Vietnam Draft Decree on administrative penalties in cybersecurity & personal data protection 2026
The Draft Decree addresses a longstanding gap in Vietnam's regulatory framework, where sanctioning provisions in these two areas have remained fragmented across sectoral regulations, including those on telecommunications and consumer protection, or embedded in primary legislation such as the law on cybersecurity and the law on personal data protection without accompanying penalty mechanisms.
The subjects of application include both Vietnamese and foreign organizations and individuals committing administrative violations in these fields in Vietnam.
Key provisions
1. Statute of limitations
The statutory limitation period for imposing administrative penalties in both fields is one (1) year from the date the violation is confirmed as terminated. For individuals, this is the date obligations are fulfilled; for organizations, it is the date obligations are fulfilled under applicable regulations or the date a competent authority confirms the violation has ceased in cyberspace. The determination of whether a violation is ongoing or has terminated is based on the documentation and specific circumstances of each case.
2. Penalty levels & maximum fines
In the field of cybersecurity, the maximum fine is VND 100,000,000 for individuals and VND 200,000,000 for organizations.
In the field of personal data protection (PDP), the following fines apply:
- General violations: up to VND 1,500,000,000 for individuals and VND 3,000,000,000 for organizations
- Buying or selling personal data: a fine equal to 10× the amount derived from the violation
- Cross-border transfer violations: 5% of the organization's prior fiscal year total turnover, with a fixed minimum fine of VND 3,000,000,000 where no turnover exists or where the turnover-based fine would be lower
For particularly serious violations, penalty multipliers apply based on the number of affected data subjects:
- 100,000 to under 1,000,000 data subjects: 2× the prescribed fine
- 1,000,000 to under 5,000,000 data subjects: 5× the prescribed fine
- 5,000,000 data subjects or more: 5% of prior fiscal year total turnover
These multipliers apply to acts resulting in the disclosure, loss, or unauthorized cross-border transfer of personal data of Vietnamese citizens. Additionally, repeat violations of PDP regulations in advertising services and unlawful data collection, transfer, purchase, or sale trigger a fine of 5% of prior fiscal year total turnover from the second violation onwards.
3. Authority to impose administrative penalties
Sanctioning authority is vested in the People's Public Security forces and People's Committees at various administrative levels, with fines ranging from VND 10,000,000 (officers on duty) up to VND 100,000,000 (Directors General of specialized departments and Chairpersons of provincial-level People's Committees).
Directors General may additionally impose aggravated fines of up to 5× the base fine, or turnover-based fines of 5% for the most serious organizational violations. The Border Guard and Vietnam Coast Guard are also granted sanctioning authority for certain specific violations within their jurisdictions.
4. Status & next steps
No official promulgation date has been announced. Forvis Mazars Vietnam will continue to monitor developments and publish updates as the decree progresses.

