THE GOVERNMENT
__________ No. 169/2025/ND-CP | THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
_____________________ Hanoi, June 30, 2025 |
DECREE
Providing for scientific and technological activities and innovation,
data products and services
______________
Pursuant to the Law on Organization of the Government dated February 18, 2025;
Pursuant to the Law on Identity dated November 27, 2023;
Pursuant to the Law on Data dated November 30, 2024;
At the request of Minister of Public Security;
The Government promulgates the Decree providing for scientific and technological activities and innovation, data products and services.
Chapter I
GENERAL PROVISIONS
Article 1. Scope of regulation
This Decree defines the scientific and technological activities and innovation in building, development, protection, administration, processing and use of data; regulatory sandbox activities in building, development, protection, administration, processing and use of data; data intermediation products and services; data analysis and synthesis products and services; data exchanges; the competence, dossiers, order, and procedures for the grant, renewal, re-grant and revocation of Certificates of eligibility for business on data exchanges, Certificates of eligibility for business of data intermediation products and services, Certificates of eligibility for business of data analysis and synthesis products and services, and Certificates of eligibility for provision of data analysis and synthesis products and services.
Article 2. Subject of application
1. Vietnamese agencies, organizations and individuals.
2. Foreign agencies, organizations and individuals in Vietnam.
3. Foreign agencies, organizations and individuals directly engaged in, or related to, activities concerning digital data in Vietnam.
Article 3. Interpretation of terms
In this Decree, the following terms are construed as follows:
1. Data products and services mean the products and services that are created from data or use data as the main resource for development, application or transaction.
2. Regulatory sandbox activities in building, development, protection, administration, processing and use of data (hereinafter referred to as regulatory sandbox activities) mean a state agency permitting organizations or individuals to conduct regulatory sandbox of data products and services for which there are no law regulations, or where the law regulations are incomplete.
3. Risks in regulatory sandbox activities mean uncertain or indeterminate factors that can cause negative impacts, disrupt or affect the implementation process, the achieved results or the applicability of projects and initiatives, or have a negative impact on the environment and information safety.
4. Scientific and technological activities and innovation in building, development, protection, administration, processing and use of data (hereinafter referred to as scientific and technological activities and innovation related to data) mean the activities of basic research, applied research, experimental development, trial production, technological application, creation of data products and services, promotion of initiative, or other creative activities aimed to develop science and technology in building, development, protection, administration, processing, and use of data, and creating added economic value, bringing socio-economic efficiency.
Article 4. International cooperation in scientific and technological activities and innovation related to data
1. The Ministry of Public Security shall be the focal point for managing international cooperation activities in scientific and technological activities and innovation related to data for important data, core data, and data from the national synthetic database as defined by the Law on Data, except for Clause 2 of this Article.
2. The Ministry of National Defence shall be the focal point for implementation of international cooperation in scientific and technological activities and innovation related to data within its scope of management.
3. Ministries, ministerial-level agencies, and People's Committees of provinces and centrally-run cities shall carry out international cooperation in scientific and technological activities and innovation related to data within their assigned functions and tasks.
4. Promote international cooperation in scientific research and technology development with countries with advanced capabilities of science, technology, and innovation related to data; prioritize the fields of artificial intelligence, cloud computing, blockchain, data communications, the Internet of Things, big data, and other modern technologies.
Article 5. Development of scientific and technological activities and innovation related to data
1. Prioritize investment, development, and improvement of the quality of education and training to ensure a high-quality human resources that meet the development requirements of scientific and technological activities and innovation related to data; build, connect, and develop a network of domestic and foreign data experts, scientists, and science and technology organizations; organize the establishment of research centers for research of data science and innovation that apply artificial intelligence, cloud computing, blockchain, data communications, the Internet of Things, big data, and other modern technologies in building, development, protection, administration, processing and use of data.
2. Formulate specific mechanisms to attract overseas Vietnamese and highly-qualified foreigners in the fields of information technology, cyber security, data science, and artificial intelligence to work for state agencies.
3. The Ministry of Public Security shall assume the prime responsibility for, and coordinate with relevant ministries, agencies, and organizations in, supporting the incubation and development of the innovative startup ecosystem in science, technology and innovation related to data.
Article 6. Training of human resources and fostering of talents for science, technology and innovation related to data
1. The Ministry of Public Security shall assume the prime responsibility for, and coordinate with the Ministry of Education and Training, the Ministry of Science and Technology, and other relevant ministries and sectors in, training, fostering, and enhancing the professional qualifications of human resources for scientific and technological activities and innovation related to data nationwide.
2. The Ministry of Education and Training shall assume the prime responsibility for, and coordinate with relevant ministries, sectors, agencies, and organizations in, organizing and developing training programs, innovating, and improving the quality of education and training to ensure the high-quality human resources that meet the development requirements of scientific and technological activities and innovation related to data; establishing incentive mechanisms for training programs that satisfy international standards and are linked with foreign educational institutions; promoting the exchange of students, lecturers, and data experts; developing online training platforms; and formulating mechanisms and policies on credit, scholarships, and tuition fees to attract students, and specific mechanisms for public-private partnership in training for the fields of information technology, cyber security, data science, and artificial intelligence.
3. The Ministry of Science and Technology shall coordinate with the Ministry of Public Security in training, fostering, and enhancing the professional qualifications of human resources for scientific and technological activities and innovation related to data.
Article 7. Incentive policies for the development of scientific and technological activities and innovation related to data
1. Organizations and individuals engaging in scientific and technological activities and innovation related to data shall enjoy policies for scientific and technological activities and innovation in accordance with the law regulations; and shall be given priority to receive the highest specific support regime in the industries and fields similar to high-tech industries.
2. Incubators, other organizations and individuals that research and apply science, technology, and innovation in the building, development, protection, administration, processing, and use of data shall be given priority to receive funding, support, loans, and loan guarantees from state extra-budgetary financial fund, other lawful financial sources and funding sources in accordance with the law regulations.
3. State agencies, organizations, and individuals assigned by the state to perform scientific and technological research and innovation related to data shall be encouraged, supported, and given priority to use state-invested infrastructure and equipment for scientific and technological activities and innovation to conduct such research.
Chapter II
REGULATORY SANDBOX ACTIVITIES IN BUILDING, DEVELOPMENT, PROTECTION, ADMINISTRATION, PROCESSING AND USE OF DATA
Article 8. Principles for regulatory sandbox activities
1. Ensure compliance with the Constitution, the Law on Data, and relevant law regulations on scientific and technological activities and innovation. In cases where relevant laws define different provisions on regulatory sandbox activities, the relevant laws shall apply.
2. Build a testing environment to assess the risks, costs, and benefits of products and services of innovative related to data; support the building and development of products and services of innovative related to data that are suitable for market needs, legal frameworks, and management regulations.
3. Limit risks upon use of products and services of innovative related to data provided by organizations and individuals engaged in regulatory sandbox activities.
4. The results of regulatory sandbox activities shall be the basis for state agencies to consider and evaluate potential risks before deciding on official application and determining appropriate adjustment and management mechanisms.
5. Ensure transparency in the process of evaluating, selecting, and approving organizations and individuals engaged in regulatory sandbox activities.
6. For scientific, technological, and innovative products and services not yet regulated by law, organizations and individuals that have a need and meet the conditions and criteria for registration may be approved and granted a Certificate of eligibility for regulatory sandbox activities in accordance with this Decree.
7. The limited scope regarding space, time, scale, and subjects of the regulatory sandbox activities shall be proposed to be suitable with the control capacity of the competent state agency in building, development, protection, administration, processing, and use of data.
8. State agencies in charge of building, development, protection, administration, processing and use of data shall be responsible for conducting regulatory sandbox activities within their assigned functions, tasks, and powers.
Article 9. Conditions for participation in regulatory sandbox activities
An organization or individual may be granted a Certificate of eligibility for regulatory sandbox activity if he/she/it meets the following conditions:
1. The organization is a legal entity established and operating lawfully in the territory of Vietnam; is not in the process of division, separation, consolidation, merger, conversion, dissolution, or bankruptcy according to a decision that has been issued; and its staff implementing the pilot solution has professional qualifications in the assigned field.
