Decree 23/2025/ND-CP defining e-signatures and trust services
ATTRIBUTE
Issuing body: | Government | Effective date: | Known |
Official number: | 23/2025/ND-CP | Signer: | Nguyen Hoa Binh |
Type: | Decree | Expiry date: | Updating |
Issuing date: | 21/02/2025 | Effect status: | Known |
Fields: | Administration, Tax - Fee - Charge, Information - Communications |
THE GOVERNMENT | THE SOCIALIST REPUBLIC OF VIETNAM |
DECREE
Defining e-signatures and trust services
__________
Pursuant to the Law on Organization of the Government dated June 19, 2015; Law on Amending and Supplementing a Number of Articles of the Law on Organization of the Government and the Law on Organization of Local Administration dated November 22, 2019;
Pursuant to the Law on E-Transactions dated June 22, 2023;
Pursuant to the Law on Charges and Fees dated November 25, 2015;
At the request of the Minister of Information and Communications;
The Government promulgates the Decree defining e-signatures and trust services.
Chapter I
GENERAL PROVISIONS
Article 1. Scope of regulation
The Decree defines e-signatures and trust services, except for public duty-specialized digital signatures and authentication service for public duty-specialized digital signatures.
Article 2. Subjects of application
This Decree applies to agencies, organizations and individuals directly engaged in or related to e-signatures and trust services.
Article 3. Interpretation of terms
In this Decree, the terms below are construed as follows:
1. “Key” means a sequence of binary digits (0 and 1) used in cryptosystems.
2. “Digitally signing” means incorporating a private key into a software program for the automatic creation and attachment of a digital signature to a data message.
3. “Valid digital signature certificate” means a digital signature certificate which has not expired, or has not been suspended or revoked.
4. “Message digest” means a string of characters used to verify the integrity of the data message.
5. “Subscriber” means an agency, organization or individual that enters into a contract for provision and use of trust services with a trust service provider.
6. “Vietnam National Root Certification Authority” means the National Electronic Authentication Centre under the Ministry of Information and Communications.
7. “Authentication rules” refers to documents outlining the policies, processes, and procedures for grant and management of e-signature certificates or digital signature certificates, using specialized e-signatures for ensuring the safety, or trust services of Vietnam National Root Certification Authority, trust service providers, organizations creating specialized e-signatures to ensure safety.
8. “Service charge for maintenance of the inspection system of digital signature certificate status” means a sum of money for maintenance of the information system for inspection of digital signature certificate status for the public digital signature authentication service, timestamping service and data message authentication service.
9. “Means for private key storage” refers to a means containing a subscriber's private key.
Chapter II
E-SIGNATURES
Section 1
E-SIGNATURE CERTIFICATE
Article 4. E-signature certificate
E-signature certificates are classified as follows:
1. The digital signature certificate of the Vietnam National Root Certification Authority is the digital signature certificate granted by the Vietnam National Root Certification Authority to itself, corresponding to each type of trust service.
2. The digital signature certificate of a trust service provider is the digital signature certificate granted by the Vietnam National Root Certification Authority to the trust service provider, corresponding to each type of trust service, including: digital signature certificate for the timestamping service, digital signature certificate for the data message authentication service, digital signature certificate for the public digital signature authentication service.
3. Public digital signature authentication service means a digital signature certificate which is granted by a public digital signature authentication service provider to a subscriber.
4. Specialized e-signature certificate refers to an e-signature certificate granted by an agency or organization creating specialized e-signatures.
Article 5. Contents of e-signature certificates
Contents of an e-signature certificate include:
1. Information about the agency or organization creating the e-signature certificate.
2. Information about the agency, organization, or individual who is granted the e-signature certificate, including the name of the agency, organization, or individual; the identification code/number of the agency, organization, or individual, or the e-identity of the agency, organization, or individual granted the e-signature certificate, and any other necessary information (if any).
3. Code of the e-signature certificate.
4. Validity period of the e-signature certificate.
5. Data for verifying the e-signature of the agency, organization, or individual that is granted the e-signature certificate.
6. E-signature of the agency or organization creating the e-signature certificate.
7. The purpose and scope of use of the e-signature certificate.
8. The legal liability of the agency or organization granting the e-signature certificate.
Article 6. Contents of digital signature certificates
1. The digital signature certificate of the Vietnam National Root Certification Authority includes the following contents:
a) Name of the Vietnam National Root Certification Authority;
b) Code of the digital signature certificate;
c) Validity period of digital signature certificates;
d) Public key of the Vietnam National Root Certification Authority;
dd) Digital signature of the Vietnam National Root Certification Authority;
e) Use purpose and scope of the digital signature certificate;
g) Legal liability of the Vietnam National Root Certification Authority;
h) Asymmetric key algorithms.
2. The digital signature certificate of a trust service provider corresponding to each type of service includes the following contents:
a) Name of the organization issuing the digital signature certificate;
b) Name of the trust service provider;
c) Code of the digital signature certificate;
d) Validity period of the digital signature certificate;
dd) Public key of the trust service provider;
e) Digital signature of the organization granting the digital signature certificate;
g) Use purpose and scope of the digital signature certificate;
h) Legal liability of the trust service provider;
i) Asymmetric key algorithms.
3. A public digital signature certificate includes the following contents:
a) Name of the digital signature certificate issuer;
b) Name of the subscriber;
c) Code of the digital signature certificate;
d) Validity period of the digital signature certificate;
dd) Public key of the subscriber;
e) Digital signature of the digital signature certificate issuer;
g) Use purpose and scope of the digital signature certificate;
h) Legal liability of the public digital signature authentication service provider;
i) Asymmetric key algorithms.
Article 7. Validity period of e-signature certificates, digital signature certificates
1. The digital signature certificate of the Vietnam National Root Certification Authority is valid for 25 years.
2. Validity period of a digital signature certificate of a trust service provider:
a) A digital signature certificate for the timestamping service is valid for 5 years at most;
b) A digital signature certificate for the data message authentication service is valid for 5 years at most;
c) A digital signature certificate for the public digital signature authentication service is valid for 10 years at most.
3. A public digital signature certificate is valid for 3 years at most.
4. A specialized e-signature certificate, for cases where a specialized e-signature is secured by the specialized e-signature certificate, is valid for 10 years.
Article 8. Formats of e-signature certificates and digital signature certificates
Upon issuance and distribution of e-signature certificates and digital signature certificates, the agencies or organizations creating specialized e-signatures, trust service providers must comply with regulations on formats of e-signature certificates and digital signature certificates defined by the Minister of Information and Communications.
