As Vietnam accelerates its digital transformation, the government is actively promoting the development of data centers to meet the surging demand for data storage and processing. With increasing data usage across industries, the country is witnessing a rapid expansion of data center investments. At the same time, Vietnam’s legal framework for data centers is becoming more structured, with a growing number of regulations that businesses must navigate.

To help organizations understand and comply with these evolving requirements, KPMG in Vietnam is pleased to develop and share this Guide to Vietnam Data Center Regulations, providing insights into the regulatory landscape and practical guidance for investors operating in this fast-growing sector. To facilitate reading and topic comprehension, this guide is organized as a series of Q&As for specific sections.

The guide begins with Market Entry Options, outlining the legal pathways for foreign investors to participate in the data center sector, including wholly foreign-owned entities, joint ventures, and business cooperation contracts. It then details the Approval and Licensing Requirements necessary for setting up and operating a data center in compliance with Vietnamese law. Real Estate and Construction considerations are also discussed, including land use rights, infrastructure development, and regulatory requirements specific to data center facilities.

For operational concerns, the guide examines the Rental of In-Building Cable Networks, a critical aspect of ensuring connectivity for data center operations. It also highlights Environmental Protection regulations that impact the sustainability of data center infrastructure, covering energy efficiency, water usage and waste management requirements.

As data centers handle vast amounts of information, compliance with Data Protection and Cybersecurity laws is paramount. The guide provides insights into Vietnam’s evolving legal framework for safeguarding data privacy and securing data center networks. Additionally, it examines the regulations for Content Security that address the removal of violating digital content within data center environments.

Investment lifecycle aspects are also covered, including Divestment strategies for investors looking to exit the market. Finally, the guide outlines Dispute Resolution mechanisms available to foreign investors for resolving legal conflicts related to data center investments.

Q: What is the Government’s position on regulating data centers in Vietnam in terms of policy?

A: The Vietnamese Government actively promotes the development of data centers through a range of supportive policies and strategic initiatives. Recognizing data centers as a critical component of the country’s digital transformation, the Government has classified them as a high-priority technology for development and investment under the Law on Investment 2020 and the Prime Minister’s Decision 38/2020/QD-TTg on high technologies prioritized for development investment and development promotion. Furthermore, cloud computing, which plays an essential role in the operation and optimization of data centers, has been designated as a key digital technology for research, development, and application. This recognition is part of the Government’s broader strategy to enhance Vietnam’s participation in the Fourth Industrial Revolution, as outlined in Decision 2117/QD-TTg.

Q: Are data centers and data center services officially regulated in Vietnam?

A: Yes. "Data center services" officially became a category of value-added telecommunications services regulated under the Law on Telecommunications No. 24/2023/QH15 issued by the National Assembly on 24 November 2023, taking effect on 1 July 2024. Specifically:

  • A “data center” is defined as a telecommunications facility, including buildings, stations, cable systems, computer systems, electrical systems, and auxiliary equipment installed to process, store, and manage data for one or multiple organizations or individuals.
  • “Data center service” is a telecommunications service that provides processing, storage, and retrieval capabilities for users over telecommunications networks by leasing part or all of a data center.
  • "Data center service" is listed under "value-added telecommunications services" in Decree 163/2024/ND-CP.

Q: What are the main data center laws and regulations in Vietnam?

A: Various laws, regulations and standards regulate the development and operation of data centers, as well as the provision of data center services in Vietnam. The following are especially relevant:

