GOVERNMENT

-----------------

No. 108-2016-ND-CP

SOCIALIST REPUBLIC OF VIETNAM

Independence – Freedom – Happiness

 

Ha Noi, 1 July 2016
 

DECREE REGULATING IN DETAIL BUSINESS CONDITIONS FOR NETWORK INFORMATION ["CYBER"] SECURITY PRODUCTS AND SERVICES

 

Pursuant to the Law on Organization of the Government dated 19 June 2015;

Pursuant to the Law on Cybersecurity dated 19 November 2015;

Pursuant to the Law on Investment dated 26 November 2014;

Pursuant to the Law on Enterprises dated 26 November 2014;

On the proposal of the Minister of Information and Communications ["Minister of Information"];

 

The Government hereby issues a Decree regulating in detail business conditions for cybersecurity products and services.

 

CHAPTER 1

GENERAL PROVISIONS

 

Article 1       Governing scope

1.                     This Decree regulates:

(a)                     The conditions, sequence, procedures and application file for issuance of a licence to conduct business in cybersecurity products and services;

(b)                    Cybersecurity products and services;

(c)                     Cybersecurity products imported pursuant to permits.

2.                     This Decree does not govern business in civil cryptographic products and services, or digital and electronic signature authentication services.

 

Article 2       Applicable entities

This Decree applies to organizations and enterprises directly participating in or related to activities of manufacture and import of cybersecurity products and supply of cybersecurity services in Vietnam.

 

Article 3       Cybersecurity products and services

1.                     Cybersecurity products comprise:

(a)                     Cybersecurity testing and evaluation products being hardware and software with the following basic functions namely scanning, inspecting and analysing configuration, status quo and data logs of an information system; detecting flaws and weaknesses [or vulnerabilities]; and providing assessments of cybersecurity risks;

(b)                    Cybersecurity surveillance products being hardware and software with the following basic functions namely surveillance and analysis of data transmitted on information systems; collation and analysis of data logs in real-time; and detection and warning about abnormal occurrences which may result in loss of cybersecurity;

(c)                     Attack prevention products being hardware and software with the basic function of preventing attacks on an information system.

2.                     Cybersecurity services comprise:

(a)                     Cybersecurity surveillance services being surveillance and analysis of data transmitted on information systems; collation and analysis of data logs in real-time; and detection and warning about abnormal occurrences which may result in loss of cybersecurity;

(b)                    Network attack prevention services being services of blocking attacks on an information system via surveillance, collation and analysis of events occurring on the information system;

(c)                     Cybersecurity consultancy services being services of support by way of advice, inspection, assessment, implementation, design and formulation of solutions to ensure cybersecurity;

(d)                    Cybersecurity breakdown response services being services of promptly dealing with and remedying any events resulting in loss of cybersecurity of an information system;

(dd)  Data recovery services being services of recovering data which has been erased or damaged on an information system;

(e)                     Cybersecurity testing and evaluation services being services of scanning, inspecting and analysing configuration, status quo and data logs of an information system; detecting flaws and weaknesses [or vulnerabilities] and providing assessments of cybersecurity risks;

(g)             Information confidentiality services without using civil cryptography being services of assisting users to ensure confidentiality of information and of an information system without using a civil cryptographic system.

 

Article 4       List of cybersecurity products imported pursuant to a permit

1.                     Cybersecurity products which are [only permitted to be] imported pursuant to a permit comprise:

(a)                     Cybersecurity testing and evaluation products;

(b)                    Cybersecurity surveillance products;

(c)                     Attack prevention products.

2.                     The Ministry of Information shall formulate a detailed List of cybersecurity products imported pursuant to a permit as prescribed in clause 1 above.

3.                     Enterprises importing cybersecurity products not prescribed in clause 1 above are not required to have a permit to import same.

 

CHAPTER 2

ISSUANCE OF LICENCE TO CONDUCT BUSINESS IN CYBERSECURITY PRODUCTS AND SERVICES

 

Article 5         Licence to conduct business in cybersecurity products and services [licence]

1.                      The Ministry of Information issues licences to conduct business in cybersecurity products and services [licences].

2.                      A licence shall be issued to an enterprise for a term of ten (10) years on the standard form in Appendix 1 issued with this Decree.

 

Article 6       Conditions for issuance of a licence

1.                      An enterprise shall be issued with a licence to conduct business in the cybersecurity products and/or services prescribed in article 3 of this Decree on satisfaction of all the conditions prescribed in article 42 of the Law on Cybersecurity and the conditions in this Decree.

