Some positive impacts of the Draft Law on Cybersecurity 2025 on businesses

In the context that Vietnam is promoting national digital transformation and deep integration into the global economy, cyberspace has become an important driving force for economic and social development, but at the same time, it also poses many challenges in cybersecurity. The Draft Law on Cyber Security 2025, developed to consolidate the Law on Cyber Information Security 2015 and the Law on Cyber Security 2018[1] (the "Draft"), not only aims to protect national sovereignty in cyberspace but also create significant changes in the business environment,  especially for businesses operating in the fields of information technology, network services, and cybersecurity. This article will analyze the impacts of the draft law on business operations, from simplifying administrative procedures, improving the business environment, to new challenges that businesses need to face.

1. Background and objectives of the Draft Law on Cyber Security 2025

Vietnam is currently one of the countries with the highest Internet development rate in the world, with the number of social network users and cross-border data traffic in the top 10 globally[2]. However, this development comes with increasingly sophisticated cybersecurity threats, such as cyberattacks, personal data breaches, and high-tech crimes. According to statistics from the Department of Cyber Security and High-tech Crime Prevention (A05), every year more than 2,600 web pages/portals are hacked, hundreds of terabytes of data are appropriated, and thousands of gigabytes of personal data are illegally[3] traded.

The Law on Cyber Information Security 2015 and the Law on Cyber Security 2018 have laid the foundation for cyber protection, but the overlap in regulations and complex administrative procedures has caused many difficulties for businesses. The draft Cybersecurity Law 2025 is proposed to merge these two laws, with the goal of creating a unified, transparent, and effective legal framework. For businesses, the draft law brings both opportunities and challenges, directly affecting business activities, from product development, legal compliance, to competition in the market.

2. Significant impacts of the Draft on businesses

2.1 Simplifying administrative procedures and improving the business environment

One of the main objectives of the Draft is to minimize administrative procedures, overcome the overlap between the provisions of the Law on Cyber Information Security 2015 and the Law on Cyber Security 2018. Currently, businesses providing cybersecurity products and services have to carry out many similar procedures at different regulatory agencies, such as certification of conformity or declaration of standard conformity, leading to increased compliance costs and time to market.

The draft Law on Cyber Security 2025 proposes to consolidate these processes, requiring businesses to only need to comply with a uniform set of procedures. Specifically, chapter V of the draft (from Article 38 to Article 42) regulates business activities, import and export of cybersecurity products and services, with procedures designed to be simpler and more transparent. This can bring many benefits to businesses such as:

Reduced costs and compliance time: Businesses, especially small and medium-sized businesses, will save on costs associated with carrying out overlapping administrative procedures. For example, instead of having to apply for certification from both the Ministry of Public Security and the Ministry of Information and Communications (now the Ministry of Science and Technology), businesses only need to work with a focal agency, the Ministry of Public Security.

Increased transparency and predictability: A unified legal framework makes it easier for businesses to grasp legal requirements, which in turn makes business planning more effective. This is especially important for startups in the cybersecurity sector, which often struggle to comply with complex regulations.

Promote innovation: A more transparent and simplified legal environment encourages businesses to invest in research and development of cybersecurity products and services, thereby improving the competitiveness of the domestic cybersecurity industry.

2.2 Draft introduction of the new concept of "cyber security label"

An important new content of the Draft is the concept of "cyber security labels". According to the Draft, a cybersecurity label is defined as a certification issued by the Ministry of Public Security for cybersecurity products and services that meet standards and regulations. This is a step forward from the Law on Cybersecurity 2018, which does not have specific regulations on standardization and certification of cybersecurity products.

The introduction of new regulations on cybersecurity labels will help (1) Improve product reputation and quality. Cybersecurity labels help businesses prove that their products and services meet national cybersecurity standards, thereby increasing the trust of customers and partners. (2)Promote the domestic market. Vietnamese businesses have the opportunity to compete better in the domestic market, especially when cybersecurity labels become an important criterion in public bidding packages or contracts with state agencies. (3) Support export activities. Products and services with the cybersecurity label can meet international requirements, creating conditions for Vietnamese businesses to participate in the global supply chain in the field of cybersecurity.

However, this new regulation is also a significant challenge for businesses operating in this field. Since the process of applying for a cybersecurity label can require investment in technology, testing processes, and compliance with strict standards, this can be difficult for small businesses with limited resources. In addition, the new regulation will promote competition between businesses will be more fierce when cybersecurity labels become standard, businesses that do not achieve certification may lose their competitive advantage, especially in areas that require high reliability such as providing services for information systems of national importance.