  • Law on Telecommunications No. 24/2023/QH15 of the National Assembly dated 24 November 2023 (“Telecoms Law”).
  • Law on Investment No. 61/2020/QH14 of the National Assembly dated 17 June 2020 (“Investment Law”).
  • Law on Network Information Security No. 86/2015/QH13 of the National Assembly dated 19 November 2015 (“Network Information Security Law”).
  • Law on Cybersecurity No. 24/2018/QH14 of the National Assembly dated 12 June 2018 (“Cybersecurity Law”).
  • Law on Land No. 31/2024/QH15 of the National Assembly dated 18 January 2024 (“Land Law”).
  • Law on Data No. 60/2024/QH15 of the National Assembly dated 30 November 2024 (“Data Law”).
  • Decree No. 163/2024/ND-CP of the Government dated 24 December 2024 on elaboration of some articles and measures for enforcement of the Law on Telecommunications (“Decree 163”).
  • Decree No. 147/2024/ND-CP of the Government dated 9 November 2024 on the management, provision, and use of Internet services and online information (“Decree 147”).
  • Decree No. 85/2016/ND-CP of the Government dated 1 July 2016 on the security of information systems by classification (“Decree 85”).
  • Decree No. 53/2022/ND-CP of the Government dated 15 August 2022 elaborating a number of articles of Law on Cybersecurity (“Decree 53”).
  • Circular No. 03/2013/TT-BTTTT of the Ministry of Information and Communication dated 22 January 2013 prescribing application of technical regulations and standards to data centers, as amended by Circular No. 23/2022/TT-BTTTT of the Ministry of Information and Communication dated 13 February 2023 (“Circular 03”).
  • Circular No. 07/2024/TT-BTTTT of the Ministry of Information and Communication dated 2 July 2024 guiding the mechanism, principles of price control, and pricing methods for leasing the use of cable networks in buildings, rental prices for passive telecommunications infrastructure between telecommunications enterprises, organizations, and individuals owning telecommunications works (“Circular 07”).
  • Circular 12/2022/TT-BTTTT guiding Decree 85/2016/ND-CP on ensuring information system security at all levels issued by the Minister of Information and Communications (“Circular 12”).

Q: What options are available to foreign investors for investing in data centers in Vietnam?

A: In accordance with Vietnam’s WTO Commitment, Investment Law, and Telecoms Law, foreign investors can consider these investment options when investing in data centers:

  • Establish a foreign-invested entity (FIE) that is fully owned by the foreign investor.
  • Form a data center joint venture with a Vietnamese enterprise through capital contribution or purchase of shares/stakes in Vietnamese enterprises without any limitation on foreign capital.
  • Enter a business cooperation contract (BCC) with a Vietnamese enterprise, which allows them to operate a data center without the necessity of establishing a business organization.

Q: Are there approval and licensing requirements for building new data centers in Vietnam?

A: Yes. Foreign investors seeking to establish companies in Vietnam to operate data centers must first comply with the country’s investment and enterprise registration procedures. This process includes obtaining an Investment Registration Certificate (IRC), which serves as formal approval for foreign investment projects, and an Enterprise Registration Certificate (ERC), which legalizes the business entity under Vietnamese law. These certificates are issued by the provincial Department of Finance (DOF) (formerly the Department of Planning and Investment) where the data center business is to be located. In special cases, investors may be required to obtain an In-Principle Investment Approval, particularly for data center projects that involve land allocation, leasing without auction, transfer, or conversion of land use for construction purposes. Furthermore, an M&A (Merger and Acquisition) Approval is necessary for foreign investors acquiring shares in an existing enterprise operating a data center project, as data center services are classified as telecoms services—a sector subject to conditional investment regulations for foreign investors under the specialized regulations.

After obtaining the IRC and ERC, enterprises offering data center services must register as telecommunication service providers under the Telecoms Law. Data center service providers based in Vietnam are required to register with the Ministry of Science and Technology (MOST) (formerly the Ministry of Information and Communications). The registration process includes:

  • Documentation requirements:
    • A completed application form (Form No. 25 of Decree 163).
    • Enterprise Registration Certificate or Investment Registration Certificate.
    • A technical plan demonstrating compliance with infrastructure safety, security, and technical standards.
  • Application details: The application form should include information about the enterprise (name, address, registration details, and contact information), a description of telecommunication services to be offered, and infrastructure specifics (e.g., location, capacity, standards, internet connectivity, and security measures).
  • Statutory timeline: The MOST will review applications within three (3) business days and issue a certificate within five (5) business days if the requirements are met. However, the actual timeline may vary. Re-registration is necessary in the event of changes to the company’s name or infrastructure.

Prior to operating a data center, data center service providers must declare the data center’s conformity with national technical standards and regulations in accordance with prevailing regulations. The declaration requirements depend on the data center’s technical assurance level:

  • For data centers with a technical assurance level of 3 or 4: Enterprises shall select an assessment and certification organization to evaluate and certify the data center’s compliance.
  • For data centers with a technical assurance level of 1 or 2: Enterprises may either self-assess or select an assessment and certification organization to evaluate the data center’s compliance.

Q: What are the regulations for land acquisition and construction for data centers in Vietnam?

