby promoting digital transformation (Nguyễn, Reference Nguyễn2024a). Article 6 prohibits the misuse of digital technologies to infringe upon national interests, national security, social order, or the lawful rights of individuals and organisations. More specifically, it forbids obstructing or damaging information systems used for electronic transactions; unlawfully collecting, using, or disseminating data; falsifying, altering, deleting, or copying data messages without authorisation; generating data for the purpose of committing unlawful acts; engaging in fraud or unlawfully appropriating electronic transaction accounts, electronic certificates, or electronic signatures; and interfering with users’ freedom to choose their preferred method of transaction. The prohibitions under Art. 6 demonstrate an extremely broad regulatory approach, covering from infringements on national interests and social order to various forms of violations of assets, data, and authentication tools in the digital environment. Substantively, this provision integrates three layers of protection: safeguarding public interests (national security, social order), protecting infrastructure and technical processes (information systems, processes for creating, sending, receiving, and storing data messages), and defending the private rights and interests of transaction parties (data, accounts, certificates, and electronic signatures). In terms of regulatory trends, this reflects the typical structure of new-generation electronic transaction laws: shifting from being sceptical of legal validity of electronic signaturesFootnote 20 to one focused on risk management and abuse prevention, with fraud, account takeover, and data misuse as primary concerns (Omotubora and Basu, Reference Omotubora and Basu2018, p. 281; Wolters and Jacobs, Reference Wolters and Jacobs2019, pp. 39–40).
Its comprehensiveness is further demonstrated by the fact that it addresses not only infringements on existing data but also the act of “creating data messages” to commit unlawful acts. This approach effectively covers new methods of fraud, such as the fabrication of fake data, deepfakes, or automated violations. Finally, the inclusion of an “open-ended clause” regarding acts prohibited under other laws reflects a deliberate design for a prohibition framework capable of “self-updating” and aligning with specialised fields (cyber security, personal data protection), rather than requiring amendments to the Law whenever new techniques or behaviours emerge.
In the banking sector, regulations such as Circular 50/2024/TT-NHNN (security of online banking) and Decree 52/2024/ND-CP (non-cash payments) focus on the security of online services, the management of electronic payment systems, and mechanisms for testing new technologies like Open API. For the digital business sector, Decree 117/2025/ND-CP regulates tax management for activities on e-commerce and digital platforms. Initially, Viet Nam’s technology-finance legal system has established the principle that cyber security equals financial safety (Viet Nam Lawyer E-Magazine, 2025). However, it still lacks interconnectedness and mechanisms for sharing incident information among banks, regulatory agencies, and enterprises. As observed in the recent cyberattack targeting the Credit Information Centre (“CIC”), an agency under the State Bank of Viet Nam, although both the State Bank and financial institutions coordinated their response, the report emphasised that the technology systems of credit institutions operate completely independently (The Communist Party Journal, 2025), and that information sharing and incident reporting remain fragmented, lacking a direct coordination channel. Therefore, there is a need for a specific legal framework for financial cyber security to ensure effective law enforcement in these specialised sectors and to protect the primary structural foundation of the national digital economy (Murrar et al., Reference Murrar, Asfour and Paz2024, p. 335).
3.3. Relevant legal institutions
3.3.1. The Ministry of Justice
The Ministry of Justice (MOJ) primarily performs the state management function regarding law development and enforcement, which encompasses the inspection of legal normative documents, the dissemination of legal education, and the management of judgment execution.Footnote 21 In the domain of cyber security and cybercrime, the Ministry’s authority is focused on developing, managing, and deploying internal network security and information safety monitoring systems. It is also responsible for connecting and sharing information with national systems and maintaining its own specialised Cyber security Department to ensure the cyber security and information safety of the MOJ (Decree No. 39/2025/ND-CP on the functions, tasks, powers, and organisational structure of the MOJ).Footnote 22 However, the MOJ’s role is primarily to provide legal support, its limited authority, confined mainly to coordinating issues, results in a passive role in joint drafting cyber security legislations, and cyber incident response, making it dependent on other institutions. This dependence can potentially delay the legislative process in updating laws to address emerging threats like ransomware attacks and AI-generated crime. Given its potential for legal coordination, the practical fight against cybercrime necessitates a stronger inter-agency mechanism. This is essential to enable the MOJ to strengthen the legislative framework for international cooperation and for incorporating cybercrime-related international commitments into domestic law.
3.3.2. The Ministry of Science and Technology
The Ministry of Science and Technology (“MOST”) is now the unified agency resulting from the merger of the two previous ministries: The former Ministry of Science and Technology and the Ministry of Information and Communications (“MIC”) (Government Office of Viet Nam, Plan 141/KH-BCĐTKNQ18 on orientation for streamlining and restructuring the organisational apparatus of the Government, 6 December 2024). The merged ministry establishes itself as the multisectoral state management authority responsible for science and technology, innovation, and national digital transformation (Government Online, 2024). The Ministry has a supporting role in technology research and application, such as developing AI tools for detecting security vulnerabilities, building early warning systems, or coordinating with the MPS on projects to establish a Vietnamese cyber security industry (see National Agency for Science and Technology Information and Statistics, 2024). The Ministry participates in developing the national strategy for information safety, but only from the technical perspective of science, technology, and innovation. However, the transfer of responsibility for cyber/network information security management to MSP may narrow the practical role of MOST and could contribute to overlapping mandates or coordination challenges (Pham, Reference Pham2025). For example, while MOST may continue to lead research on anti-attack technologies, it relies on the MPS for enforcement. This institutional arrangement may, in some cases, slow timely responses to real-time threats such as sophisticated technological fraud (Braithwaite, Reference Braithwaite2024, p. 178). In a context where cybercrime is causing substantial harm, such constraints could create pockets of under-enforcement, particularly in relation to emerging technologies such as AI, blockchain, and IoT, where MOST has significant technical expertise but may not exercise full jurisdiction.
3.3.3. The Ministry of Public Security
Within the current legal framework, the MPS functions as the strategic lead agency for state management of cyber security (Decree No. 53/2022/ND-CP, Art. 2(9)(a)), while simultaneously being directly responsible for preventing, combating, and prosecuting cybercrime (2018 LCS, Art. 18). This role will be further consolidated and its authority expanded in the 2025 LCS. The MPS is responsible to the Government for executing the state management of cyber security, which encompasses policy development, planning, and security protection schemes (2018 LCS, Art. 36); preventing and combating infringement activities in cyberspace (2018 LCS, Art. 19(4)a); and conducting inspection, examination, and violation handling.Footnote 23 The draft consolidated Cyber Security Law 2025 continues to shape a unified management mechanism by transferring additional responsibilities for network information safety assurance from the former Ministry of Information and Communications to the MPS, thereby centralising the lead agency for national direction and coordination.