Section 2
SECURED SPECIALIZED E-SIGNATURES
Article 9. Secured specialized e-signatures
1. A secured specialized e-signature must meet all requirements specified in Clause 2 Article 22 of the Law on E-Transactions.
The specialized e-signature secured by the e-signature certificate of the creating agency or organization shall be considered to satisfy all requirements specified in Clause 2 Article 22 of the Law on E-Transactions.
2. A secured specialized e-signature is created by an agency or organization and used exclusively for its activities, in line with its functions and tasks, including:
a) Internal activities of the creating agency or organization;
b) Specialized or sectoral activities or related activities with similar operational characteristics or work objectives, linked through operation charters or documents specifying the organizational structure, forms of connection, and joint activities;
c) Activities of representing the agency or organization creating the specialized e-signature for transactions with other organizations or individuals.
3. The agencies or organizations creating specialized e-signatures shall be responsible before the law for the use of secured specialized e-signatures in accordance with Clause 2 of this Article.
Article 10. Dossiers of request for grant or re-grant of secured specialized e-signature certificates
1. A dossier of request for grant of a secured specialized e-signature certificate includes:
a) A written request for grant of a secured specialized e-signature certificate, made using the Form No. 01 in the Appendix issued together with this Decree;
b) A valid copy, including a copy issued from the original register or a certified copy, or a copy verified against the original of one of the following documents: an enterprise registration certificate, an investment registration certificate for foreign investors, a decision on establishment, or a document specifying the structure and organization, or other valid equivalent certificate or license in accordance with the laws on investment and enterprises;
c) Operation charter, documents specifying the structure, organization; and forms of connection and joint activities to prove the use of the secured specialized e-signature as stipulated in Clause 2, Article 9 of this Decree;
d) Documents proving that the creation of secured specialized e-signature fully meets the requirements defined in Clause 1, Article 9 of this Decree, made using the Form No. 03 in the Appendix issued together with this Decree;
dd) Authentication rules in accordance with Article 29 of this Decree.
2. A dossier of request for re-grant of a secured specialized e-signature certificate includes:
a) A written request for grant of a secured specialized e-signature certificate due to expiration, made using the Form No. 01 in the Appendix issued together with this Decree;
b) Documents proving that the creation of secured specialized e-signature fully meets the requirements defined in Clause 1, Article 9 of this Decree, made using the Form No. 03 in the Appendix issued together with this Decree;
c) Changes in the information in the dossier of certificate grant request as specified at Points b, c, and dd, Clause 1 of this Article;
d) A report on the implementation of the certificate from the date of grant to the date of request for re-grant, made using the Form No. 08 in the Appendix issued together with this Decree.
Article 11. Process for receiving and processing a dossier of request for grant or re-grant of a secured specialized e-signature certificate
1. The agency or organization shall prepare a dossier corresponding to the request for grant or re-grant as specified in Article 10 of this Decree.
2. The dossier can be submitted directly to the Ministry of Information and Communications, sent by post, or submitted via the online public service system (National Public Service Portal, https://dichvucong.gov.vn, or Public Service Portal of the Ministry of Information and Communications, https://dichvucong.mic.gov.vn).
3. The validity of dossiers shall be verified based on the following criteria:
a) The dossier is made in accordance with Clause 1 of this Article;
b) The dossier shall be made in Vietnamese. The dossier must have the seal of the agency or organization for confirmation, the certification seals for copies; printed documents prepared by the agency or organization with two or more pages must have seals appended on every two adjoining pages.
4. Within 7 working days from the date of receipt of the dossier of request for grant or re-grant of a secured specialized e-signature certificate, the Ministry of Information and Communications shall verify the validity of the dossier in accordance with Clause 3 of this Article.
a) If the dossier is not valid, the Ministry of Information and Communications shall send a written notice, clearly stating the reason;
b) In case the dossier is valid, the Ministry of Information and Communications shall request the coordination in the verification of the dossier with the Ministry of Public Security, the Government Cipher Committee, and relevant agencies and organizations. Within 15 days from the date of receiving the request for coordination in the verification of the dossier, the Ministry of Public Security, the Government Cipher Committee, and relevant agencies and organizations shall be responsible for replying in writing;
c) Within 20 days from the date of fully receiving the replies to coordination in the verification of the dossier as specified at Point b of this Clause, the Ministry of Information and Communications shall verify and assess the information system for creating and grant or re-grant the secured specialized e-signature certificate for the agency or organization. A secured specialized e-signature certificate shall be made using the Form No. 02 in the Appendix issued together with this Decree. In case of refusal to grant or re-grant of the certificate, the Ministry of Information and Communications shall send a written notice, clearly stating the reason. The secured specialized e-signature certificate of the agency or organization is valid for 10 years at most.
5. In case an agency or organization chooses to carry out the procedure for grant or re-grant of a secured specialized e-signature certificate in the electronic environment, the receipt and processing of the dossier shall comply with the Government's regulations on implementation of administrative procedures in the electronic environment, provision of online public services by state agencies on the internet, and the law on e-transactions, except for the case of actual assessment specified at Point c, Clause 4 of this Article.
6. In case the secured specialized e-signature does not meet one of the requirements defined in Clause 2, Article 22 of the Law on E-Transactions, the Ministry of Information and Communications shall revoke the secured specialized e-signature certificate and announce on the website (https://rootca.gov.vn/) that the specialized e-signature is not secured.
Section 3
DIGITAL SIGNATURES
Article 12. Public digital signatures
A public digital signature is a digital signature used in public activities, secured by a public digital signature certificate and fully meeting the requirements defined in Clause 3 Article 22 of the Law on E-Transactions.
Article 13. Digital signature certificates of agencies or organizations and competent persons of agencies or organizations
1. All agencies or organizations and competent persons of agencies or organizations that are established and operate in accordance with law regulations have the right to grant and distribute digital signature certificates.
2. A digital signature certificate granted to a competent person of an agency or organization must show the title of such person and the name of his/her agency or organization.
Article 14. Use of digital signatures and digital signature certificates of agencies or organizations and competent persons of agencies or organizations
1. Agencies or organizations and competent persons of agencies or organizations that are entitled to grant and distribute digital signature certificates under Article 13 of this Decree may use their digital signatures only for conducting transactions and operations according to the competence of agencies or organizations and titles of such entities.