A: Several key regulations must be carefully reviewed concerning land use and construction for data centers:

  • Land use rights: Governed by the Land Law and its implementing regulations, foreign investors can acquire land use rights through the following general methods:
    • Industrial zones or high-tech parks: Investors can lease land within designated industrial zones or high-tech parks, governed by industrial zone or high-tech park management authority, where the land is specifically allocated for industrial or high-tech activities.
    • The industrial park infrastructure developer, or the management authority of the high-tech park, shall oversee land allocation.
    • Outside of industrial zones and high-tech parks: The competent People's Committee of the locality where the data center is located is authorized to lease land for data center construction. This must be in accordance with national information and communication infrastructure planning, passive telecommunication technical infrastructure planning, and land use planning.
  • Construction: A construction permit from the relevant People's Committee or the management authority of the industrial zone or high-tech park is required for data center construction, in accordance with the Law on Construction No. 50/2024/QH13 and its implementing guidelines.
  • Technical infrastructure and physical standards: Data centers must comply with the technical regulations outlined in Circular 03, which mandates adherence to several national and international standards, including:
    • TCVN 9250:2021 (or ANSI/TIA-942-B:2017) or Uptime Institute’s Tier Standards for data center classification.
    • National Technical Regulation on Lightning Protection for Telecommunications Stations and External Telecommunications Networks (QCVN 32:2020/BTTTT).
    • National Technical Regulation on Grounding for Telecommunications Stations (QCVN 9:2016/BTTTT).
    • National Technical Regulation on Fire Safety for Buildings and Structures (QCVN 06:2021/BXD).

Q: Are there any regulations on rental prices for in-building cable networks?

A: Yes. The rental of in-building cable networks is governed by Circular 07, issued by the Ministry of Information and Communications, which establishes price control mechanisms and methodologies for determining rental prices. The pricing must follow a regulatory formula and cannot be arbitrarily set, incorporating components such as construction investment costs, operation and management expenses, maintenance and repair costs, other legal expenses, and expected profit. The rental price is calculated as the sum of these costs divided by the rental units, ensuring transparency and compliance with financial regulations. The construction cost is based on depreciation rules from the Ministry of Finance, while profit is determined by past financial performance. Rental units are defined based on infrastructure type, such as cables, pipes, or rental areas, ensuring a standardized approach to pricing in-building telecom infrastructure.

Q: Are there any environmental requirements that apply to data centers? What are they?

A: Under Vietnamese law, data centers must comply with various environmental regulations, including:

  • Environmental Impact Assessment (EIA):
    Data center projects are classified by environmental impact under the Law on Environment Protection. Projects with moderate to high risks need an approved Environmental Impact Assessment (EIA) before construction begins.
  • Electricity efficiency:
    According to the Law on Economical and Efficient Use of Energy and its guiding documents, data centers with a total annual energy consumption of one thousand tons of oil equivalent (1,000 TOE) or higher are required to implement energy-saving measures. These units must report their energy consumption and adhere to the energy-saving standards established by the Ministry of Industry and Trade. The law also mandates enterprises to conduct energy audits and adopt modern technologies to reduce energy consumption.
  • Water use:
    In accordance with the Law on Water Resources, data centers utilizing water for cooling purposes are required to adhere to regulations governing water use, including efficient and economical use of water.

  • Wastewater:
    The National Technical Regulation on Industrial Wastewater No. QCVN 40:2011/BTNMT requires data centers to ensure that treated wastewater meets the standards for pollutants within allowable limits (color, pH, BOD, COD, heavy metals, microorganisms, etc.). Depending on the discharge location (rivers, lakes, public drainage systems), wastewater standards are different in accordance with the prevailing regulations.

Q: What are the key laws and regulations governing data protection in Vietnam?

A: Decree 13/2023/ND-CP (Decree 13) is Vietnam's main regulation on personal data processing, establishing rules for data collection, use, and disclosure. It aligns with GDPR principles like lawfulness, transparency, purpose limitation, and security. Decree 13 outlines data processing roles (Data Controller and Data Processor), prescribes formats for privacy notices and consent forms, and defines lawful bases like consent and public interest. It grants data subjects rights such as access, deletion, and restriction. It also requires processing impact assessments and data breach reporting to the Ministry of Public Security.

Despite its alignment with GDPR principles, Decree 13 contains discrepancies that create regulatory gaps.

