banner

MINISTRY OF PUBLIC SECURITY SEEKS PUBLIC COMMENTS ON THE DRAFT LAW ON ELECTRONIC IDENTIFICATION AND AUTHENTICATION |

MINISTRY OF PUBLIC SECURITY SEEKS PUBLIC COMMENTS ON THE DRAFT LAW ON ELECTRONIC IDENTIFICATION AND AUTHENTICATION

VCI Legal – July 7, 2026

In the era of comprehensive digital transformation, electronic identification has evolved beyond a modern administrative management tool to become a fundamental enabler of the digital economy, aligning Vietnam with global digital development trends. The development and public consultation of the Draft Law on Electronic Identification and Authentication 2026 (the “Draft Law“) marks a significant legislative milestone, laying the foundation for a reliable, transparent, and secure national digital identity ecosystem to support online transactions and identity verification.

To ensure that the Draft Law can be effectively implemented in practice, however, it is essential to assess its feasibility from multiple perspectives and examine its consistency with the existing legal framework. This article highlights several noteworthy provisions introduced under the Draft Law.

Key Highlights

The Draft Law significantly expands the scope of electronic identification beyond individuals, organizations, and state agencies to include products, goods, devices, databases, applications, digital assets, property rights, transactions, events, locations, digital spaces, and other identifiable objects;

Identification codes are classified into two categories: (i) National Identification Codes, issued by the State for subjects falling within the State’s identification authority; and (ii) Self-Sovereign Identification Codes, issued by qualified organizations and enterprises for subjects under their identification systems;

Electronic identity information must be retained: (i) permanently for national electronic identities maintained within the national database; and (ii) for a minimum period of five (05) years for self-sovereign electronic identities, unless otherwise required by law to be deleted.

Key Provisions of the Draft Law on Electronic Identification and Authentication

1. Scope of Electronic Identification

Under Article 3.2 of the Draft Law, electronic identification refers to the process of assigning a unique identification code together with a set of identifying information to distinguish a specific subject from all other subjects in the digital environment.

Article 7 provides a comprehensive classification of subjects eligible for electronic identification. In addition to state agencies, organizations, and individuals, the Draft Law extends electronic identification to:

  • Physical objects, including products, goods, equipment, and other tangible assets;
  • Intangible objects, including:
    • Data and digital resources such as databases, datasets, images, videos, and other digital content;
    • Domain names, network addresses, applications, software, and digital services;
    • Property rights and intellectual property rights, including copyrights, related rights, patents, trademarks, industrial designs, and other property rights recognized by law;
    • Digital assets as defined under the legislation governing the digital technology industry;
    • Intangible cultural heritage; and
    • Other intangible objects as prescribed by law;
  • Activities, events, transactions, conduct, and interactions among identified subjects;
  • Locations and digital spaces.

This provision reflects a progressive legislative approach that departs from the traditional concept of identification, which has primarily focused on the identity of natural and legal persons. By extending identification to intangible assets, digital resources, transactions, events, and interactions, the Draft Law establishes a much-needed legal framework to facilitate the development of the digital economy.

Such an approach is expected to enhance transparency, security, and traceability in e-commerce transactions, digital asset transfers, and online intellectual property protection. From a regulatory perspective, it also provides the legal basis for establishing a comprehensive traceability system capable of monitoring the lifecycle and activities of identified objects in the digital environment, thereby enabling competent authorities to verify, audit, retrieve, and reconcile information whenever necessary.

Regarding the authorities responsible for electronic identification, Article 8 provides that the State shall directly conduct electronic identification for state agencies, organizations, individuals, locations, digital spaces, and other subjects of particular importance to national interests, including core data, critical data, assets whose ownership or use rights are certified by the State, and objects classified as state secrets. Electronic identification of other eligible subjects may be carried out by qualified organizations and enterprises in accordance with the law.

2. Electronic Identification Framework

Registration for Electronic Identification (Article 10)

Electronic identification registration refers to the process whereby an electronic identity holder submits an application together with the required registration information to the competent electronic identification authority or organization.

The Draft Law recognizes two registration methods:

  • Online registration through designated electronic applications; and
  • In-person registration at the competent authority or organization.

Issuance of Identification Codes (Article 12)

An identification code is defined as a unique, non-duplicable, and non-reissuable sequence of characters assigned to a specific subject (Article 3.3).

The Draft Law distinguishes between:

  • National Identification Codes, issued by the State; and
  • Self-Sovereign Identification Codes, issued by qualified organizations and enterprises.

For both tangible and intangible objects, as well as locations and digital spaces, the assigned identification code must be capable of being linked to the identification code of the lawful owner or manager.

Storage of Electronic Identity Information (Article 14)

Electronic identity information must be stored completely and consistently, with appropriate backup, disaster recovery, and redundancy measures.

Any modification to electronic identity information must be fully recorded together with:

  • the timestamp;
  • the identification code of the authority, organization, or individual making the modification; and
  • the reason for such modification.

The Draft Law further requires the storage system to enable identity holders to independently store, control, share, and verify their electronic identities without relying exclusively on centralized databases.

Retention periods include:

  • Permanent retention for national electronic identities maintained within the national database; and
  • A minimum retention period of five (05) years for self-sovereign electronic identities, unless otherwise required by law.

Legal Value and Use of Electronic Identities (Article 16)

For state agencies, organizations, and individuals, an electronic identity possesses legal validity equivalent to presenting information or official documents containing such information when conducting administrative procedures, public services, commercial transactions, and other legal activities.

