Vietnam is undergoing a rapid digital transformation, with more than 80 million internet users around the country and fast-growing digital ecosystems spanning smartphones, computers, and smart homes. But alongside these benefits come significant risks, as cybercriminals shift to organized attack models and deploy cutting-edge technologies to commit fraud, penetrate systems, and steal data.
More than 600,000 cyberattacks were recorded in Vietnam in 2024, a number that underscores the immense pressure on government agencies and businesses. As the country prepares to expand 5G connectivity, the attack surface is expected to grow exponentially. The draft Law on Cybersecurity 2025, meanwhile, seeks to address existing legal gaps and strengthen national autonomy by fostering a domestic market that encourages Vietnamese enterprises to develop new technologies.
Domestic defense layer
Most Vietnamese businesses and organizations still rely heavily on foreign cybersecurity products. A survey by the National Cybersecurity Association (NCA) found that in a typical organization using ten security solutions, only two come from Vietnamese providers. Even then, domestic tools are often used only for non-critical services or when foreign vendors have no local representatives, forcing organizations to turn to local companies.
At the recent “Cybersecurity Law 2025: Strengthening Technological Autonomy” seminar, Associate Professor Nguyen Ai Viet, Director of the Institute for Generative Intelligence Technology and Education (IGNITE) noted a sobering reality: many banks, corporations, and major institutions remain reluctant to adopt local products. The main reason, he believes, is a persistent preference for foreign brands and a tendency to underestimate domestic capabilities.
According to the Associate Professor, the deeper issue is a lack of cybersecurity awareness at the leadership level. Many executives leave such decisions to subordinates, who in turn avoid responsibility. He acknowledged that domestic products may not yet match foreign equivalents in all respects, but they offer clear strengths: faster response, closer technical support, Vietnamese-language interfaces tailored to local administrators, and the ability to integrate flexibly with international standards.
Foreign products, meanwhile, benefit from strong technology platforms and years of global market testing, while Vietnamese solutions struggle simply because local users hesitate to adopt them. This creates a cycle of limited capital and limited market access, stunting the growth of even capable domestic providers.
Mr. Nguyen Minh Duc, Head of the Cybersecurity Services Club and CEO of CyRadar, echoed this view. “If Vietnamese products don’t get real-world deployment, they can’t improve,” he said. “Development is costly, and without revenue, companies can’t reinvest. It’s a ‘chicken-and-egg’ scenario,” he said.
Another major risk of relying on foreign cybersecurity products is the potential for legally mandated backdoors in their home countries. He added that global solutions, while strong, are designed for worldwide markets, not Vietnam’s specific threat environment.
Push for autonomy
To build more autonomous and resilient cybersecurity infrastructure, and to spur the growth of Vietnam’s cybersecurity industry, the draft Law updates and expands on provisions from the Law on Cybersecurity 2018 and the Law on Cyberinformation Security 2015, adding rules that reflect today’s digital and economic realities.
Senior Lieutenant Nguyen Dinh Do Thi, Deputy Head of the Network Information Security Division at the Ministry of Public Security, said the draft aims to address new challenges in information technology (IT), especially the rise of breakthrough tools such as AI that are reshaping cyberspace and daily life.
The draft also seeks to clear longstanding legal bottlenecks and eliminate overlapping authority between ministries, creating a unified, transparent, and enforceable framework. A stronger legal foundation, he said, would help authorities better protect national sovereignty, security, and the rights of organizations and individuals online.
One of the most widely supported elements of the draft is its focus on national cybersecurity autonomy. The Law on Cybersecurity 2025 would encourage the research and development of Vietnamese-made cybersecurity products and solutions, while the government works to improve the business environment and support domestic companies as they develop and deploy them.
The Law also encourages agencies, organizations, and individuals to use locally-developed products and services. It requires cybersecurity monitoring systems to connect to the National Cybersecurity Center or provincial centers, enabling data sharing, early-warning capabilities, and a unified database of threats, vulnerabilities, and malware. This “big-picture view” is expected to improve early detection and reduce risks across the ecosystem.
From a business standpoint, Mr. Duc said the draft Law will not only be a tool to safeguard digital sovereignty but also a key driver for the market’s growth. Crucially, it mandates that at least 10 per cent of the annual IT budget for public-sector projects be allocated to cybersecurity
While the draft prioritizes domestic providers, it places strict emphasis on quality. Cybersecurity products, IT services, and connected devices must meet national technical standards to be sold in Vietnam. Once local solutions meet these benchmarks and prove their effectiveness at home, they will be better positioned to compete internationally.
Building a stronger framework
Associate Professor Viet agreed that strengthening national technological autonomy in cybersecurity requires a large enough market for “Made in Vietnam” products. But he also noted a paradox: “The market is huge, yet many companies keep building the same products, while several critical areas have no developers at all. This shows how limited market awareness still is.”
He suggested the government issue guidance on a comprehensive cybersecurity architecture, giving businesses a clearer view of market needs so they can diversify rather than crowd into the same niches. To ensure product quality, he said, solutions should have intellectual property rights, patents, proof-of-concept testing, and certifications from independent evaluators.
The Associate Professor also proposed allowing controlled network-data collection to identify attack patterns and develop detection rules, with provisions ensuring secure data transfer. He further recommended opening a legal pathway for white-hat hackers to run penetration tests and attack simulations to boost system “immunity”, as well as encouraging tools and products that support white-hat activities.
Mr. Tran Quoc Chinh, CEO of CMC Cyber Security, agreed that having two separate laws - the Law on Cyberinformation Security 2015 and the Law on Cybersecurity 2018 - created confusion for companies trying to identify the right legal grounds for compliance. Their consolidation, he said, will produce a unified and more transparent framework, easing investment and compliance while reducing regulatory overlap.
He also called for clearer rules on assessing cybersecurity maturity. At present, assessments are divided into five levels, with Levels 1-3 mostly self-assessed and confirmed by supervising agencies, and only Levels 4-5 requiring direct oversight from authorities. He recommended allowing licensed and certified cybersecurity service providers to independently verify Levels 1-3, with the government issuing criteria for post-assessment oversight. This would ease pressure on regulators, improve assessment quality, and ensure a more objective and transparent market.
Mr. Chinh also proposed developing a cybersecurity rating and benchmarking framework for organizations, similar to international models like CMMI. This would help units assess their own maturity and allow regulators to monitor capabilities by sector, enabling routine oversight with inspections triggered only when incidents occur.
Mr. Vu Ngoc Son, Head of the Research, Consulting, Technology Development, and International Cooperation Department at the NCA, said the draft Law on Cybersecurity 2025 marks a major step for Vietnam in building a modern legal framework to safeguard cyberspace, which is now deeply embedded in economic and social life. He believes the Law will create a unified, flexible framework aligned with global trends, protect digital sovereignty, strengthen defenses, ensure data security, reduce dependence on foreign technologies, and fuel the growth of Vietnam’s cybersecurity ecosystem.
Google translate