In addition, a data center handling Core and Critical Data under the Data Law must meet strict protection standards set by the law and its regulations. Core Data includes information that impacts national defense, security, foreign affairs, macroeconomics, social stability, public health, and safety, while Important Data may potentially influence these areas.

Other laws also govern data processing in Vietnam. The Law on Network Information Security (LNIS) sets principles for securing domestic information systems, including networks and servers. Decree 85/2016 and Circular 12/2022 mandate detailed security standards for systems supporting online services or government functions. These include technical measures like system design, maintenance, and incident reporting, as well as organizational measures such as security policies, resource allocation, and management of system operations.

Q: Are there specific requirements in Vietnam regarding where and how data must be stored, such as mandates to keep data within company premises or restrictions on outsourcing and cloud storage?

A: Yes. Under the Cybersecurity Law and Decree 53, domestic enterprises providing services on the telecoms network, the Internet, and value-added services in the cyberspace of Vietnam are obligated to localize in Vietnam (i) data on personal information of service users in Vietnam; (ii) data generated by service users in Vietnam, including account names, service use times, credit card information, emails, IP addresses from the last login or logout session, and registered phone numbers associated with accounts or data; and (iii) data on relationships of service users in Vietnam, such as friends and groups with whom users have connected or interacted, with a minimum storage period of 24 months. This localization requirement may also apply to foreign enterprises if they fail to cooperate with the Ministry of Public Security's requests to address cybersecurity violations occurring on their online platforms.

The method of data storage is determined by the enterprise.

Q: Is the use of third-party data processors permitted? If yes, what are the requirements to allow for use of data processors?

A: Yes, the use of third-party data processors is permitted under Decree 13 on a contractual basis. The Decree requires:

  1. A contract or agreement on the processing of personal data between the Controller and the Processor; and
  2. The Processor to have appropriate measures for protecting personal data (i.e., DPO appointment, documentation, organizational and technical measures adopted, data protection standard (recommended), cybersecurity examination).

In the banking sector, Circular No. 09/2020/TT-NHNN outlines principles and requirements for the use of third-party IT services to ensure continuous service provision, business process control, and information security responsibilities are maintained. It mandates risk assessments for IT and operational risks, especially for systems at level 3 and above or those handling customer data, covering threat identification, service continuity, regulatory compliance, role clarity, and risk mitigation strategies. For cloud services, additional requirements include classifying activities, creating backup plans, setting third-party criteria, and ensuring information security measures. When outsourcing complete management of level 3 systems or customer information, a risk assessment report must be submitted to the State Bank of Vietnam.

Q: Is there a regulatory authority that oversees the implementation and enforcement of data protection regulations in Vietnam? If so, how active are they in enforcement?

A: In Vietnam, the Ministry of Public Security, through its Department of Cyber Security and Crime Prevention (A05), oversees the enforcement of personal data protection regulations, ensuring compliance, addressing violations, and developing PDP policies. The Ministry of Information and Communication, which recently merged into the Ministry of Science and Technology, is responsible for laws on network information security. It sets standards for data protection in digital platforms and online services.

Both authorities actively conduct periodic compliance inspections.

Q: Are there regulations for government access to company data?

A: Yes, regulations exist for government access to company data. Decree 53/2022/ND-CP, guiding the Cybersecurity Law, allows the Ministry of Public Security and the Ministry of Defense to collect electronic data to investigate violations affecting national security, public order, or legal rights. This process must follow legal protocols, maintain data integrity, and involve authorized personnel, with proper documentation and, if necessary, third-party witnesses. Data storage and transmission devices may also be seized under legal provisions.

Under the Data Law, organizations and individuals, domestic and foreign, are encouraged to voluntarily share data with state authorities for public benefits like healthcare or climate action. In emergencies, national security threats, or disasters, data must be provided without data subject consent upon a formal request from competent authorities. These requests must specify the type, purpose, and duration of data use, follow documented procedures, and respect the legal rights of data owners. Data must be deleted when no longer needed, and providers must be notified unless the data is classified. Further details and processes are outlined in the Draft Decree guiding the Data Law.

The requirements for submitting information and data to competent authorities for the purposes of inspection and investigation are also delineated in other sector-specific regulations.

Q: Are approvals required for data processing?

A: The current PDP regulations do not require companies to seek approval for processing personal data. However, Data Controllers or Processors must submit regulatory reports, such as a Processing Impact Assessment (PIA) or Transfer Impact Assessment (TIA), to the Ministry of Public Security regarding their data processing and transfer activities. Notably, the draft PDP Law proposes a future requirement for organizations processing sensitive personal data to undergo credibility assessments by certified personal data protection rating service providers.

