Decree 53/2022/ND-CP detailing the Law on Cyber Security

DECREE

Detailing a number of articles of the Law on Cyber Security^[1]

Pursuant to the June 19, 2015 Law on Organization of the Government; and the November 22, 2019 Law Amending and Supplementing a Number of Articles of the Law on Organization of the Government and the Law on Organization of Local Administration;

Pursuant to the December 3, 2004 Law on National Security;

Pursuant to the June 12, 2018 Law on Cyber Security;

Pursuant to the November 19, 2015 Law on Cyberinformation Security;

At the proposal of the Minister of Public Security;

The Government promulgates the Decree detailing a number of articles of the Law on Cyber Security.

Chapter I

GENERAL PROVISIONS

Article 1. Scope of regulation

This Decree details Points a, b, c, d, dd, g, i, k, and l,  Clause 1, Article 5; Clause 4, Article 10; Clause 5, Article 12; Clause 1, Article 23; Clause 7, Article 24; Clauses 2 and 4, Article 26; and Clause 5, Article 36, of the Law on Cyber Security, covering the following contents:

1. Cyber security protection measures: cyber security appraisal; assessment of cyber security conditions; cyber security inspection; cyber security monitoring; response to and remediation of cyber security incidents; use of cryptography to protect information in cyberspace; request for removal of unlawful or false information in cyberspace that infringes upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals; collection of electronic data related to activities in cyberspace that infringe upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals; termination, suspension or request for cessation of operation of information systems or revocation of domain names.

2. Grounds, order and procedures for, and coordination among related ministries and sectors in, cyber security appraisal, assessment, inspection and monitoring, response to, and remediation of, cyber security incidents with regard to information systems of national security importance.

3. Cyber security conditions for information systems of national security importance.

4. Specific cyber security protection activities of state agencies and central and local political organizations.

5. Order and procedures for cyber security inspection for information systems of agencies, organizations and individuals that are not on the list of information systems of national security importance in the cases specified in Clause 1, Article 24.

6. Data storage and setting up of Vietnam-based branches or representative offices of enterprises specified in Clause 3, Article 26.

7. The assignment of responsibility for, and coordination in, implementation of measures to protect cyber security and prevent and handle acts of infringing upon cyber security in cases involving the state management of multiple ministries or sectors.

Article 2. Interpretation of terms

In this Decree, the terms below are construed as follows:

1. Personal information data means informative data in the form of symbols, letters, numerals, images, sounds or the like that are used to identify an individual.

2. Service user means an organization or individual using services in cyberspace.

3. Service user in Vietnam means an organization or individual using cyberspace in the territory of the Socialist Republic of Vietnam.

4. Data about service user’s relationship means informative data in the form of symbols, letters, numerals, images, sounds or the like that reflect or identify the service user’s relationship with others in cyberspace.

5. Data created by service users in Vietnam means informative data in the form of symbols, letters, numerals, images, sounds or the like reflecting service users’ activity logs in cyberspace as well as network equipment and services used to connect to the cyberspace in the territory of the Socialist Republic of Vietnam.

6. Telecommunications network-based services means telecommunications services and telecommunications application services specified by law.

7. Internet-based services means Internet services and Internet-based content delivery services specified by law.

8. Value-added services in cyberspace means value-added telecommunications services specified by law.

9. The professional cyber security protection forces include:

a/ The Department of Cyber Security and Hi-Tech Crime Prevention and Control of the Ministry of Public Security;

b/ The Military Security Department, the General Department of Politics and the Cyber ​​Command of the Ministry of National Defense.

10. Managers of information systems of national security importance means agencies and organizations competent to directly manage information systems of national security importance, including:

a/ Ministries, ministerial-level agencies and government-attached agencies;

b/ Provincial-level People’s Committees;

c/ Central political organizations;

d/ Authorities competent to decide on investment in projects on building, establishment, upgrading and expansion of information systems of national security importance.

11. Domestic enterprise means an enterprise established or registered for establishment in accordance with Vietnam’s law and having its head office based in Vietnam.

12. Foreign enterprise means an enterprise established or registered for establishment in accordance with a foreign law.

Chapter II

FORMULATION OF THE LIST OF INFORMATION SYSTEMS OF NATIONAL SECURITY IMPORTANCE, COORDINATION MECHANISM, AND CYBER SECURITY CONDITONS FOR PROTECTION OF INFORMATION SYSTEMS OF NATIONAL SECURITY IMPORTANCE

Section 1

FORMULATION OF THE LIST OF INFORMATION SYSTEMS OF NATIONAL SECURITY IMPORTANCE

Article 3. Grounds for establishment of information systems of national security importance

Information systems of national security importance are information systems of state agencies and political organizations of the Socialist Republic of Vietnam, including:

1. Information systems of national importance specified by the Law on Cyberinformation Security.

2. Information system serving the direction and administration of important works related to national security as specified by law.

3. Information systems serving the direction, administration and control of operation of important telecommunications works related to national security as specified by law.

4. Information systems in the fields specified in Clause 2, Article 10 of the Law on Cyber Security that, when encountering incidents or being hacked, falsified, interrupted, stagnated, paralyzed, attacked or vandalized, might cause one of the following consequences:

a/ Directly affecting the independence, sovereignty, unity and territorial integrity of the Fatherland, or the existence of the regime and the State of the Socialist Republic of Vietnam;

b/ Causing serious consequences to national defense, national security and foreign affairs, thus weakening national defense and protection capacity;

c/ Causing serious consequences to the national economy;

d/ Causing catastrophes to human life and the ecological environment;

dd/ Causing serious consequences to operation of special-grade construction works specified by the law on construction;

e/ Causing serious consequences to the formulation of guidelines and policies classified as state secrets;

g/ Seriously affecting the direct direction and administration work of Party and State agencies at the central level.

Article 4. Formulation of dossiers of request for inclusion of information systems in the List of information systems of national security importance

1. Information system managers shall review and collate the provisions of Clause 4, Article 3 of this Decree, and formulate dossiers of request for inclusion of information systems under their management in the list of information systems of national security importance.