Electronic identities may be accessed and used through the National Digital Identity Application.

Information systems operated by state authorities, political organizations, and other connected entities may access and utilize national database information to process administrative procedures, provide public services electronically, and perform state management functions.

For tangible and intangible objects, an electronic identity serves as legally equivalent evidence of ownership or lawful management.

For activities, events, transactions, and interactions, an electronic identity records the identity of the relevant activity or transaction together with the corresponding time and location.

For locations and digital spaces, an electronic identity establishes their identity, positioning, and distinguishability within the digital environment.

Termination of Electronic Identity Validity (Article 18)

The validity of an electronic identity may be terminated under five circumstances:

  • Upon request of the electronic identity holder;
  • Upon the death of an individual identity holder;
  • Upon dissolution, liquidation, bankruptcy, or cessation of operations of an identified organization or enterprise;
  • Where the identified tangible or intangible object no longer exists; or
  • Upon request of a competent judicial or other authorized authority.

3. Electronic Authentication Framework

Article 3.5 defines electronic authentication as the process of confirming that a specific identified subject is genuinely participating in a particular transaction or legal procedure at a specified time and within a defined context.

Pursuant to Article 20, every electronically identified subject may undergo electronic authentication through one of three authentication models:

  • Centralized authentication;
  • Intermediary authentication; or
  • Self-sovereign authentication.

The national electronic authentication process consists of six stages.

Stage 1 – Receiving Authentication Requests and Identifying the Authentication Subject (Article 23)

Stage 2 – Determining the Authentication Assurance Level (Article 24)

The Draft Law establishes three authentication levels:

  • Level 1: Single-factor authentication;
  • Level 2: Two-factor authentication using knowledge-based and possession-based authentication factors; and
  • Level 3: Authentication using at least two authentication factors, including at least one inherence-based (biometric) factor.

Stage 3 – Selection of Authentication Means (Article 25)

Depending on the authentication model:

  • Centralized authentication: the authentication method must establish an online connection with the national electronic identification system for real-time verification;
  • Intermediary authentication: authentication tools store and transmit authentication information and verified authentication results;
  • Self-sovereign authentication: authentication tools remain under the direct control of the electronic identity holder and allow independent verification by relying parties without connecting to the national identification and authentication system.

Stage 4 – Verification of Authentication Means (Article 26)

Authentication tools are verified to ensure their validity before authentication results are generated.

Stage 5 – Recording and Storage of Authentication Results (Article 27)

For centralized and intermediary authentication, authentication records are stored by the authentication service provider and synchronized with the National Electronic Identification and Authentication System.

For self-sovereign authentication, authentication records are stored by the relying party and the authentication logs must be synchronized with the National Electronic Identification and Authentication System within twenty-four (24) hours after authentication. Such synchronization is limited to authentication logs and expressly excludes the content of the underlying transaction.

Stage 6 – Use of Authentication Results (Article 28)

Electronic authentication results may be used in the following circumstances:

  • Authentication service providers provide authentication results to relying parties for electronic transactions or legal procedures;
  • Authentication service providers provide authentication results to third parties upon the request of the electronic identity holder; and
  • Relying parties directly collect and use authentication results generated through their own self-sovereign authentication processes.

About VCI Legal:

VCI Legal is an award-winning business law firm in Vietnam with a wide range of legal and corporate services, among other things, corporate, banking & finance, tax, labor & HR, real estate and dispute resolution with special focus on international investment disputes, We also offer our specialized type of service called “In-House Counsel Service” with the aim of assisting our clients in dealing with all types of internal and external issues arising from their day-to-day operations and business activities. With our offices in both Hanoi and Ho Chi Minh City, we have a tremendous depth of experience in providing well-reasoned and comprehensive legal advice to not only multinationals and Fortune 500 companies, but also small and medium enterprises.

Our professional team comprises one of the leading law firms in Vietnam with service quality highly recommended and acknowledged by international legal service reviewers such as: The Legal 500, AsiaLaw Profiles, IFLR, KPMG’s Tax Directors’ Handbook, Acquisition International, ACQ Global, Global Law Experts, Finance Monthly, and Chambers & Partners.

For many years, VCI Legal has been ranked among the top law firms in Vietnam for corporate, finance, insurance, taxation, employment, intellectual property and investment. With a “Can Do Attitude” combined with a “Know How” capacity, our firm is big enough to provide comprehensive legal support for any in-house legal matters, yet small enough to care about each of our clients. We undertake each engagement with the mindset of a long-term relationship, with the will to give whatever it takes to understand and fulfill your needs.


Ho Chi Minh City

Suite P7-42.18, Vinhomes Central Park, 720A Dien Bien Phu, Thanh My Tay Ward, Ho Chi Minh City, Vietnam

Tel.: (+84) 028 3827 2029 Fax: (+84) 028 3823 4436


Hanoi

Suite 1903, Floor 19, W1 Tower, Vinhomes Westpoint, Pham Hung, Tu Liem Ward, Hanoi City, Vietnam

Tel.: (+84) 024 3936 4985 – (+84) 024 3936 4987

Affiliated Offices: Beijing – Shanghai – Hanoi – Ho Chi Minh City – Singapore – New Delhi – Dubai – Doha – Zurich – Paris – Rome – Brescia – Washington D.C. – Los Angeles

Go to
  • Expertise
  • People
  • Cases
  • Courses