In accordance with the draft decree guiding the Data Law, businesses handling Core Data and Critical Data must conduct impact assessments and risk assessments, and submit impact assessment reports to the Ministry of Public Security or the Ministry of National Defense. Additionally, cross-border transfers involving Core Data necessitate government approval of the impact assessment within a 10-day review period. For Critical Data transfers, a five-day prior notification regarding the impact assessment is required, and authorities reserve the right to halt transfers if any security risks are identified.

Q: Are there mandatory requirements to notify authorities and data subjects in the event of a data breach?

A: Yes, organizations must notify relevant authorities of data breaches. Under the Law on Cybersecurity, cybersecurity incidents must be reported to the Ministry of Public Security (MPS). Decree 13 requires Data Controllers to notify the MPS of personal data protection violations within 72 hours. Server system operators in Vietnam must inform the Ministry of Information and Communications within five days of detection or immediately for uncontrollable incidents, per Circular 20. While Decree 13 does not explicitly require notifying data subjects, provisions granting their right to be informed suggest a possible obligation to notify them of unauthorized data access, although no specific format or timeline is prescribed.

Q: What types of sanctions or penalties may be imposed for data protection and cybersecurity violations?

A: Violations of personal data protection regulations in Vietnam can result in administrative, civil, and criminal sanctions. Administratively, the Draft Decree on Cybersecurity Administrative Sanctions (Draft CASD) proposes fines up to VND 200 million (USD 8,200), or 5% of annual revenue for severe cases, with penalties such as suspension of data processing activities, business license revocation, or confiscation of materials. Decree 13 allows authorities to halt non-compliant cross-border data transfers. Sectoral regulations, like Decrees 15/2020 and 24/2025, impose additional penalties, including fines and suspension of activities. Civilly, under Decree 13, data subjects can claim compensation for rights violations and seek enforcement of civil protection measures. Criminal offenses related to data may be prosecuted under the Penal Code, including charges such as data trafficking, unauthorized access, or infringement of banking data.

Q: Are data center service providers in Vietnam required to block or remove illegal content?

A: Yes. Decree 147 requires data center service providers to block or remove illegal content, services, and applications on the network within 24 hours upon receiving a formal request via written notice, phone, or email from the Ministry of Information and Communications (Authority of Information Security), the Ministry of Public Security (Cybersecurity and High-Tech Crime Prevention Department), or other competent authorities. Additionally, they are responsible for reporting violations, handling intellectual property complaints, suspending services for violators, and coordinating with authorities to enforce legal measures.

Q: What is the process for an investor to wind down or sell a data center in Vietnam?

A: The process of winding down or selling a data center can be carried out through various approaches, each requiring careful planning and compliance with legal and regulatory frameworks. The key methods include:

  • Asset transfer: This involves selling or transferring ownership of physical facilities, infrastructure, or land use rights to another entity. Depending on the location and ownership structure, this may require government approvals.
  • Share/stake transfer: Investors may choose to sell their shares or stakes in the data center entity through an M&A transaction.
  • Company liquidation: If an investor opts to fully close operations, the business must go through a formal liquidation process. This involves settling all debts and liabilities, terminating contracts, complying with tax obligations, and deregistering the company with relevant authorities.

Q: How are disputes resolved in Vietnam?

A: According to Vietnamese law, disputes and litigation in Vietnam can be resolved through negotiation, mediation, arbitration, or court litigation:

  • Negotiation: This is often the first step in dispute resolution and is encouraged to save time and resources.
  • Mediation: Mediation involves a neutral third party, the mediator, who facilitates discussions between disputing parties to help them find a voluntary settlement. Mediation can be conducted privately or through organizations like the Vietnam International Commercial Mediation Center (VICMC).
  • Arbitration: Arbitration is a popular method for commercial disputes in Vietnam, especially for foreign-related cases. The Vietnam International Arbitration Center (VIAC) is the primary institution that administers arbitration proceedings, where a neutral arbitrator or panel makes a binding decision.
  • Court litigation: Dispute resolution through the court system is an option for civil, commercial, and criminal cases. Vietnam's court system consists of various levels, including district courts, provincial courts, and the Supreme People's Court.