Vietnam has announced plans to focus on building a cybersecurity firewall. The statement was delivered by Public Security Minister Lương Tam Quang on Feb. 7, following the closing session of the Communist Party of Vietnam’s 14th National Congress.
It was the first time a senior official explicitly used the term “cybersecurity firewall” to describe the country’s direction in digital governance. While Vietnam has long been regarded internationally as operating one of the most tightly controlled online environments, authorities had not previously declared an intention to construct what they now describe as a national cybersecurity firewall.
The announcement coincides with sweeping reforms to the country’s cybersecurity law framework.
A New Cybersecurity Law Anchors the Digital Governance Strategy
On Dec. 10, 2025, the 15th National Assembly passed a new Cybersecurity Law that will take effect on July 1, 2026. Drafted by the Ministry of Public Security (MPS), the legislation replaces both the 2018 Cybersecurity Law and the 2015 Law on Information Security.
The 2025 cybersecurity law introduces new language into Vietnam’s digital governance architecture. Notably, Point d, Clause 2, Article 10 states that authorities will “study the development of a national firewall system.” This is the first time such terminology has appeared in Vietnamese legislation, formally embedding the concept of a cybersecurity firewall within statutory law.
The inclusion of this provision represents a structural shift in how cybersecurity law is framed in the country, elevating technical filtering and monitoring infrastructure to the level of national policy objectives, as reported by The Vietnamese Magazine.
Draft Technical Standards Outline Cybersecurity Firewall Requirements
Approximately two months after the law’s passage, the Ministry of Public Security released a draft regulation for public comment titled “National Technical Standard on Cybersecurity—Firewall—Basic Technical Requirements.” The document provides insight into the proposed technical architecture of the cybersecurity firewall.
According to the draft, firewall systems meeting national standards would be mandatory infrastructure for monitoring and filtering internet activity. These devices would be capable of filtering traffic and conducting deep packet inspection (DPI).
The proposal also includes SSL/TLS inspection capabilities. SSL/TLS protocols—indicated by the “https” prefix in web addresses—are commonly used to encrypt communications between users and websites. Under the draft framework, firewall systems would be able to decrypt encrypted communications, inspect their contents, and then re-encrypt them before forwarding the data.
In addition, the draft calls for integrating user identity data into individualized control policies. Web-filtering mechanisms would rely on blacklists containing at least 100,000 domain names. These blacklists are defined as collections of IP addresses, domains, and URLs subject to restriction under information security policies, aimed at blocking content or activity considered “undesirable.”
Data Logging, Risk Assessment, and Centralized Oversight
Beyond filtering capabilities, the proposed cybersecurity firewall would require network devices to log detailed information for every user session. Logged data would include time stamps, source and destination addresses, protocols used, and system responses.
User activity would then be assessed and assigned a “risk level.” If defined thresholds are exceeded, automated controls or alerts would be triggered and transmitted to cybersecurity authorities. This risk-based monitoring model adds another layer to the country’s digital governance structure, combining surveillance mechanisms with automated enforcement tools.
Separate draft regulations implementing the 2025 cybersecurity law would further obligate telecommunications and internet service providers to retain IP address identification data linked to subscriber information for a minimum of 12 months. Companies would also be required to establish direct technical connections enabling the transfer of IP data to the Ministry’s specialized cybersecurity force.
Under the proposed rules, user information must be provided within 24 hours upon request, or within three hours in urgent cases. All user data would be stored domestically at the MPS’s National Data Center.