The at-law representative of the organization requesting to participate in the regulatory sandbox activity must be a Vietnamese citizen, residing permanently in Vietnam, and not fall into one of the following cases:
a) Have been subject to initiation of criminal proceedings against the accused by a proceeding-conducting body;
b) Have been convicted of the offenses against national security or other offenses with intentional fault of imprisonment of 3 years or more and have not had his/her criminal record expunged; be permitted to postpone serving an imprisonment sentence; be serving a non-custodian reform penalty; be subject to probation, prohibition of residence, prohibition from holding certain positions or prohibition from dealing in conditional business lines according to the Court’s decision;
c) Have been administratively sanctioned in the fields of data, cyber security, information technology, and electronic transactions while the time limit upon the expiration of which the organization is regarded as having never been administratively sanctioned has not expired. Be subject to administrative handling measures or be in the pending period for the application of administrative handling measures; have been subject to administrative handling measures while the time limit upon the expiration of which the organization is regarded as having never been administratively sanctioned has not expired.
2. The individual is a Vietnamese citizen, resides permanently in Vietnam, has a university degree or higher suitable for the related field of regulatory sandbox activities, and does not fall into one of the cases specified at Points a, b, and c, Clause 1 of this Article.
3. A proposed solution for participation in regulatory sandbox activities must meet the following criteria:
a) Be innovative, bring benefits and added value to service users in Vietnam, especially solutions related to scientific and technological activities and innovation related to data;
b) Have a designed and established framework for risk management of privacy and data security, financial risks, social and ethical risks, and national security risks; has a formulated plan to handle and remedy risks that occur during the testing process;
c) Have been fully reviewed and evaluated by the organization or individual engaged in regulatory sandbox activities on the aspects of operation, function, utility, and usefulness;
d) Be feasible for application after the completion of the testing process.
Article 10. Scope of regulatory sandbox activities
1. The sandbox space includes: physical space (physical servers), cyberspace (using local area network (LAN), wide area network (WAN), the Internet, and cloud services), geographical space (deployment at the location of the organization or individual conducting the sandbox, deployment at a location approved by the data-governing unit or the Ministry of Public Security).
2. The duration for conducting regulatory sandbox activities shall not exceed 02 years according to the appraised plan and may be extended once for a period not exceeding the approved testing time.
Article 11. Regulatory sandbox plan for scientific and technological activities and innovation related to data
An organization or individual registering to participate in regulatory sandbox activity must prepare a plan that includes the following main contents:
1. The name of the regulatory sandbox plan.
2. Information about the organization or individual assuming the prime responsibility for the regulatory sandbox plan and other organizations and individuals engaged in the regulatory sandbox activity:
a) Information about personal records of the individual, the at-law representative of the organization, and information about the business registration or the establishment decision of the organization;
b) Information about personal records, diplomas, and certificates of the individuals participating in the regulatory sandbox activity.
3. The necessity and objectives of the regulatory sandbox activities.
4. Description of the solution to implement the regulatory sandbox activity, risk assessment, rights and responsibilities of the parties, control measures, and detailed risk control measures for: privacy and data security risks, financial risks, social and ethical risks, and national security risks.
5. Scope, time, and funding for implementation.
6. Expected results.
7. Explanatory documents clarifying the contents and information presented in the plan.
Article 12. Grant of Certificates of eligibility for regulatory sandbox activities
1. Competence to grant Certificates of eligibility for regulatory sandbox activities
a) Ministers, heads of ministerial-level agencies, heads of government-attached agencies, and chairpersons of People's Committees of provinces and centrally-run cities shall have the competence to grant or may decentralize or authorize affiliated agencies and units to grant Certificates of eligibility for regulatory sandbox activities in cases where such regulatory sandbox activities only use data sources managed by their own ministries, sectors or localities under their management;
b) The Minister of Public Security shall have the competence to grant or may decentralize or authorize affiliated agencies and units to grant Certificates of eligibility for regulatory sandbox activities in cases where data sources from 02 or more ministries, sectors, or localities are used, except for the case specified in Point c of this Clause;
c) The Minister of National Defence shall have the competence to grant or may decentralize or authorize affiliated agencies and units to grant Certificates of eligibility for regulatory sandbox activities in cases where data sources in the field of national defense or cipher are used.
2. Such a dossier must comprise:
a) A written request for the grant of a Certificate of eligibility for regulatory sandbox activity for an organization or individual (made using the form HDTN01 or HDTN02 in the Appendix issued together with this Decree);
b) The regulatory sandbox plan.
3. Order and time limit for handling cases using one data source from a data-governing unit
a) An organization or individual shall submit 01 dossier defined in Clause 2 of this Article, either online, in person, or via postal service, to the agency competent to grant the Certificate of eligibility for regulatory sandbox activity;
b) Within 03 working days from the date of receiving a complete and valid dossier, the dossier-receiving agency shall consult with the Ministry of Public Security (National Data Center) and other relevant units as a basis for dossier approval;
c) Within 10 days, the consulted units shall send a written opinion to the dossier-receiving agency;
d) Within 03 working days from the date of receiving all opinions from the units, the competent agency shall consider, appraise the dossier, and decide to grant a physical and an electronic version of the Certificate of eligibility for regulatory sandbox activity to the organization or individual (made using the Form HDTN03 or HDTN04 in the Appendix issued together with this Decree); in cases of refusal to grant a Certificate of eligibility for regulatory sandbox activity, the competent agency must send a written response, clearly stating the reason.
4. Order and time limit for handling cases using two data sources from two data-governing units
a) An organization or individual shall submit 01 dossier defined in Clause 2 of this Article, either online, in person, or via postal service, to the Ministry of Public Security (National Data Center);
b) Within 03 working days from the date of receiving a complete and valid dossier, the Ministry of Public Security (National Data Center) shall be responsible for sending a written request for opinions to the data-governing units, the Ministry of Science and Technology, and other relevant units. If necessary, the Ministry of Public Security may establish an advisory council to evaluate the regulatory sandbox activity.
The advisory council shall include: a representative of the leadership of the Ministry of Public Security, a representative of the leadership of the Ministry of Science and Technology, representatives of the leadership of information technology organizations and enterprises, experts and scientists in information technology, and representatives of other organizations and individuals as decided by the Minister of Public Security;
c) Within 10 days, the consulted units shall send a written opinion to the Ministry of Public Security;
d) Within 03 working days from the date of receiving all opinions from the units, the competent agency shall consider, appraise the dossier, and decide to grant a physical and an electronic version of the Certificate of eligibility for regulatory sandbox activity to the organization or individual (made using the Form HDTN03 or HDTN04 in the Appendix issued together with this Decree); in cases of refusal to grant a Certificate of eligibility for regulatory sandbox activity, the competent agency must send a written response, clearly stating the reason.
5. In case a Certificate of eligibility for regulatory sandbox activity is lost or damaged, the organization or individual shall use the electronic version; if he/she/it wishes to have a physical version re-granted, he/she/it shall complete an application for re-grant of certificate and submit it to the competent agency; within 03 working days from the date of receiving the application, the competent agency shall re-grant the Certificate of eligibility for regulatory sandbox activity; in cases of refusal to grant a Certificate of eligibility for regulatory sandbox activity, the competent agency must send a written response, clearly stating the reason.
6. The Minister of National Defence shall guide the order and procedures for granting the Certificate of eligibility for regulatory sandbox activities and shall be responsible for inspecting and supervising the research and application of science, technology and innovation in building, development, protection, administration, processing and use of data in the fields of national defense and cipher.
Article 13. Adjustment to the regulatory sandbox plan
1. In case there is an adjustment to the regulatory sandbox plan specified in Article 11 of this Decree, the organization or individual engaged in the sandbox must carry out the procedure for request of adjustment to the regulatory sandbox plan and may only implement the adjustment after receiving the approval from the agency granting the Certificate of eligibility for regulatory sandbox activity.
