The cyber security law should be built on a careful assessment of its impacts on businesses and ensure the development of information technology and telecommunications, according to experts at a workshop in Ha Noi on Tuesday.

The draft law on cyber security is expected to be submitted to the National Assembly for discussion at the end of this month.

Nguyen Quang Dong, an expert from the Institute for Policy Studies and Media Development, said the draft law could directly regulate and affect the rights and interests of three enterprise groups: enterprises that produce and sell cyber security devices and technological solutions, enterprises that provide financial technology services, and enterprises that provide digital solutions and services.

“We believe that the proposed regulations in the draft would increase operation costs of the mentioned enterprise groups, including compliance costs, licence and administrative procedures costs,” he said.

The draft law required enterprises to store data and information within Viet Nam, which had the characteristics of “data localisation”, he said, adding that this could hinder data flows between Viet Nam and other countries, and increase business costs for both domestic and foreign enterprises.

The draft law’s regulations on cyber security inspection and assessment require enterprises to suspend or stop selling their products in case such products affect cyber security. The regulation is unclear and may lead to serious risks of violations of legal rights and interests, according to Dong.

This was a critical issue and needed to be considered carefully as strict enforcement of such regulations would have profound impacts on the interests and operation of enterprises, he said.

He stressed that the State, enterprises and users were the three key pillars ensuring cyber security.

Participants also suggested that the drafting committee clarify the concept of “critical information systems to national security”.

Concerning cyber security standards applied to enterprises’ information systems and organisations within the private sector, they recommended that solid standards should not be forced on all enterprises. Instead, regulatory bodies should require enterprises to disclose their cyber security standards to users and customers.

In terms of approach to the law, they recommended developing the cyber security law in a way that problems can be addressed individually, instead of creating a general cyber security law. The draft should be narrowed down and adjusted to regulate cyber security of the public sector only. Equally, it is necessary to consider a separate law on data protection.

At the workshop on cyber security, international experience and recommendations from multi-stakeholders in Viet Nam, participants also discussed the trend of global cyber security, the importance of cross-border data flows in Asia and the development of the digital economy.

According to Jon Austin, Principal Solutions Architect of Amazon Web Services, security is not related to the physical location of the data. The internet is global, so any system connected to the internet, directly or indirectly, is vulnerable to attacks.

“In today’s world, cyber security is really about two things: the security of the physical infrastructure where data is stored and who owns and controls the data,” he said.

Lim May-Ann, Executive Director of the Asia Cloud Computing Association, said digital policies were often viewed with a risk-management lens, but regulators needed to move from this stance to one that facilitates economic growth by enabling cross-sectoral compliance and cross-jurisdictional interoperability.

She recommended a holistic approach to policy design and regulatory co-ordination and accelerated progress in technical infrastructure.