2. For information systems on the list of information systems of national importance:

a/ The Ministry of Information and Communications shall send to the Ministry of Public Security dossiers of information systems of national importance approved by the Prime Minister for the latter to formulate the List of information systems of national security importance;

b/ In the case specified at Point a, Clause 2 of this Article, managers of information systems of national importance are not required to formulate dossiers of request for inclusion of information systems under their management in the List of information systems of national security importance;

c/ The Ministry of Public Security shall include information systems of national importance in the List of information systems of national security importance according to the law-specified order and procedures; notify managers of these information systems of the inclusion of their information systems in the List of information systems of national security importance and perform corresponding responsibilities.

3. During the appraisal of information security level of information systems, if the Ministry of Information and Communications finds that there are sufficient grounds to include these information systems in the List of information systems of national security importance, it shall transfer dossiers of request for inclusion of these information systems in the List of information systems of national security importance to the Ministry of Public Security for appraisal.

4. The professional cyber security protection forces shall, based on their assigned functions and tasks, review information systems’ compliance with Article 3 of this Decree and request information system managers to make dossiers of request for inclusion of information systems under their management in the List of information systems of national security importance.

5. A dossier of request for inclusion of information systems in the List of information systems of national security importance must comprise:

a/ A request for inclusion of information systems in the List of information systems of national security importance (made according to Form No. 01 provided in the Appendix to this Decree);

b/ A document listing all information systems of the requesting agency or organization (made according to Form No. 02 provided in the Appendix to this Decree);

c/ Accompanying proofs, including: documents describing and explaining the information systems; construction design documents approved by competent authorities or documents of equivalent validity; documents proving the conformity with the grounds for requesting the inclusion of information systems in the List of information systems of national security importance; documents explaining information system protection plans (plans on assurance of network infrastructure safety; server safety; application safety; database safety; management policy; organization and personnel; design and construction management; operation management; inspection, assessment and risk management).

6. A dossier of request for inclusion of an information system in the List of information systems of national security importance shall be made in 1 original and sent to:

a/ The Department of Cyber Security and Hi-Tech Crime Prevention and Control of the Ministry of Public Security, except the cases specified at Points b and c
of this Clause;

b/ The Cyber Command of the Ministry of National Defense, for military information systems;

c/ The Government Cipher Committee, for cipher information systems of the Government Cipher Committee.

7. A dossier-receiving agency specified in Clause 6 of this Article shall give written feedback on the received dossier (made according to Form No. 03 provided in the Appendix to this Decree).

Article 5. Appraisal of dossiers of request for inclusion of information systems in the List of information systems of national security importance

1. The Department of Cyber Security and Hi-Tech Crime Prevention and Control of the Ministry of Public Security shall appraise dossiers of request for inclusion of information systems in the List of information systems of national security importance under regulations, except the cases specified in Clauses 2 and 3 of this Article.

2. The Cyber ​​Command of the Ministry of National Defense shall guide the preparation, receipt and appraisal of dossiers of request for inclusion of military information systems in the List of information systems of national security importance.

3. The Government Cipher Committee shall appraise dossiers of request for inclusion of cipher information systems under its management in the List of information systems of national security importance.

4. The Council for appraisal of dossiers of request for inclusion of information systems in the List of information systems of national security importance:

a/ For information systems of national security importance that are related to multiple sectors and fields, or of which the appraisal requires opinions of multiple ministries and sectors;

b/ The Appraisal Council shall work on a part-time basis and dissolve itself upon completion of its tasks. Based on the nature and role of information systems, members of the Appraisal Council may be those from the Ministry of Public Security, Ministry of National Defense, Ministry of Information and Communications, Government Cipher Committee and other related agencies and units. Depending on each specific case, the Appraisal Council may invite information system managers to attend appraisal meetings;

c/ The Appraisal Council shall appraise the safety level of information systems and dossiers of request for inclusion of information systems in the List of information systems of national security importance.

5. Results of meetings of the Appraisal Council shall be used to serve the cyber security and cyberinformation security work.

6. In case it is necessary to verify information in dossiers of request for inclusion of information systems in the List of information systems of national security importance and the actual state of information systems stated in the dossiers, the appraising agency specified in Clause 1, 2 or 3 of this Article shall carry out field survey and inspection to appraise requests for inclusion of information systems in the List of information systems of national security importance. The time limit for field survey and inspection is 20 days.

Survey results shall be recorded in minutes certified by the appraising agency and information system managers.

7. Information system managers shall coordinate with the appraising agency in, and create conditions for, the appraisal, survey, inspection and supplementation of dossiers at the request of the appraising agency.

8. Time limit and order of appraisal of a dossier:

a/ The time limit for appraisal of a dossier of request for inclusion of an information system in the List of information systems of national security importance is 30 days from the date of receipt of a complete and valid dossier or the completion of the survey process specified in Clause 6 of this Article;

b/ The time limit for certifying the validity of a dossier of request for inclusion of an information system in the List of information systems of national security importance is 3 working days after the receipt of a complete dossier;

c/ Past the appraisal time limit, the appraising agency shall complete and submit the dossier to the Minister of Public Security or Minister of National Defense for the latter to propose the Prime Minister to issue a decision on formulation or updating of the List of information systems of national security importance according to his/her assigned functions and tasks; and at the same time, issue a notice of appraisal results to the information system manager (made according to Form No. 04 provided in the Appendix to this Decree);

d/ The Minister of Public Security or Minister of National Defense may decide to extend the appraisal time limit. An extension must not exceed 20 days.

9. The Ministry of Public Security shall assume the prime responsibility for, and coordinate with the Ministry of National Defense and Government Cipher Committee in, reaching consensus on the mechanism for proposing the Prime Minister to issue decisions on formulation and updating of the List of information systems of national security importance.

Article 6. Removal of information systems from the List of information systems of national security importance

1. When finding that an information system of national security importance under its management no longer satisfies the conditions specified in Article 3 of this Decree, the information system manager shall make a dossier of request for removal of the information system from the List of information systems of national security importance.