2. A dossier of request for adjustment to the regulatory sandbox plan must comprise:
a) A written request for adjustment to the regulatory sandbox plan for an organization or individual (made using the form HDTN05 or HDTN06 in the Appendix issued together with this Decree);
b) The regulatory sandbox plan after the adjustment;
c) In cases where the adjustment to the regulatory sandbox plan leads to an extension of the approved sandbox time, the organization or individual shall submit a Report on the results of the regulatory sandbox activity made using the form HDTN07, for individuals, or using the form HDTN08, for organizations, issued together with this Decree.
3. Order and method of implementation:
a) An organization or individual shall submit a dossier of request for adjustment to the regulatory sandbox plan, either online, in person, or via postal service, to the agency granting the Certificate of eligibility for regulatory sandbox activity;
b) Within 03 working days from the date of receiving a complete and valid dossier, the agency granting the Certificate of eligibility for regulatory sandbox activity shall seek opinions from relevant units as a basis for dossier approval.
If clarification or explanation is required, the agency granting the Certificate of eligibility for regulatory sandbox activity shall issue a written request for the organization or individual to provide an explanation and complete the dossier. After 05 working days from the issuance date of the written request for explanation or dossier completion, if the organization or individual fails to submit the written explanation or supplementary documents as required, the agency shall issue a written document on return of the dossier to the organization or individual. The time for explanation and dossier completion shall not be included in the dossier processing time;
c) Within 10 days, the consulted units shall send a written opinion to the agency granting the Certificate of eligibility for regulatory sandbox activity. Based on the adjusted regulatory sandbox plan and the opinions from relevant units (if any), the agency granting the Certificate of eligibility for regulatory sandbox activity shall issue a written approval, in both physical and electronic versions, for the adjustment of the solution to implement the regulatory sandbox activity; in case of refusal to approve the adjustment, the agency must send a written response, clearly stating the reason.
Article 14. Extension of the regulatory sandbox period
1. Within no more than 30 days before the end of the approved sandbox period, an organization or individual engaged in a regulatory sandbox activity that wishes to extend the sandbox period shall submit a written request for extension (made using the form HDTN13 or HDTN14 in the Appendix issued together with this Decree) and a Report on the results of the regulatory sandbox activity to the agency granting the Certificate of eligibility for regulatory sandbox activity.
2. The granting agency shall consider and decide on the extension of the regulatory sandbox activity according to the order specified in Clause 3, Article 13 of this Decree.
Article 15. Revocation of Certificates of eligibility for regulatory sandbox activities
1. The agency granting a Certificate of eligibility for regulatory sandbox activity shall consider and decide to revoke the revoked Certificate of eligibility for regulatory sandbox activity in the following cases:
a) At the request of the organization or individual that was granted the Certificate of eligibility for regulatory sandbox activity;
b) After 90 days from the issuance date of the Certificate of eligibility for regulatory sandbox activity, for the case where the organization or individual does not commence the regulatory sandbox activity and does not request an adjustment or extension of the sandbox;
c) The organization or individual that was granted the Certificate of eligibility for regulatory sandbox activity does not fully meet the conditions specified in Clause 1, Clause 2, Article 9 of this Decree;
d) The organization or individual engaged in the sandbox fails to fully comply with the contents stated in the Certificate of eligibility for regulatory sandbox activity, which the granting agency has requested to be rectified during a periodic or unscheduled inspection;
dd) During the sandbox process, the organization or individual cannot rectify incidents or violations arising as requested by the agency granting the Certificate of eligibility for regulatory sandbox activity.
2. No later than 15 days after there is a ground defined in Clause 1 of this Article, the agency granting the Certificate of eligibility for regulatory sandbox activity shall issue a Decision on revocation of the Certificate of eligibility for regulatory sandbox activity and send it to the organization or individual who was granted the certificate, and revoke simultaneously the electronic version and making an announcement on its information system or website.
Upon receipt of the Decision on revocation, the organization or individual shall be responsible for returning the Certificate of eligibility for regulatory sandbox activity to the agency granting the Certificate.
3. The Ministry of National Defence shall be responsible for considering the trial use and deciding to revoke Certificates of eligibility for regulatory sandbox activities in the fields of national defense and cipher.
Article 16. Termination of regulatory sandbox activities
Upon termination of regulatory sandbox activities, the competent agency specified in Clause 1, Article 12 of this Decree shall consider granting the Certificate of termination of regulatory sandbox activity.
1. A Certificate of termination of regulatory sandbox activity shall be granted in the following cases:
a) The organization or individual requests the completion of regulatory sandbox activity before the approved time limit;
b) The approved time limit for the regulatory sandbox activity stated in the Certificate of eligibility for regulatory sandbox activity has expired, or the extended regulatory sandbox period has ended.
2. A dossier of request for grant of Certificate of termination of regulatory sandbox activity must comprise:
a) A written request for the grant of a Certificate of termination of regulatory sandbox activity for an organization or individual (made using the form HDTN09 or HDTN10 in the Appendix issued together with this Decree);
b) A report on the results of regulatory sandbox activity, made using the form HDTN07, for an individual, or the form HDTN08, for an organization, in the Appendix issued together with this Decree.
3. Implementation procedure:
a) An organization or individual shall submit 01 dossier defined in Clause 2 of this Article, either online, in person, or via postal service, to the agency granting the Certificate of eligibility for regulatory sandbox activity;
b) Within 03 working days from the date of receiving a complete and valid dossier, the agency granting the Certificate of eligibility for regulatory sandbox activity shall seek opinions from relevant agencies and organizations, and within 10 days, the consulted agencies and organizations shall send their written opinions to the requesting agency.
In case the dossier is not valid or complete as prescribed, within 03 working days, the agency granting the Certificate of eligibility for regulatory sandbox activity shall issue a written request for supplementation, explanation or completion of the dossier to the organization or individual. After 05 working days from the issuance date of the written request for explanation and completion of dossier, if the organization or individual fails to submit the written explanation or supplementary documents as required, the agency shall issue a written document on return of the dossier to the organization or individual. The time for explanation and dossier completion shall not be included in the dossier processing time;
c) If necessary, the agency granting the Certificate of eligibility for regulatory sandbox activity may establish an advisory council for pre-acceptance test of the results of regulatory sandbox activity. The composition of the advisory council shall comply with Point b, Clause 4, Article 12 of this Decree;
d) Within 03 working days from the date of receiving all opinions from the relevant agencies and organizations, the agency granting the Certificate of eligibility for regulatory sandbox activity shall consider and grant the Certificate of termination of regulatory sandbox activity to the organization or individual (using the form HDTN11 or HDTN12 in the Appendix issued together with this Decree).
4. The Minister of National Defence shall be responsible for granting the Certificate of termination of regulatory sandbox activity in the fields of national defense and cipher.
5. The Certificate of termination of regulatory sandbox activity does not substitute for a business registration certificate or operation license of the organization engaged in the regulatory sandbox activity.
Article 17. Supervision and inspection of the sandbox process
1. An agency granting the Certificate of eligibility for regulatory sandbox activity shall supervise the implementation of the contents of the approved regulatory sandbox plan.
2. The agency granting the Certificate of eligibility for regulatory sandbox activity shall coordinate with relevant functional agencies to conduct on-site inspection of the organization engaged in the regulatory sandbox activity, either periodically once a year or ad hoc when there are signs of incorrect or incomplete implementation of the contents of the Certificate of eligibility for regulatory sandbox activity. The inspection contents shall be:
a) Inspecting the legal documents in the dossier; the implementation of the contents of the approved regulatory sandbox plan;
b) Inspecting compliance with this Decree and other relevant legal documents;
c) Inspecting individuals, vehicles, and products related to the regulatory sandbox activities of the organizations or individuals in accordance with the law regulations;
Upon the conclusion of the inspection, a record must be made, clearly stating the results, shortcomings, limitations, or violations (if any), and the causes.
3. Within 30 days from the date the inspection is concluded, the organization or individual engaged in the sandbox shall be responsible for rectifying the shortcomings, limitations, or violations that were noted by the competent inspection agency in the inspection record.
4. Based on the nature and extent of the violation, the competent agency granting the Certificate of eligibility for regulatory sandbox activity shall handle the matter in accordance with regulations or propose the competent agency for handling of the matter in accordance with law regulations.
