13 May 2026

Lawyer In Vietnam Dr. Oliver Massmann - Risks For Foreign Data Center Operators In Vietnam – What You Must Know

Duane Morris LLP

Contributor

Duane Morris LLP, a law firm with more than 900 attorneys in offices across the United States and internationally, is asked by a broad array of clients to provide innovative solutions to today's legal and business challenges.
Foreign data center operators entering Vietnam face critical regulatory challenges that could derail their operations, from stringent System Security Level 4 requirements to aggressive environmental mandates.

Q: What’s the most underestimated risk for foreign data center operators entering Vietnam right now?

OM: I believe that the most underestimated risks for foreign data center operators in Vietnam in 2026 are the “System Security Level 4” trap and the practicalities of hardware maintenance.

Under the Law on Digital Technology Industry (DTI Law) and the 2025 Cybersecurity Law, data centers hosting critical infrastructure or significant financial/digital asset data are often pushed into Level 4 Information System Security. Level 4 requires zero-downtime, seamless backup and localized control. Most global hyperscale models rely on regional “Cloud HSMs” or central hubs (like Singapore). Thus, adopting a standard global architecture may make it impossible to meet the Level 4 mandate, which requires that failure must not impact national security. Foreign operators often underestimate the cost of building this specific, highly redundant local architecture from scratch. It is important that foreign investors are well aware of the classification under the laws of Vietnam to understand the risks clearly.

Further, according to the prevailing regulations, the Ministry of Public Security has the authority to physically inspect hardware and verify data sovereignty. Many foreign operators utilize proprietary, “black-box” hardware or modular data center designs. If the Ministry requires a physical audit of the encryption modules or server architecture to ensure no “backdoors” exist or to verify data hasn’t been mirrored abroad illegally, the operator faces a choice: compromise global security protocols or face license suspension.

Moreover, Vietnam has set a mandatory Power Usage Effectiveness (PUE) below 1.3 by 2030, which is extremely aggressive given the country’s tropical climate. While the Direct Power Purchase Agreement (DPPA) framework was launched to allow clean energy sourcing, the grid infrastructure and the regulations on DPPA are still catching up. Operators may find themselves in a “Green Trap”: legally required to meet low PUE and high green-energy targets to satisfy ESG and Law on Investment 2025 incentives, but physically unable to secure a stable, 24/7 green-load without massive, unbudgeted investments in local battery storage (BESS). A bankable Direct Power Purchase Agreement is what foreign investors need to meet international finance standards as well as the regulations of Vietnam.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