Regarding authority over investigation and combating cybercrime, the MPS is described in the policy discussions and legal discourse in Viet Nam as being situated within a comprehensive relationship: under the leadership of the Party and through inter-agency coordination, yet the police force remains the key agency (Tô, Reference To2023). The Cyber Security and High-Tech Crime Prevention Department (A05) serves as the specialised central hub (2018 LCS, Art. 23). Furthermore, guiding documents indicate that A05 issues advisories and coordinates investigations, demonstrating its organisational capacity and specialised intelligence (Decree No. 53/2022/ND-CP, Art. 2(9)(a)). Within the scope of its authority, the MPS deploys numerous professional and operational measures for prevention, including system monitoring, dismantling online gambling rings, transnational fraud and disguised online lending schemes, and the trafficking of personal data (MPS, 2025a).
However, the biggest challenge in the process of investigating and handling cybercrime cases has long been affirmed to stem from the lack of legislative synchronisation and the absence of detailed regulations concerning electronic evidence (Nguyen et al., Reference Nguyen, Bui and Phung2022, p. 240), posing significant difficulties for the police force in the activities of collecting and preserving data. On the other hand, instead of focusing on a mechanism for recovery and providing support for victims or harmed enterprises, the current approach is heavily skewed towards prevention and enforcement. MPS has a very broad package of powers, spanning almost every stage of the policy cycle: from drafting and strategic planning to public communication, implementation, inspection, supervision, and sanctioning. This design places the MPS at the “centre of power” in cyber security governance, blurring the boundaries between policymaking, administrative management, and coercive enforcement. Meanwhile, the constitutional ideals of separation of powers, judicial independence, and checks and balances have long been articulated at the conceptual level (Bui, Reference Bui2012, pp. 425–6), but they remain weakly institutionalised in practice (Le Van Cam, 2010, p. 899; Van Kien, 2020). Such that contemporary concerns about expansive administrative powers in the Cyber Security Law clearly reflect a broader historical pattern of concentrated authority. Almost all issues relating to cyber security have been securitised, and the line between security management and civil matters has become increasingly indistinct.
3.3.4. Coordination mechanisms
Following the administrative restructuring efforts of 2025 (Resolution No. 176/2025/QH15 on the Organisational Structure of the Government for the 15th National Assembly Term, 18 February 2025), the coordination mechanism between the MPS, MOST, and MOJ became critical in maintaining cyber security and combating cybercrime. The MPS has become the sole authority responsible for state management of cyber security (Law on the People’s Public Security Forces 2025, Art. 12(2)). This role now integrates incident response coordination, the development of technical standards, and the orchestration of inter-agency efforts, effectively replacing the previous decentralised model, with constant shifting and overlaying authorities (Huynh, Reference Huynh2024, p. 549), which was marked by fragmentation, overlap, and inefficiency. The MOST is responsible for developing technology, technical standards, and data security measures (National Agency for Science and Technology Information and Statistics, 2024), while the MOJ handles the assessment, codification, and validation of the constitutionality and consistency of legal documents (Decree No. 39/2025/NĐ-CP). The private sector, particularly companies providing digital infrastructure, intermediary services, and finance, serves as both a regulated entity and an essential partner with the capacity to proactively detect and report incidents, share data, and implement technical safeguards.
This coordination between ministries and the private sector is demonstrated across three main areas: (a) setting technical standards, developing digital forensics capabilities, and using advanced technologies for investigations between the MPS and MOST (Xuan Truong, 2023; Hien Minh, 2025); (b) between the MPS and MOJ in amending the Criminal Procedure Code and creating protocols for collecting, preserving, and using electronic evidence to ensure legality and admissibility in court, as virtually all investigations now involve digital evidence (Kleijssen and Perri, Reference Kleijssen, Perri, Kuijer and Werner2017, p. 149); and (d) between the MOJ and MOST in assessing and standardising regulations relating to data, digital transformation, and AI, ensuring they align with the broader legal framework on human rights, privacy, and personal data protection.Footnote 24 Against this backdrop, enterprises are integrated into the cooperation mechanism through obligations to report, share data, and participate in incident response networks.Footnote 25 In all cases, what is required is strict compliance with clearly articulated coordination mandates and safeguards, based on the principles of legality and the rule of law, as well as privacy and data protection, that govern how these institutions and private-sector entities share information, allocate responsibilities, and implement measures for cyber security and cybercrime prevention (Abraha, Reference Abraha2021, p. 134; Brilingaitė et al., Reference Brilingaitė, Bukauskas, Juozapavičius and Kutka2022, p. 3).
3.4. Data sovereignty levers across Viet Nam’s data stack
In Viet Nam, data sovereignty is strategically utilised as a mechanism for the state to maintain national security, ensure social order, and govern the digital economy. Instead of focusing solely on individual privacy rights, Viet Nam’s legal framework prioritises state oversight and centralised control over information flows to safeguard collective interests and cyberspace security (Huynh, Reference Huynh2024, p. 530). To enforce this digital sovereignty, the state employs a variety of legislative and regulatory levers across its data stack, which can be categorised into four primary dimensions.
3.4.1. Cross-border transfer controls
The regulation of data flowing outside of Viet Nam has recently undergone a significant transition from a decree-based system to a more rigorous statute-based framework, highlighted by the introduction of the 2024 Data Law and the 2025 Personal Data Protection Law (Nguyen et al., Reference Nguyen, Le and Nguyen2025, p. 55). The 2025 Law on Personal Data Protection now broadly covers cross-border transfers, including the export of data stored in Viet Nam, transfers to foreign entities, and the use of offshore platforms to process personal data collected in Viet Nam. It requires entities engaging in such transfers to prepare a cross-border transfer impact assessment dossier and submit it to the specialised personal-data protection authority within 60 days from the first transfer (Art. 21(1)); that assessment is generally made once for the duration of the activity but must be updated when relevant circumstances change, and transfers may be suspended where the transferred data is used in ways that could harm national defence or national security. At the same time, the 2024 Data Law extends the logic of sovereign control beyond personal data by specifically regulating the cross-border transfer and processing of “core data” and “important data” (Arts 23, 27(3)), while requiring such activity to remain consistent with national defence, national security, public interests, and the lawful rights of data subjects and data owners. Together, these laws show that cross-border transfer is no longer conceived merely as a commercial or technical act, but as a legally supervised exercise situated within the state’s broader data-sovereignty architecture.
3.4.2. Localisation and local presence
Data localisation and local presence are key tools in Viet Nam’s digital sovereignty strategy. However, they are now more explicitly grounded in legislation through the 2025 LCS, rather than relying mainly on secondary regulation (Decree 13/2023 on personal data protection). The new law mandates that domestic and foreign enterprises offering services on telecommunications networks, the internet, and value-added cyberspace in Viet Nam, when collecting, exploiting, analysing, or processing personal data, user-relationship data, or user-generated data of users in Viet Nam, must implement legally required data-protection measures and store this data in Viet Nam for a government-specified period. Foreign enterprises in this category are also required to establish a branch or representative office in Viet Nam (Art. 25(3)). This framework affirms that localisation is not just about storage geography, it is a jurisdictional tool through which the state extends its regulatory reach over user-generated data and enhances its ability to enforce domestic cyber security and public-order regulations against offshore platforms (Han, Reference Han2024, p. 269).
