Vietnam has initiated significant plans to establish a national cybersecurity firewall, a move articulated by Public Security Minister Lương Tam Quang on February 7. This announcement followed the conclusion of the Communist Party of Vietnam’s 14th National Congress. The introduction of such a cybersecurity framework marks a pivotal moment, showcasing the government’s commitment to enhancing its digital governance policies.
Significantly, this is the first instance where a high-ranking official has explicitly mentioned the term “cybersecurity firewall” in relation to the nation’s online policies. Historically, Vietnam has been perceived as maintaining one of the most controlled and surveilled online environments worldwide. However, before this declaration, the government had never openly conveyed an intention to construct what they are now conceptualizing as a national cybersecurity firewall.
This announcement comes at a time when sweeping reforms are underway regarding the country’s cybersecurity laws. The recent legislative changes reflect a broader strategy aimed at refining how digital governance is approached in Vietnam.
### A New Cybersecurity Law Anchors Digital Governance
On December 10, 2025, the 15th National Assembly ratified a new Cybersecurity Law, which is set to become effective on July 1, 2026. This legislative piece, orchestrated by the Ministry of Public Security (MPS), will replace both the existing 2018 Cybersecurity Law and the 2015 Law on Information Security.
The newly instituted cybersecurity law introduces novel terminology into Vietnam’s framework for digital governance. Particularly noteworthy is the stipulation in Point d, Clause 2, Article 10, which indicates that authorities will initiate studies on the development of a national firewall system. This terminology has entered the formal legal lexicon for the first time, effectively institutionalizing the concept of a cybersecurity firewall within Vietnamese law.
The inclusion of this provision signifies a structural transformation in how cybersecurity regulations are framed within the nation. It elevates the significance of technical filtering and monitoring mechanisms, treating them as essential components of national policy objectives to bolster digital sovereignty and security.
### Draft Technical Standards Outline Cybersecurity Firewall Requirements
Just two months post-law passage, the MPS put forth a draft regulation for public discourse titled “National Technical Standard on Cybersecurity—Firewall—Basic Technical Requirements.” This document outlines the anticipated technical architecture for the cybersecurity firewall.
According to the draft, firewall systems that adhere to national standards would constitute compulsory infrastructure for monitoring and filtering internet activities. These systems are tasked with adeptly filtering traffic and performing deep packet inspection (DPI) — a critical requirement for securing the digital landscape.
Moreover, the proposal incorporates the necessity for SSL/TLS inspection capabilities. SSL/TLS protocols, identified by the “https” prefix in web addresses, are widely utilized to encrypt user-website communications. Under the proposed framework, firewall systems would have the capacity to decrypt such encrypted communications, inspect their contents, and subsequently re-encrypt the data before forwarding it, raising concerns about privacy and user rights.
Additionally, the draft suggests the integration of user identity data into bespoke control policies. This include web-filtering mechanisms that would leverage expansive blacklists containing at least 100,000 domain names, which would identify and block undesirable content under the auspices of national security.
### Data Logging, Risk Assessment, and Centralized Oversight
Beyond filtering capabilities, the proposed cybersecurity firewall mandates that network devices maintain detailed logs for every user session. This logged data would include timestamps, source and destination addresses, protocols employed, and respective system responses.
The assessment of user activity will involve the establishment of a “risk level.” If predefined limits are surpassed, automated controls or alerts will be activated, directing notifications to relevant cybersecurity authorities. This risk-based monitoring paradigm introduces complexity into Vietnam’s digital governance framework, intertwining surveillance elements with automated enforcement mechanisms.
Furthermore, various proposed regulations stemming from the 2025 cybersecurity law would impose additional responsibilities on telecommunications and internet service providers. They would be obligated to retain IP address identification data linked to subscriber information for a minimum of 12 months. Companies would also need to create direct technical linkages to facilitate the transfer of IP data to the MPS’s specialized cybersecurity units.
Under the outlined regulations, user information must be made available within 24 hours upon request, and within three hours in cases deemed urgent. All user data is expected to be stored domestically at the MPS’s National Data Center.
### Conclusion
Vietnam’s approach to cybersecurity, particularly through the establishment of a national firewall, reflects a concerted effort to enhance its digital governance landscape. While such measures aim to bolster national security, they also raise pertinent questions around privacy, civil liberties, and the implications of a closely monitored cyber environment. As the nation strides forward with these reforms, a delicate balance must be struck between safeguarding citizens and ensuring freedom in the digital realm.