2. The on-behalf or by-order signing made under law regulations by a person assigned or authorized to use his/her digital signature shall be construed as signing by the person holding the title shown in the digital signature certificate.
Article 15. Obligations of signers before digital signing
1. Before digital signing, signers shall follow the process of checking digital signature certificate validation status as follows:
a) To check the validation status of their digital signature certificates in the information systems of the creating agencies or organizations granting, distributing such digital signature certificates;
b) To check the validation status of digital signature certificates of the organizations creating, distributing their digital signature certificates on the trust service authentication system of the Vietnam National Root Certification Authority;
c) If the validation status of certificates as mentioned at Points 1 and 2 of this Clause is concurrently valid, the signers may perform the digital signing. If the validation status of certificates as mentioned at Points 1 and 2 of this Clause is invalid, the signers may not perform the digital signing.
2. Use digital signing software that meets the requirements defined in Article 17 of this Decree.
Article 16. Obligations of recipients upon receipt of a digitally signed data message
1. Before accepting a digital signature of a signer, a recipient shall check the following information:
a) The identification of digital signature validation status, scope of use, limits of liability, and information on the signer’s digital signature certificate must be carried out in accordance with law regulations on electronic identification and authentication;
b) The digital signature must be created by a private key corresponding to the public key on the signer’s digital signature certificate;
c) For digital signatures created by foreign digital signature certificates recognized in Vietnam, to check the validation status of digital signature certificates in both the trust service authentication system of the Vietnam National Root Certification Authority and the systems providing the e-signature authentication service of the foreign organizations.
2. Recipients shall follow the process of checking digital signature certificate validation status as follows:
a) To check the digital signature certificate validation status at the time of digital signing, scope of use, limits of liability, and other information on the digital signature certificate under Article 6 of this Decree in the information systems of the creating agencies or organizations granting, distributing such digital signature certificates;
b) In cases a signer uses a public digital signature certificate granted by a public digital signature authentication service provider: To check the validation status of the public digital signature certificate of the public digital signature authentication service provider distributing such public digital signature certificate at the time of digital signing in the trust service authentication system of the Vietnam National Root Certification Authority;
c) Digital signatures on data messages shall be valid only when the validation status of certificates mentioned at Points a and b of this Clause is concurrently valid.
3. Recipients shall take responsibility for their acceptance of digital signature certificates in the following cases:
a) Failing to comply with Clauses 1 and 2 of this Article;
b) Being aware of or having been notified of the suspension, revocation, or expiration of the digital signature certificate of the subscriber.
4. Use digital signature verification software that meets the requirements of Article 17 of this Decree.
Article 17. Requirements for digital signing software and digital signature verification software
1. Digital signing software and digital signature verification software must comply with technical standards for digital signatures on data messages; they must not use technical or technological barriers to restrict the verification of digital signature validity.
2. Digital signing software must have the following functions:
a) Function to authenticate the signer and perform digital signing;
b) Function to check the validity of the digital signature certificate, ensuring that the identification of information in the certificate has been carried out in accordance with law regulations on electronic identification and authentication; function to connect with the public digital signature authentication service portal;
c) Function to store and cancel the information accompanying the digitally signed data message;
d) Function to modify (add or remove) the digital signature certificate of the creating agency or organization granted and distributing the digital signature certificate;
dd) Function to notify (in writing or by symbol) the signer of the success or failure of the digital signing on the data message.
3. Digital signature verification software must have the following functions:
a) Function to check the validity of the digital signature on the data message;
b) Function to store and cancel the information accompanying the digitally signed data message;
c) Function to modify (add or remove) the digital signature certificate of the creating agency or organization granted and distributing the digital signature certificate;
d) Function to notify (in writing or by symbol) the validity or invalidity of the digital signature.
4. The Minister of Information and Communications shall define the technical requirements for the functions of digital signing software and digital signature verification software.
Chapter III
TRUST SERVICES
Section 1
PROVISION OF TRUST SERVICES
Article 18. Conditions for providing trust services
Enterprises are entitled to register one or more trust services. Upon registration of any trust service, enterprises must fully meet all the conditions specified in Clause 1, Article 29 of the Law on E-Transactions. The conditions specified at Points b, c, d, and dd, Clause 1, Article 29 of the Law on E-Transactions are detailed as follows:
1. Regarding financial conditions for handling risks and paying compensations for damage that may occur during the provision of services and for covering the costs of receiving and maintaining databases related to the provision of services, enterprises may choose one of the following options:
a) Make a deposit at a commercial bank in Vietnam applicable to one or more trust services. The deposit amount is 10 billion Vietnamese Dong for every 300,000 subscribers and must not be less than 10 billion Vietnamese Dong, provided that the enterprise does not collect subscribers’ advance payments for more than one year of use;
b) Purchase damage and liability insurance for the provision of trust services to ensure the rights of subscribers during the service provision period.
2. Conditions for management and technical personnel:
a) Human resources for system operation including administration, operation, information security and safety, access control, monitoring and inspection, digital signature certificate lifecycle management, and key lifecycle management;
b) Human resources for service provision including technical audit, confidentiality, grant, suspension, cancellation, installation, and maintenance; verification of subscriber identity (for the public digital signature authentication service and data message authentication service);
c) Personnel in charge of information security and safety, confidentiality possessing a university degree or higher in information security and having at least 2 years of relevant experience in the trained discipline;
d) Personnel in charge of administration, operation, technical audit, grant, suspension, cancellation, installation, and maintenance, monitoring, and inspection, key lifecycle management having a university degree or higher in information technology or in training disciplines related to information technology, and at least 2 years of relevant experience in the trained discipline.
3. The technical plan for provision of services applicable to all types of trust services must include the following contents:
a) Complying with standards, technical regulations, and technical requirements on digital signatures, digital signature certificates; trust services; cyberinformation security, and cyber security;
b) Storing subscriber information in an adequate and accurate manner, and updating it; updating the list of valid, suspended, and revoked digital signature certificates; ensuring that subscribers may access and use the Internet online round the clock;
c) Ensuring that each key pair is randomly generated and unique; with a feature of ensuring that the private key is kept confidential when its corresponding public key is known;
d) Warning about, preventing and detecting illegal access in the electronic environment;
dd) The component for managing the lifecycle of digital signature certificates is designed to minimize direct interaction with the electronic environment and is independent from systems not serving trust services;
e) The information system must ensure cyberinformation security of grade 3 or higher grade and protection of personal data in accordance with law regulations on cyberinformation security and cyber security;
g) Control of access, rights of system access and physical access to equipment locations;
h) Backup solutions to maintain the safe and continuous operation and respond to incidents, processes for data backup, online data backup, data recovery, and the ability to recover data within 8 working hours at the latest from the time the system has an incident; the backup center shall be at least 20 kilometers away from the main data center and ready to operate when the main system has an incident;
i) The information system providing services must be located in Vietnam;
k) Authentication rules in accordance with Article 29 of this Decree.
