One of the most notable provisions of the 2025 Draft Law on Cybersecurity is the requirement for heads of agencies, organizations, and enterprises to hold a certificate in cybersecurity management - underscoring their special role and responsibility in safeguarding digital infrastructure.
At the roundtable discussion “Cybersecurity Law 2025: A leap forward in data protection” held on November 24, Vu Ngoc Son, Head of Research, Consulting, Technology Development and International Cooperation at the National Cybersecurity Association, highlighted this groundbreaking change.
This is not a technical certification for cybersecurity professionals but rather a certificate in cybersecurity governance and management.
Once the law is passed, official guidance and specific standards will be issued, with the Association supporting implementation and compliance.
“This requirement reflects a practical reality,” said Mr. Son. “Cybersecurity is only effective when it is prioritized at the leadership level and integrated into decision-making.”
Without leadership awareness, investments in technology, personnel, and security protocols may become superficial or misaligned with actual risks.
On the other hand, when leaders possess sufficient understanding and skills, they can guide cybersecurity strategies, allocate resources effectively, structure data governance, and ensure operational sustainability.
The draft law also places stronger emphasis on personal data protection and controlled information sharing, reflecting a shift in public responsibility.
“Just like we take steps to secure physical property with locks or fences, individuals are now expected to take responsibility for their digital assets,” Son explained.
Government warns of real risks and proposes criminal liability

At a previous roundtable with the media in July 2025, Lieutenant Colonel Le Xuan Thuy, Director of the National Cybersecurity Center (A05 Department, Ministry of Public Security), affirmed that despite existing standards, Vietnam’s digital infrastructure remains frequently targeted by cyberattacks.
These attacks span the government, energy, banking, and industrial sectors - proving that current regulatory frameworks fall short of ensuring protection.
He noted two primary groups targeted by the law:
First, critical information systems in national security sectors. If these systems are breached, the consequences extend beyond the managing organization to the wider community.
He cited energy systems as an example - cyberattacks here would compromise national energy security. Attacks on telecom and banking systems also pose immense danger to society.
Second, state-owned information systems, especially those containing government secrets or serving public services.
“These systems often include neglected IT assets - unpatched, unmonitored, and poorly maintained,” said Lieutenant Colonel Thuy. “Such vulnerabilities serve as stepping stones for hackers to penetrate more critical infrastructures.”
Criminal liability looms for negligent leadership

Major Tran Trung Hieu, Deputy Director of the National Cybersecurity Center (A05), added that security threats have surged in recent years, yet many agency and enterprise heads remain unaware of incidents occurring under their watch.
“Too many leaders are still not giving cybersecurity the attention it demands,” he warned. “We’ve dealt with numerous cases where hackers stole organizational and personal data - including state secrets.”
The Ministry has repeatedly issued formal warnings. If a cybersecurity breach impacts national security or results in leaked state documents, legal consequences - including criminal charges - may follow.
“We are considering prosecuting cases under laws related to criminal negligence or deliberate misconduct,” Major Hieu said.
The message is clear: cybersecurity can no longer be relegated to IT departments alone. It must become a core responsibility of leadership, embedded in national governance and corporate culture.
Thai Khang