2. Every year, the professional cyber security protection forces shall, based on their functions and tasks, review information systems that no longer meet the criteria specified in Article 3 of this Decree and request information system managers to make dossiers of request for removal of the information systems under their management from the List of information systems of national security importance.

3. A dossier of request for removal of an information system from the List of information systems of national security importance must comprise:

a/ A request for removal of an information system from the List of information systems of national security importance (made according to Form No. 05 provided in the Appendix to this Decree);

b/ Other necessary documents directly related to the request for removal of the information system from the List of information systems of national security importance.

4. The order, procedures and competence for considering and deciding to remove an information system from the List of information systems of national security importance must comply with regulations on order, procedures and competence for considering and deciding on inclusion of information systems in the List of information systems of national security importance.

Article 7. Coordination in appraisal, assessment, inspection and monitoring of, response to, and remediation of consequences of, incidents in information systems of national security importance

1. The protection of cyber security and cyber information safety for information systems of national security importance must comply with the laws on cyber security and cyberinformation security.

2. Coordination principles

a/ To apply the provisions of the laws on cyber security and cyberinformation security to the appraisal, assessment, inspection and monitoring of, response to, and remediation of consequences of, incidents in information systems of national security importance;

b/ In case the coordination among many related parties is required, the Ministry of Public Security, Ministry of National Defense or the Government Cipher Committee shall, based on the Law on Cyber Security, assume the prime responsibility for, and coordinate with the Ministry of Information and Communications and related ministries and sectors in, organizing the appraisal, assessment, inspection and monitoring of, response to, and remediation of consequences of, cyber security incidents in information systems of national security importance according to their assigned functions and tasks;

c/ The process of coordination must comply with treaties and regulations of international organizations to which Vietnam is a contracting party, the Law on Cyber Security and relevant laws and shall be carried out in a proactive, regular and prompt manner in accordance with assigned functions, tasks and powers of related parties.

3. Method of coordination

a/ The Ministry of Public Security shall request in writing related ministries and sectors to appoint its officers to participate in the appraisal, assessment, inspection and monitoring of, response to, and remediation of consequences of, cybersecurity incidents in information systems of national security importance;

b/ Related ministries and sectors shall appoint their representatives to participate in all activities involved in the appraisal, assessment, inspection and monitoring of, response to, and remediation of consequences of, cyber security incidents in information systems of national security importance as requested;

c/ The Ministry of Public Security shall duplicate and send copies of dossiers, texts and documents serving the appraisal, assessment, inspection and monitoring of, response to, and remediation of consequences of, cybersecurity incidents in information systems of national security importance to those participating in these activities under regulations.

4. Coordination in the monitoring of information systems of national security importance serving the protection of cyber security and cyberinformation security:

a/ The professional cyber security protection forces shall share with one another and with the Department of Information Security of the Ministry of Information and Communications data on cyber security monitoring and cyberinformation security to serve the performance of assigned functions and tasks;

b/ In case the cyberinformation security monitoring for information systems of national security importance has been carried out, monitoring data shall be shared or made available for shared use in service of cyber security and cyberinformation security protection;

c/ Managers of information systems of national security importance shall arrange space, ensure technical conditions and install and connect monitoring systems and equipment of the professional cyber security protection forces into information systems under their management in order to detect and provide early warnings about cyber security threats.

Section 2

CYBER SECURITY CONDITIONS FOR INFORMATION SYSTEMS OF NATIONAL SECURITY IMPORTANCE

Article 8. Conditions on regulations, processes and plans on assurance of cyber security for information systems of national security importance

1. Pursuant to regulations on protection of cyber security, protection of state secrets and work secrets, standards and technical regulations on cyber information security, and other relevant professional technical standards, managers of information systems of national security importance shall formulate regulations, processes and plans on cyber security protection for information systems of national security importance under their management.

2. Contents of regulations, processes and plans on cyber security protection must clearly specify information systems and important information prioritized for protection; managerial, technical and professional processes in the use of, and cyber security protection with regard to, data and technical infrastructure; conditions on personnel in charge of network administration, system operation, assurance of cyber security and cyberinformation security, and drafting, storage and transmission of state secrets through information systems; responsibility of each section or individual for management, operation and use of information systems; and sanctions for violations.

Article 9. Conditions on personnel in charge of system operation and administration and cyber security protection

1. Having a section in charge of system operation and administration and cyber security protection.

2. Personnel in charge of system operation and administration and cyber security protection must have professional qualifications in cyber security, cyberinformation security and information technology; shall make commitments to keeping confidential information relating information systems of national security importance while working and after leaving working positions.

3. Having worked out a mechanism for independent professional operation among sections in charge of system operation and administration and cyber security protection for information systems of national security importance.

Article 10. Conditions for assurance of cyber security for equipment, hardware and software that are system components

1. Hardware devices that are system components must undergo cyber security inspection to detect security weaknesses and vulnerabilities, malicious codes, transceivers, and malicious hardware so as to ensure compatibility with other components of information systems of national security importance. Administration devices shall be installed with virus-free operating systems and software as well as firewalls. Information systems that process state secrets may not be connected to the Internet.

2. Products against which the professional cyber security protection and cyber information security forces have issued cyber security risk warnings or announcements may not be used or may be used only after measures to address or remedy security weaknesses or vulnerabilities, malicious codes and malicious hardware are taken.

3. Digital data and information being state secrets that are processed and stored through information systems shall be encrypted or protected during the process of creation, exchange and storage on the Internet in accordance with the law on protection of state secrets.

4. Information technology equipment, communications devices, information-carrying media and equipment serving the operation of information systems shall be managed, destroyed and repaired in accordance with the law on protection of state secrets and working regulations of information system managers.

5. System software, utility software, middleware, databases, application programs, source codes and development tools shall be periodically reviewed and updated with patches.

6. Mobile devices and information storage devices shall, when connected to local-area networks of information systems of national security importance, be checked and controlled to ensure safety and may be used only at information systems of national security importance.

