Opportunities and challenges from Vietnam's list of important and core data

On July 1, 2025, the Prime Minister issued Decision 20/2025/QD-TTg, officially announcing the list of important data and core data of Vietnam. This is an important step in the context that Vietnam is promoting digital transformation, building e-Government and protecting cyber security according to the Data Law 2024. The list clearly distinguishes which types of data are considered critical and which are considered core data with different protection requirements. With 26 types of core data and 43 types of important data, this Decision reflects the State's priority in protecting national interests, security and socio-economic development.

Clause 7, Article 3 of the Data Law stipulates: "Core data is important data that directly impacts national defense, security, foreign relations, macroeconomy, social stability, public health and safety on the list issued by the Prime Minister". Core data is understood as information with the highest level of sensitivity, directly affecting national security, defense and social stability if exposed or exploited for the wrong purpose. Meanwhile, important data is defined in Clause 6, Article 3 of the Data Law as: "Important data is data that can affect national defense, security, foreign relations, macro-economy, social stability, public health and safety on the list issued by the Prime Minister",  including core data plus other types of information, which have a broad impact on the economy, health, education and other areas of people's livelihood. The Government's promulgation of this list not only helps state agencies manage more effectively, but also sets clear limits and requirements for businesses, especially technology, finance and data services companies in complying with data protection in the process of doing business in Vietnam.

Contents of the list of core and important data

Based on Decision 20/2025/QD-TTg, the core data category includes 26 types, mainly focusing on the fields of defense, security and national resources. This list builds on the previous draft, but has been added to be more comprehensive. Concrete:

1. Data on national borders and territorial sovereignty collected and managed by state agencies have not been made public.
2. Data on strategies, schemes and projects on scientific and technological development and innovation in the field of national defense, security and cipher of state agencies have not been made public.
3. Data on defense and security industry activities have not been made public.
4. Data on investment and procurement activities in the fields of national defense, security, cipher and national reserves have not been made public.
5. Data on military, defense, security, cipher works, and important works related to national security have not been made public.
6. Data on strategies, policies, processes and activities of monitoring, preventing and responding to cyber security incidents and protecting critical information infrastructure of state agencies have not been made public.
7. Data on radio frequency planning for national defense, security and cipher tasks, Party agencies have not been made public.
8. Statistical data on the environment in service of national defense and security activities collected and managed by state agencies have not been made public.
9. Statistical data on hydrometeorology in service of national defense and security activities collected and managed by state agencies have not been made public.
10. Data on Party activities are collected and managed by Party agencies and have not been made public.
11. Data on external information of state agencies has not been made public.
12. Data transferred by foreign agencies, organizations and international organizations under treaties to which the Socialist Republic of Vietnam is a contracting party need to be protected and have not been made public.
13. Data on activities of overseas Vietnamese representative missions managed by state agencies have not been made public.
14. Data on the organizational structure scheme of ministries, sectors and localities has not been made public.
15. Data on cadres, civil servants, state employees, people's armed forces, and people working in key organizations have not been made public.
16. Data on ethnicity, beliefs and religions managed by state agencies have not been made public.
17. Data on water resources and rare precious minerals collected and managed by state agencies have not been made public.
18. Geospatial data, aerial image data and remote sensing image data on key areas and places in service of national defense, security and cipher collected and managed by state agencies have not yet been made public.
19. Data on land, sea and islands collected and managed by state agencies have not been made public.
20. Data in the field of finance and budget collected and managed by state agencies have not been made public.
21. Data on the number and operation area of fishing and fishing vessels for aquatic and marine resources collected and managed by state agencies have not been made public.
22. Data on development plans, strategies, schemes and projects for ethnic minorities collected and managed by state agencies have not been made public.
23. Data on activities of the People's Court, the People's Procuracy and the State Audit Office collected and managed by state agencies have not been made public.
24. Data on atomic energy, radiation and nuclear safety, national energy, plans, strategies, schemes and projects on national energy development collected and managed by state agencies have not been made public.
25. Health data collected and managed by state agencies has not been made public.
26. Data on organizations and citizens has not been made public.

