Decree No. 108/2016/ND-CP dated July o1, 2016 of the Government on detailing conditions for provision of cybersecurity products and services

DECREE

Detailing conditions for provision of cybersecurity products and services[1]

Pursuant to the June 19, 2015 Law on Organization of the Government;

Pursuant to the November 19, 2015 Law on Cybersecurity;

Pursuant to the November 26, 2014 Law on Investment;

Pursuant to the November 26, 2014 Law on Enterprises;

At the proposal of the Minister of Information and Communications;

The Government promulgates the Decree detailing conditions for provision of cybersecurity products and services.

Chapter I

GENERAL PROVISIONS

Article 1.Scope of regulation

1. This Decree prescribes:

a/ Conditions, process, procedures and dossier for grant of licenses for provision of cybersecurity products and services;

b/ Cybersecurity products and services;

c/ Cybersecurity products subject to import permit.

2. This Decree does not regulate the trading in civil cryptographic products and services, and e-signature certification services.

Article 2.Subjects of application

This Decree applies to organizations and enterprises directly engaged in or related to the manufacture and import of cybersecurity products and provision of cybersecurity services in manufacture.

Article 3.Cybersecurity products and services

1. Cybersecurity products include:

a/ Cybersecurity testing and assessment products, which are hardware and software with the following basic functions: scanning, checking, analyzing configuration, current state and data logs of an information system; detecting vulnerabilities and weaknesses; and making assessments of cybersecurity risks;

b/ Cybersecurity surveillance products, which are hardware and software with the following basic functions: monitoring and analyzing data transmitted on an information system; collecting and analyzing real-time data logs; and detecting and issuing warnings of abnormal events which may cause cybersecurity risks;

c/ Anti-attack and -hacking products, which are hardware and software with the basic functions of preventing attacks on and unauthorized access to an information system.

2. Cybersecurity services include:

a/ Cybersecurity surveillance service, which monitors and analyzes data transmitted in an information system; collects and analyzes real-time data logs; and detects and issues warnings of abnormal events which may cause cybersecurity risks;

b/ Anti-cyber attack service, which prevents acts of attacking and hacking an information system via surveillance, collection and analysis of events occurring in an information system;

c/ Cybersecurity counseling service, which supports counseling, examination and assessment, development, design and formulation of solutions to ensure cybersecurity;

d/ Cybersecurity incident response service, which timely handles and remedies incidents that cause cybersecurity risks to an information system;

dd/ Data recovery service, which restores deleted or damaged data in an information system;

e/ Cybersecurity testing and assessment service, which scans, examines, analyzes configuration, current state and data logs of an information system; detects vulnerabilities and weaknesses; and makes assessments of cybersecurity risks;

g/ Information confidentiality service without using civil cryptography, which assists users in ensuring confidentiality of information and information system without using a civil cryptography system.

Article 4.List of cybersecurity products subject to import permit

1. Cybersecurity products subject to import permit include:

a/ Cybersecurity testing and assessment products;

b/ Cybersecurity surveillance products;

c/ Anti-attack and -hacking products.

2. The Ministry of Information and Communications shall draw up a detailed list of cybersecurity products subject to import permit referred to in Clause 1 of this Article.

3. No cybersecurity product import permit shall be required for enterprises importing cybersecurity products that are not prescribed in Clause 1 of this Article.

Chapter II

GRANT OF LICENSES FOR PROVISION OF CYBERSECURITY PRODUCTS AND CYBERSECURITY SERVICES

Article 5.Licenses for provision of cybersecurity products and services

1. The Ministry of Information and Communications shall grant licenses for provision of cybersecurity products and services.

2. A license for provision of cybersecurity products and services granted to an enterprise, made according to Form No. 1 in the Appendix to this Decree, is valid for 10 years.

Article 6.Conditions for grant of licenses for provision of cybersecurity products and services

1. An enterprise shall be granted a license for provision of cybersecurity products and services prescribed in Article 3 of this Decree when fully meeting the conditions prescribed in Article 42 of the Law on Cybersecurity and this Decree.