Article 18. Reporting and information provision regimes
1. Organizations and individuals engaged in regulatory sandbox activities shall be responsible for submitting quarterly reports and providing ad hoc information on the sandbox process, arising risks, and sandbox results to the agencies granting the Certificates of eligibility for regulatory sandbox activities as prescribed.
2. The submission of reports and provision of information shall be carried out electronically or in writing to the agencies granting the Certificates of eligibility for regulatory sandbox activities.
3. The quarterly reports on the implementation of regulatory sandbox activities shall be made using the form HDTN08, for organizations or the form HĐTN07, for individuals, as specified in the Appendix issued together with this Decree. The quarterly reporting data shall be calculated from the 1st day of the first month of the quarter to the last day of the last month of the quarter; the deadline for submission of the report shall be no later than the 5th day of the first month of the next quarter.
4. At least 30 days before the end of the sandbox period, organizations and individuals engaged in regulatory sandbox activities must submit a report on the results of regulatory sandbox activities, made using the form HDTN08, for organizations, or form HDTN07, for individuals, in the Appendix issued together with this Decree.
5. In case an incident causing operational disruption or a serious risk is detected, organizations or individuals engaged in regulatory sandbox activities must immediately report it by phone to the agencies granting the Certificates of eligibility for regulatory sandbox activities, and at the same time, organize the rectification of the incident or risk; after 03 days, the organizations or individuals shall send a written report to the agencies granting the Certificates of eligibility for regulatory sandbox activities.
Article 19. Protection of users of products and services from regulatory sandbox activities
For the purpose of protection of the legitimate rights and interests of users during and after the sandbox period, organizations and individuals engaged in the sandbox shall be responsible for:
1. Recommending on one or more mass media and directly to agencies, organizations, and users about the risks upon use of innovative products and services, and new business models created by innovative products and services during the sandbox period; ensuring the provision of accurate, complete, and truthful information about the innovative products and services, new business models created by the innovative products and services being under sandbox, service charges, and the rights and obligations of users for each type of innovative product and service, and new business model created by innovative products and services.
2. On a monthly and quarterly basis, evaluating risks, ensuring the implementation of measures of risk prevention and remediation of consequences during and after the sandbox period; promptly notifying users in case there is a change in the risk level of the innovative products and services participating in the sandbox.
3. Announcing the focal point for handling of customers’ complaints on the products and services. In case disputes or complaints arise, the organizations and individuals engaged in the sandbox shall be responsible for receiving and taking measures to handle all requests for review and complaints from users.
4. Implementing measures for damage compensation and consequence remediation in accordance with the civil law during and after the sandbox period.
5. Other responsibilities in accordance with the law on consumer protection and other relevant laws.
Article 20. Competence to agencies granting Certificates of eligibility for regulatory sandbox activities
1. To advise on the formulation, supplementation, and adjustment of guidance on implementation of law regulations for regulatory sandbox activities.
2. To receive, consider, and provide guidance on legal issues arising during the sandbox within their competence, or to propose the competent agencies to consider and resolve them.
3. To inspect and supervise the sandbox periodically or ad hoc; to evaluate the application of risk control measures by the organizations and individuals conducting the sandbox; to promptly detect and prevent potential abuses or uncontrolled risks during the sandbox.
4. To receive, consider, and resolve within their competence, or to propose the competent agency to resolve, the recommendations and reports from users or third parties regarding the sandbox.
5. To request the organizations and individuals conducting the sandbox to report and provide explanations on arising issues; to supplement risk control measures; to decide on the adjustment of the sandbox scope, the extension of the sandbox, and decide on suspension of the sandbox; to terminate the sandbox.
6. The agencies granting the Certificates of eligibility for regulatory sandbox activities shall decide the scope of exemption from the application of law regulations for each specific sandbox project in accordance with the sandbox's requirements and objectives, based on an assessment of the level of risk and controllability.
Article 21. Rights and responsibilities of organizations and individuals engaged in regulatory sandbox activities
1. Organizations and individuals conducting the regulatory sandbox activities are permitted not to apply some law regulations on standards, technical regulations for technologies, products, services, business conditions, licensing order and procedures, ensuring of business conditions, and other regulations that are not suitable for the new features and characteristics of the technologies, products, services, or business models proposed for the sandbox.
2. During the sandbox process, the participants must ensure the requirements for national defense, security, social order and safety, user rights, and societal interests.
3. To fully report on the status of the sandbox, potential risks, and damage compensation measures (if any), ensuring publicity and transparency in the sandbox process.
4. To comply with the requirements of the agencies granting the Certificates of eligibility for regulatory sandbox activities to ensure the implementation of the sandbox in accordance with the approved plans.
Article 22. Waiver of liability in regulatory sandbox activities
1. Agencies, organizations, and individuals engaged in the appraisal for the grant of Certificates of eligibility for regulatory sandbox activities, and the inspection, supervision, and evaluation of the sandbox process who have fully comply with Article 20 of this Decree within their assigned responsibilities shall be exempt from civil liability for damage caused to the State.
2. Organizations and individuals engaged in the regulatory sandbox activities shall be exempt from civil liability for damage caused to the State in cases they have fully complied with the relevant processes and regulations during the implementation of the regulatory sandbox activities.
Chapter III
DATA INTERMEDIATION PRODUCTS AND SERVICES
Article 23. Data intermediation products and services
1. Data intermediation products are provided by organizations providing products and services, offering infrastructure, equipment, applications, and software to serve data subjects and data owners in carrying out the activities specified in Article 24 of this Decree.
2. Data intermediation services are provided by organizations providing products and services to serve data intermediation activities of connection, transmission, access, and processing of electronic data between data subjects, data owners, and parties using data products and services, ensuring safety, effectiveness, and correct formatting.
3. Organizations providing data intermediation products and services between service users and state agencies shall implement the registration for management and grant of licenses in accordance with this Decree.
4. Data intermediation products and services in this Decree do not include cloud computing services, data center services, the provision of internal data intermediation products and services within an organization, and products and services that have been defined in other legal documents.
Article 24. Contents of data intermediation activities
1. To represent data subjects and data owners to perform the connection, sharing, exchange, and access of data with service users.
2. To provide consultancy and evaluation of the impact of data processing, and the provision of data intermediation services among data subjects, data owners, and parties using data services.
3. To provide data administration services on an entrusted basis on behalf of data subjects and data owners to connect, share, exchange, and access data with data users.
4. To act as an agency for connection, sharing, exchange, and access of data between data subjects, data owners, and data users.
5. To provide services for provision of infrastructure, equipment, applications, software, transmission services, and other types to serve data intermediation activities.
6. To provide services for support and control of data attributes to ensure privacy, sensitive data, and personal data, and for risk assessment for the transfer and processing of core data and important data in accordance with law regulations in data intermediation activities.
7. To provide services for cooperation and sharing of data to serve the connection, sharing, utilization, and access of data in accordance with law regulations.
8. To appraise the conditions for relevant parties to participate in data exchanges; the legality and the fulfillment of conditions for data products and services to participate in transactions; the ability to meet requirements for ensuring of security and safety upon use of data products.
9. To perform other activities carried out in accordance with the regulations on regulatory sandbox activities for evaluation and analysis to be supplemented to data intermediation activities.
Article 25. Conditions for organizations providing data intermediary products and services between service users and state agencies
1. Organizations specified in Clause 3, Article 23 of this Decree include public non-business units and enterprises established and operating under Vietnamese law, which must meet the conditions prescribed in Clauses 2, 3, and 4 of this Article.
2. Conditions on personnel:
a) The head of a public non-business unit or the at-law representative of an enterprise is a Vietnamese citizen, resides permanently in Vietnam; has a university degree or higher and at least 03 years of working experience related to data management, and does not fall into one of the cases defined at Points a, b, and c, Clause 1, Article 9 of this Decree;
b) Having at least 05 staff with a university degree or higher and holding one of the following certificates or certifications on data science, data analysis, data management, data administration, consulting, brokerage, trade promotion; asset administration; or data appraisal.