4. Regarding the public digital signature authentication service, a technical plan must meet requirements defined in Clause 3 of this Article and the following contents:
a) The system distributing keys to subscribers must ensure integrity and security of key pairs. In case of distributing keys via the computer network, the key distribution system must use security protocols ensuring no information disclosure in transmission links;
b) Information provision solutions (digital signature certificate, regular and ad-hoc reports as required) via electronic means to the Vietnam National Root Certification Authority, serving the task of state management.
5. Regarding the timestamping service and data message authentication service, a technical plan must meet the requirements specified in Clause 3 of this Article and the following contents:
a) Timing sources in accordance with law regulations on the national standard timing sources;
b) Information provision solutions (message digest, event log, regular and ad-hoc reports as required) via electronic means to the Vietnam National Root Certification Authority, serving the task of state management.
Article 19. Dossiers of request for grant, re-grant, modification and extension of licenses for trust service provision
1. A dossier of request for grant of a license for trust service provision comprises:
a) A written request for grant of a license for trust service provision, made using the Form No. 04 in the Appendix issued together with this Decree, clearly stating type of trust service to be operated;
b) A valid copy, including a copy issued from the original register or a certified copy, or a copy verified against the original of one of the following documents: an enterprise registration certificate, an investment registration certificate for foreign investors, a decision on establishment, or other valid equivalent certificate or license in accordance with the laws on investment and enterprises;
c) Documents proving the satisfaction of the financial conditions prescribed in Clause 1, Article 18 of this Decree;
d) Management and technical personnel records, including: judicial records, certified copies of university degrees or higher of the management and technical personnel as stipulated in Clause 2, Article 18 of this Decree, a description of the relevant jobs and experience corresponding to the positions of management and technical personnel, labor contracts, and assignment decisions;
dd) Technical plan for providing services in accordance with each type of trust service to ensure compliance with Clauses 3, 4, and 5 of Article 18 of this Decree;
e) Authentication rules in accordance with Article 29 of this Decree.
2. A dossier of request for re-grant of a license for trust service provision comprises:
a) A written request for re-grant of a license due to the expiration of the original license, made using Form 05 in the Appendix to this Decree;
b) Documents proving the satisfaction of the financial conditions prescribed in Clause 1, Article 18 of this Decree;
c) Information about the enterprise’s changes (if any) related to the business conditions prescribed in Article 29 of the Law on E-Transactions;
d) A report on the implementation of the license from the date of grant to the date of request for re-grant, made using the Form No. 08 in the Appendix issued together with this Decree.
3. A dossier of request for modification of a license for trust service provision comprises:
a) A written request for modification of license, made according to Form No. 05 in the Appendix issued together with this Decree;
b) A report describing in detail the proposed changes and the related documents.
4. A dossier of request for extension of a license for trust service provision comprises:
a) A written request for extension of the license for trust service provision of the enterprise due to the expiration of the original license, made using the Form No. 05 in the Appendix issued together with this Decree;
b) Documents proving the satisfaction of the financial conditions prescribed in Clause 1, Article 18 of this Decree;
c) A report on the implementation of the license from the date of grant to the date of request for extension, made using the Form No. 08 in the Appendix issued together with this Decree.
Article 20. Process for receiving a dossier of request for grant, re-grant, modification or extension of a license for trust service provision
1. An enterprise shall make a dossier corresponding to the request for grant, re-grant, modification or extension of a license for trust service provision as defined in Article 19 of this Decree.
2. The dossier can be submitted directly to the Ministry of Information and Communications, sent by post, or submitted via the online public service system (National Public Service Portal, https://dichvucong.gov.vn, or Public Service Portal of the Ministry of Information and Communications, https://dichvucong.mic.gov.vn).
3. The validity of dossiers shall be verified based on the following criteria:
a) The dossier is made in accordance with Clause 1 of this Article;
b) The dossier shall be made in Vietnamese. The dossier must have the seal of the agency or organization for confirmation, the certification seals for copies; printed documents prepared by the agency or organization with two or more pages must have seals appended on every two adjoining pages.
4. Within 7 working days from the date of receipt of the dossier of request for grant, re-grant, modification or extension of a license for trust service provision, the Ministry of Information and Communications shall verify the validity of the dossier in accordance with Clause 3 of this Article.
a) If the dossier is not valid, the Ministry of Information and Communications shall send a written notice, clearly stating the reason;
b) In case the dossier is valid, the Ministry of Information and Communications shall consider and handle it in accordance with Article 21 of this Decree.
5. In case the enterprise chooses to carry out the procedure for grant, re-grant, modification or extension of a license for trust service provision in the electronic environment, the receipt and processing of the dossier shall comply with the Government's regulations on implementation of administrative procedures in the electronic environment, provision of online public services by state agencies on the internet, and the law on e-transactions, except for the case of actual assessment specified in Clauses 1 and 2 Article 21 of this Decree.
Article 21. Process for processing a dossier of request for grant, re-grant, modification or extension of a license for trust service provision
1. Regarding a dossier of request for grant of a license for trust service provision
a) Within 7 working days from the date of receiving a valid dossier, the Ministry of Information and Communications shall request the coordination in the verification of the dossier with the Ministry of Public Security, the Government Cipher Committee, and relevant agencies and organizations. Within 20 days from the date of receiving the request for coordination in the verification of the dossier, the Ministry of Public Security, the Government Cipher Committee, and relevant agencies and organizations shall be responsible for replying in writing;
b) Within 20 days from the date of fully receiving the replies to coordination in the verification of the dossier as specified at Point a of this Clause, the Ministry of Information and Communications shall verify and grant the license, using the Form No. 06 in the Appendix issued together with this Decree. In case of refusal to grant the license, the Ministry of Information and Communications shall issue a written notice, clearly stating the reason;
c) Within 1 year from the grant of the license, the trust service provider must implement the conditions stipulated in Article 18 of this Decree; submit a report on the implementation of trust service provision activities, made using the Form No. 07 in the Appendix issued together with this Decree;
d) The digital signature certificate shall be granted or re-granted to the trust service provider within 30 days from the date of receipt of the report specified at Point c of this Clause, based on the actual assessment of the system operation process and authentication rules; the compliance of the trust service information system with the dossier of request for license grant, and witnessing of the creation of the key pair (private key and public key) by the trust service provider. In case of refusal, the Vietnam National Root Certification Authority must issue a written notice, clearly stating the reason.