2. In order to import cybersecurity products prescribed in Clause 1, Article 3 of this Decree, an enterprise must satisfy the conditions prescribed in Clause 1 of this Article. The conditions mentioned at Points c and d, Clause 1, Article 42 of the Law on Cybersecurity are specified as follows:

a/ Having managerial and administration staff members who meet professional requirements on cybersecurity; technicians assuming the main responsibility who  possess a university degree or a certificate in cybersecurity or information technology or telecommunications, with a number meeting the scale and requirements of its business plan;

b/ Having an appropriate business plan that specifies the purpose of import; the scope of provision and recipients of products; the satisfaction of standards and technical regulations applicable to each type of product; and basic technical features of each product.

3.  In order to manufacture cybersecurity products prescribed in Clause 1, Article 3 of this Decree, an enterprise must satisfy the conditions prescribed in Clause 1 of this Article. The conditions mentioned at Points b, c and d, Clause 1, Article 42 of the Law on Cybersecurity are specified as follows:

a/ Having equipment and physical foundations and production technologies suitable to the cybersecurity product business plan;

b/ Having managerial and administration staff members who meet professional requirements on cybersecurity; technical staff members who possess a university degree or a certificate in cyber security or information technology or telecommunications, with a number meeting the scale and requirements of its business plan;

c/ Having an appropriate business plan that specifies the scope of provision and recipients of products; types of to-be-manufactured products; the satisfaction of standards and technical regulations applicable to each type of product; basic technical features of each product.

4. In order to provide cybersecurity services prescribed at Points a, b, c, d, and dd, Clause 2, Article 3 of this Decree, an enterprise must satisfy the conditions prescribed in Clause 1 of this Article. The conditions mentioned at Points b, c and d, Clause 1, Article 42 of the Law on Cybersecurity are specified as follows:

a/ Having equipment and physical foundations suitable to the scale of provision of services and the product business plan;

b/ Having managerial and administration staff members who meet professional requirements on cybersecurity; technical staff members who possess a university degree or a certificate in cybersecurity or information technology or telecommunications, with a number meeting the scale and requirements of its business plan;

c/ Having an appropriate business plan that specifies the scope of provision and recipients of products; types of to-be-supplied products; a customer information confidentiality plan; and a plan to ensure service quality.

5. The provision of cybersecurity testing and assessment services must satisfy the conditions prescribed in Clause 2, Article 42 of the Law on Cybersecurity. The provision of information confidentiality services without using civil cryptography must satisfy the conditions prescribed in Clause 3, Article 42 of the Law on Cybersecurity. The conditions prescribed at Points a and d, Clause 2, Article 42 of the Law on Cybersecurity are specified as follows:

a/ The conditions prescribed in Clause 4 of this Article;

b/ Having an appropriate technical plan that specifies an overall technical system; the satisfaction of the system’s functions corresponding to types of services to be provided and compulsory application of corresponding technical regulations and standards.

Article 7.Dossier, order and procedures for grant of licenses for provision of cybersecurity products and services

The dossiers, order and procedures for grant, modification, supplementation, extension, temporary suspension, revocation and re-grant of a license for provision of cybersecurity products and services must comply with Articles 43, 44 and 45 of the Law on Cybersecurity.

Article 8.Receipt of a dossier of application for a license for provision of cybersecurity products and services

1. An enterprise may submit a dossier of application for a license for provision of cybersecurity products and services to the Ministry of Information and Communications by one of the following modes:

a/ Directly to the dossier-receiving unit;

b/ By post;

c/ Online via the e-portal of the Ministry of Information and Communications.

2. The dossier-receiving unit shall certify in writing or by email the receipt of the dossier within 1 (one) working day after receiving the dossier.

3. For a dossier submitted directly, the date of its receipt is the date the dossier-receiving unit receives the dossier from by the enterprise.

4. For a dossier sent by post, the date of its receipt is the date the dossier-receiving unit receives the dossier from the postal service provider.

5. For a dossier sent online, the Ministry of Information and Communications shall grant a license for provision of cybersecurity products and services according to the schedule of provision of the Government’s online public services.