7. The connection, transportation and storage of information storage devices and tools must comply with the following provisions:

a/ Information storage devices and tools must undergo security check before being connected to information systems of national security importance;

b/ The connection and disconnection of devices belonging to information systems of national security importance shall be controlled;

c/ It is required to take measures to ensure safety for the transportation and storage of information storage devices and tools and measures to protect information being state secrets contained therein.

Article 11. Conditions on technical measures to monitor and protect cyber security

1. The operating environment of an information system of national security importance must satisfy the following requirements:

a/ Being separated from development, checking and testing environments;

b/ Applying solutions to ensure information security;

c/ Ensuring that no application development tools and means are installed;

d/ Removing or turning off unused and unnecessary utility features and software on information systems.

2. There must be plans on creation of automatic backup copies of data of information systems of national security importance on external storage devices in conformity with the frequency of data changes and adherence to the principle that newly arising data shall be backed up within 24 hours. Backup data shall be checked every 6 months so as to ensure restorability.

3. The network system must meet the following requirements:

a/ Being separated based on users and use purposes into different network areas, including at least a network partition for the information system’s server; a demilitarized zone (DMZ) for provision of Internet-based services; a network partition for  provision of wireless network services; and a network partition for the database server;

b/ Having equipment and software to control connections and access to important network areas;

c/ Devising solutions to control, detect and prevent in time untrusted connections and access and unauthorized intrusion;

d/ Having plans to respond to denial-of-service attacks and attacks in other forms in conformity with the scale and nature of information systems of national security importance.

4. To take measures and solutions to search and promptly detect technical weaknesses and vulnerabilities of the network system, unauthorized connections and illegally installed equipment and software.

5. To keep information systems’ operation logs and users’ activity logs, errors and information security incidents for at least 3 months in centralized storage and create backups at least once a year.

6. To control access by users and groups of users of equipment and tools through application of the following measures:

a/ Registering, granting, renewing and revoking access rights of devices and users;

b/ Assigning every system access account to a unique user; the use of a shared account to access an information system of national security importance shall be approved by a competent authority with personal responsibility for every time of account use determined;

c/ Limiting and controlling accesses using administrator accounts: (i) To formulate a mechanism to control the creation of administrator accounts in order to ensure that no account can be used without approval of competent authorities; (ii) To take measures to monitor the use of administrator accounts; (iii) To limit the use of administrator accounts to ensure that there is only one administrator access at a single time and automatic log out after a specific period of inactivity;

d/ Managing and granting private keys to access information systems;

dd/ Reviewing, checking and reviewing user access rights;

e/ Setting information security requirements and conditions for devices and tools used for access.

Article 12. Conditions on physical security

1. Information systems of national security importance shall be arranged and installed in safe and protected locations in order to minimize risks from environmental threats and dangers and unauthorized intrusion.

2. It is required to ensure the power source and support systems when the main power source for information systems of national security importance is interrupted; to take measures to prevent overload, voltage drop and lightning transmission; to install earthing systems; to equip backup power generators and power supply systems to ensure uninterrupted operation of equipment.

3. Information systems of national security importance must have plans and measures to protect against intrusion and information collection from unmanned aerial vehicles.

4. Entry into and exit from data centers of information systems of national security importance shall be controlled around the clock.

Chapter III

ORDER AND PROCEDURES FOR APPLICATION OF A NUMBER OF CYBER SECURITY PROTECTION MEASURES

Article 13. Order and procedures for cyber security appraisal of information systems of national security importance

1. Cyber security appraisal of information systems on the list of information systems of national security importance shall be conducted by professional cyber security protection forces under regulations.

2. Procedures for cyber security appraisal of information systems of national security importance:

a/ Managers of information systems of national security importance shall submit a dossier of request for cyber security appraisal to professional cyber security protection forces;

b/ Professional cyber security protection forces shall receive, examine, and guide the completion of, dossiers of request for cyber security appraisal and issue a receipt within 3 working days after receiving a complete and valid dossier;

c/ Professional cyber security protection forces shall conduct cyber security appraisal under Clause 3, Article 11 of the Law on Cyber Security and notify the appraisal results to managers of information systems of national security importance within 30 days from the date of issuance of the receipt.

3. A dossier of request for cyber security appraisal of an information system of national security importance must comprise:

a/ A request for cyber security appraisal (made according to Form No. 06 provided in the Appendix to this Decree);

b/ A prefeasibility study report and construction design dossier of the investment project to build the information system before they are approved;

c/ A scheme on upgrading the information system before it is approved in case the information system of national security importance is upgraded.

4. When it is necessary to determine the conformity between the current state of the information system of national security importance and the dossier of request for appraisal, the professional cyber security protection force shall conduct survey and assess the current state of the information system of national security importance for collation against the dossier of request for appraisal. The survey and practical assessment must not affect normal operation of the information system of national security importance and its manager. The time period for survey and practical assessment must not exceed 7 working days.

5. The cyber security appraisal results shall be protected in accordance with law.

Article 14. Order and procedures for assessment of cyber security conditions of information systems of national security importance

1. The assessment of cyber security conditions of information systems on the list of information systems of national security importance shall be conducted by professional cyber security protection forces under regulations.

2. The order for assessment of cyber security conditions of an information system of national security importance is as follows:

a/ The manager of the information system of national security importance shall submit  a dossier of request for assessment of cyber security conditions of the information system of national security importance to a professional cyber security protection force competent to assess cyber security conditions prescribed in Clause 3, Article 12 of the Law on Cyber Security;

b/ The professional cyber security protection force shall receive, examine, and guide the completion of, the dossier of request for assessment of cyber security conditions and issue a receipt right after receiving a complete and valid dossier;

c/ After receiving a complete and valid dossier, the professional cyber security protection force shall conduct assessment of cyber security conditions and notify the assessment results to the manager of the information system of national security importance within 30 days from the date of issuance of the receipt;

d/ In case the cyber security conditions are fully satisfied, the head of the agency conducting assessment of cyber security conditions shall issue a certificate of satisfaction of cyber security conditions for the information system of national security importance within 3 working days after the assessment of cyber security conditions is completed.

