DFDL Vietnam Legal Alert: Rising Cybersecurity Concerns in Vietnam Prompt Prime Ministerial Directive

n recent weeks, cyber-attacks, particularly ransomware attacks, in Vietnam are on the rise and anticipated to become potentially more complex in the near term, posing a serious risk to both economic and social development activities. Specifically, since late March, Vietnam has witnessed at least three large-scale data encryption attacks targeting major companies such as VnDirect, PVOil, and a telecommunications service provider, along with incidents affecting smaller businesses.

Government agencies assess that hackers continue targeting critical entities with increasingly sophisticated methods. These hacks have the potential to disrupt entire operations, and transactions, making sensitive data irrecoverable once it falls into the hands of hackers.

Given this situation, on 8 April 2024, the Prime Minister of Vietnam issued a directive requesting ministries, sectoral, and local government agencies to review and assess the current cybersecurity situation.

Specifically, the Prime Minister noted and admitted that certain sectors and areas have not implemented cybersecurity regulations effectively, resulting in incidents and potential risks to Vietnam’s cyberspace safety. Consequently, the Prime Minister directed as follows:

  • Ministers, heads of ministerial-level agencies, and heads of central-affiliated cities and provinces to oversee directly and ensure cybersecurity within their scope of supervision.
  • State agencies, organizations, and state-owned enterprises are required to review comprehensively and assess the cybersecurity status of systems under their management, as guided by the Ministry of Information and Communications.
  • In the event of a cyberattack, agencies, organizations, and enterprises are required to report incidents, comply with the coordination and instructions of the National Coordination Agency (i.e. Vietnam Cybersecurity Emergency Response Teams/Coordination Centre – VNCERT/CC), collect and analyze information, address and mitigate incidents, investigate causes and trace origins, and issue statements and disclosures.
  • The Ministry of Information and Communications is tasked with guiding ministries, sectors, and localities in reviewing and evaluating the cybersecurity status of state agencies, organizations, and enterprises’ information systems prior to 11 April 2024.
With this new directive, as soon as guidance from the Ministry of Information and Communications is sent to businesses, they need to conduct immediately a review of their information systems, and report/notify VNCERT/CC and relevant agencies/parties when any incident occurs that affects their systems in Vietnam.