Draft Law on Cyber ​​Security puts an end to lax data collection

This change not only fills legal gaps but also sets strict technical barriers, requires heads of organizations to have cybersecurity certification and ends the era of "easy" data collection by businesses.

Data becomes a matter of national survival

At the seminar "Cybersecurity Law 2025: A step forward in protecting data security" organized by the National Cybersecurity Association on the afternoon of November 24, experts unanimously agreed that the old legal framework had completed its initial mission but was not comprehensive enough to meet the current speed of digital transformation.

Lieutenant Colonel Nguyen Dinh Do Thi, Deputy Head of the Cyber ​​Security Department (Department of Cyber ​​Security and High-Tech Crime Prevention and Control - Ministry of Public Security ) emphasized the change in state management thinking when considering data as the "blood" of the digital economy and identifying the State's key policies on ensuring cyber security and data security.

First, prioritize cybersecurity in national defense, security, socio- economics , science and technology, and foreign affairs. Second, build a safe cyberspace that does not harm national security and social order.

Third, focus resources on building specialized forces, developing high-quality human resources, and promoting research and development of cybersecurity technology . Fourth, encourage organizations and individuals to participate in handling risks and coordinate with competent authorities. Fifth, prioritize the use of Vietnamese cybersecurity industry products and services. Sixth, strengthen international cooperation to protect cybersecurity.

The urgency of data security legislation stems from the fact that the risk of insecurity is increasingly serious.

Colonel Thi pointed out that in 2024 alone, Vietnam recorded more than 600,000 cyber attacks, of which tens of thousands targeted state agency systems.

In addition, ransomware attacks have forced many Vietnamese businesses to pay millions of dollars in ransom for data, similar to cases in the US that cost up to 40 million dollars. The situation of buying and selling data is happening openly, typically the case of dismantling a group of subjects illegally buying and selling up to 6 million personal data in February.

Sharing the same view, Mr. Vu Ngoc Son - Head of the Department of Research, Consulting, Technology Development and International Cooperation (National Cyber ​​Security Association), assessed that the addition of the concept of "data security" is a great success of the bill, putting data at the center of security work.

According to Mr. Son, the new regulation will create a strict screening process, separating the market into two distinct groups: "real" units and "fake" units.

Previously, entities could freely collect and store data without investing in security. However, the bill is expected to end this situation. Those entities that do not ensure infrastructure and cybersecurity solutions will not be allowed to collect and store data.

Mr. Son likened data to money, people only deposit money in banks that meet protection standards and similarly, they will not provide data to organizations that lack the capacity to ensure security.

“This change will spur the emergence of a new economic sector: the data industry, alongside the cybersecurity industry. Businesses that are not qualified to protect their data themselves will have to switch to purchasing services, connecting to national databases or participating in reputable data exchanges instead of collecting them themselves.

This helps optimize social resources, reduce decentralized investment costs and limit leakage risks,” Mr. Son added.

Facial authentication is not enough to fight deepfake

Mr. Tran Cong Quynh Lan - Deputy General Director of Vietnam Joint Stock Commercial Bank for Industry and Trade (Vietinbank) said that currently 99% of transactions at this bank are done through digital channels.

To meet the new requirements, VietinBank has deployed a multi-layer security model, applying the 4-layer authentication that is currently being applied:

Layer 1 and 2: Username/password and OTP code.

Class 3: Biometrics (face).

Layer 4: Authentication via Citizen Identification Card with chip using NFC technology (short-range wireless communication technology).

Mr. Lan emphasized the role of the fourth layer of protection in combating identity fraud (Deepfake). For example, with money transfers over 1 billion VND, the system requires users to scan their chip-embedded citizen identification cards for verification, instead of relying solely on their faces.

Notably, when customers change their phone devices - a high-risk behavior - the bank also applies NFC authentication to ensure authenticity.

Besides the technical solution, Mr. Lan pointed out the major operational challenges posed by the bill:

Data Classification: Banks must perform data classification and labeling for millions of transactions every day. Biometric data, financial data, and behavioral data must have different protection mechanisms and access authorizations.

24-Hour Incident Reporting: The requirement to report cybersecurity incidents within 24 hours with a response plan places a huge strain on the response process.

"Trust no one" is the safest protection

Regarding network infrastructure, Mr. Le Cong Trung, Head of Network Security BU (MobiFone), presented the application of Zero Trust architecture - not trusting anyone - to meet new network security standards.

This model controls based on 5 pillars: Identity, device, network, application and data. Every access must be continuously re-authenticated.

Another key point is controlling supply chain risks.

"MobiFone is promoting its technology autonomy strategy, self-producing network security devices such as firewalls and "Make in Vietnam" identification solutions to avoid dependence on third parties," Mr. Trung shared.

MobiFone representative also highly appreciated the fact that the Cyber ​​Security Bill closely follows the TCVN 11423 standards on cyber security, helping businesses have specific quantitative measures (15 requirements for state agency systems, 18 requirements for important national systems) to deploy technical solutions.

A new breakthrough point in the 2025 Cyber ​​Security Law that Mr. Vu Ngoc Son especially emphasized is the requirement for the leader.

Unlike the old law which only stipulated general responsibilities, the bill requires the head of the organization to have knowledge and certification in cybersecurity management. Mr. Son said this is an important step to change the organizational culture, because if the leader does not understand, he cannot make effective investment decisions.

“Internet users also need to change their mindset from “enjoyment” to “responsibility”. Sharing personal data carelessly and without control is like leaving assets unprotected, indirectly encouraging criminal activities,” Mr. Son added.

Sharing international experience, Mr. Son cited the model of South Korea - the country that was once the most attacked by cyberattacks in the world. South Korea has built a universal cybersecurity certification system from elementary school to post-graduate level.

“Thanks to this thorough training, Korean people and personnel have very good defense skills, creating a solid "shield" for the country when all parties have knowledge and investment in cybersecurity,” Mr. Son cited.

Source: https://dantri.com.vn/cong-nghe/du-thao-luat-an-ninh-mang-cham-dut-tinh-trang-thu-thap-du-lieu-de-dai-20251124225636608.htm