3. A dossier of request for certification of the satisfaction of cyber security conditions for an information system of national security importance must comprise:

a/ A request for certification of satisfaction of cyber security conditions (made according to Form No. 07 provided in the Appendix to this Decree);

b/ A prefeasibility study report and construction design dossier of the investment project to build the information system before they are approved;

c/ A dossier on cyber security assurance methods for the information system of national security importance.

4. In case cyber security conditions are not satisfied, the professional cyber security protection force shall request the manager of the information system of national security importance to supplement and upgrade the information system to meet the law-prescribed conditions.

Article 15. Order and procedures for cyber security supervision

1. The Department of Cyber Security and Hi-Tech Crime Prevention and Control of the Ministry of Public Security and the Cyber Command of the Ministry of National Defense shall supervise cyber security for national cyberspace and information systems of national security importance according to their assigned functions and tasks. The Government Cypher Committee shall supervise cyber security for cypher information systems under its management according to its assigned functions and tasks.

2. The order for cyber security supervision by professional cyber security protection forces is as follows:

a/ Sending a request for implementation of cyber security supervision measures to the manager of the information system, clearly stating the reason, time, content and scope of cyber security supervision;

b/ Implementing cyber security supervision measures;

c/ Making statistics of and reporting on cyber security supervision results on a periodical basis.

3. Responsibilities of managers of information systems of national security importance:

a/ To build and deploy cyber security supervision systems, coordinate with professional cyber security protection forces in supervising cyber security for information systems under their management;

b/ To arrange space, ensure technical conditions, establish and connect supervision systems and devices of professional cyber security protection forces to their information systems to serve cyber security supervision;

c/ To provide and update information on information systems under their management and technical plans on deployment of supervision systems to professional cyber security protection forces on a periodical basis or upon the latter’s request;

d/ To notify professional cyber security protection forces of their cyber security supervision activities once every 3 months;

dd/ To keep relevant information confidential in the course of coordination with professional cyber security protection forces.

4. Telecommunications enterprises and information technology, telecommunications and Internet service providers shall coordinate with professional cyber security protection forces in cyber security supervision within their competence in order to protect cyber security.

5. Cyber security supervision results shall be kept confidential in accordance with law.

Article 16. Order and procedures for cyber security inspection

1. Professional cyber security protection forces shall inspect cyber security of information systems under Clause 5, Article 13 and Clause 1, Article 24 of the Law on Cyber Security. Contents of cyber security inspection include inspection of observance of the law on assurance of cyber security and protection of state secrets in cyberspace; inspection and evaluation of effectiveness of cyber security assurance plans and measures, plans on response to and remediation of cyber security incidents; inspection, assessment and detection of security weaknesses and vulnerabilities and malware, penetration testing; other inspections and assessments prescribed by information system managers.

2. The order and procedures for cyber security inspection by professional cyber security protection forces are as follows:

a/ Announcing cyber security inspection plans under regulations;

b/ Forming inspection teams according to their assigned functions and tasks;

c/ Conducting cyber security inspection and closely coordinating with information system managers in the course of inspection;

d/ Making records of the process and results of cyber security inspection and preserving them in accordance with law;

dd/ Notifying cyber security inspection results within 3 working days after the inspection is completed.

3. If it is necessary to maintain the current state of the information system for investigation and handling of violations, detection of security weaknesses and vulnerabilities; or to guide or take part in remediation at the request of the manager of the information system, the professional cyber security protection force shall request in writing the manager of the information system to suspend cyber security inspection. The request must clearly state the reason, purpose and time of suspension of cyber security inspection.

Article 17. Order and procedures for response to and remediation of cyber security incidents of information systems of national security importance

1. In case an information system of national security importance encounters cyber security incidents, the order and procedures for response to and remediation of the incidents are as follows:

a/ A professional cyber security protection force shall notify in writing the manager of the information system and provide the latter with guidance on temporary measures to prevent and handle cyber attacks, remedy consequences of cyber attacks and cyber security incidents.

In case of emergency, to make notification via telephone or other means before sending written notices;

b/ The manager of the information system of national security importance shall adopt measures under guidance and other suitable measures to prevent, handle and remedy consequences after receiving the notice, except the case specified at Point c of this Clause.

In case the handling of consequences falls beyond its capacity, the manager of the information system of national security importance shall promptly notify thereof to the professional cyber security protection force for coordination in responding to and remedying cyber security incidents;

c/ In case immediate reponse is needed to prevent consequences that are likely to cause harms to national security, the professional cyber security protection force shall decide to directly coordinate the response to and remedyiation of cyber security incidents.

2. Coordination of the response to and remediation of cyber security incidents by professional cyber security protection forces:

a/ Evaluating, and deciding on plans on response to and remediation of, cyber security incidents;

b/ Executing the response to and remediation of cyber security incidents;

c/ Assuming the prime responsibility for receiving, collecting, processing and exchanging information on response to and remediation of cyber security incidents;

d/ Mobilizing and coordinating with related domestic and foreign organizations and individuals in responding to and remedying cyber security incidents when necessary;

dd/ Designating a focal-point unit to coordinate with functional units of other countries or international organizations in responding to and handling transnational incidents based on international agreements or treaties to which Vietnam is a contracting member;

e/ Inspecting, supervising and urging related units to respond to and remedy cyber security incidents;

g/ Making records of the process of responding to cyber security incidents.

3. Organizations and individuals engaged in cyber security incident response and remediation shall implement measures and carry out activities to respond to and remedy incidents under the coordination of professional cyber security protection forces.

4. In cases involving defense of national security and social order and safety, telecommunications enterprises and Internet service providers shall arrange space, connection ports and necessary technical measures for the Department of Cyber Security and Hi-Tech Crime Prevention and Control under the Ministry of Public Security to perform the task of cyber security assurance. Telecommunications enterprises and Internet service providers shall coordinate with the Department of Cyber Security and Hi-Tech Crime Prevention and Control under the Ministry of Public Security in working out specific order and procedures therefor.