2.                      In order to import the cybersecurity products defined in article 3.1 of this Decree, an enterprise must satisfy the conditions in clause 1 above and in article 42.1(c) and (d) of the Law on Cybersecurity which are stipulated in detail as follows:

(a)                     Managers and operators must satisfy requirements on cybersecurity expertise and qualifications; and the main technicians responsible must have a university degree in the specialized [IT] branch, a cybersecurity certificate, an IT certificate or an electronics-telecom certificate; and there must be a sufficient number of such staff to satisfy the scale and requirements of the business plan;

(b)                    There must be an appropriate business plan with contents comprising the purpose of import; the scope of supply and who will supply the products; how each type of product satisfies technical criteria and specifications; and details of the basic technical functions of the products.

3.                      In order to produce the cybersecurity products defined in article 3.1 of this Decree, an enterprise must satisfy the conditions in clause 1 above and in article 42.1(b), (c) and (d) of the Law on Cybersecurity which are stipulated in detail as follows:

(a)                     There must be a system of equipment, material facilities and production technology which is appropriate for the business plan on production of the cybersecurity products;

(b)                    Managers and operators must satisfy requirements on cybersecurity expertise and qualifications; and technicians must have a university degree in the specialized [IT] branch, a cybersecurity certificate, an IT certificate or an electronics-telecom certificate; and there must be a sufficient number of technicians to satisfy the scale and requirements of the business plan;

(c)                     There must be an appropriate business plan with contents comprising the scope of supply and who will supply the products; the type of products proposed to be produced; how each type of product satisfies technical criteria and specifications; and details of the basic technical functions of the products.

4.                      In order to supply the cybersecurity services defined in article 3.2(a), (b), (c), (d) and (dd) of this Decree, an enterprise must satisfy the conditions in clause 1 above and in article 42.1(b), (c) and (d) of the Law on Cybersecurity which are stipulated in detail as follows:

(a)                     There must be a system of equipment and material facilities appropriate for the scale of service supply and the business plan;

 

(b)                    Managers and operators must satisfy requirements on cybersecurity expertise and qualifications; and technicians must have a university degree in the specialized [IT] branch, a cybersecurity certificate, an IT certificate or an electronics-telecom certificate; and there must be a sufficient number of technicians to satisfy the scale and requirements of the business plan;

(c)                     There must be an appropriate business plan with contents comprising the scope of supply and who will supply the products; the type of products proposed to be supplied; a plan on preserving confidentiality of customers' information; and a plan on ensuring quality of services.

5.                      In order to provide cybersecurity testing and evaluation services, [an enterprise] must satisfy the conditions prescribed in article 42.2 of the Law on Cybersecurity. In order to provide information confidentiality services without using civil cryptography, [an enterprise] must satisfy the conditions prescribed in article 42.2 of the Law on Cybersecurity. Details of the conditions in sub-clauses (a) and (d) of article 42.2 of the Law on Cybersecurity are as follows:

(a)                     The conditions prescribed in clause 4 above of this article;

(b)                    There must be an appropriate technical plan with contents being an overall description of the technical system; how each type of service it is proposed to supply corresponds to system functions; and how the compulsory technical specifications and criteria which apply to the system will be met.

 

Article 7       Application file, sequence and procedures for issuance of a licence

The application file, sequence and procedures for issuance, amendment, addition to, extension, temporary suspension, withdrawal and reissuance of a licence to conduct business in cybersecurity products and services are as prescribed in articles 43, 44 and 45 of the Law on Cybersecurity.

 

Article 8       Receipt of application file requesting issuance of a licence

1.                     An enterprise shall lodge an application file requesting issuance of a licence to conduct business in cybersecurity products and services [licence] with the Ministry of Information by one of the following methods:

(a)                     Lodging the file in person with the unit receiving application files;

(b)                    Sending the file in the post;

(c)                     Lodging the file online by using the website of the Ministry of Information.

2.                     The unit receiving application files shall provide confirmation of receipt by either sending a letter or an email to the enterprise within one (1) business day after receipt of the application file.

3.                     In the case of lodging the file in person, the date of receipt is the date on which the unit actually receives the application file from the enterprise.

4.                     In the case of sending the file in the post, the date of receipt is the date on which the unit receives the application file as delivered by the postal service.

5.                     In the case of lodging the file online, the Ministry of Information shall issue a licence in accordance with the Government's schedule on provision of online public services.