The category of important data is more extensive, including all 26 types of core data plus 17 others, for a total of 43 types. Additional types focus on administrative, economic, and social areas, such as:

1. Data on inspection, settlement of complaints and denunciations and corruption prevention and control collected and managed by state agencies have not been made public.
2. Data on activities of investigation, struggle and prevention of crimes, infringement of national security and handling of administrative violations collected and managed by state agencies have not been made public.
3. Data in the field of internal affairs collected and managed by state agencies has not been made public.
4. Data in the field of transportation collected and managed by state agencies has not been made public.
5. Data on works and performances collected and managed by the State as representatives of copyright owners and related rights holders collected and managed by state agencies have not been made public.
6. Data on scientific, technological and innovation activities collected and managed by state agencies have not been made public.
7. Data on investigation and settlement of environmental incidents have not been concluded by competent state agencies.
8. Data in the field of finance and banking of state agencies have not been made public.
9. Data on social insurance, health insurance, and unemployment insurance funds collected and managed by state agencies have not been made public.
10. Data in the field of industry and strategic goods collected and managed by state agencies has not been made public.
11. Data in the field of agriculture and rural development collected and managed by state agencies has not been made public.
12. Data on outward investment of state-owned enterprises has not been made public.
13. Data in the field of information and communication collected and managed by state agencies have not been made public.
14. Data in the field of education and training collected and managed by state agencies has not been made public.
15. Data on biosafety collected and managed by state agencies have not been made public.
16. Data in the field of labor, people with meritorious services and social affairs collected and managed by state agencies have not been made public.
17. Data on organizations and citizens has not been made public.

These data are defined under the Data Law, where critical data is information that can impact national defense, security, foreign affairs, macroeconomics, social stability, and public health if misused. They must be protected by high-tech measures, stored in the country and only transferred abroad with the permission of state agencies.

Consultation workshop on Drafting Sub-law Regulations under the Data Law, March 10, 2025. Source: The Congress Office

Impact on business operations in Vietnam

The issuance of this list brings opportunities and challenges for businesses, especially in the context that Vietnam is attracting foreign investment in the field of digital technology. First of all, in terms of legal compliance, businesses that process data in this category face stricter compliance requirements. According to the Data Law 2024 and the Decree guiding it, data service business becomes a conditional industry, requiring a license from the Ministry of Public Security or the Ministry of Science and Technology. For example, technology companies such as Google, Amazon or Vietnamese technology companies such as VNG and FPT if processing medical, financial or residential data (belonging to core data) must build a security system that meets national standards, report periodically and accept inspection at any time.

This leads to increased operating costs. According to estimates from the Vietnam Cyber Security Association, large enterprises may have to spend an additional 10-20% of their IT budget on upgrading data storage infrastructure in the country. Foreign companies, especially from the US or Europe, may struggle with the requirement of "data localization"[1], where critical data is not moved across borders without approval. This affects the global cloud model, forcing them to invest in data centers in Vietnam,  as is the case with Microsoft and AWS expanding their infrastructure here. For small and medium-sized enterprises, compliance costs can be up to hundreds of millions of VND/year, leading to facing many difficulties in compliance activities if not prepared in time.

Second, data protection compliance has the potential to greatly impact day-to-day business operations. In the field of finance and banking, banks such as Vietcombank, Viettinbank or fintechs such as Momo and Finhay must strengthen the security of customer data, avoid leaking national criminal or financial record information. This can slow down the process of approving new products, like online loan applications, as data risk assessments are required. Similarly, in healthcare, companies such as Vinmec, Long Chau or Pharmacity must ensure patient data is not exploited, resulting in limited application of disease diagnosis AI if sensitive data is involved.

However, not all of them are negative. This list creates an opportunity for local businesses to develop security technology. Companies such as BKAV or Viettel can benefit from the high demand for cybersecurity solutions, with the market expected to grow strongly in the near future. Moreover, important data protection helps improve consumer trust, promote e-commerce and the digital economy. According to a report by the World Bank, Vietnam can increase its GDP by 1.1% thanks to safe digital transformation, where well-compliant businesses will have a competitive advantage.

For foreign-invested enterprises in Vietnam, this list may reduce its short-term attractiveness due to strict regulations on cross-border data transfers. According to the Global Data Alliance (GDA), in the draft response, they are concerned that a broad definition of critical data could hinder the free flow of data, affecting agreements such as the CPTPP or EVFTA[2]. However, in the long term, it strengthens the stable business environment, attracting investment in the field of data security. For example, companies such as Huawei or Samsung have plans to adjust their strategies in compliance and expand production in Vietnam.

In addition, this list may affect the global supply chain. Exporting enterprises such as in the field of electronics or textiles, if using geographical or environmental data, must ensure that there is no violation when sharing with foreign partners. This can increase logistics time but also promote domestic digitalization, reducing dependence on foreign platforms.

The list of important and core data issued by Vietnam is a testament to the commitment to protect digital sovereignty in the 4.0 era. From 26 core categories focused on national security to 43 important categories covering the socio-economy, it not only helps the State manage risks but also reshapes business operations. While it presents cost and compliance challenges, it opens up opportunities for innovation and sustainable growth. To take advantage of it, businesses need to invest in technology, train personnel and cooperate with the government. In the future, with the update of the list according to technological advances, Vietnam can become a model for data protection in Southeast Asia, balancing security and economic development.