
This change not only fills legal loopholes but also imposes stringent technical barriers, requiring organization leaders to have cybersecurity certifications and ending the era of "easy" data collection by businesses.
Data has become a matter of national survival.
At the seminar "Cybersecurity Law 2025: A Step Forward in Protecting Data Security" organized by the National Cybersecurity Association on the afternoon of November 24th, experts unanimously agreed that the old legal framework had completed its initial mission but was not comprehensive enough to handle the current pace of digital transformation.
Lieutenant Colonel Nguyen Dinh Do Thi, Deputy Head of the Cyber Security Department (Cyber Security and High-Tech Crime Prevention and Control Department - Ministry of Public Security), emphasized the shift in state management thinking, viewing data as the "blood" of the digital economy and identifying key state policies on ensuring cybersecurity and data security.
First, prioritize cybersecurity protection in national defense, security, socio-economic development, science and technology, and foreign affairs. Second, build a safe cyberspace that does not harm national security and social order.
Third, focus resources on building specialized forces, developing high-quality human resources, and promoting research and development in cybersecurity technology. Fourth, encourage organizations and individuals to participate in risk management and cooperate with relevant authorities. Fifth, prioritize the use of Vietnamese cybersecurity products and services. Sixth, strengthen international cooperation in cybersecurity protection.
The urgency of legalizing data security stems from the reality of increasingly serious security risks.
Lieutenant Colonel Thi pointed out that in 2024 alone, Vietnam recorded more than 600,000 cyberattacks, tens of thousands of which targeted government systems.
Furthermore, ransomware attacks have forced many Vietnamese businesses to pay millions of dollars in ransom for data loss, similar to incidents in the US that reached up to $40 million. The buying and selling of data is openly taking place, exemplified by the case in February where a group involved in the illegal trading of 6 million personal data records was dismantled.
Sharing the same view, Mr. Vu Ngoc Son - Head of the Research, Consulting, Technology Development and International Cooperation Department (National Cybersecurity Association), assessed that the addition of the concept of "data security" is a great success of the bill, placing data at the center of security assurance work.
According to Mr. Son, the new regulations will create a rigorous screening process, dividing the market into two distinct groups: those that "do things genuinely" and those that "just go through the motions".
Previously, organizations could freely collect and store data without investing in security. However, the bill is expected to put an end to this situation. Organizations that do not ensure adequate cybersecurity infrastructure and solutions will not be allowed to collect and store data.
Mr. Son used an analogy, comparing data to money; people only deposit money in banks that meet security standards, and similarly, they will not provide data to organizations that lack the capacity to guarantee security.
"This shift will spur the emergence of a new economic sector: the data industry, alongside the cybersecurity industry. Businesses that are not qualified to protect their own data will have to switch to purchasing services, connecting to national databases, or participating in reputable data exchanges instead of collecting data themselves."
"This helps optimize social resources, reduce dispersed investment costs, and limit leakage risks," Mr. Son added.
Facial authentication alone is not enough to combat deepfakes.
Mr. Tran Cong Quynh Lan, Deputy General Director of Vietnam Joint Stock Commercial Bank for Industry and Trade (VietinBank), said that currently 99% of transactions at the bank are conducted through digital channels.
To meet the new requirements, VietinBank has implemented a multi-layered security model, applying the 4-factor authentication system currently in use:
Levels 1 and 2: Username/password and OTP code.
Level 3: Biometrics (facial).
Level 4: Authentication via chip-embedded Citizen Identity Card using NFC technology (Near Field Communication).
Mr. Lan emphasized the role of the fourth layer of protection in combating deepfake identity fraud. For example, for money transfer transactions exceeding 1 billion VND, the system requires users to scan their chip-embedded citizen identity cards for verification, instead of relying solely on facial recognition.
In particular, when customers change their phone devices – a high-risk behavior – banks also apply NFC authentication to ensure ownership.
Besides technical solutions, Mr. Lan pointed out the major operational challenges posed by the bill:
Data classification: Banks must classify and label data for millions of transactions every day. Biometric data, financial data, and behavioral data must have different protection mechanisms and access control policies.
24-hour incident reporting: The requirement to report cybersecurity incidents within 24 hours, along with proposed solutions, places significant pressure on response procedures.
"Not trusting anyone" is the safest way to protect yourself.
Regarding network infrastructure, Mr. Le Cong Trung, Head of the Cybersecurity BU (MobiFone), presented on the application of the Zero Trust architecture – trusting no one – to meet the new cybersecurity standards.
This model is based on five pillars of control: identity, device, network, application, and data. All access must be continually re-authenticated.
Another key point is controlling supply chain risks.
"MobiFone is accelerating its strategy of technological self-reliance, manufacturing its own cybersecurity equipment such as firewalls and 'Make in Vietnam' identity solutions to avoid dependence on third parties," Mr. Trung shared.
MobiFone representatives also highly appreciated the fact that the Cybersecurity Bill closely adheres to the TCVN 11423 standard on cybersecurity, providing businesses with specific quantitative metrics (15 requirements for state agency systems, 18 requirements for nationally critical systems) to implement technical solutions.
One groundbreaking new point in the 2025 Cybersecurity Law, which Mr. Vu Ngoc Son particularly emphasized, is the requirement placed on the head of the organization.
Unlike the old law which only stipulated general responsibilities, the draft law requires the head of the organization to have knowledge and certification in cybersecurity management. Mr. Son believes this is an important step towards changing the organizational culture, because if leaders lack knowledge, they cannot make effective investment decisions.
"Internet users also need to shift their mindset from 'enjoyment' to 'responsibility.' Carelessly and uncontrolledly sharing personal data is like leaving assets unprotected, indirectly encouraging criminal activity," Mr. Son added.
Sharing international experience, Mr. Son cited the model of South Korea - a country that was once the most frequently targeted by cyberattacks in the world. South Korea has built a system of universal cybersecurity certifications from elementary school to postgraduate level.
"Thanks to this systematic training, the people and personnel of South Korea have very good defensive skills, creating a solid 'shield' for the nation when all parties have knowledge and invest in cybersecurity," Mr. Son cited as an example.