Article 18. Order and procedures for implementing measures to use cryptography to protect cyber information

1. Professional cyber security protection forces shall use encryption measures to protect cyberinformation when information and documents containing state secrets are transmitted in cyberspace. Encryption measures must meet requirements of the cipher law and the laws on protection of state secrets and cyber security.

2. In case of necessity for the reason of national security or social order and safety, or protection of lawful rights and interests of agencies, organizations and individuals, professional cyber security protection forces shall request in writing related agencies, organizations and individuals to encrypt information not classified as state secrets before storing or transmitting such information on the Internet. Such request must clearly state the reason and the to-be-encrypted contents.

Article 19. Order and procedures for implementing measures to request the removal of unlawful or false information in cyberspace that infringes upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals

1. Cases for application:

a/ When information in cyberspace is determined by a competent agency to contain contents infringing upon national security or propaganda contents opposing the State of the Socialist Republic of Vietnam, instigating riots or disrupting security or public order in accordance with law;

b/ When there are legal grounds to determine that information in cyberspace contains contents that humiliate or slander others, infringe upon economic management order; or fabricate or falsify information, thus causing public anxiety or seriously damaging socio-economic activities to an extent that it is necessary to request the removal of such information;

c/ Other information in cyberspace that contains the contents prescribed at Points c, dd, and e, Clause 1, Article 8 of the Law on Cyber Cecurity.

2. The Director of the Department of Cyber Security and Hi-Tech Crime Prevention and Control under the Ministry of Public Security and heads of competent agencies of the Ministry of Information and Communications shall:

a/ Decide to apply the measure of requesting the removal of unlawful or false information in cyberspace that infringes upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals under Clause 1 of this Article;

b/ Request in writting enterprises providing telecommunications network- or Internet-based services or value-added services in cyberspace and information system managers to remove unlawful or false information in cyberspace that infringes upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals under Clause 1 of this Article;

c/ Inspect the implementation of measures by requested subjects;

d/ Exchange and share information on the implementation of this measure, except cases involving state secrets or professional requirements of the Ministry of Public Security.

3. The professional cyber security protection force of the Ministry of National Defense shall decide to apply the measure of requesting the removal of unlawful or false information in cyberspace that infringes upon national security or military security under Clause 1 of this Article with regard to military information systems.

Article 20. Order and procedures for implementing the measure of collecting electronic data relating to activities in cyberspace that infringe upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals

1. Electronic data means information in the form of symbols, letters, numberals, images, sounds or the like.

2. The Director of the Department of Cyber Security and Hi-Tech Crime Prevention and Control under the Ministry of Public Security shall decide to apply the measure of collecting electronic data for investigation and handling of infringements of national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals in cyberspace.

3. The collection of electronic data relating to infringments of national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals must comply with law and concurrently meet the following requirements:

a/ The current state of digital devices and electronic data must be presereved;

b/ The copying and recording of electronic data must be carried out by using recognized verifiable equipment and software that can protect the integrity of electronic data stored in devices;

c/ The process of recovering and searching electronic data must be recorded in minues, images or videos and, when necessary, may be repeated until similar results are achieved for presentation at courts;

d/ Electronic data collectors must be full-time officers assigned with tasks of collecting electronic data.

4. Principles of copying and recovering electronic data relating to activities in cyberspace that infringe upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals:

a/ In case of necessity to copy or recover electronic data that are deemed having probative value or if wishing to copy or recover electronic data, the person performing the copying or recovery must have the competence therefor and obtain the competent authority’s decision in accordance with the law;

b/ The copying or recovery of electronic evidences must be recorded in writing; an independent third party may be invited to take part in, witness and certify this process when necessary.

5. The seizure  of devices for storing, transmitting and processing electronic data relating to activities in cyberspace that infringe upon national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals must comply with law.

6. The professional cyber security protection force under the Ministry of National Defense shall decide to apply the measure of collecting electronic data for investigation of violations and crimes in the cyberspace that affect information security and safety or infringe upon national security and military security.

Article 21. Order and procedures for implementing the measure of terminating, suspending or requesting the cessation of operation of information systems or revocation of domain names

1. Cases for application:

a/ There are documents proving that operation of the concerned information systems violates the laws on national security and cyber security;

b/ The concerned information systems are being used for the purpose of infringing upon national security or social order and safety.

2. The Minister of Public Security shall directly decide to terminate, suspend or request the cessation of operation of information systems or suspension or revocation of domain names involved in activities violating the law on cyber security.

3. The Director of the Department of Cyber Security and Hi-Tech Crime Prevention and Control under the Ministry of Public Security shall implement the decision on termination, suspension or request the cessation of operation of information systems or suspension or revocation of domain names.

4. The order and procedures for implementing the measure are as follows:

a/ To report on the application of the measure of terminating, suspending or requesting the cessation of operation of information systems or suspension or revocation of domain names;

b/ To decide to terminate, suspend or request the cessation of operation of information systems or suspension or revocation of domain names;

c/ To request in writting related agencies, organizations and individuals to terminate, suspend or request the cessation of operation of information systems; or request the Vietnam Internet Network Information Center to suspend or revoke domain names according to the law-prescribed order and procedures. The request must clearly state the reason, time, content and recommendations;

d/ In case of urgent need to timely prevent the operation of information systems so as to avoid harms to national security or to prevent possible adverse impacts, the Department of Cyber Security and Hi-Tech Crime Prevention and Control under the Ministry of Public Security shall send directly request agencies, organizations and individuals to terminate, suspend or request the cessation of operation of information systems or send a request therefor via fax or email;

The Department of Cyber Security and Hi-Tech Crime Prevention and Control under the Ministry of Public Security shall send a request for termination, suspension or request for the cessation of operation of information systems within 24 hours after making such request. Past the above-mentioned time limit, if no written decision is made, the information systems may continue to operate. Depending on the nature, severity and consequences caused by the delay in sending the request, the officer in charge of sending the request and related persons shall bear responsibility before law;

dd/ The termination, suspension or the request for cessation of operation of an information system must be recorded in a minutes which must clearly state the time, location and grounds of minutes and be made in 2 copies, one to be kept by the concerned competent functional agency and the other by the agency, organization or individual that owns/manages the information system;

e/ For the suspension or revocation of national domain names in the cases specified in Clause 1 of this Article, competent functional agencies shall request in writing the Vietnam Internet Network Information Center to suspend or revoke domain names according to the law-prescribed order and procedures.