3.4.3. State access and mandatory cooperation
Viet Nam’s legal framework also heightens the state’s powers to access data and imposes mandatory cooperation duties on digital intermediaries. Under the 2025 LCS, when cyberattacks threaten sovereignty, national interests, security, or significantly disrupt social order and safety, specialised cyber security forces may require service providers to block or filter information and to supply comprehensive and timely data relevant to the incident (Art. 25(2)(c)). More broadly, enterprises delivering online services in Viet Nam must comply with requests to suspend services for those spreading prohibited content, retain various categories of user data, including account details, usage times, payment information, IP addresses, and related data, and identify IP addresses for the specialised cyber security forces. They must also report incidents immediately and work technically with authorities by establishing system connections and transmission arrangements when required for investigation and enforcement (Art. 41(3)). Simultaneously, the 2024 Data Law authorises competent state authorities to decrypt data without the consent of the data owner or manager in emergencies, threats to national security, disasters, and anti-riot or anti-terrorism situations (Art. 22(4)). Collectively, these provisions demonstrate a sovereignty model based not only on territorial control over data but also on legally structured and operationally continuous access to platforms, networks, and intermediary-held information.
3.4.4. Governance duties: security, retention, and reporting
At the compliance level, Viet Nam’s data sovereignty framework now enforces a more formal set of governance duties covering documentation, risk management, breach reporting, and technical protection. The 2025 Personal Data Protection Law requires controllers and controller-processors to prepare and retain personal data processing impact assessment dossiers, submit them to the specialised authority within 60 days of the first processing activity, and update these dossiers when significant changes occur (Art. 20). It also mandates a 72-hour notification duty if breaches could impact national security, public order, or the life, health, dignity, honour, property, or other lawful interests of data subjects (Art. 23(1)). The 2024 Data Law complements this by requiring data managers to assess risks, implement protective measures, address emerging risks, and, for core and important data, carry out periodic risk assessments and notify specialised cyber security and information-security units under the MSP, and other relevant agencies (Art. 25(4)). The 2025 LCS additionally obliges service providers to warn users of cyber security risks, prepare emergency response plans, report incidents immediately, and enforce technical measures to secure data-processing activities (Art. 41(2)–(4)). Meanwhile, the 2023 Telecommunications Law explicitly subjects cloud and data centre providers to cyber security, information-security, and personal data protection laws (Art. 29(2)(h); Art. 29(4)). The overall effect is a governance system in which security, retention, and reporting obligations are not mere compliance formalities but vital mechanisms through which the state enacts digital sovereignty in everyday data management.
4. Evaluating the effectiveness of cyber security and cybercrime legislation
Applying the above discussed theoretical model, this section evaluates the effectiveness of Viet Nam’s existing cybercrime and cyber security framework in a doctrinal and normative manner. As mentioned, the criteria include (a) the clarity of legal definitions and scope of cyber security and cybercrime obligations; (b) the proportionality and consistency of cybercrime penalties; (c) the restorative mechanisms to support commercial resilience; and (d) the balance of legal certainty and flexibility to technological changes. Building on this foundation, Section 4 analyses all the components of Viet Nam’s cyber security and cybercrime laws to assess how well they meet these criteria in practice.
4.1. Clarity of definition and scope
Vietnamese laws have initially established the concept through the definition provided that cybercrime refers to the use of cyberspace, information technology, or electronic devices to commit acts that constitute criminal offences as defined in the Penal Code (2018 LCS, Art. 2(7)). The approach specifies the scope as the means or environment and uses the Penal Code as the point of reference for the “actions stipulated therein.” That is to say, it primarily outlines the legal framework but has not yet materialised the content regarding the purpose and form of the crime, creating ambiguity and controversy when distinguishing between conventional crime and cybercrime, particularly during investigation and in the crime statistics compilation. Investigative forces encounter significant difficulties and impasses when attempting to prove an act occurred within the internet environment, especially when all digital traces have been concealed or anonymised (Nguyen et al., Reference Nguyen, Truong and Lai2022, p. 240). The consequence is that implementers are forced to trace offences back to Arts 285–291 of the Penal Code to identify the crime, while many emerging technological acts, such as DDoS attacks, ransomware, deepfake fraud, or unauthorised IoT intrusion, remain outside the scope of legal coverage. This presents a clear paradox: the definition is sufficient to name the field, but insufficient to clearly draw the legal boundaries. Regarding the scope of obligations, the 2018 cybercrime definition primarily assigns a general responsibility to state agencies for prevention and combatting, exhibiting a tendency towards political-administrative management but lacking specific guidance for enterprises and individuals (Bui and Lee, Reference Bui and Lee2023, p. 670).
Moving to the concept outlined in the 2025 LCS, its main strength is that, by emphasising cyberspace and the use of information technology or electronic means, it sets a basic technical standard to differentiate such conduct from offences occurring entirely in the physical world: “Cybercrime is socially dangerous conduct prescribed in the Penal Code, committed by individuals or organisations in cyberspace through the use of information technology or electronic means” (Art. 2(12)). However, when it comes to clarity, the phrase “socially dangerous conduct prescribed in the Penal Code” is, logically, a very broad and circular statement: essentially, all offences are considered “socially dangerous conduct prescribed in the Penal Code.” The definition does not clarify how cybercrime differs from other offences beyond mentioning “cyberspace” and “electronic means.” The terms “cyberspace,” “information technology,” and “electronic means” are themselves broad and can overlap, with no clear criteria to distinguish them: for instance, should fraud carried out via mobile phones, SMS, or traditional telecommunications networks (without using the internet) be regarded as occurring “in cyberspace”? This ambiguity reduces the foreseeability of compliance. In terms of scope, the definition does not clearly differentiate between cyber-dependent offences, like cyberattacks, unlawful access, and interference with systems, and cyber-enabled offences, such as fraud, money laundering, or drug trafficking carried out online. As a result, it is difficult to draw precise boundaries: how many provisions in the Penal Code should be classified as “cybercrime”? Because of these vague terms, it may easily result in disparities in interpretation among enforcement agencies, leading to the risk of power abuse and legal uncertainty as these agencies tend to interpret the provisions in their own favour (Vermeule, Reference Vermeule2015, p. 675). As Dickerson noted, ambiguity is inherently the “disease” of legal language (Dickerson, Reference Dickerson1964, p. 5); but when this disease is not treated by a guiding mechanism, it transforms into a vulnerability that threatens the fundamental rule-of-law principles: that laws must be prospective, open and clear, enabling people to understand and follow the law without ambiguity or confusion (Raz, Reference Raz1979, p. 214).
