What Do Businesses Need to Note When the Law on Cybersecurity 2025 Takes Effect?

“What do businesses need to note when the Law on Cybersecurity 2025 takes effect?” is a question raised as production and business activities depend ever more deeply on the digital environment and network data. The law establishes strict technical barriers related to user identity verification, data storage in Vietnam, and coordination mechanisms with the Department of Cybersecurity and High-Tech Crime Prevention. The following article by Long Phan Consulting analyzes in detail the obligations of businesses and how to comply with them.


What should internet service providers keep in mind?

Based on the regulations in Clause 2 and Clause 3, Article 25 of the Law on Cybersecurity 2025, domestic and foreign enterprises providing services on telecommunications networks, the Internet, and value-added services in cyberspace in Vietnam need to note the following responsibilities for ensuring network information security:

  1. User Verification & Information Provision: Verify information when users register digital accounts; secure user information and accounts; provide user information to the specialized cybersecurity force under the Ministry of Public Security no later than 24 hours from the request for verification/investigation of violations. In emergencies threatening national security or human life, the deadline is no later than 03 hours.
  2. Content Removal: Prevent sharing, delete information, and remove services/applications violating the Law on Cybersecurity 2025 no later than 24 hours from the request of the specialized force and store system logs. In emergencies threatening national security, the deadline is no later than 06 hours.
  3. Service Suspension: Do not provide or stop providing services to organizations/individuals posting prohibited content (violating national security, social order, state policies, etc.) upon request of the specialized force (prescribed in Article 13 and Article 14).
  4. Data Storage: Store personal information of service users and user-generated data (account name, service usage time, payment info, IP address, etc.) for the time prescribed by law after users end service usage.

Data Localization & Local Presence: Domestic and foreign enterprises collecting/analyzing/processing personal data, relationship data, or user-generated data in Vietnam must store this data in Vietnam for the time prescribed by the Government. Foreign enterprises under this scope must establish a branch or representative office in Vietnam.


What responsibilities do businesses have in preventing cybersecurity threats?

According to Clause 2, Article 20 of the Law on Cybersecurity 2025:

  1. Specialized Force: Coordinates with owners of information systems important to national security to deploy technical solutions to prevent/detect/handle dangerous situations.
  2. Businesses: Telecommunications, Internet, IT enterprises, and service providers on cyberspace are responsible for coordinating with the specialized cybersecurity force under the Ministry of Public Security in preventing, detecting, and handling dangerous cybersecurity situations.

Regulations on the responsibilities of businesses providing services in cyberspace

Based on Article 41 of the Law on Cybersecurity 2025:

  1. Compliance: Comply with cybersecurity laws.
  2. Warnings & Emergency Plans: Warn users of potential security risks and guide preventive measures; build emergency response plans to proactively handle vulnerabilities and incidents.
  3. Incident Response: Immediately deploy emergency response plans upon incidents and report immediately to the specialized force.
  4. Technical Measures: Apply technical measures to ensure cybersecurity for data processing and personal data processing according to laws.
  5. IP Identification: Be responsible for identifying IP addresses of service users and providing this identification info to the specialized force for security measures.
  6. Coordination: Coordinate under the guidance of the specialized force to set up connection systems and technical transmission lines to deploy security solutions for investigation/verification purposes upon request.
  7. Service Provider Obligations: Enterprises providing telecom/Internet/value-added services in Vietnam must implement the regulations in Article 41 as well as Clause 2 and Clause 3 of Article 25.


Legal consulting services in the field of cybersecurity at Long Phan Consulting

In the context of increasingly stringent legal frameworks regarding cybersecurity, businesses attempting to navigate complex regulations on their own face significant risks of violations. Long Phan Consulting provides comprehensive legal consulting services, helping clients translate the requirements of the 2025 Cybersecurity Law into effective operational processes.

We combine in-depth legal knowledge with expertise in digital infrastructure to deliver optimal solutions for each specific business model. Long Phan Consulting’s services include the following activities:

  • Assessing the impact of the 2025 Cybersecurity Law on your current business model and proposing a suitable adjustment roadmap.
  • Providing ongoing consultation on issues arising related to personal data protection, crisis communication management, and cyber disputes.
  • Providing advice on administrative procedures for obtaining various sub-licenses and certificates of eligibility for security and order requirements for conditional online business sectors.
  • Providing consultancy on the development and review of internal regulations and procedures regarding information management, content control, and the receipt and processing of requests to remove information as required by competent cybersecurity authorities.
  • Representing or providing legal support to businesses during the process of working with, explaining, and providing documents and data to specialized cybersecurity forces and competent state agencies when inspections, audits, or violations are detected.

Frequently Asked Questions

Below are some frequently asked questions about cybersecurity:

How quickly must businesses provide user information to authorities when an urgent request is made?

In emergency situations threatening national security or human life, businesses providing telecommunications and internet services must provide user information within a maximum of 3 hours of receiving the request. For normal cases serving investigations and verification of violations, this timeframe is 24 hours.

(Legal basis: Point a, Clause 2, Article 25 of the Cybersecurity Law 2025.)

Are foreign businesses providing services in Vietnam required to establish a representative office?

Yes. Foreign businesses providing telecommunications and Internet services in Vietnam that collect, exploit, analyze, or process personal information or relationship data of users are required to establish a branch or representative office in Vietnam and store this data domestically.

(Legal basis: Clause 3, Article 25 of the Cybersecurity Law 2025.)

What types of user data must be stored after they cease using the service?

Businesses must continue to store information including account names, service usage times, payment information, access IP addresses, and other related data for the periods prescribed by law, even after users have ceased using the service.

(Legal basis: Point d, Clause 2, Article 25 of the Cybersecurity Law 2025.)

What is the maximum time limit for a business to remove content that violates the law when requested?

Businesses must prevent the sharing of infringing information, delete it, and remove infringing applications and services within 24 hours of receiving a request from the relevant authorities. In emergency situations threatening national security, this request must be fulfilled within 6 hours.

(Legal basis: Point b, Clause 2, Article 25 of the Cybersecurity Law 2025.)

What are the regulations regarding the responsibility of Internet service providers in identifying IP addresses?

Businesses are obligated to identify the IP addresses of organizations and individuals using their internet services. This identifying information must be transferred to specialized cybersecurity forces upon request to implement security protection measures.

(Legal basis: Clause 5, Article 41 of the Cybersecurity Law 2025.)

When a system experiences a cybersecurity incident, what is the first procedure a business should follow?

Upon detecting an incident, the business must immediately implement the pre-established emergency response plan to address the risk and report it right away to the specialized cybersecurity force under the Ministry of Public Security.

(Legal basis: Clause 3, Article 41 of the Cybersecurity Law 2025.)


Conclusion

Compliance with the Law on Cybersecurity 2025 is a prerequisite for sustainable business operation. Clients need to proactively review processes and prepare technical plans now.

Please contact Long Phan Consulting Company via Hotline 1900636389 for detailed advice on a compliance roadmap suitable for your business.