2. Regarding a dossier of request for re-grant of a license for trust service provision
a) In case of wishing to continue providing the service, the enterprise must request the re-grant of the license at least 90 days before the expiration date of the license;
b) Within 10 days from the date of receiving a valid dossier, the Ministry of Information and Communications shall request the coordination in the verification of the dossier with the Ministry of Public Security, the Government Cipher Committee, and relevant agencies and organizations. Within 20 days from the date of receiving the request for coordination in the verification of the dossier, the Ministry of Public Security, the Government Cipher Committee, and relevant agencies and organizations shall be responsible for replying in writing;
c) Within 15 days from the date of fully receiving the replies to coordination in the verification of the dossier as specified at Point a of this Clause, the Ministry of Information and Communications shall verify the dossier and re-grant the license, based on the satisfaction of business conditions defined in Article 18 of this Decree and actual assessment of results of the trust service provision of the enterprise. In case of refusal to re-grant the license, the Ministry of Information and Communications shall send a written notice, clearly stating the reason.
3. Regarding a dossier of request for modification of a license for trust service provision
a) An enterprise changing its head office address or transaction name must request the modification of its license;
b) Within 07 working days after receiving a complete and valid dossier, the Ministry of Information and Communications shall verify the dossier and grant a modified license to the enterprise. In case of refusal, the Ministry of Information and Communications shall issue a written reply, clearly stating the reason. The validity period of a modified license is the remaining period of the original license.
4. Regarding a dossier of request for extension of a license for trust service provision
a) In case the trust service business license remains valid for at least 60 days before its expiration but is in the process of division, splitting, consolidation or merger and has not been subject to handling of administrative violation in trust service provision activities within the past 12 months until the date of submitting the dossier of request for extension, the enterprise wishing to extend its trust service provision license must submit a request for extension;
b) Within 30 days from the date of receiving a complete and valid dossier, the Ministry of Information and Communications shall grant the extended license, using the Form No. 06 in the Appendix issued together with this Decree. In case of refusal to grant an extended license, the Ministry of Information and Communications shall issue a written reply, clearly stating the reason. The validity period of an extended license is no more than 1 year from the expiration date of the license.
Article 22. Suspension of licenses
1. A trust service provider shall have its license suspended for no more than 06 months in one of the following cases:
a) Providing services other than those stated in the license;
b) Failing to satisfy one of the business conditions specified in Article 18 of this Decree from the commencement of service provision;
c) Failing to fully and accurately declare and pay the service charge for maintenance of the inspection system of digital signature certificate status in accordance with law regulations on charges and fees for more than 6 months.
2. Procedures for suspension of licenses, suspension of digital signature certificates
a) The Ministry of Information and Communications shall arrange a meeting and make working minutes with the trust service provider in any of the cases specified in Clause 1 of this Article. Within 7 working days from the issuance of the minutes, the Ministry of Information and Communications shall consider and issue a decision on suspension of the license;
b) Within 5 working days, the Vietnam National Root Certification Authority shall suspend the digital signature certificate of the trust service provider and publish the information on the website (https://rootca.gov.vn/) in the event that the license for trust service provision is suspended or the trust service information system fails to meet the technical audit requirements.
3. Within the suspension period, if a trust service provider can remediate the reasons for the suspension, the Ministry of Information and Communications shall permit the trust service provider to resume its service provision; and restore the digital signature certificate within 7 working days from the date the reason for suspension is resolved.
Article 23. Revocation of licenses
1. A trust service provider shall have its license revoked in one of the following cases:
a) It no longer wishes to provide services;
b) It is dissolved or terminates its operation;
c) It is declared bankrupt by a court decision;
d) It is subject to merger or consolidation;
dd) Within 1 year from the date of grant of the license, the trust service provider fails to implement the requirements specified in Article 18 of this Decree, except for force majeure events or objective obstacles as defined by law regulations on which the trust service provider has reported in writing to the Ministry of Information and Communications;
e) It engages in forgery of documents in the dossier of request for grant, extension, or re-grant of a license, or erases or modifies the content of its granted license;
g) It fails to remedy the reason for suspension as specified in Clause 1, Article 22 of this Decree after the suspension period set by the competent agency;
h) It engages in prohibited acts defined in Article 6 of the Law on E-Transactions.
2. The procedure for revoking a license for trust service provision of a trust service provider shall be carried out as follows:
a) The Ministry of Information and Communications shall arrange a meeting and make working minutes with the trust service provider in any of the cases specified in Clause 1 of this Article. Within 30 days from the issuance of the minutes, the Ministry of Information and Communications shall consider and issue a decision on revocation of the license, while requiring the trust service provider to: immediately stop entering into contracts for provision of trust services; transfer the following relevant records and databases related to the provision of services to another trust service provider as agreed upon or as designated by the Ministry of Information and Communications:
Regarding the public digital signature authentication service: Subscriber information, subscriber records, digital signature certificate data (including the list of published digital signature certificates, the entire list of revoked digital signature certificates during the service provision period);
Regarding the data message authentication service: Subscriber information, subscriber records, recipient and sender confirmation information (based on the registered subscriber information); information on the time of sending and receiving the data message; data message; message digest;
Regarding the timestamping service: Subscriber information, subscriber records, message digest to serve verification.
b) Within 5 working days, the Vietnam National Root Certification Authority shall revoke the digital signature certificate of the trust service provider and publish the information on its website (https://rootca.gov.vn/) in one of the following cases: its license for trust service provision is revoked; its digital signature certificate has expired; a competent agency issues a written request for revocation; the trust service provider submits a written request for revocation, clearly stating the reason for revocation.
3. The enterprise shall not be granted a license for a period of 3 years from the date its license is revoked due to violations of the provisions specified at Points dd, e, and g, Clause 1 of this Article.
4. The Ministry of Information and Communications shall monitor and guide the handover between trust service providers to ensure the uninterrupted provision of services to subscribers; require the trust service provider whose license has been revoked to complete the procedures for insurance or deposit to address risks and compensation issues, and to pay the costs related to receiving and maintaining the database of information related to the provision of services.