5. In case of terminating, suspending or requesting cessation of operation of information systems without the  grounds specified in Clause 2 of this Article, heads or deputy heads of competent functional agencies and concerned officers shall bear responsibility before law and, if causing damage, pay compensation to related agencies, organizations and individuals in accordance with law.

Article 22. Responsibilities of agencies, organizations and individuals for implementing cyber security protection measures

1. Professional cyber security protection forces shall guide related agencies, organizations and individuals to comply with the order and procedures for applying a number of cyber security protection measures.

2. Agencies, organizations and individuals shall, within the ambit of their responsibilities and powers, timely coordinate with and assist professional cyber security protection forces in complying with the order and procedures for applying a number of cyber security protection measures.

3. In case cross-border service providers are declared by competent agencies as having violated Vietnam’s law, Vietnamese organizations and enterprises shall coordinate with competent functional agencies in deterring, preventing and handling acts of violations of the cross-border service providers.

4. All acts of taking advantage of or abusing cyber security protection measures to violate law shall, depending on the nature and severity of the violation, be handled in accordance with law; if causing damage to lawful rights and interests of organizations and individuals, compensation therefor must be paid in accordance with law.

5. For information systems not on the List of information systems of national security importance, the Ministry of Public Security, Ministry of National Defense, and Ministry of Information and Communications shall coordinate in jointly protecting cyber security and assuring cyberinformation security according to their assigned functions and tasks:

a/ The Ministry of Information and Communications shall act as a focal-point agency in charge of civil activities, except  the cases specified at Points b and c of this Clause;

b/ The Ministry of Public Security shall act as a focal-point agency in charge of activities concerning protection of national security, social order and safety, and cyber security, and prevention of and fight against cybercrimes, cyber terrorism and cyber espionages;

c/ The Ministry of National Defense shall act as a focal-point agency in charge of national defense activities in cyberspace.

Chapter IV

IMPLEMENTATION OF A NUMBER OF CYBER SECURITY PROTECTION ACTIVITIES BY STATE AGENCIES AND POLITICAL ORGANIZATIONS AT CENTRAL AND LOCAL LEVELS

Article 23. Formulation and improvement of regulations on use of computer networks of state agencies and political organizations at central and local levels

1. State agencies and political organizations shall formulate regulations on use and management of, and assurance of cyber security for, local area networks and Internet-connected computer networks under their management. The contents of the regulations on assurance of cyber security must comply with regulations on cyber security protection, protection of state secrets, standards and technical regulations on cyberinformation security, and other related specialized technical standards.

2. Regulations on use of, and assurance of cyber security for, computer networks of state agencies and political organizations at central and local levels must:

a/ Identify the information network system and important information which are prioritized for cyber security assurance;

b/ Specify prohibitions, principles of management and use of, and assurance of cyber security for, local area networks, ensuring that local area networks storing and transmitting state secrets are physically separated from Internet-connected computer networks, electronic equipment and means, and other cases comply with the law on protection of state secrets;

c/ Specify managerial, professional and technical processes in operation, use and assurance of cyber security for data and technical infrastructure, ensuring satisfaction of  basic requirements on assurance of safety for information systems;

d/ Specify conditions on personnel in charge of network administration, system operation, assurance of cyber security and information safety, and those involved in the creation, storage and transmission of state secrets via computer network systems.

dd/ Define responsibilities of each division, cadre and employee in the management and use of, and assurance of cyber security and information security for, computer network systems.

e/ Specify sanctions of violations of regulations on cyber security assurance.

Article 24. Formulation and improvement of plans on cyber security assurance for the information systems of state agencies and political organizations at central and local levels

1. Heads of state agencies and political organizations at central and local levels shall issue plans on cyber security assurance for the information systems under their management, ensuring synchronism, consistency, concentration and resource sharing to optimize the efficiency and avoid overlap investment.

2. Plans on cyber security assurance for information systems must cover:

a/ Regulations on cyber security assurance in the design and formulation of the information system, meeting basic managerial, technical and professional requirements;

b/ Cyber security appraisal;

c/ Cyber security inspection and assessment;

d/ Cyber security supervision;

dd/ Prevention, response to, and remediation of  cyber security incidents and dangerous circumstances;

e/ Risk management;

g/ Operation termination, exploitation, repair, liquidation and cancelation.

Article 25. Plans on response to, and remediation of, cyber security incidents of state agencies and political organization at central and local levels

1. Plans on response to, and remediation of, cyber security incidents cover:

a/ A plan on prevention and handling of information with propaganda contents opposing the State of the Socialist Republic of Vietnam; instigating riots or disrupting security or public order; humiliating or slandering; or infringing upon economic management order which is posted on the information systems;

b/ A plan on prevention and combat of cyber espionage; protection of information classified as state secrets, work secrets, business secrets, personal secrets, family secrets and privacy on the information systems;

c/ A plan on prevention of and fight against acts of using cyberspace, information technology or electronic devices to commit violations of the law on national security and social order and safety;

d/ A plan on cyber-attack prevention and fight;

dd/ A plan on cyber terrorism prevention and fight;

e/ A plan on prevention and handling of dangerous cyber-security circumstances.

2. Contents of a plan on response to, and remediation of, cyber security incidents

a/ General provisions;

b/ Assessment of cyber security threats and incidents;

c/ Plans on response to, and remediation of, a number of specific circumstances;

d/ Tasks and responsibilities of agencies in organizing, coordinating, handling, responding to, and remedying incidents;

dd/ Training and drilling for prevention, supervision, detection, and assurance of conditions for response to and remediation of, incidents;

e/ Solutions to ensure and organize the implementation of the plan and funds for implementation.