3. Conditions regarding infrastructure, technical equipment, service provision management processes, and plans for ensuring security and order.
An organization requesting grant of a Certificate of eligibility for business of data intermediation products and services must have available infrastructure and equipment located in Vietnam, which have been inspected in terms of information security and safety in accordance with law regulations, and must have a scheme for provision of products and services, including the following main contents:
a) A plan and process for provision of data intermediation services, including an explanation of the information technology system;
b) A technical plan on technological solution;
c) A plan on storage and assurance of integrity of data, and assurance of information security of the service provision system;
d) A plan on protection of personal data and data of organizations;
dd) A plan for assurance of security and order;
e) A plan on payment;
g) A plan for data appraisal;
h) A plan for use of electronic identification and authentication services;
i) A plan on fire prevention and fighting, disaster preparedness and assurance of stable and uninterrupted operation of data intermediation services;
k) An explanation of the technical equipment used.
4. Financial conditions:
Making a deposit of at least 5 billion Vietnam dong at a commercial bank operating in Vietnam for settling risks and paying compensations likely to arise in the course of provision of products and services due to the fault of the organizations providing data intermediation products and services, and for paying expenses for receipt of information and maintenance of an organization or enterprise’s database, in case of license revocation.
Article 26. Responsibilities of organizations providing data intermediation products and services
1. To demonstrate responsibility through the connection, sharing, exchange, and access of data, and the protection of data and personal data in accordance with law regulations.
2. To inform organizations and individuals who are data owners, data subjects, and data users about the purpose of provision of data intermediation products and services and to ensure the rights of individuals in accordance with the law regulations on protection of personal data.
3. To collect, use, or disclose personal data for legitimate purposes and with the consent of the data subjects.
4. To ensure that the data provided by the data subjects and data owners to the service users is accurate and complete.
5. To ensure data access for the correct purpose, by the correct users, and data utilization correctly according to the signed contracts.
6. To implement reasonable protection and security measures to protect personal data in the organization's possession, including prevention of unauthorized access, collection, use, disclosure, or similar risks.
7. To limit the storage of personal data in a necessary period and to properly handle personal information when it is no longer needed for business or legal purposes.
8. To ensure that the cross-border transfer of personal data is limited according to regulatory requirements, ensuring that the standards for protection are equivalent to the standards required by relevant law regulations.
9. To notify affected organizations and individuals of a data breach as soon as possible if the data breach may cause significant harm to individuals or the scale of breach is significant.
10. To ensure the ability to transfer data to the correct data users in accordance with the signed agreements.
11. To ensure the ability to advise on and evaluate the impact of data processing, appraisal of data, flexible payment methods, and regulations on taxes, charges, and prices in accordance with e-commerce activities.
12. Organizations engaged in data intermediation activities must perform identity authentication in accordance with law regulations on electronic identification and authentication.
Chapter IV
DATA ANALYSIS AND SYNTHESIS PRODUCTS AND SERVICES
Article 27. Levels of data analysis and synthesis
1. Level 1: Data analysis and synthesis are performed directly by humans, using equipment and software that are not integrated with artificial intelligence.
2. Level 2: Data analysis and synthesis are performed directly by humans and partially supported by artificial intelligence.
3. Level 3: Data analysis and synthesis are performed entirely by artificial intelligence, under human supervision during the process.
4. Level 4: Data analysis and synthesis are performed entirely by artificial intelligence, without human supervision.
Article 28. Management of data analysis and synthesis products and services
1. Organizations providing the following data analysis and synthesis products and services must be granted a Certificate of eligibility for business on data analysis and synthesis products and services:
a) Data analysis and synthesis products and services for data of level 3 and level 4 in the information systems of state agencies.
Organizations providing data analysis and synthesis products and services that may endanger national defense, national security, social order and safety, or public health;
b) Data analysis and synthesis products and services that connect and share data with national databases and specialized databases;
c) Data analysis and synthesis products and services that use core data and important data.
2. Organizations providing data analysis and synthesis products and services other than those defined in Clause 1 of this Article shall send a notification to the Ministry of Public Security when providing data analysis and synthesis products and services and may request the Ministry of Public Security to appraise and evaluate them to receive incentives for those products and services as for enterprises operating in the fields of high technology, innovation, innovative startups, and digital technology industry; incentive policies for the development of scientific and technological activities and innovation related to data, including:
a) Virtual assistants, generative artificial intelligence systems, systems that automatically analyze contents such as videos, images, news, and articles, and other similar products and services that directly interact with service users and have the potential to suggest or guide service users to misleading content;
b) Products and services of analysis and synthesis of sensitive personal data with a data scale of 01 million individuals or more;
c) Level 3 and level 4 data analysis and synthesis products and services, performed automatically in industrial and production systems, that account for 20% or more of the usage structure in that industrial or production sector;
d) Products and services achieving a certain data scale for training of data analysis and synthesis models of 10 TB of data or more.
3. Data analysis and synthesis products and services in this Decree do not include the provision of internal data analysis and synthesis products and services within an organization, and products and services that have been defined in other legal documents.
Article 29. Conditions for dealing in data analysis and synthesis products and services
An organization dealing in data analysis and synthesis products and services must meet the following conditions:
1. Be a public non-business unit or an enterprise established and operating under Vietnamese law.
2. Conditions on personnel
The head of a public non-business unit or the at-law representative of an enterprise is a Vietnamese citizen, resides permanently in Vietnam; has a university degree or higher and at least 03 years of working experience related to data management, and does not fall into one of the cases defined at Points a, b, and c, Clause 1, Article 9 of this Decree.
Having a management and operation team that meets the professional requirements for data analysis and synthesis; has technical staff who holds a certificate or certification for completion of a course in one of the following specializations of data science, data analysis, data management, data administration; data appraisal or has at least 03 years of experience in data science, data analysis, data management, data administration; data appraisal.
3. Having a system of equipment, infrastructure, and production technology that are suitable for the business plan for data analysis and synthesis products and services.
4. Having a business plan that includes the following contents: The scope of subjects for provision of the products and services; types of products expected to be provided; the satisfaction of relevant standards and technical regulations for each type of product and service; the basic technical features of the products and services.
Article 30. Criteria for appraisal of data analysis and synthesis products and services
1. To appraise the data source for analysis and synthesis in accordance with law regulations.
2. To appraise the data analysis and synthesis models and formulas to ensure they do not impact or guide users in a manner that affects national defense, national security, social order and safety, the safety of industrial systems, national important information system, public health, transportation, the environment, justice, or public affairs.
3. To appraise the accuracy of the data analysis and synthesis models.
Article 31. Responsibilities of organizations trading in or providing data intermediation products and services
1. To provide data analysis and synthesis products and services to organizations and individuals on the basis of product and service provision contracts in accordance with regulations; to be responsible for the provided products and services.
2. During the provision of data analysis and synthesis products or services, the product and service provider must provide and ensure that the user clearly grasps the following contents:
a) Name, contact information, and method of accessing relevant information of the product and service provider;
b) Function, purpose, scope of use, and operation mechanism of the products and services;
c) Impacts and risks that may affect the rights and interests of the service user;
d) Information about the Certificate of eligibility for provision of data analysis and synthesis products and services or the Certificate of eligibility for provision of data analysis and synthesis products and services;
dd) Rights and obligations of the service user.
3. To comply with law regulations on protection of personal data, cyberinformation security, cyber security, data security, electronic transactions, data-related standards and technical regulations, information confidentiality, and to ensure the accuracy of the service provision; to issue a business process for data analysis and synthesis products and services and obtain the consent of the state management agency on data.
4. To comply with the approved business plan and process for products and services.
5. Organizations providing data analysis and synthesis products and services defined in Article 28 of this Decree must submit a periodic report on the provision of products and services, made using the form BC01 in the Appendix issued together with this Decree to the Ministry of Public Security (via the National Data Center) before December 20 annually (reporting data is calculated from December 15 of the previous year to the end of December 14 of the reporting year) or submit an ad hoc report upon request (directly or via postal service or online).