Article 9.Examination of the validity of dossiers of application for licenses for provision of cybersecurity products and services

1. A dossier of application for a license for provision of cybersecurity products and services shall be made in Vietnamese, comprising one original set and four copy sets of the valid dossier if applying for a license, one original set and one copy set of the valid dossier if requesting modification, supplementation or extension of a license. The original set must bear signatures and certification seals of the enterprise. A document made by the enterprise must bear seals appended on every two adjoining pages if having two or more papers. Copies of a valid dossier are not required to bear certification seals or authentication seals, but must have seals appended on every two adjoining pages by the dossier-filing enterprise.

2. An application for grant, re-grant, extension, modification and supplementation of a license for provision of cybersecurity products and services shall be made according to Form No. 2; a business plan, Form No. 3; a technical plan, Form No. 4; and a report on the implementation of the license for provision of cybersecurity products and services, Form No. 5, in the Appendix to this Decree.

3. Within three (3) working days after receiving the dossier, the Ministry of Information and Communications shall examine and inform the dossier-filing enterprise whether its dossier is valid.

4. Examination of the validity of a dossier shall be based on the following criteria:

a/ Whether it is properly made under Clause 1 of this Article;

b/ Whether it comprises all the documents required for each type of dossier of application for a license prescribed in Article 43 of the Law on Cybersecurity;

c/ Whether the documents contains all required information and are made according to the corresponding forms provided in the Appendix to this Decree.

5. For an invalid dossier, the Ministry of Information and Communications shall notify such in writing to the dossier-filing enterprise and clearly state improper contents.  The enterprise may supplement the dossier or give explanations about its validity. The examination of the validity of the supplemented dossier must comply with Clause 4 of this Article.

Article 10.Submission, explanation, supplementation of a dossier during the appraisal process

1. Within the time limit for the appraisal of a dossier of application for a license, the Ministry of Information and Communications shall issue a notice requesting the enterprise to supplement its dossier, give written or verbal explanations if the dossier fails to supply sufficient information or satisfy the prescribed conditions, but no more than once.

2. The enterprise shall send the supplemented dossier, give written or verbal explanations to the Ministry of Information and Communications according to the latter’s requirements within 10 (ten) working days after receiving the notice mentioned in Clause 1 of this Article. The time limit for appraisal shall be counted from the time the dossier-receiving unit receives the supplemented dossier or written explanations from the enterprise or from the date of signing of the minutes of the meeting for the enterprise to give verbal explanations.

3. Past the deadline for submission of the supplemented dossier and explanation prescribed in Clause 2 of this Article, if the enterprise fails to submit such dossier or give explanations but files a written request for the extension of such deadline, it shall be considered having abandoned its submission of the dossier. The dossier which is submitted after this deadline or after the date the enterprise files the above request shall be treated as a new one.

4. The time limit for appraisal of an initial dossier and the supplemented dossier and explanations and for grant of a license or notification of the refusal to grant a license must not exceed:

a/ Fifteen working days after receiving a valid dossier, for a dossier of application for a license;

b/ Ten working days after receiving a valid dossier, for a dossier of request for extension of the license or modification and supplementation of a license;

c/ Five working days after receiving a valid dossier, for a dossier of request for renewal of a license.

Article 11.Reporting regime for enterprises providing cybersecurity products and services

An enterprise that possesses a license for provision of cybersecurity products and services shall make irregular reports upon request and annual reports (before December 31) on the provision of cybersecurity products and services to the Ministry of Information and Communications, made according to Form No. 5 in the Appendix to this Decree.

Chapter III

IMPLEMENTATION PROVISIONS

Article 12.Transitional provisions

1. Enterprises that are providing cybersecurity products and services prescribed in Article 3 of this Decree shall complete dossiers and procedures to apply for licenses for provision of cybersecurity products and services within 6 months since the effective date of this Decree.

2. Enterprises may continue to implement contracts on provision of cybersecurity products and services that have been signed and became valid before the effective date of this Decree.

Article 13.Effect

This Decree takes effect on July 1, 2016.

Article 14.Implementation responsibilities

1. The Minister of Information and Communications shall guide and examine the implementation of this Decree.

2. Ministers, heads of ministerial-level agencies, heads of government-attached agencies, chairpersons of provincial-level People’s Committees, and related organizations and individuals shall implement this Decree.-

On behalf of the Government
Prime Minister
NGUYEN XUAN PHUC

* The Appendix to this Decree is not translated.