When information in cyberspace is identified by competent agencies to have contents that infringe upon national security, disseminate information that sabotages the Socialist Republic of Vietnam, incite riots, and disrupt public security and order according to regulations of the law;

1. What Decree 53/2022/ND-CP Detailing a Number of
Articles of the Law on Cybersecurity 2018 Cover?
Cybersecurity is one of the important issues for every country in the increasingly strong
development of the internet. Although this development brings great benefits in many
areas of life, it is accompanied by challenges to national security such as cybercriminals
that appropriate and steal data of the user; taking advantage of the internet to spread false
information against the state. Therefore, the promulgation of policies and laws on
cybersecurity as a basis for management and optimal measures in order to protect
national cybersecurity, eliminating illegal acts in cyberspace is extremely necessary. On
August 15th
, 2022, the Government issued Decree 53/2022/ND-CP detailing a number of
articles of the Law on Cybersecurity 2018. The Decree will take effect from October 1st
,
2022 with the following:
Cybersecurity Lawyers in Vietnam
Measures to protect network security: Request the removal of illegal or false
information in cyberspace that infringes upon national security, social order and
safety, and legitimate rights and benefits of agencies, organizations, and individuals
Requesting the removal of illegal or false information in cyberspace is one of the
cybersecurity protection measures specified in the 2018 Law on Cybersecurity.

2. Accordingly, Decree 53/2022/ND-CP has detailed regulations, listing specific cases
where this measure can be applied as follows:
-When information in cyberspace is identified by competent agencies to have contents
that infringe upon national security, disseminate information that sabotages the Socialist
Republic of Vietnam, incite riots, and disrupt public security and order according to
regulations of the law;
-When there are legal bases to determine that information in cyberspace has humiliating
and slanderous contents; infringes upon the order of the economic management;
fabricates and falsifies information, causing confusion among the people and severe
damage to socio-economic activities to the extent that such information must be removed;
-When other information in cyberspace has contents including: Distortion of history,
denial of revolutionary achievements, undermining national solidarity, blasphemy,
discrimination by gender or race; Prostitution, vice, human trafficking; posting
pornographic or criminal information; damaging Vietnam’s good traditions, social ethics
or public health; Enticing, persuading or tempting others to commits crimes.
The information listed in the above cases are all illegal and false information, and the
person who uses cyberspace to spread the above negative information is an act of
violation strictly prohibited under the 2018 Cybersecurity Law. Once the above
information is widely spread and publicized online, it will adversely affect the security,
social order and safety of the country. Therefore, the regulation to apply the measure to
request the deletion of the above information is practical for the above cases. The
Director of the Department of CyberSecurity and Hi-tech Crime Prevention of the
Ministry of Public Security of Vietnam and Directors of competent agencies of the
Ministry of Information and Communications are the ones who have the authority to
decide on the application of measures to remove these information.
Measures to collect data related to acts of infringing upon national security, social
order and safety, and legitimate rights and benefits of agencies, organizations, and
individuals in cyberspace
The collection of data (data is information in the form of symbols, letters, numbers,
images, sounds or equivalences) related to activities infringing upon national security,
social order and safety, legitimate rights and interests of agencies, organizations and
individuals in cyberspace shall comply with the provisions of law, and at the same time
ensure the following requirements:
-Maintenance of the status of digital devices and data;