In practice, this lack of clarity has created a double-edged sword situation: on one hand, the broad scope helps to encompass dangerous behaviours; on the other hand, it also allows prosecutorial agencies to engage in subjective interpretation, thereby expanding their control (Phillips et al., Reference Phillips, Davidson, Farr, Burkhardt, Caneppele and Aiken2022, pp. 379–80). This constitutes not just a risk in legislative technique, but a political risk, where ambiguous language is utilised as a tool for governance (Vermeule, Reference Vermeule2015, p. 686–8) rather than for ensuring justice and fairness. Therefore, clarity is not merely a technical requirement; it is also a warning about the responsibility of lawmakers. For the law to become a “guiding compass” rather than a “network of uncertainty,” several steps are essential: the Penal Code must be amended to incorporate criminal offences relevant to the digital reality, a guiding resolution must be issued by the Council of Judges to define and quantify key terminology, and the mechanism for digital evidence must be synchronised with the Cyber Security Law. Only when legal norms achieve a degree of transparency, unambiguousness, and consistency can the law effectively prevent the abuse of power, safeguard justice, and, critically, build society’s trust in the fairness of the legal order. Such demands for clarity become even more urgent as Viet Nam develops a wider strategic framework of data, cyber, and AI sovereignty through the new Law on Data 2025 and the 2025 AI Law. Both are seen as tools to ensure “digital sovereignty” and to establish AI as essential national infrastructure (AI Law 2025, Arts 17–19). Recent efforts on digital and AI sovereignty also highlight that sovereignty, which is understood as legitimate authority over data and algorithmic systems, must be exercised using precise and contestable legal standards rather than vague security clauses (Shokri, Reference Shokri2025, p. 1; Hummel et al., Reference Hummel, Braun, Tretter and Dabrock2021, p. 1; Santaniello, Reference Santaniello2025, p. 16). In the Vietnamese context, this means that any future measures related to data or AI sovereignty should still adhere to the principle of clear definitions and scope, so that the pursuit of sovereignty does not lead to legal uncertainty or unregulated discretionary power.
4.2. Proportionality and consistency of cybercrime penalty
If the clarity of legal norms is a prerequisite for accurately determining criminal behaviour and limiting criminal responsibility, then the proportionality and consistency of penalties are the measure used to ensure that justice is implemented in practice (Bagaric, Reference Bagaric2000, pp. 159–61). From a formal perspective, the Penal Code has established a fairly consistent penalty framework for offences within the group of Arts 285–291, ranging from fines and non-custodial rehabilitation to fixed-term imprisonment. The punitive levels increase based on the damage caused, the quantity of telecommunications equipment compromised, or the illicit profits gained. This is to ensure consistency and minimum differentiation (Marique and Marique, Reference Marique and Marique2020, pp. 1, 6–12). However, from a substantive perspective, several shortcomings indicate that the current penalties do not ensure proportionality commensurate with the nature and consequences of the criminal act. Research indicates a situation of “normative competition” between Art. 286 (disseminating harmful software) and Art. 287 (illegally obstructing or disrupting the operation) (Nguyễn Thị Phương Hoa, Reference Nguyễn2024). These two articles regulate an act of the same underlying nature, “unauthorized access,” yet have nearly identical aggravating frameworks and supplementary penalties, results in the level of punishment for large-scale malware dissemination and the narrow act of system disruption not being truly distinctly differentiated.
Furthermore, the quantitative thresholds concerning “damage” or “illicit gain,” which serve as the basis for differentiating criminal responsibility (Nguyễn Quý Khuyến, Reference Nguyễn2019), currently fail to keep pace with the reality of emerging cybercrime, resulting in a paradoxical relationship between the dangerous nature of the act and the level of punishment. For instance, behaviour posing a serious cyber security risk, such as a DDoS attack under Art. 287(1c), illustrates scenarios where the attack time ranges from 30 minutes to under 24 hours, while Art. 287(1d) stipulates downtime from 24 hours to under 72 hours. The question then arises: What is the criminal liability for attacks that fall below the 30-minute quantitative threshold?
Incident severity escalates rapidly, with service disruption intensifying in under 20 seconds and infrastructure failing within 60 seconds unless automated intervention occurs. This rapid progression means that a 30-minute detection window guarantees substantial damage if response is not instantaneous (Sinner, Reference Sinner2022). Practical examples are: Fortune Global 500 RDDoS teaser causing outages in less than 30 minutes (Industry Survey, 2021), “Cozy Bear” imposters’ 30-minute proof attacks (Akamai SIRT, 2019), GitHub 2018 memcached attack in less than 20 minutes (Newman, Reference Newman2018). Meanwhile, cases involving the appropriation of digital assets with significant value face difficulties in valuation, thereby impeding the fair quantification of penalties (Cao Viet Hoang, 2025).
Another issue is that the laws for various domains don’t always work well with criminal law. The Law on Cyber Security and Decree No. 53/2022 impose extensive management obligations and strong administrative sanctions. However, the mechanism for transforming into criminal responsibility in serious cases remains unclear. This gap diminishes the consistency of the entire system of sanctions and affects the predictability of the law. Furthermore, although the penalty framework for crimes involving “online appropriation of assets” can extend up to 20 years in prison, reflecting a strong deterrent trend, the MPS reflects that, in practice, certain penalties, particularly those for cyberattacks, organising gambling and football betting, online gaming services with illegal content, and predatory online lending, are considered “insufficiently deterrent.” This inadequacy leads to a mentality of accepting the fine rather than complying with the law (Như Nguyệt, 2024).
Notably, Vietnamese law currently does not establish separate penalty frameworks for specific crime channels such as finance or politics; instead, it classifies offences based on the protected legal object (Lê Cảm, 2018, pp. 2–3). Accordingly, online financial crimes (digital asset appropriation, fraud, money laundering) are processed under Arts 285–291 of the Criminal Code, with escalating frameworks based on damage and illicit gain. Meanwhile, political crimes concerning national security (Art. 109—activities aimed at overthrowing the government, Art. 117—propaganda against the State, Art. 331—abusing democratic freedoms) are subject to stricter penalties (prison sentences ranging from 5 to 20 years, and in certain cases, the death penalty), determined primarily by the degree of social danger and the organisational role involved (Viet Nam News, 2023). The factor of “technology” or “AI” is treated merely as a means to commit the crime, without constituting an independent offence; thus, acts using AI or deepfake technology for fraud are still prosecuted as asset appropriation, while technology used to infringe upon national security applies the framework of more serious security crimes. Consequently, the proportionality of the penalty is designed according to the protected legal object rather than the technological tool used, reflecting consistency within the Penal Code system.
The level of transparency in sentencing practices still faces numerous limitations. Although mechanisms for the public announcement of judgments and online trials have expanded access to justice (Resolution No. 03/2017/NQ-HĐTP on the Publication of Judgments and Decisions on the Courts’ Online Portal by the Council of Judges of the Supreme People’s Court), the publication is inconsistent, with cases being excluded and specialised thematic data being deficient (Nguyen, Reference Nguyen2022b). This makes it difficult to establish uniform standards and diminishes predictability, thereby impacting public trust in fairness. Enhancing judicial transparency should be prioritised, for example: expanding the public announcement of judgments, establishing specialised thematic databases to ensure deterrence and fairness in handling cybercrime.