Section 2
PROVISION OF TRUST SERVICES
Article 24. Timestamping service
The timestamping service provided by the trust service provider includes the following activities:
1. Attaching time information to data messages; the time information attached to the data message is the date and time when a timestamping service provider receives such data message.
2. Providing necessary information to authenticate the data message of the subscriber that has the information on date, month, year, and time attached to the data message.
3. Storing and managing information about service users.
4. Granting, extending, suspending, restoring, and revoking accounts of subscribers.
5. Maintaining online the data on service user information and granted timestamps.
Article 25. Data message authentication service
1. Data message authentication service includes:
a) Storage and certification of the integrity of data messages;
b) Secured sending and receipt of data messages.
2. The service of storage and certification of the integrity of data messages includes:
a) Storage and management of information about service users (service usage identification data, service usage authentication data);
b) Storage of data regarding the proof of the sender’s identity that has been verified;
c) Storage of activity logs of the secured sending/receipt service, the verification of the identity of the sender and recipient, and the exchange of information or data between the sender and recipient;
d) Storage of proof of the recipient's identity verification before sending;
dd) Assurance of the integrity of information in the data message during transmission;
e) Provision of reference information or the listing of the entire process, content of sending/receipt of data messages, and any modifications (if any), accompanied by the timestamp.
3. The service of secured sending and receipt of data messages includes:
a) Sender authentication;
b) Recipient authentication before sending the data;
c) Sending and receipt of data secured by the digital signature of the qualified trust service providers;
d) Notification to the data sender and recipient of any changes to the data necessary for the sending or receipt process;
dd) Attachment of a timestamp to the sending and receipt of the data message.
Article 26. Public digital signature authentication service
1. The public digital signature authentication service is the service provided by public digital signature authentication service providers in order to authenticate the signer on the data message, ensuring non-repudiation of the signer for the data message and ensuring the integrity of the signed data. The public digital signature authentication service includes:
a) Public digital signature authentication service based on the model of digital signing on devices storing private keys using hardware devices;
b) Public digital signature authentication service based on the model of digital signing on mobile devices;
c) Public digital signature authentication service based on the model of remote digital signing.
2. The public digital signature authentication service provided by a trust service provider includes the activities specified in Articles 35, 36, 37, 38, 39, 40, 41, 42, 43, and 44 of this Decree.
Article 27. Technical audit
1. Technical audit is an independent and objective assessment activity of the service provision processes and information system to determine compliance with mandatory technical standards, technical regulations, and technical requirements for secured e-signatures, secured e-signature certificates, digital signatures, digital signature certificates, and trust services.
2. The Ministry of Information and Communications shall define regulations on technical audit as specified in Clause 1 of this Article, in compliance with the laws on standards and technical regulations.
Article 28. Equipment management codes
1. The equipment management code is a string of numbers, letters, or symbols used to identify equipment in the trust service information system as specified in Clause 2 of this Article, for the purpose of state management.
A management code includes the following information fields: name, configuration, and serial number of the equipment; location of the equipment; and the function of the equipment.
2. Equipment in the trust service information system to be tagged with the management code includes servers, equipment involved in the lifecycle management of digital signature certificates, equipment storing private keys, storage equipment, and network and security equipment.
3. Grant of management codes
a) The method of implementation is guided and the registration is conducted automatically through the online public service system (National Public Service Portal, https://dichvucong.gov.vn, or the Public Service Portal of the Ministry of Information and Communications, https://dichvucong.mic.gov.vn, or the Public Service Portal of National Electronic Authentication Centre, https://neac.gov.vn);
b) The registration and attachment of management codes must occur before the system begins providing trust services and immediately upon any change of the attached equipment;
c) The deadline for grant of a management code: within 8 working hours from the receipt of the automated notification of completed registration.
4. The trust service providers shall be responsible for registering management codes and attaching the automatically granted management codes to the equipment in accordance with Clause 2 and Clause 3 of this Article.
Article 29. Model authentication rules
1. Model authentication rules must include at least the following contents: policies regarding e-signature certificates, scope, purpose of use, recipients of issuance, and requirements for the lifecycle of e-signature certificates/digital signature certificates.
2. The Ministry of Information and Communications shall promulgate the model authentication rules in accordance with Clause 1 of this Article.
3. The Vietnam National Root Certification Authority, trust service providers, and organizations creating secured specialized e-signatures shall be responsible for formulating, publicizing, and implementing the authentication rules based on the model authentication rules. Any changes to the information in the authentication rules must be notified in writing to the Ministry of Information and Communications (National Electronic Authentication Centre).
Article 30. Interconnection with the Vietnam National Root Certification Authority
The interconnection of the Vietnam National Root Certification Authority with the public digital signature authentication service providers, and with the public duty-specialized digital signature authentication service provider, as well as the updating of the status of foreign e-signature certificates into the trust service authentication system, must meet the following requirements as prescribed by the Ministry of Information and Communications:
1. The information system must ensure the ability to verify the status of e-signature certificates, digital signature certificates, and verify the validity status of digital signatures.
2. The information system must include tools and measures to protect data and authenticate data during the interconnection process.
3. Technical conditions for interconnection, connection for provision of information to verify the status of e-signature certificates, digital signature certificates, and verify the validity status of digital signatures are required.
Article 31. Responsibilities of trust service providers
1. To fulfill the responsibilities as stipulated in Article 30 of the Law on E-Transactions, the laws on cyberinformation security, cyber security, and protection of personal data.
2. To conduct technical audit every 2 years.
3. In case of being subject to suspension, the trust service providers shall be responsible for maintaining the database system related to the public digital signature certificates issued until the digital signature certificates are restored.
4. In case of being subject to suspension, the trust service providers shall be responsible for maintaining the database and information related to the service provision activities until the digital signature certificates are restored.
Article 32. Responsibilities of organizations and individuals upon application of timestamping, verification of timestamps of data messages, and development of timestamping application software
1. In case authentication of the time of signing of a data message is required, the recipient must verify the timestamp attached to the data message, and the related timestamp information must be granted by a trust service provider licensed to provide the timestamping service.
2. The recipient must use verification software tools and verification procedures that meet the standards and technical regulations for timestamping or verify the timestamp both on the trust service authentication system of the Vietnam National Root Certification Authority and the information system of the trust service provider.