2.3 Draft requirements for businesses to strengthen personal data protection

The draft Law on Cyber Security 2025 focuses on the protection of personal data, especially in the context of common cases of personal data leaks and transactions. Chapter III (from Article 29 to Article 34) details the prevention and combat of crimes using high technology, including acts of personal data infringement. This has a direct impact on the business and forces the business to:

First, increasing the responsibility to protect personal data

Businesses, especially companies that provide social networking, e-commerce, and data storage services, must implement strict technical measures and procedures to protect customers' personal data. This includes data encryption, access control, and ongoing cybersecurity monitoring.

Second, businesses have to spend more compliance costs

Meeting data protection requirements may require businesses to invest in technology infrastructure, specialized personnel, and advanced cybersecurity solutions. For small businesses, this can be a big challenge.

Third, businesses face legal risks when they do not comply/comply poorly

Businesses that do not comply with personal data protection regulations may face administrative penalties or legal liability, especially when data breaches occur. This is an issue of the times, which is being strengthened by Vietnam to strengthen mechanisms and legal frameworks to protect people's personal data.

However, strengthening the protection of personal data also brings opportunities for businesses, especially in building trust with customers. Businesses can take advantage of cybersecurity solutions with cybersecurity labels to improve their credibility and attract users.

Overview of the seminar “Cybersecurity in the New Era – Joining Forces to Protect Cyberspace” organized by NCA. Source: Government News

2.4 Draft encouragement for enterprises to research and develop domestic technology

Chapter VI of the draft (from Articles 43 to 51) provides for research, development, and improvement of cyber security autonomy. This is a new content compared to the Law on Cyber Security 2018, with policies to encourage businesses to invest in research and development of domestic cyber security products and services. This regulation will bring many new opportunities for businesses, especially technology companies and startups in the field of technology. Because Vietnamese startups and technology companies have the opportunity to receive support from the state, including research funding, tax incentives, and human resource training programs. At the same time, the development of domestic cybersecurity solutions helps businesses reduce technology import costs and increase competitiveness in the international market. This helps Vietnam reduce its dependence on foreign technology. However, the new regulations also bring challenges to businesses, specifically in terms of technological capacity. Because in order to meet the standards of cybersecurity labels and new regulations, businesses need to invest heavily in research and development, which requires financial resources and high-quality personnel.

3. Challenges and opportunities for businesses

With the changes, adjustments and supplements that the Draft is expected to be submitted to the National Assembly for consideration and approval at the 10th session (October 2025), we believe that businesses in the field of cybersecurity, technology, as well as enterprises operating related to cyberspace will face both opportunities and challenges when exceeding regulations effective and put into practice in practice.

3.1 What opportunities for businesses

It is clear that when the Draft Law on Cyber Security is passed, it will create a unified, transparent, non-overlapping and easy-to-comply legal framework for businesses. This helps improve the business environment, from simplifying administrative procedures, the support of a unified management agency to help businesses save costs and time, thereby focusing on innovation and product development. At the same time, when the Draft is approved, it will bring with it the expectation of promoting the development of Vietnam's cybersecurity industry. Policies to encourage research, development, and cybersecurity labels create opportunities for Vietnamese businesses to assert their position in the field of cybersecurity. At the same time, complying with regulations on personal data protection and obtaining a cybersecurity label helps businesses build their reputation and attract customers and partners. This helps businesses increase their reputation, expand the market and develop sustainably and long-term.

3.2 Challenges businesses may face

The first thing that businesses may face when the new Cybersecurity Law is passed is the increased cost of compliance. With the requirements for data protection, achieving cybersecurity label certification, and investing in research and development can put financial pressure on small businesses. In addition, with a transparent legal framework that promotes competition, Vietnamese businesses must face competition from experienced international businesses in this field. The participation of foreign enterprises and the requirement of international integration require Vietnamese enterprises to improve their technological capacity and service quality. In addition, businesses that do not fully comply with the new regulations may face administrative penalties, or lose the opportunity to participate in large projects or further criminal penalties for violations in this sensitive area.

For businesses, we believe that being prepared for new legal requirements, from investing in technology, training people, to building compliance processes, will be key to capitalizing on opportunities and overcoming challenges.

The draft Law on Cyber Security 2025 brings significant impacts on business operations, from simplifying administrative procedures, introducing cybersecurity labels, to strengthening personal data protection and encouraging domestic technology research and development. Despite the challenges of compliance costs and international competition, the draft law opens up great opportunities for Vietnamese enterprises to improve their competitiveness, participate in global supply chains, and contribute to building a secure cyberspace.  healthy. With careful preparation and support from the new legal framework, Vietnamese businesses can take advantage of these opportunities to develop sustainably in the digital era.