4.3. Restorative measures, compliance burdens, commercial resilience in the digital economy
With the Vietnamese Government’s firm commitment to advancing data sovereignty and the digital economy, the nation’s economic, social, and administrative activities are becoming increasingly reliant on cyberspace infrastructure. Empirical research on ransomware, which forces victims to pay to regain access or safeguard their data’s confidentiality, shows that such attacks not only cause immediate financial losses but also directly weaken a company’s resilience and business continuity in data-dependent environments (Chung, Reference Chung2019, p. 8; see Gassmann et al., Reference Gassmann, Beck, Gourmelon and Benenson2025). Meanwhile, the main concern of Viet Nam’s specialised cyber security agencies lies in safeguarding cyber sovereignty, and national cyber infrastructure (MOST, 2023b; MPS, b), conducting investigations, prosecutions, and arrests of cyberattackers, and enhancing laws on cybercrime prevention and control, with a particular focus on clarifying rules surrounding electronic data evidence (Nguyen et al., Reference Nguyen, Truong and Lai2022, pp. 240–1).
Today, the central issue is no longer simply prosecuting the attacker, but rather how businesses and victims can restore operations and recover after a cyber incident, how long recovery takes, at what cost, with what level of legal risk, and to what extent the legal system provides post-incident support. According to Judge Trần Văn Độ (2022), criminal justice policy should prioritise restitution and remediation over punitive sanctions in economic-crime cases (Trần Văn Độ, 2022). From this perspective, the current cyber security and cybercrime legal framework reveals a paradox: the criminal enforcement axis is relatively comprehensive, whereas the recovery and commercial resilience axis remains thin, fragmented, and weakly binding, particularly in the private sector (notably in e-commerce). In other words, the sword of deterrence and punishment is far sharper than the shield of recovery, redress, and business continuity. From the perspective of restorative support, compliance burdens, and commercial resilience, the analysis presented in Table 4 highlights several recurrent gaps in the current legal framework.
Gaps in Viet Nam’s cyber security and cybercrime laws on restorative measures and commercial resilience

Viet Nam’s cybercrime and Cyber Security Law has made meaningful progress in strengthening institutional response capacity and deterrence. The criminal-law axis has been modernised through expanded offence coverage and harsher penalties. Centralised authority of A05 and the National Cyber-Security Operation System of the MPS have made the organisational structure stronger. Formal incident response processes and technical handbooks that cover things like how to avoid ransomware, how to back up data, how to set up MFA, the responsibilities to search and patch network vulnerabilities, and promote awareness of threats all help to make this institution strong. For example, ministerial-level agencies oversaw and controlled the rehabilitation process after large-scale attacks on enterprises like PVOil and VNDirect (Nhi Anh, 2024). These successes create a solid support framework for responding to crises promptly. However, the commercial recovery lever is weak because post-incident restoration and compensation still sit largely outside the cyber security statute, and instead depend on dispersed civil, procedural, data-protection, and sectoral rules.
Viet Nam’s 2025 Cyber Security Law reinforces deterrence and state control, but it remains comparatively thin on restorative support for victims and business recovery. Because restorative remedies and business continuity are governed across civil liability, criminal procedure, data protection, and sectoral regulation, this assessment reads the 2025 LCS alongside these adjacent regimes rather than treating it as a standalone recovery framework. The 2025 LSC expands platform-facing incident governance by requiring providers to warn users of cyber security risks and guide prevention measures, maintain emergency response plans, and report incidents to the specialised cyber security force (Art. 41(2)–(3)). It also strengthens system-level security through a five-tier classification of information systems (Art. 8). However, the Law does not establish a dedicated cyber-victim support regime (funds, technical recovery assistance, or legal aid), nor does it prescribe measurable remediation services for affected individuals and firms; instead, recovery costs and proof burdens are largely left to general civil-liability pathways and private capacity (Civil Code 2015, Arts 584–590). Where recovery depends on proving digital harm, the evidentiary burden is also shaped by criminal procedure: electronic data is recognised as a source of evidence and its probative value is assessed through integrity tests (Criminal Procedure Code 2015, Arts 87(1)(c), 99(3)), while investigative capacity may rely on special measures, including covert collection of electronic data (Criminal Procedure Code 2015, Art. 223(3)). In parallel, remediation duties after incidents are fragmented across data regimes: the Personal Data Protection Law requires cross-border transfer impact dossiers (Personal Data Protection Law 2025, Art. 20) and periodic updates (Art. 22), and the Law on Data permits compulsory data provision and decryption in defined emergency and national-security risk scenarios (Law on Data 2024, Arts 18(2), 22(4)) and defines cross-border transfer and processing of core and important data (Art. 23). These rules strengthen control and access, but they do not by themselves translate into predictable recovery assistance for firms or consumers.
Commercial resilience weaknesses are most visible in cross-border recovery and evidentiary capacity. The 2025 LCS recognises and promotes international cooperation on cyber security and cybercrime (Art. 6(2)). Still, it does not create expedited, cyber-specific asset-recovery mechanisms to trace and freeze ransomware proceeds or stolen crypto. In practice, recovery also depends on whether criminal offences and procedures can be quickly activated against cyber-enabled theft and fraud, such as using computer or telecom networks to appropriate property and e-commerce fraud (Penal Code 2015 (amended 2025), Art. 290) and malware-related offences (Art. 286). At the same time, the 2025 LCS’s localisation and local-presence requirements for certain service providers can complicate incident investigation and recovery workflows that depend on cloud data access and rapid cross-border coordination (Art. 25(3)). Finally, although the 2025 LCS empowers authorities to apply broad protective measures, including the collection of electronic data related to violations (Art. 5(1)(l)), it does not provide a dedicated statutory framework on digital evidence reliability presumptions or crypto, digital-asset valuation for restitution. Sectoral telecommunications regulations strengthen compliance duties at the infrastructure level, particularly for data centre and cloud services, which must follow cyber security and personal data protection laws and meet data-handling and disclosure requirements (Telecommunications Law 2023, Art. 29(2)(b), (h)). However, these requirements mainly serve as governance controls rather than recovery mechanisms. For e-commerce, the combined effect is slower recovery and persistent uncertainty over liability, evidence, and compensation outcomes, even as compliance-trigger timelines tighten during incidents.
