In a new government Decree detailing a number of articles in the Law on Cybersecurity, which has recently been promulgated and will take effect from October 1, there is a chapter on data storage and setting up branches or representative offices of foreign enterprises in Vietnam.

The new regulations state that data must be stored in Vietnam, including data on the personal information of service users in Vietnam, data generated by service users in Vietnam, and data on the relationship of service users in Vietnam, such as friends and groups with which the user connects or interacts.

The Decree also specifies the order and procedures for data storage by foreign businesses. The form of data storage in Vietnam is decided by the enterprise. The data storage period specified in Article 26 of the Decree starts from the time the enterprise receives the data storage request until the end of the request. The minimum storage period is 24 months.

Under the Decree, the Minister of Public Security makes decisions requiring data storage and on setting up a branch or representative office in Vietnam. The Department of Cybersecurity and High-Tech Crime Prevention and Control at the Ministry of Public Security will notify, guide, monitor, supervise, and urge enterprises to comply with data storage requirements, and at the same time notify relevant agencies to perform State management functions in line with their authority.

The new Decree also stipulates the implementation of a number of cybersecurity protection activities in State agencies and central and local political organizations. It requires State agencies and political and socio-political organizations to develop regulations on the use, management, and security of internal computer networks and computer networks connected to the internet.

The plan to ensure network security for information systems includes regulations on ensuring network security in the design and construction of information systems, meeting basic requirements such as management, technical and professional requirements, network security assessments, testing and monitoring, preventing, responding to, and overcoming incidents and dangerous situations, and risk management and end of operations, exploitation, repair, liquidation, and cancellation.