CHAPTER V
DATA EXCHANGES
Article 32. Activities of data exchanges
Activities of data exchanges include:
1. Providing data-related resources to serve research, startup development, and innovation; providing data-related services to serve socio-economic development:
a) Data in specialized databases and national databases;
b) Data provided by other organizations and individuals.
2. Providing services:
a) Services for offering to buy, offering to sell, introducing, representing, acting as an agent for, consulting, brokering, supporting valuation, providing technical support, supporting negotiations, and concluding data-related transactions, data products and services;
b) Data auction service;
c) Service for providing an environment for trading and exchanging data and data-related products and services.
Article 33. Provision of data products and services on data exchanges for trading
1. Data products and services of organizations and individuals on data exchanges shall operate under a market mechanism, with valuation support provided by organizations providing data exchange services or other organizations with the valuation function as needed.
2. State agencies providing data products and services shall collect charges/prices in accordance with law regulations; select data exchanges to provide the products and services; and organize data auctions with a reserve price no lower than the input charge for the data products and services.
3. Data products and services on data exchanges must ensure data origin authentication; organizations providing data exchange services or other organizations with the function of data origin authentication shall be responsible for carrying out data origin authentication.
4. Organizations and individuals shall be responsible for the products and services provided on data exchanges; organization providing data exchange services shall be responsible for appraising the data products and services, ensuring the compliance with law regulations.
5. Agencies, organizations, and enterprises providing data products and services must do so through data exchanges, except for cases where law regulations provide otherwise.
6. Data not allowed to be traded in include:
a) Data in the list of core data and important data;
b) Data not allowed by the concerned data subjects to be provided, unless otherwise provided by law;
c) Other data that are prohibited from trading in accordance with law.
Article 34. Conditions for grant of Certificates of eligibility for business on data exchanges
An organization providing activities of data exchanges must meet the following conditions:
1. Being a public non-business unit or a state enterprise established and operating under Vietnamese law, which meets the conditions prescribed in Clauses 2, 3, and 4 of this Article.
2. Conditions on personnel
a) The head of an organization or the at-law representative of an enterprise has a university degree or higher, has directly engaged in management activities at data centers, has at least 03 years of working experience related to data management, and does not fall into one of the cases defined at Points a, b, and c, Clause 1, Article 9 of this Decree;
b) Having at least 05 personnel with a university degree or higher, of which at least 40% are official employees, and 30% hold a certificate or certification for completion of a course on: data science, data analysis, data management, data administration, consulting, brokerage, trade promotion; asset administration; data appraisal.
3. Conditions regarding infrastructure, technical equipment, service provision management processes, and plans for ensuring security and order.
Having available infrastructure and equipment located in Vietnam, which have been inspected in terms of information security and safety in accordance with law regulations, and having a scheme for activities of data exchanges, including the following main contents:
a) A plan and process for provision of activities of data exchanges, including an explanation of the information technology system;
b) A technical plan on technological solution;
c) A plan on storage and assurance of integrity of data, and assurance of information security of the service provision system;
d) A plan on protection of personal data and data of organizations;
dd) A plan for assurance of security and order;
e) A plan on payment;
g) A plan for data appraisal;
h) A plan for use of electronic identification and authentication services;
i) A plan on fire prevention and fighting, disaster preparedness and assurance of stable and uninterrupted operation;
k) An explanation of the technical equipment used.
4. In cases of data auction activities, the organization providing data exchange services must have a license for provision of property auction services in accordance with law regulations.
Article 35. Responsibilities of organizations providing data exchange services
1. To examine and assess the satisfaction of conditions for relevant parties to participate in data exchanges; the legality and the fulfillment of transaction conditions for data products and services; the ability to meet requirements for ensuring of security and safety upon use of data products, to be specific:
a) Conditions for relevant parties to participate in transactions, including: the civil act capacity of individuals; the civil legal capacity of legal persons;
b) The legality and the fulfillment of transaction conditions for data products and services, including: source of origin of the products and services; subjects, contents, methods, and processes for creating the products and services; determining the requirements related to limited or unlimited circulation of the products and services;
c) The fulfillment of requirements for ensuring security and safety upon use of data products, including: compliance with standards and technical regulations for data products and services; the receipt, storage, and processing of data.
2. To supervise activities on data exchanges, decide on suspension of participation of parties, continue listing and terminate the listing of data products and services; to resolve disputes; to supervise, promptly detect, handle, prevent, and report law violations; and to coordinate with relevant state management agencies in inspection, investigation, and collection of evidence.
3. To issue operation regulations and publicly post them on their websites. The operation regulations must include the following main contents:
a) The conditions for participation and the responsibilities of the parties participating in the exchanges;
b) The transaction process;
c) Requirements for ensuring information confidentiality and combating fraudulent acts;
d) Risk management, handling of complaints and disputes, and personal data protection;
dd) The conditions for data products and services to be uploaded to data exchanges.
4. To establish a system to ensure the security of data transactions in accordance with law regulations; to guide the parties on the exchanges in implementation of data protection, data origin traceability, risk identification, compliance inspection, and use effective measures to protect personal data, individual privacy, trade secrets, and important data in accordance with the State’s regulations.
5. To develop an emergency response plan for data security incidents, to carry out recovery and backups for important systems and databases, and to periodically conduct emergency drills on data security, increasing the ability to respond to data security incidents; to maintain a channel for receipt of information and 24/7 service use; and to comply with the approved operation plan and process.
6. To formulate a set of technical specifications to evaluate and manage the quality of data products and services, a system of data asset evaluation indices, and support of the valuation of data products and services.
7. To submit a semi-annual report before June 20 (the reporting data is calculated from December 15 of the previous year to the end of June 14 of the reporting year), an annual report before December 20 (the reporting data is calculated from December 15 of the previous year to the end of December 14 of the reporting year) or upon request on the provision of data exchange services, made using the form BC02 in the Appendix issued together with this Decree to the Ministry of Public Security (via the National Data Center).
Chapter VI
COMPETENCE, DOSSIERS, ORDER, AND PROCEDURES FOR GRANT, RENEWAL, RE-GRANT AND REVOCATION OF CERTIFICATES OF ELIGIBILITY FOR BUSINESS ON DATA EXCHANGES, CERTIFICATES OF ELIGIBILITY FOR BUSINESS OF DATA INTERMEDIATION PRODUCTS AND SERVICES, CERTIFICATES OF ELIGIBILITY FOR BUSINESS OF DATA ANALYSIS AND SYNTHESIS PRODUCTS AND SERVICES, AND CERTIFICATES OF ELIGIBILITY FOR PROVISION OF DATA ANALYSIS AND SYNTHESIS PRODUCTS AND SERVICES
Article 36. Competence to grant Certificates of eligibility for business on data exchanges, Certificates of eligibility for business of data intermediation products and services, Certificates of eligibility for business of data analysis and synthesis products and services, and Certificates of eligibility for provision of data analysis and synthesis products and services
1. The Ministry of Public Security shall grant Certificates of eligibility for business on data exchanges, Certificates of eligibility for business of data intermediation products and services, Certificates of eligibility for business of data analysis and synthesis products and services, and Certificates of eligibility for provision of data analysis and synthesis products and services.
2. The Minister of Public Security shall assign responsibility to its affiliated agencies and units to grant Certificates of eligibility for provision of data analysis and synthesis products and services in accordance with regulations.
Article 37. Dossier, order and procedures for grant of Certificates of eligibility for business on data exchanges, Certificates of eligibility for business of data intermediation products and services, Certificates of eligibility for business of data analysis and synthesis products and services, and Certificates of eligibility for provision of data analysis and synthesis products and services
1. Such a dossier must comprise:
a) An application for grant Certificate of eligibility for business on data exchanges, using the form No. TK01; the one for grant of Certificate of eligibility for business of data intermediation products and services, using the form No. TK02; the one for grant of Certificate of eligibility for business of data analysis and synthesis products and services, using the form No. TK03; or the one for grant of Certificate of eligibility for provision of data analysis and synthesis products and services, using the form No. TK04, such forms are provided in the Appendix issued together with this Decree;
b) The papers and documents demonstrating the fulfillment of the conditions specified in Article 25, Article 29, and Article 34 of this Decree, except for the case of requesting the grant of Certificate of eligibility for provision of data analysis and synthesis products and services.
