Today's Focus: Cybersecurity, Data Security & Cloud Security — Monday, June 29, 2026
Today's Top Story — Vietnam's Unified Cyber Law Goes Live July 1
Vietnam's Law on Cybersecurity 2025 (No. 116/2025/QH15) takes full effect on 1 July (2 days), consolidating the Law on Cyber Information Security 2015 and the Law on Cybersecurity 2018 into a single 45-article framework. It retains data-localization requirements, mandates content takedown within 24 hours (6 hours in urgent cases) on order of the Ministry of Public Security, bans AI-generated forgery of images, voices, and videos for illegal purposes, and adds child-protection account-registration duties. Critically, it applies extraterritorially to any platform serving Vietnamese users — and the implementing decree is still in draft, so expect detail to follow.
Also Today
FedRAMP CR26 finalizes tomorrow. The Consolidated Rules for 2026 are due to finalize 30 June, renaming the "Authorized" designation to "Certified" and replacing FIPS-199 impact levels with Certification Classes A–D. Optional adoption opens 1 July with a transition window extending to 1 Jan 2027. Map your current Rev5 packages to the new Certification Class model now. Source
NIS2 first compliance-audit deadline also lands 30 June. Cloud and digital-infrastructure providers classed as "essential" entities must demonstrate risk-management measures, incident-reporting capability, and governance accountability; 22 of 27 member states have now transposed. Confirm your national-portal registration and assemble audit evidence today. Source
China's energy-sector data-security measures take effect July 1. The National Energy Administration's trial measures grade energy data into General, Important, and Core tiers — the first sector-specific energy data-security instrument under the Data Security Law. Energy operators should confirm graded-data controls and named accountability. Source
EU CER Directive designation clock runs to July 17. Member states must designate critical entities across 11 sectors by 17 July (18 days); designated entities face their own resilience assessments and a 24-hour incident-reporting duty. Check whether national authorities have designated any group entity as "critical." Source
⏰ Deadline Alert (next 14 days)
30 Jun — FedRAMP CR26 finalization · NIS2 first compliance audit
1 Jul — Vietnam Law on Cybersecurity 2025 · China energy data-security measures
4 Jul — EO 14390 anti-cybercrime 120-day action plan due
17 Jul — EU CER Directive critical-entity designation
✅ One Thing to Do Today
If you operate any platform or process data for Vietnamese users, confirm your data-localization storage and 24-hour / 6-hour content-takedown response capability before 1 July.
🔭 Tomorrow's Focus
Privacy & personal data protection — enforcement actions, new state laws, and cross-border transfer developments.
CyberEyeQ — Actionable Regulatory Intelligence. Questions or feedback: [email protected]