3. -The copying and recording of data shall be done according to correct procedures via
recognized devices and software that are verifiable and can protect the integrity of data
stored in such devices;
-The process of restoring data or search data shall be recorded via minutes, images, and
videos. The process may be repeated if it is necessary for presentation at a court;
-Data collectors shall be specialized officials assigned to collect data.
The principles of copying and restoring data related to acts of infringing upon national
security, social order and safety, and legitimate rights and benefits of organizations,
organizations, and individuals in cyberspace shall follow: If the data is considered
necessary to be copied or restored or there is a request to copy and restore the data for the
purpose of proving the commission of a crime, the assigned person shall be authorized to
copy and restore such data and acquire a decision on approval of competent authority
according to regulations of the law. In addition, to make a record for the copying and
recovery activities of the electronic evidence, the case may be invited to an independent
third party, witness and certification of this process.
The Director of the Department of Cyber Security and Hi-tech Crime Prevention of the
Ministry of Public Security of Vietnam shall decide to take this measure.
Internal computer networks have the storage and transmission of state secrets must
be completely separated from the network of computers and devices and electronic
devices connected to the internet
The decree clearly specifies that state agencies and the political organization at central
and local levels must develop regulations on the use, management and security of internal
computer networks and computer networks connected to the Internet. agencies or
organizations they manage. This is an activity to protect network security in state
agencies, central and local political organizations.
Regulations on the use and assurance of computer network security by state agencies and
political organizations at central and local levels must include the following basic
contents: Identify major information and information network systems to be prioritized
for cybersecurity assurance. Elaborate on prohibitions and principles of management and
use and ensure cybersecurity and internal computer networks that store or transmit state
confidentiality shall have a complete physical separation from computer networks,
devices, and electronic means with Internet connection, other cases shall ensure
compliance with regulations of laws on state confidentiality protection. Have procedures
for professional and technical management in operating, using, and ensuring
cybersecurity of data and technical infrastructure. Such procedures shall satisfy basic

4. requirements for information system safety assurance. Ensure the personnel conditions
for network management and operation and security of cyber information security,
information safety and handling of violations of regulations on assurance of network
security.
Thus, to ensure confidentiality of the internal data of the state agency, the internal
computer network shall have the state secrets which are required to separate completely
from the computer network or the equipment and electronic devices connected to the
internet. This is the regulation for managing agencies to control, minimize the risk of
internal data that is spread out into the electronic environment, causing serious impact on
national security issues.
Will data must be stored in Vietnam ?
The decree has stipulated a separate chapter to clarify the storage of data and set the
branch or representative office of foreign enterprises in Vietnam.
The following data must be stored in Vietnam:
-Data on personal information of service users in Vietnam;
-Data created by service users in Vietnam: account names, service use time, information
on credit cards, emails, IP addresses of the last login or logout session, and registered
phone numbers in association with accounts or data;
-Data on relationships of service users in Vietnam: friends and groups such users have
connected or interacted with.
Domestic enterprises and foreign enterprises are the subjects that must store the above
data. In particular, it only applies to foreign enterprises doing business in Vietnam in one
of the following fields:
–Telecommunication services in Vietnam;
-Storage and sharing of data in cyberspace;
-Provision of national or international domain names for service users in Vietnam;
-E-commerce; Online payment in Vietnam;

5. -Payment intermediaries; Services of connection and transportation in cyberspace in
Vietnam;
-Social media and social communication in Vietnam;
-Online video games in Vietnam;
Services of provision, management, or operation other information in cyberspace in
forms of messages, calls, video calls, emails, online chatting in Vietnam.
However, not at all foreign enterprises is required to store data according to regulations.
Decree 53/2022/ND-CP also sets conditions for the storage of data in Vietnam,
specifically as follows: services provided by such foreign enterprises are used for
violations of laws on cybersecurity, notified and requested for cooperation, prevention,
investigation, and handling in writing by the Department of Cyber Security and Hi-tech
Crime Prevention of the Ministry of Public Security of Vietnam but they fail to comply
or incompletely comply with such documents or prevent, obstruct, disable, or nullify the
effect of cybersecurity protection measures performed by cybersecurity protection forces;
In case of an exception to the conditions for force majeure circumstances, the foreign
enterprise cannot comply with the requirements of the law on cyber security, the foreign
enterprise shall notify the Cybersecurity Department and high-tech crime prevention and
control under the Ministry of Public Security within 03 working days for inspection of
the verification of such force majeure. In this case, the enterprise will have 30 days to
adopt remedial methods.
For the form of data storage, Decree 53/2022/ND-CP does not provide any specific
requirements, but allows businesses to decide for themselves how to store their data in
Vietnam, whether domestic or foreign enterprises.
For the time duration for data storage: for domestic enterprises, it automatically stores
data; for foreign enterprises starting when the enterprise receives the request to store data
from the Minister of Public Security until the end of the request; Minimum storage period
is 24 months.
The Decree stipulates more specifically and strictly on the order and procedures for
applying measures to ensure network security as well as the rights and obligations of state
agencies in data security, building a network security system management system to
ensure internal network security at the agency. Companies operating in the internet
business should take into consideration of the new regulations and ensure compliance. It
is important to engage cybersecurity lawyers in Vietnam for legal advice and update.