2. Order and time limit for settlement:
a) An organization shall submit 01 dossier defined in Clause 1 of this Article, either online, in person, or via postal service, to the competent agency;
b) Within 05 working days from the date of receipt of a complete and valid dossier, the competent agency shall be responsible for seeking opinions from relevant agencies, organizations, and individuals;
c) Within 10 days, the consulted units shall send a written opinion;
d) Within 05 working days from the date of receipt of all opinions from the relevant units, the competent agency specified in Article 36 of this Decree shall consider and decide to grant a physical and an electronic version of the Certificate of eligibility for business on data exchanges, made using the form GCN01, a Certificate of eligibility for business of data intermediation products and services, made using the form GCN02, a Certificate of eligibility for business of data analysis and synthesis products and services, made using the form GCN03, or a Certificate of eligibility for provision of data analysis and synthesis products and services, made using the form GCN04, these forms are provided in the Appendix issued together with this Decree; in cases of refusal to grant a certificate, the competent agency must send a written notification, clearly stating the reason.
Article 38. Re-grant and renewal of Certificates of eligibility for business on data exchanges, Certificates of eligibility for business of data intermediation products and services, Certificates of eligibility for business of data analysis and synthesis products and services, and Certificates of eligibility for provision of data analysis and synthesis products and services
1. The re-grant of the physical copy of a Certificate of eligibility for business on data exchanges, a Certificate of eligibility for business of data intermediation products and services, a Certificate of eligibility for business of data analysis and synthesis products and services, or a Certificate of eligibility for provision of data analysis and synthesis products and services shall be applied to cases where the Certificate is lost or damaged.
In such case, the requesting organization shall complete the declaration form, using the form TK05, TK06, TK07 or TK08 in the Appendix issued together with this Decree and submit it to the competent agency online, in person, or via postal service; within 05 working days, the competent agency shall consider and re-grant the Certificate of eligibility for business on data exchanges, Certificate of eligibility for business of data intermediation products and services, Certificate of eligibility for business of data analysis and synthesis products and services, or Certificate of eligibility for provision of data analysis and synthesis products and services, using the prescribed form; in cases of refusal to re-grant a certificate, the competent agency must send a written notification, clearly stating the reason.
2. The renewal of a Certificate of eligibility for business on data exchanges, a Certificate of eligibility for business of data intermediation products and services, a Certificate of eligibility for business of data analysis and synthesis products and services, or a Certificate of eligibility for provision of data analysis and synthesis products and services shall be applied to cases where there is incorrect information or a change in the content of the Certificate.
a) A dossier must comprise:
An application for renewal of Certificate, made using the form TK05, TK06, TK07 or TK08 in the Appendix issued together with this Decree;
Papers and documents proving the incorrect information or the change of information in the granted Certificate.
b) Order and time limit for settlement:
The requesting organization shall submit such a dossier either online, in person, or via postal service to the competent agency. Within 05 working days from the date of receiving a complete and valid dossier of request for renewal of Certificate due to incorrect information or a change in information regarding the plan and process for provision of activities of data exchanges, business on data intermediation products and services, or business on data analysis and synthesis products and services specified in Article 25, Article 29, and Article 34 of this Decree, the competent agency shall be responsible for seeking opinions from the relevant units.
Within 10 days, the consulted units shall send a written opinion.
Within 05 working days from the date of receipt of all opinions from the relevant units, the competent person specified in Article 36 of this Decree shall consider and decide to grant a physical and an electronic version of the Certificate of eligibility for business on data exchanges, Certificate of eligibility for business of data intermediation products and services, Certificate of eligibility for business of data analysis and synthesis products and services, or Certificate of eligibility for provision of data analysis and synthesis products and services, made using the specified form. In case of refusal to renew a Certificate, the competent person shall send a written notification, clearly stating the reason.
Article 39. Revocation of Certificates of eligibility for business on data exchanges, Certificates of eligibility for business of data intermediation products and services, Certificates of eligibility for business of data analysis and synthesis products and services, and Certificates of eligibility for provision of data analysis and synthesis products and services
1. A Certificate of an organization providing activities of data exchanges, dealing in data intermediation products and services, or dealing in data analysis and synthesis products and services shall be revoked in the following cases:
a) Having not operated continuously for 06 months or more;
b) Being dissolved or falling bankrupt in accordance with law regulations;
c) Failing to remedy violations of personal data protection, information security, cyber security, and data security as requested by a competent state agency.
2. A competent person defined in Article 36 of this Decree shall decide to revoke the Certificate of eligibility for business on data exchanges, using the form No. QD01; to revoke the Certificate of eligibility for business of data intermediation products and services, using the form No. QD02; to revoke the Certificate of eligibility for business of data analysis and synthesis products and services, using the form No. QD03; or to revoke the Certificate of eligibility for provision of data analysis and synthesis products and services, using the form No. QD04, such forms are provided in the Appendix issued together with this Decree;
3. The organization dealing in data exchanges, data intermediation products and services, or data analysis and synthesis products and services that has a Certificate of eligibility for business on data exchanges, a Certificate of eligibility for business of data intermediation products and services, a Certificate of eligibility for business of data analysis and synthesis products and services, or a Certificate of eligibility for provision of data analysis and synthesis products and services revoked shall be responsible for:
Submitting the granted Certificate to the agency competent to grant the certificate within 05 working days from the date of receipt of the revocation decision.
4. When issuing a decision on revocation of the certificates, the competent agency shall simultaneously revoke the electronic version and make an announcement on its information system or website.
Chapter VII
RESPONSIBILITIES FOR STATE MANAGEMENT OF SCIENTIFIC AND TECHNOLOGICAL ACTIVITIES AND INNOVATION, DATA PRODUCTS AND SERVICES
Article 40. Responsibility of the Ministry of Public Security
1. To assume the prime responsibility for, and coordinate with relevant ministries and agencies in, managing the international cooperation in scientific and technological activities and innovation related to data; supporting the incubation and development of the innovative startup ecosystem for data products and services; training, fostering, and enhancing the professional qualifications of human resources in data science and technology.
2. To implementation of dissemination, propagation, and education of the laws in the field of specialized management related to scientific and technological activities and innovation and data products and services within its scope of management.
3. To guide and organize the grant, renewal, re-grant, and revocation of Certificates of eligibility for regulatory sandbox activities, Certificates of termination of regulatory sandbox activities, Certificates of eligibility for business on data exchanges, Certificates of eligibility for business of data intermediation products and services, Certificates of eligibility for business of data analysis and synthesis products and services, and Certificates of eligibility for provision of data analysis and synthesis products and services.
4. To assume the prime responsibility for, and coordinate with ministries and sectors in, carrying out the inspection, supervision, handling of complaints and denunciations, prevention, detection, and handling of violations related to regulatory sandbox activities, business on data exchange activities, business on data intermediation products and services, and business on and provision of data analysis and synthesis products and services specified in this Decree within its competence.
5. To issue within its competence and to propose amendments, supplements, and improvements to legal documents in the fields of science, technology, innovation, and data products and services.
Article 41. Responsibilities of the Ministry of National Defence, Ministry of Science and Technology, Ministry of Finance, and Ministry of Education and Training
1. Responsibility of the Ministry of National Defence
a) To implement international cooperation in scientific and technological activities and innovation related to data within its scope of management;
b) To implementation of dissemination, propagation, and education of the laws in the field of specialized management related to scientific and technological activities and innovation and data products and services within its scope of management;
c) To guide and organize the grant of Certificates of eligibility for regulatory sandbox activities, Certificates of termination of regulatory sandbox activities; to decide on the adjustment, extension of the regulatory sandbox period; to inspect and supervise the research and application of science, technology and innovation in building, development, protection, administration, processing and use of data in the fields of national defense and cipher;
d) To carry out the inspection, supervision, handling of complaints and denunciations, prevention, detection and handling of violations related to data-related regulatory sandbox activities within the fields of national defense and cipher; to coordinate with the Ministry of Public Security in carrying out the inspection, supervision, handling of complaints and denunciations, prevention, detection and handling of violations related to business on and provision of data intermediation products and services, business on and provision of data analysis and synthesis products and services, and business on data exchange activities specified in this Decree within its competence;
d) To issue within its competence and to propose amendments, supplements, and improvements to legal documents in the fields of science, technology, innovation, and data products and services.