3. The recipient must bear responsibility for accepting the timestamp in the following cases:
a) Failing to comply with Clauses 1 and 2 of this Article;
b) Being aware of or having been notified of the suspension, revocation, or expiration of the digital signature certificate of the trust service provider for timestamping service on the website https://rootca.gov.vn/.
Article 33. Responsibilities of the Vietnam National Root Certification Authority
1. To build, manage, exploit, and develop the national electronic authentication infrastructure; to manage and provide services to trust service providers, agencies, organizations granted with secured specialized e-signature certificates, organizations and individuals using digital signatures, digital signature certificates, foreign e-signature authentication service providers, and agencies, organizations, individuals using e-signatures, and e-signature certificates recognized in Vietnam.
2. To publish and update the following information on the website https://rootca.gov.vn/: list of trust service providers, agencies and organizations granted with secured specialized e-signature certificates, foreign e-signature authentication service providers, foreign e-signatures, and e-signature certificates recognized in Vietnam; authentication rules; list of valid, expired, suspended, or revoked digital signature certificates, and other necessary information.
3. To coordinate activities of troubleshooting for digital signature authentication and electronic authentication services, timestamping service, and other services as regulated by the law on e-transactions; to update and store accurate and complete information required for authentication as prescribed by law.
4. To evaluate the actual operation process of the trust service information system, authentication rules, the compliance of the trust service information system with the dossiers of request for license grant, the creation of secured specialized e-signatures, and to witness the creation of private and public key pairs by the trust service providers.
5. To grant digital signature certificates, to create key pairs for itself, and to grant, suspend, or revoke digital signature certificates for trust service providers as specified in Chapter III of this Decree: The Vietnam National Root Certification Authority plays the role and has the rights and obligations like a trust service provider as prescribed in Chapter III of this Decree. Trust service providers play the role and have the rights and obligations like subscribers as prescribed in Chapter III of this Decree.
6. To collect, manage, and use the service charge for maintenance of the inspection system of digital signature certificate status in accordance with the law regulations on charges and fees.
7. To research, build, manage, operate the system to test, verify, assess, calibrate, and measure the standards and quality of specialized products and services related to e-signatures and trust services in accordance with the law regulations on e-transactions.
8. To verify compliance with the requirements for secured specialized e-signatures and adherence to the conditions for trust service provision.
9. To implement international cooperation activities on e-signatures and trust services; to coordinate and assist relevant agencies and organizations in integrating trust services into information technology applications to ensure authentication and security.
Section 3
PROVISION OF PUBLIC DIGITAL SIGNATURE AUTHENTICATION SERVICES
Article 34. Dossiers of request for issuance of public digital signature certificates
1. A written request for issuance of a public digital signature certificate in paper or electronic form, made using the template of the public digital signature authentication service provider.
2. Attached documents comprise:
a) For an individual: a personal paper, including citizen’s identity card, identity card, electronic identity, identity certificate, or level-2 electronic identification accounts or a valid passport; a valid entry visa or documents proving exemption from the entry visa requirement (for foreign individuals);
b) For an organization: establishment decision, or decision defining the functions, tasks, powers and organizational structure, or enterprise registration certificate, or investment certificate, or business household registration certificate, along with the personal paper of the organization's at-law representative, including the citizen’s identity card or identity card, identity certificate, level-2 electronic identification account, or passport; or the organization's electronic identification account.
3. Individuals and organizations have the right to submit a copy from the original register, a certified copy, an electronic copy, or a copy together with the original for comparison, or use a level-2 electronic identification account in accordance with law on electronic identification and authentication.
In case of presenting the original for comparison, the public digital signature authentication service provider must certify the copy and take responsibility for the accuracy of the copy compared to the original. Consular legalization of documents granted by foreign competent agencies shall comply with law regulations. In case of electronic copies in the dossier, the public digital signature authentication service provider must adopt solutions and technology to collect, verify, and compare, ensuring that the electronic copies contain complete and accurate contents matching the information in the original as prescribed by law regulations.
4. In case an individual or the at-law representative of an organization provides or uses information in his/her citizen’s identity card, identity card, electronic identity or identity certificate, or information in the individual’s level-2 electronic identification account or information in the organization’s electronic identification account, the public digital signature authentication service provider (that has obtained a written approval for connection with the electronic identification and authentication system in accordance with law regulations on electronic identification and authentication, or has sufficient devices for reading data in electronic chips or data of level-2 electronic identification accounts) shall exploit the data in electronic chips or data of the individual’s level-2 electronic identification account or the organization’s electronic identification account without requesting the individual or the at-law representative of the organization to submit the papers specified in Clause 2 of this Article.
Article 35. Request for issuance of public digital signature certificates
1. An organization or individual that wishes to request the issuance of public digital signature certificates shall prepare a dossier as defined in Article 34 of this Decree and submit it directly, by post, or by electronic means to the public digital signature authentication service provider.
2. When receiving the request dossier from the organization or individual, the public digital signature authentication service provider must verify and compare the documents in the dossier and process as follows:
a) If the documents in the dossier of request for issuance of digital signature certificate are complete, legal, valid, and the details provided in the written request for issuance fully match the documents in the dossier, the public digital signature authentication service provider shall issue the public digital signature certificate to the organization or individual in accordance with Clause 3 of this Article;
b) If the documents in the dossier of request for issuance of digital signature certificate are not complete, legal, valid, or the details provided in the written request for issuance of public digital signature certificate do not match the documents in the dossier of request for issuance of public digital signature certificate, the public digital signature authentication service provider shall notify the organization or individual to complete the dossier;
c) In case the public digital signature authentication service provider refuses to issue the public digital signature certificate, it must inform the organization or individual.
3. After completing the verification and comparison of the information for identifying the organization or individual, the public digital signature authentication service provider shall enter into a contract and issue a public digital signature certificate to the subscriber in accordance with Article 38 of this Decree.
4. The issuance of the public digital signature certificate through electronic means shall comply with Article 36 of this Decree.
5. The issuance of the public digital signature certificate for an organization or individual with whom the public digital signature authentication service provider has established a relationship and completed the identification and verification of identification information of the organization or individual is decided by the public digital signature authentication service provider provided that all information and documents required in the dossier of request for issuance of public digital signature certificate are complete as specified in Article 34 of this Decree.