The consolidated 2025 LSC shifts frontline governance burdens onto platforms by turning ordinary service provision into a compliance and enforcement interface. Enterprises providing services on telecommunications networks, the internet, and value-added cyberspace services in Viet Nam must authenticate user information at account registration and provide user information to the MPS’s specialised cyber force within 24 hours, or 3 hours in urgent cases (Art. 25(2)(a)). They must also prevent the sharing of unlawful information and remove unlawful information, services, or applications within 24 hours, or 6 hours in urgent national-security cases, while retaining system logs for verification, investigation, and handling of violations (Art. 25(2)(b); Art. 2(11)). They must further store user personal information and user-generated data including account name, service-use time, payment information, IP address, and related data for a legally prescribed period after the user stops using the service (Art. 25(2)(d)). The burden shift deepens because the Law embeds continuing compliance costs through localisation, incident response, and technical cooperation duties. Where domestic or foreign enterprises collect, exploit, analyse, or process data on Vietnamese users’ personal information, relationship data, or user-generated data, they must apply data-protection measures and store that data in Viet Nam for the period prescribed by the Government; foreign enterprises in this category must also establish a branch or representative office in Viet Nam (Art. 25(3)). Beyond storage, enterprises providing cyberspace services must warn users about cyber risks, prepare emergency response plans, immediately deploy response measures and report incidents, apply technical measures to secure data and personal-data processing, identify and provide IP identification information, and establish technical connections and data transmission lines as guided by the specialised force (Art. 41(2)–(6)). System owners are similarly required to connect monitoring and malware-prevention systems to national or provincial cyber centres and report incidents to specialised authorities, which also externalises monitoring and reporting burdens into routine operations (Art. 40(1)(b)–(c)).
These obligations are broad and technology-neutral because the 2025 LCS defines “cyberspace” by reference to interconnected infrastructure (telecommunications networks, the internet, computer networks, information systems, and databases), rather than any single technology or business model (Art. 2(5)). They also sit within a framework of extensive administrative discretion; authorities may require information removal, service suspension, and collection of electronic data as “cyber security measures,” and the Law allows compliance requests to be transmitted via written documents, email, telephone, or other verified forms (Art. 5(1)(i)–(m); Art. 25(2)(a)). Implementing guidance on the predecessor regime shows how this can translate into business-facing compliance pressure, including broad service categories, local storage and local presence triggers, and takedown or disclosure enforcement tools (KPMG, 2022, pp. 1–2). Early practitioner commentary on the 2025 Law likewise highlights that the short deadlines are retained and tightened in urgent cases, reinforcing why firms experience these rules as continuous governance burdens rather than purely ex post enforcement (Ha and Tran, Reference Ha and Tran2026).
However, Viet Nam’s legal system has many instruments for penalties, but it lacks mechanisms to support individuals in recovering and sustaining their businesses. To pivot towards recovery measures for business, reform priorities should include: (a) establish a cyber victim support programme that includes compensation funds, technical assistance, and legal aid.; (b) establishing minimum BCP/DR standards for e-commerce platforms based on risk classification; (c) establish safe harbours for enterprises that report incidents and cooperate fully within 24 hours; (d) integrate cyber insurance into the regulatory framework: mandate coverage for critical sectors, standardise terminology, and acknowledge it as a key risk-management tool; (e) establish a specialised cyber asset recovery unit within law enforcement, with cross-border MLA coordination; and (f) establish digital asset and cryptocurrency valuation standards for sentencing and restitution (Russo et al., Reference Russo, Reis and Mamede2023, pp. 62–6; Mott et al., Reference Mott, Turner, Nurse, MacColl, Sullivan, Cartwright and Cartwright2023, p. 2; INTERPOL, 2025). Businesses and victims will be able to overcome cyberattacks when the shield of recovery and resilience is as strong as the sword of deterrence. This will make the digital ecosystem more resistant to more advanced cyberattacks.
4.4. Legal certainty and adaptability of the law
The legal certainty of Viet Nam’s cybercrime and cyber security framework is being strengthened and expanded due to the development towards law consolidation and the enhancement of compliance obligations. A significant progressive feature of the law in terms of legal clarity is Art. 8’s classification of information systems into five levels based on the degree of harm, thereby providing a more transparent framework for differentiated protection requirements. However, the framework’s adaptability is still limited by its high level of centralised authority, regulatory procedures that focus on information security/content control, and procedural requirements that are inadequate for effective oversight (Huynh, Reference Huynh2024, p. 541; Trinh, Reference Trinh2024, pp. 179–82). Several key factors need careful consideration to improve the law’s clarity and flexibility. First, the definition of “cyber security” appears to have increased its scope compared to the 2018 Law by highlighting the components of “the stability, security, and safety of cyberspace” (Art. 2(1)). Furthermore, the addition of the dimension concerning the protection of “the legitimate rights and interests of agencies, organizations, and individuals” indicates a shift away from a “national security-centric” perspective and towards a more balanced approach that aligns the interests of the State, businesses, and citizens (Dieu Anh, 2025). However, these new points also expose limitations that demand careful consideration. To begin, the draft dated 26 June 2025, the 2025 LCS introduced the term “sustainability” in the concept of “cyber security”; however, this term was removed in the passed version of the Law. It appears that this removal represents a missed opportunity to establish legal clarity on post-incident resilience and technological adaptability. Second, despite acknowledging the protection of the “legitimate rights and interests” of individuals, the concept of cyber security still lacks a clear connection between cyber security and data privacy rights and freedom of information. These issues have been discussed to be essential pillars in the context of the development of IoT, AI, and the digital economy (Feldman and Haber, Reference Feldman and Haber2020, pp. 197–200; Pinto et al., Reference Pinto, Donta, Dustdar and Prazeres2024).
A revealing aspect of the law’s limited adaptability is its underlying conception of “network.” In the drafting process, the 2025 bill explicitly defined as an information environment exchanged through telecommunications networks and computer networks (Draft Law on Cyber Security of 31 October 2025, Art. 3(2)—a formulation closely tied to fixed internet and traditional broadband infrastructure. Although this definition was ultimately excluded from the adopted text, no alternative that was more functional or technology-neutral was introduced instead. The drafting history therefore still reveals an infrastructure-focused mindset: it views cyberspace as primarily a layer built on traditional telecoms and IP networks, rather than as a complex web of cyber-physical systems. As Peppet (Reference Peppet2014) explained:
… these policies seem to have been shaped by the needs and expectations relevant to the normal Internet, not the IoT. Not surprisingly, at the dawn of the IoT, there may not yet have been much real consideration of the special issues that IoT privacy policies should address. (Peppet, Reference Peppet2014, p. 145)
Similarly, Fenwick et al. (Reference Fenwick, Kaal and Vermeulen2017, p. 582) observe that the risks of producing rules that do not fit new technological patterns, such as device-to-device connectivity outside fixed broadband, leaving law mismatched to the realities of the IoT. Perhaps the most compelling account of this “pacing problem” is Marchant’s: legal frameworks are typically constructed on a static, rather than dynamic, conception of technology, while regulatory institutions adapt their processes and capacities only slowly to continuous technological change (Marchant, Reference Marchant, Marchant, Allenby and Herkert2011, pp. 21–23). In contemporary IoT environments, data is not only transmitted via public internet and carrier networks but also through specialised and non-traditional channels such as Bluetooth (Yin et al., Reference Yin, Yin, Yang, Cao, Liu, Zhou and Wu2019, pp. 1–2), Zigbee protocols (Baronti et al., Reference Baronti, Pillai, Chook, Chessa, Gotta and Fun Hu2007, p. 1660), low-power wide-area networks (LPWANs), and satellite IoT links (Sundaram et al., Reference Sundaram, Du and Zhao2020, pp. 371–2; Jiang, Reference Jiang2023, pp. 1243–4). Taken together, these accounts suggest that when lawmakers stick to static, infrastructure-focused ideas of “network,” they recreate the classic timing issue: rules are tuned for yesterday’s technologies, making today’s IoT realities either mismatched, under-regulated, or subject to inconsistent, overly broad application.