2. Responsibilities of the Ministry of Science and Technology
a) To conduct the international cooperation in scientific and technological activities and innovation related to data within the scope of its assigned functions and tasks;
b) To coordinate with the Ministry of Public Security and the Ministry of Education and Training in formulating training programs and providing training, fostering and enhancing the professional qualifications of human resources of science and technology related to data;
c) To coordinate with the Ministry of Public Security in carrying out the inspection, supervision, handling of complaints and denunciations, prevention, detection, and handling of violations on data-related regulatory sandbox activities, business on and provision of data intermediation products and services, business on and provision of data analysis and synthesis products and services, and business on data exchange activities specified in this Decree within its competence;
d) To propose amendments, supplements, and improvements to legal documents in the fields of science, technology, innovation, and data products and services.
3. Responsibility of the Ministry of Finance
a) To conduct the international cooperation in scientific and technological activities and innovation related to data within the scope of its assigned functions and tasks;
b) To coordinate with the Ministry of Public Security in carrying out the inspection, supervision, handling of complaints and denunciations, prevention, detection, and handling of violations on data-related regulatory sandbox activities, business on and provision of data intermediation products and services, business on and provision of data analysis and synthesis products and services, and business on data exchange activities specified in this Decree within its competence;
c) To propose amendments, supplements, and improvements to legal documents in the fields of science, technology, innovation, and data products and services.
4. Responsibilities of the Ministry of Education and Training
a) To conduct the international cooperation in education and training related to data within the scope of its assigned functions and tasks;
b) To assume the prime responsibility for, and coordinate with the Ministry of Public Security and relevant ministries, sectors, agencies, and organizations in, organizing and building a scheme for training high-quality human resources that meets the development requirements of scientific and technological activities and innovation related to data;
c) To assume the prime responsibility for, and coordinate with the Ministry of Public Security and relevant ministries, sectors, agencies, and organizations in, formulating mechanisms and policies on credit, scholarships, and tuition fees to attract students, and specific mechanisms for public-private partnership in training for the fields of information technology, cyber security, data science, and artificial intelligence;
d) To coordinate with the Ministry of Public Security in carrying out the inspection, supervision, handling of complaints and denunciations, prevention, detection, and handling of violations on data-related regulatory sandbox activities, business on and provision of data intermediation products and services, business on and provision of data analysis and synthesis products and services, and business on data exchange activities specified in this Decree within its competence;
dd) To propose amendments, supplements, and improvements to legal documents in the field of education and training related to science, technology, innovation, and data products and services.
Article 42. Responsibilities of other ministries, ministerial-level agencies, government-attached agencies, and People’s Committees of provinces and centrally-run cities
1. To conduct the international cooperation in scientific and technological activities and innovation related to data within the scope of their assigned functions, tasks, and localities.
2. To implementation of dissemination, propagation, and education of the laws in the field of specialized management related to scientific and technological activities and innovation and data products and services of ministries, sectors and localities under their management.
3. To guide and organize the grant of Certificates of eligibility for regulatory sandbox activities, Certificates of termination of regulatory sandbox activities; to decide on the adjustment, extension of the regulatory sandbox period; to inspect and supervise the research and application of science, technology and innovation in building, development, protection, administration, processing and use of data in the fields and localities under their management.
4. To coordinate with the Ministry of Public Security in carrying out the inspection, supervision, handling of complaints and denunciations, prevention, detection, and handling of violations on data-related regulatory sandbox activities, business on and provision of data intermediation products and services, business on and provision of data analysis and synthesis products and services, and business on data exchange activities specified in this Decree within their competence and localities.
5. To propose amendments, supplements, and improvements to legal documents in the fields of science, technology, innovation, and data products and services.
6. To direct their affiliated agencies and units to make records of receipt and transfer them to the competent agencies granting the certificates to which the organizations and individuals have submitted, including: Certificates of eligibility for regulatory sandbox activities, Certificates of eligibility for business on data exchanges, Certificates of eligibility for business of data intermediation products and services, Certificates of eligibility for business of data analysis and synthesis products and services, and Certificates of eligibility for provision of data analysis and synthesis products and services
Chapter VIII
ORGANIZATION OF IMPLEMENTATION
Article 43. Amending and supplementing a number of articles of Decree No. 69/2024/ND-CP dated June 25, 2024 of the Government providing electronic identification and authentication
1. To amend and supplement Clause 4, Clause 6 and Clause 9 Article 3 as follows:
a) To amend and supplement Clause 4 as follows:
“4. Electronic identification and authentication management agency is the Ministry of Public Security.”;
b) To amend and supplement Clause 6 as follows:
“6. Electronic authentication means the activity of authenticating electronic data aimed at affirming the correctness of the data, carried out through the National synthetic database, via the electronic identification and authentication system, and other data platforms organized and implemented by data owners and data administrators.”;
c) To amend and supplement Clause 9 as follows:
“9. Electronic authentication service provider means a public non-business unit or a state-owned enterprise operating in Vietnam that satisfies the conditions for dealing in and providing electronic authentication services in accordance with this Decree and other relevant law regulations.”.
2. To amend and supplement Article 21 as follows:
“Article 21. Methods of electronic authentication in performing transactions through the electronic identification and authentication system, data exchanges, National synthetic database, or other methods provided by the Ministry of Public Security
1. Electronic authentication for online transactions shall be performed through authentication means appropriate to the level of authentication requested by the organizations providing these online services.
2. For cases of authentication of electronic identification account information at the place of transaction, the authentication shall be performed through the authentication solution provided in the National Identification Application, data exchanges, National synthetic database, or other methods provided by the Ministry of Public Security.”.
3. To amend and supplement Clause 1 Article 23 as follows:
“1. Conditions on an organization/enterprise
Being a public non-business unit or a state-owned enterprise operating in Vietnam.”.
4. To replace and remove a number of phrases at points, clauses and articles of Decree No. 69/2024/ND-CP dated June 25, 2024 of the Government, providing electronic identification and authentication as follows:
a) To replace the phrase “the Public Security agency of commune, ward or town, or the identity management agency of the provincial- or district-level Public Security agency” with the phrase “the Public Security agency of commune, ward or special zone or the identity management agency of the provincial-level Public Security agency” in Article 15, Article 29, and Article 30;
b) To replace the phrase “an identity management agency that is convenient for the requester” with the phrase “an identity management agency or commune-level Public Security agency that is convenient for the requester” in Clause 1 Article 12; to replace the phrase “the Ministry of Information and Communications” with the phrase “the Ministry of Science and Technology”, and to replace the phrase “the Ministry of Planning and Investment” with the phrase “the Ministry of Finance” in Article 34, Article 35, Article 36, and Article 41;
c) To remove the phrase “the nearest district-level Public Security agency” at Point c Clause 2 and Point b Clause 3 Article 15, Clause 2 and Clause 3 Article 29, Clause 2 and Clause 3 Article 30; to remove the phrase “district-level Public Security agency” at Point d, Point dd Clause 2 and Point c, Point d Clause 3 Article 15, Clause 4 and Clause 5 Article 29, and Clause 4 and Clause 5 Article 30;
d) To repeal Clause 4 Article 23.
Article 44. Effect and implementation responsibility
1. This Decree takes effect on July 01, 2025.
2. The Ministry of Public Security shall be responsible for guiding, inspecting, and urging the implementation of this Decree.
3. Ministers, heads of ministerial-level agencies, heads of government-attached agencies, chairpersons of People’s Committees of provinces, centrally-run cities shall implement this Decree.
| ON BEHALF OF THE GOVERNMENT FOR THE PRIME MINISTER DEPUTY PRIME MINISTER
Nguyen Chi Dung |
Vietnamese
Decree 169/2025/NĐ-CP PDF (Original)
Decree 169/2025/NĐ-CP DOC (Word)