Chapter V

DATA STORAGE AND SETTING UP OF BRANCHES OR REPRESENTATIVE OFFICES IN VIETNAM

Article 26. Data storage and setting up of branches or representative offices in Vietnam

1. Data which must be stored in Vietnam include:

a/ Personal information of service users in Vietnam;

b/ Data created by service users in Vietnam, including user account, time of service use, credit card information, email address, IP address of the latest login and logout, and registered phone number linked with the user account or data;

c/ Data about the relationships of service users in Vietnam, including friends, groups with which the service users connect or interact.

2. Domestic enterprises shall store the data specified in Clause 1 of this Article in Vietnam.

3. Data storage and setting up of branches or representative offices in Vietnam of foreign enterprises:

a/ Foreign enterprises conducting business activities in Vietnam in one of the following fields: telecommunications services; data storage and sharing in cyberspace; provision of national or international domain names to service users in Vietnam; e-commerce; online payment; payment intermediary services; transport connection services via cyberspace; social networking and social media services; online video games; and services of providing, managing or operating other information in cyberspace in the form of messages, voice calls, video calls, emails or online chats, shall store the data specified in Clause 1 of this Article and set up their branches or representative offices in Vietnam in case the services they provide are used to commit acts of violating the law on cyber security and the Department of Cyber Security and Hi-Tech Crime Prevention and Control, the Ministry of Public Security, has notified and requested in writing the enterprises to coordinate in preventing, investigating and handling these violations but the enterprises fail to comply or incompletely comply with the request, or prevent, obstruct, disable, or deactivate the cyber security protection measures taken by the specialized cyber security protection forces;

b/ In case of force majeure events in which foreign enterprises cannot abide by the law on cyber security, they shall notify thereof to the Department of Cyber Security and Hi-Tech Crime Prevention and Control, the Ministry of Public Security, within 3 working days for the latter to verify the authenticity of the force majeure events. In this case, the enterprises will have 30 working days to find a solution.

4. In case enterprises do not collect, exploit, analyze or process all data specified in Clause 1 of this Article, they shall coordinate with the Department of Cyber Security and Hi-Tech Crime Prevention and Control, the Ministry of Public Security, for certification, and then store data types that are being collected, exploited, analyzed and processed.

In case enterprises collect, exploit, analyze and process other data in addition to those specified in Clause 1 of this Article, they shall coordinate with the Department of Cyber Security and Hi-Tech Crime Prevention and Control, the Ministry of Public Security, so as to add such data to the list of data which must be stored in Vietnam.

5. Forms of data storage in Vietnam shall be decided by enterprises.

6. The order and procedures for requesting data storage or setting up of a foreign enterprise’s branch or representative office in Vietnam:

a/ The Ministry of Public Security shall issue a decision requesting data storage or setting up of the branch or representative office in Vietnam;

b/ The Department of Cyber Security and Hi-Tech Crime Prevention and Control, the Ministry of Public Security, shall notify, guide, monitor, supervise and urge the concerned enterprise to comply with the request on data storage and setting up of the branch or representative office in Vietnam; and at the same time, notify thereof to related agencies for performing the state management according to their competence;

c/ Within 12 months after the Minister of Public Security issues the decision, the enterprise specified at Point a, Clause 3, Article 26 of this Decree must complete data storage and setting up of its branch or representative office in Vietnam.

7. The order and procedures for setting up of branches or representative offices in Vietnam must comply with the laws on business, commerce and enterprises and relevant regulations.

8. Enterprises that disobey this Article shall, based on the nature and severity of their violations, be handled in accordance with law.

Article 27. Data storage period and operational period of branches and representative offices in Vietnam.

1. The data storage period must comply with Article 26 of this Decree, starting from the time enterprises receive a request for data storage until the request ends. The storage period must be at least 24 months.

2. The operational period of an enterprise’s branch or representative office in Vietnam must comply with Article 26 of this Decree, starting from the time the enterprise receives a request for setting up a branch or representative office in Vietnam until the enterprise terminates its operation in Vietnam or no longer provides the specified services in Vietnam.

3. System logs serving the investigation and handling of violations of the law on cyber security specified at Point b, Clause 2, Article 26 of the Law on Cyber Security must be stored for at least 12 months.

Chapter VI

IMPLEMENTATION PROVISIONS

Article 28. Implementation funds

1. Funds for ensuring cyber security in activities of state agencies and political organizations at central and local levels shall be covered by the state budget.

2. Public investment funds for cyber security must comply with the Law on Public Investment. For public investment projects on building or expanding or upgrading information systems, investment funds shall be allocated in investment capital of the equivalent projects.

3. Funds for appraisal, supervision, inspection and assessment of cyber security conditions; and implementation of plans on cyber security assurance in state agencies and political organizations at local and central levels shall be balanced and allocated in the annual state budget estimates of such agencies and organizations as decentralized in the Law on the State Budget.

4. The Ministry of Finance shall guide the inclusion of funds for cyber security protection in the state budget estimates, and the management and use of recurrent expenditures for cyber security assurance of state agencies and organizations.

5. Based on the assigned tasks, state agencies and organizations shall make the estimation, manage, use and make account-finalization of funds for performing cyber security protection tasks in accordance with the Law on the State Budget.

Article 29. Effect

This Decree takes effect on October 1, 2022.

Article 30. Implementation responsibility

1. The Minister of Public Security shall urge, examine and guide the implementation of this Decree. Ministries, sectors and localities shall exchange any problems arising in the course of implementation of this Decree with the Ministry of Public Security for gathering and reporting to the Government for consideration, decision and modification.

2. Ministers, heads of ministerial-level agencies, heads of government-attached agencies, and chairpersons of provincial-level People’s Committees shall implement this Decree.-  

On behalf of the Government
For the Prime Minister
Deputy Prime Minister
VU DUC DAM

* The Appendix to this Decree is not translated.