Another concept worth noting is “data security” (Art. 2(3)), which represents an ambitious effort to broadly manage data across multiple content layers, making it complex and challenging to implement in practice. This definition blends three conceptual levels that should be clearly distinguished: (a) the technical security and safety of information preventing unauthorised access, use, disclosure, alteration, or destruction (Cremer et al., Reference Cremer, Sheehan, Fortmann, Kia, Mullins, Murphy and Materne2022, p. 700); (b) data quality and lifecycle management, which involves ensuring the quality of data and the processes of data processing and use (Bernardo et al., Reference Bernardo, São Mamede, Barroso and Santos2024, pp. 2–4); and (c) macro-level policy aims that support socio-economic development and national digital transformation (Nguyen et al., Reference Nguyen, Nguyen and Le2021, p. 893). When “data security” functions as a technical state, a governance mechanism, and a tool for advancing development and national security goals, the concept becomes stretched, making its boundaries hard to define: what constitutes a data security breach, what is a civil dispute, what relates to data quality or contractual compliance. This complexity complicates legal certainty, as it becomes difficult for actors to predict which actions might be classified as a “threat to data security.”
Moreover, the definition continues to prioritise national security and public order and safety at the top of the normative hierarchy, yet it makes no mention of privacy, personal data protection, or individuals’ informational self-determination. In international practice, “data security” is usually the technical foundation of a data protection framework that balances security with human rights and is closely linked to “security by design” principles (Del-Real et al., Reference Del-Real, De Busser and van den Berg2025, p. 376). Here, however, “data security” is framed solely from a state-centric point of view, viewing data as a resource for development and national security, rather than considering the rights and interests of individuals and businesses. This perspective once again reinforces the securitisation of data under the banner of protecting national cyberspace, while sidelining individual rights and market interests. It should be noted that cyber security is not just about data or content security (Miller and Bossomaier, Reference Miller and Bossomaier2024, pp. 16–7). The vague and broad interpretation of concepts may further increase compliance costs and legal risks (Dunn Cavelty, Reference Dunn Cavelty2014, p. 701).
With respect to technological adaptability, the definition remains at a classical template: “unauthorised access, use, disclosure, alteration or destruction.” It does not yet address newer forms of data risk such as: (a) using data to train AI models that generate bias or discrimination (Barocas and Selbst, Reference Barocas and Selbst2016, p. 674); (b) data-extractive business models (surveillance capitalism, behavioural profiling) that erode informational self-determination (Curran, Reference Curran2023, pp. 3–6); (c) the leakage and trading of large-scale datasets (Cremer et al., Reference Cremer, Sheehan, Fortmann, Kia, Mullins, Murphy and Materne2022, p. 710; Edwards et al., Reference Edwards, Hofmeyr and Forrest2016, p. 3); (d) cross-border data flows and multi-region cloud storage (Balarabe, Reference Balarabe2025). In the text of the 2025 Law, “data security” is primarily framed as protecting the confidentiality and integrity of data in the service of the state and the economy, rather than as a dynamic concept that covers the entire data value chain within AI, cloud, and IoT ecosystems. Another issue is that the phrase “other acts that threaten or cause harm to national security, public order or social safety” is an entirely open-ended formulation. From a legislative drafting perspective, this is clearly a classic catch-all clause that can be used to cover any data-processing activity if the competent authority can relate a trigger threat to national security or public order. The intentional legislative drafting technique suggests that this phrase may be helpful to investigative bodies in specific emergencies. Still, in the long run, it seriously undermines foreseeability and the ability of courts, businesses, and users to check and control the exercise of state power.
Finally, this concept risks overlapping with “cyber security,” “network information security,” and “personal data protection,” but it does not clearly define functional boundaries. If every risk related to “data quality” and “data processing” in cyberspace is deemed a “security” issue, then the layered hierarchy among security law, personal data protection law, and civil/contract law will become increasingly difficult to manage. This is even more important as Viet Nam actively develops the discourse of “data sovereignty”: laws and policies assert that the State has the right to decide on the collection, storage, processing, and use of data related to individuals and organisations within its territory (Law on Data 2024, Arts 1, 3(15); Decree 53/2022/ND-CP, Art. 26); it can require platforms and businesses to place servers in Viet Nam, store copies of domestic user data, strictly control data transfer abroad, and apply special mechanisms to “core data” and “important data” to protect national interests, security, and digital sovereignty (Law on Data Arts 3(6), 3(7), 23, 31).
On a structural level, the 2025 LCS significantly improves legal certainty through the consolidation of laws, standardisation of definitions, and enhanced risk classification. However, as analysed above, its adaptability will remain limited if reform continues to prioritise information control and centralised authority without appropriate procedural safeguards. The durability of this framework depends on institutionalising mechanisms for public consultation, periodic review, and independent oversight of emergency powers (see Communist Party of Viet Nam (Political Bureau), 2025). The 2025 Penal Code (as analysed in Section 3.2.2) likewise formally identifies core categories of cyber-related conduct. However, its technological adequacy and foresight are still limited, as offences in Arts 286–291 and the general property offences still rely on device counts, analogue loss metrics and vague notions that create overlaps, gaps, and scope for selective enforcement. Taken together, this paper shows that Viet Nam’s core criminal-law and cyber security legislation still fall short of the standard of legal certainty and adaptability required for a mature digital economy.
In this context, a regulatory framework based on open standards, with active references to international standards would enable quick responses to new threats while maintaining legal predictability. Transparency tools such as published statistics on content removal, blocking, and data-access requests, along with effective appeal rights, would help rebuild legal trust. If these are institutionalised alongside legal consolidation and a national risk catalogue, these pillars could guide Viet Nam towards a cyber security governance model that is both certain and adaptive, aligning with the goals of protecting digital infrastructure and fostering innovation.
4.5. Gaps and limitations
The foregoing analysis, organised around four criteria for effective cyber security and cybercrime law, has not only highlighted several structural advances in Viet Nam’s 2025 LCS and the Penal Code, but it has also revealed persistent gaps and limitations that fall outside the immediate scope of doctrinal evaluation. This section synthesises those shortcomings in a more explicit way, focusing on areas where the current legal framework remains under-specified, fragmented, or normatively unsettled, and where the available evidence is too thin to support definitive conclusions. The aim is not to provide an exhaustive catalogue of defects, but to identify the most salient blind spots in terms of legal design, institutional capacity, and empirical knowledge. These gaps, set out in Table 5, form the basis for the reform proposals and future research directions.