 

Article 9       Checking validity of an application file for issuance of a licence

1.                      The application file for issuance of a licence to conduct business in cybersecurity products and services shall be prepared in Vietnamese, comprising one (1) original set and four (4) copy sets in the case of a request for issuance, and one (1) original set and only one (1) copy set in the case of a request to amend, add to or extend the licence. The original set must be signed and sealed by the enterprise, and if data prepared by the enterprise contains two (2) or more pages then there must be an overlapping seal on each page. Copies of the application file are not required to be sealed including certification of copies, but there must be the overlapping seal of the enterprise [on each page of copies].

2.                      Standard form 2 in the Appendix to this Decree is the standard form application file for issuance, amendment, addition to or extension of a licence; standard form 3 is the standard form business plan; standard form 4 is the standard form technical plan; and standard form 5 is the standard form report [by a licensed enterprise] on the status of implementation of the licence.

3.                      The Ministry of Information shall check the file and notify the enterprise of the file's validity within three (3) business days after receipt.

4.                      A check of the validity of an application file shall comprise:

(a)                     A check that the application file has been correctly prepared in accordance with clause 1 above;

(b)                    A check that all the data required by article 43 of the Law on Cybersecurity as applicable to each type of application file has been provided;

(c)                     A check that the application file contains the required checklists and has been made on the appropriate standard form set out in the Appendix issued with this Decree.

5.                      If a file is invalid, the Ministry of Information shall send a written notice to the enterprise explaining why the file is invalid, and the enterprise then has the right to lodge a supplementary file or an explanatory letter. A check of the validity of any supplementary or re-lodged file shall be implemented in accordance with clause 4 above.

 

Article 10     Lodging material, providing explanations and supplementing an application file during the evaluation process

1.                      During the evaluation process, the Ministry of Information has the right to send a notice to the enterprise requiring it to amend its application file, to provide a written explanation or to attend to provide an explanation in person if the application file provides insufficient information or does not satisfy the conditions, but the Ministry is permitted to make such request on one occasion only.

2.                      The enterprise must, within ten (10) business days after receipt of the notice prescribed in clause 1 above, supplement its file or provide the explanation in accordance with the specific requirements set out in the notice from the Ministry. The time-limit for evaluation shall continue to run as from the time when the unit receiving application files receives the additional data or written explanation, or from the time when minutes of meeting [to provide the explanation] are signed.

3.                      If the enterprise fails to provide additional data or an explanation within the time-limit [ten (10) business days] as prescribed in clause 2 above and does not forward a letter requesting an extension of such time-limit, then the enterprise will be deemed to have abandoned its application. Receipt of a file after expiry of this time-limit or after the date to which the enterprise requested an extension shall be considered to be receipt of a new application file.

4.                      The deadline for initial evaluation of an application file and for evaluation of a supplemented file or of a written explanation and for issuance of a licence is as follows:

(a)                     No more than fifteen (15) business days from the date of receipt of a valid application file for issuance of a licence;

(b)                    No more than ten (10) business days from the date of receipt of a valid application file to amend, supplement or extend the licence;

(c)                     No more than five (5) business days from the date of receipt of a valid application file for reissuance of a licence.

 

Article 11     Reporting regime applicable to enterprises conducting business in cybersecurity products and services

Any enterprise issued with a licence to conduct business in cybersecurity products and services must provide one-off reports on request and annual reports (prior to 31 December each year) on the status of their business in cybersecurity products and services, to be sent to the Ministry of Information on standard form 5 in the Appendix issued with this Decree.

 

CHAPTER 3

IMPLEMENTING PROVISIONS

 

Article 12     Transitional provision

1.                      Any enterprise currently conducting business in cybersecurity products and services as prescribed in article 3 of this Decree must complete an application file and procedures for issuance of a licence no more than six (6) months after the effective date of this Decree.

2.                      Enterprises are permitted to continue to perform contractual items of any business contract for cybersecurity products and services which was signed and took effect prior to the effective date of this Decree.

 

Article 13     Effectiveness

This Decree is of full force and effect as from 1 July 2016.

 

Article 14     Responsibilities for implementation

1.                      The Minister of Information shall provide guidelines on and check implementation of this Decree.

2.                      Ministers, heads of ministerial equivalent and Government agencies, chairmen of provincial people's committees, and other organizations and individuals involved are responsible for implementing this Decree.

 

 

ON BEHALF OF THE GOVERNMENT

PRIME MINISTER

NGUYEN XUAN PHUC

 


Decree No. 108/2016/NĐ-CP dated July 01, 2016, detailed regulations on provision of cyber information security services and products

Number: 108/2016/NĐ-CP. Date of issue: 01/07/2016.
Effective date: 01/07/2016. Expiry date:
Issuing body: Government. Status: In force.