Key gaps and limitations in Vietnamese cyber security and cybercrime law when evaluated under the four-criterion theoretical model (clarity, proportionality, restorative mechanisms, and flexibility)

Viewed through the four normative criteria, Viet Nam’s constantly evolving framework on cybercrime and cyber security presents a tension between rule-of-law goals and the challenging realities of digital regulation. Operating within a rule-of-law regulatory framework, the state has quickly enacted a comprehensive body of legislation to protect national security, data sovereignty, promote the digital economy, and maintain social order. However, key concepts of cybercrime and cyber security duties remain scattered across overlapping statutes and subordinate instruments, with limited distinction between cyber-dependent and cyber-enabled offences and only an overarching treatment of digital evidence. The current setup of criminal and administrative penalties does not fully reflect the varied harms caused by attacks on critical information infrastructure. At the same time, emerging problems such as AI-enabled fraud, ransomware, and online child sexual exploitation continue to be handled through traditional offence structures. These weaknesses reduce the clarity and proportionality of the regime. From a restorative and resilience perspective, the framework remains focused on information security and compliance. It has relatively underdeveloped mechanisms for prompt notification, compensation, cross-border asset recovery, and business continuity after major cyber incidents. Meanwhile, the rapid pace and volume of legislative activity have created a dense yet fragmented system of cyber security, data, and related laws. The extensive nature leads to foreseeable interpretive and institutional complexity for courts, regulators, and regulated entities. Procedural tools and institutional capacity for managing digital evidence, cross-border investigations, and AI-related risks develop more slowly than the technologies they aim to regulate. The result is a regulatory environment that, while grounded in rule-of-law principles and intended to guide digital development, risks overreaching and becoming internally inconsistent, thereby hindering the very economic and technological progress that Viet Nam’s cyber security and cybercrime laws seek to promote.
5. Conclusion
This article has attempted to articulate how Viet Nam’s pursuit of data sovereignty is reshaping the legal architecture of cyber security and cybercrime, and with it the conditions for a sustainable digital economy. To analyse the current legal framework, a four-criterion evaluative model was used, which includes: clarity of concepts and regulatory scope, proportionality and consistency of penalty, restorative mechanisms that support commercial and social resilience, and the balance between legal certainty and technological adaptability was used to analyse the current legal framework. It has demonstrated that the current framework only partly delivers on the promise of data sovereignty as legitimate authority over data and algorithmic systems, understood as the control over the access, use, storage, and sharing of data by states, organisations, and individuals (Hummel et al., Reference Hummel, Braun, Tretter and Dabrock2021, p. 1; Ryan et al., Reference Ryan, Gürtler and Bogucki2024, pp. 1–2, 17; Santaniello, Reference Santaniello2025, pp.1–2). Analysis of the 2018 LCS, the consolidated 2025 LCS, and relevant provisions of the Penal Code indicates that Viet Nam has chosen a maximising strategy of state data sovereignty, consistent with global trends that treat data sovereignty as an extension of territorial sovereignty and the highest authority of the state in the data domain (Li, Reference Li2025, p. 50; Shokri, Reference Shokri2025, p. 1). Extremely broad notions of cybercrime, “information in cyberspace,” “national security,” “data security,” “cyber security” enable the State to respond flexibly to emerging threats, but they also reproduce the definitional fragmentation and overlap that scholarship on digital and data sovereignty has identified in both sovereignty and data-governance discourses (Hummel et al., Reference Hummel, Braun, Tretter and Dabrock2021, p. 1; Pohle and Santaniello, Reference Pohle and Santaniello2024, pp. 684–7; Santaniello, Reference Santaniello2025; Lambach, Reference Lambach2020, p. 489). Broad sovereignty claims over infrastructure, data, and platforms, combined with extensive investigatory and content-control powers, mirror wider practices in which digital sovereignty is asserted against powerful technology firms and used to expand surveillance and protectionist control (Chander and Sun, Reference Chander and Sun2023, pp. 20–26).
These dynamics described in this paper may create legal uncertainty and institutional imbalance in practice. They reflect European experience where competing claims over cross-border data flows have led to power struggles, repeated invalidation of transfer regimes, and costly uncertainty for businesses (Ryan et al., Reference Ryan, Gürtler and Bogucki2024, p. 5). There have been growing concerns that an increasingly geopolitical, interventionist approach to internet governance could push the network towards “Balkanisation” unless it is anchored in a cooperative, good-faith regulatory stance (Nguyễn Hồng Hải Đăng, 2019). In Viet Nam, broad and overlapping claims of data and cyber sovereignty over networks, platforms, and cross-border data flows risk importing these tensions into the domestic legal system. They may undermine the very rule-of-law qualities—predictability, contestability, and measurability—that are vital to a growing digital economy.
From the standpoint of sanctions and remedies, the Vietnamese framework remains mainly punitive and preventive. Administrative and criminal controls place heavy liabilities on enterprises and users. Yet, restorative mechanisms for victims, small businesses, and communities, such as clear standards for digital duty of care, compensation and insurance schemes, obligations to assist recovery after major incidents, and robust reporting requirements, are underdeveloped. This is despite the data-sovereignty literature emphasising that sovereignty claims should be linked to inclusive discussion, accountability, and the protection of data subjects’ rights (Hummel et al., Reference Hummel, Braun, Tretter and Dabrock2021, p. 1; Li, Reference Li2025, pp. 50–51). In practice, cases of online child sexual abuse and large-scale fraud continue to burden mainly public authorities and families (Luong, Reference Luong2022). At the same time, platforms, financial intermediaries, and data-rich technology companies remain only loosely involved in prevention and remediation. This is despite increasing recognition that private actors now act as de facto “data sovereigns” whose power shifts the balance of authority within the data landscape (Gu, Reference Gu2024, pp. 591–2; Chander and Sun, Reference Chander and Sun2023, pp. 22–3). In this context, data sovereignty tends to benefit the investigative state more than it is discussed to protect the datafied lives (Sander, Reference Sander2020) and transactions that underpin Viet Nam’s digital economy.
In conclusion, the reform approach outlined in this article seeks to realign Viet Nam’s data sovereignty goals with rule-of-law standards and sustainable digital development. More specifically, tiered definitions, clearer safeguards for data access and transfer, stronger oversight, and duties of care based on design of platforms would clarify current ambiguities, enable redress, and foster a more resilient and restorative digital economy (Reins and Wijns, Reference Reins and Wijns2025, p. 96). These measures build on a legal system that has “travelled a road that is already fairly long but not yet completed” (Sidel, Reference Sidel, Gillespie and Nicholson2008, p. 66), where cyber security and cybercrime reform are central to balancing national security and economic development. The tensions, gaps, and paradoxes outlined in this article are therefore not unique to Viet Nam but resonate with broader global debates over the concept of cybercrime, the content of digital duties of care, and the role of law in shaping a more equitable and interoperable digital order.