Article 36. Issuance of public digital signature certificates by electronic means
1. A public digital signature authentication service provider issuing public digital signature certificates by electronic means must develop, promulgate, and disclose the procedures and processes for issuing digital signature certificates by electronic means in accordance with this Article, the laws on e-transactions, and relevant law regulations on information security, cyber security, and personal data protection. The issuance of the public digital signature certificate must include at least the following steps:
a) Collecting information about the dossier of request for issuance of public digital signature certificate as defined in Article 34 of this Decree;
b) Carrying out checking, comparison, and verification of the identification information of the organizations or individuals;
c) Warning the organizations or individuals about prohibited acts during the issuance and use of the public digital signature certificate by electronic means;
d) Providing the organizations or individuals with the contract’s contents and entering into the contract with the organizations or individuals.
2. The public digital signature authentication service provider shall decide by itself on measures, forms and technologies to identify and verify an organization or individual for the purpose of issuance of public digital signature certificates by electronic means; take responsibility for arising risks (if any) and meet at least the following requirements:
a) To have solutions and technology for collection, verification, and comparison, ensuring the consistency of identification information of the organization or individual and biometric data of the at-law representative of the organization or the individual (i.e., biological factors and characteristics that are linked to the at-law representative of the organization or the individual to be identified, difficult to be forged, and rarely match with those of another person, such as fingerprints, face, iris, voice and other biometric factors) with the corresponding biometric information and factors stated in personal papers of the at-law representative of the organization or the individual defined in Clause 2 Article 34 of this Decree, and ensuring correct identification of the entity and performing identity authentication in accordance with the law regulations on electronic identification and authentication;
b) To adopt technical measures to certify the identified organization or individual’s consent to the contract contents;
c) To formulate a process of risk management, control and assessment, including measures to prevent acts of impersonating, intervening, altering or falsifying the verification of identification information of the organization or individual before, during, and after issuing the digital signature certificate to the subscriber; in case risks, discrepancies, or suspicious signs are detected between the identification information of the organization or individual and biometric factors of such organization or individual, or if suspicious transactions are detected during the digital signing process, the public digital signature authentication service provider must promptly refuse or suspend the public digital signature certificate and re-verify the identification information of the organization or individual. The process of risk management and control shall be regularly reviewed and revised based on the updated information and data during the process of service provision;
d) To store and preserve complete and detailed identification information and data of the organization or individual by time during the issuance of the public digital signature certificate and the use of public digital signature authentication services, such as: the identification information of the organization or individual; biometric factors of the at-law representative of the organization or individual; sound, images, video recordings, sound recordings; phone numbers used to make transactions; and transaction log. Information and data must be stored safely, securely, backed up, ensuring the completeness and integrity of data to serve the work of checking, comparing, resolving inquiries, complaints, disputes, and providing information upon request from competent state management agencies. The storage duration shall comply with the law regulations on archives and protection of personal information.
Article 37. Creation, distribution and management of keys to subscribers
1. Organizations or individuals that apply for issuance of a public digital signature certificate may themselves create a key pair or request in writing a public digital signature authentication service provider to create a key pair for them.
2. In case the applicant creates a key pair by itself/himself/herself, the public digital signature authentication service provider must ensure that such applicant has used key pair creation devices in accordance with mandatory technical regulations and technical standards applied for creating and storing key pairs.
3. In case the public digital signature authentication service provider creates the key pair, it must ensure that it safely hands over the private key to the applicant and may store a copy of the private key when so requested in writing by the applicant.
4. In case the public digital signature authentication service provider operates based on the model of remote digital signing, such provider may store the private key of the organizations or individuals requesting the issuance of public digital signature certificate and must use secure methods for storage.
5. Regarding key management activities, the public digital signature authentication service provider has the following responsibilities:
a) In case of detecting a sign that the private key of a subscriber is revealed or no longer intact, or any error that might badly affect the interests of a subscriber, to promptly notify it to such subscriber and at the same time apply timely preventive and remedial measures;
b) To warn subscribers to change their key pairs when necessary to ensure the highest reliability and safety for the key pairs;
c) To restore the means for private key storage upon the subscriber's request.
Article 38. Issuance of public digital signature certificates to subscribers
1. A public digital signature authentication service provider shall issue a public digital signature certificate to a subscriber after checking and ensuring that:
a) The information in the subscriber’s dossier of request for issuance of public digital signature certificate is accurate;
b) The public key in the to-be-granted public digital signature certificate is unique and goes in pair with the private key of the applicant.
2. A public digital signature certificate shall be granted only to the applicant and must have the information details prescribed in Article 6 of this Decree.
3. A public digital signature authentication service provider may announce the public digital signature certificate granted to a subscriber in its database on public digital signature certificates only after obtaining the subscriber’s certification of the accuracy of information in such digital signature certificate; the announcement shall be made within 24 hours after obtaining the certification, unless otherwise agreed upon.
4. A public digital signature authentication service provider shall ensure safety throughout the course of creation and handover of public digital signature certificates to subscribers.
Article 39. Extension of public digital signature certificates for subscribers
1. Before its/his/her public digital signature certificate expires, a subscriber may request extension of such certificate.
2. When receiving a subscriber’s request for extension, the public digital signature authentication service provider shall complete procedures for extension of the public digital signature certificate before it expires and must ensure correct identification of the entity and identity authentication of the subscriber in accordance with the law regulations on electronic identification and authentication.
3. In the case of extension of the public digital signature certificate with a change in the public key, the subscriber must submit a request, clearly specifying the reason; the creation, distribution of keys, and announcement of the extended public digital signature certificate must be carried out in accordance with Article 37 and Article 38 of this Decree.
Article 40. Change of key pairs for subscribers
If wishing to change its/his/her key pair, a subscriber shall make a written request for the change. The creation and distribution of keys and announcement of public digital signature certificates with new public keys must comply with Articles 37 and 38 of this Decree.
Article 41. Suspension or recovery of public digital signature certificates of subscribers
1. A subscriber’s public digital signature certificate shall be suspended in the following cases:
a) The subscriber makes a written request for the suspension, which has been verified by a public digital signature authentication service provider as containing accurate information;
b) Risks, discrepancies, or suspicious signs are detected between the identification information of the organization or individual and biometric factors of such organization or individual, or suspicious transactions are detected during the digital signing process or errors being likely to affect the interests of subscribers and service recipients are detected;
c) The subscriber being an organization suspends all business operations;
d) The suspension is requested by a proceedings-conducting body or public security agency or the Ministry of Information and Communications;
dd) The suspension is effected in accordance with the conditions for suspension of public digital signature certificates specified in the contract between the subscriber and public digital signature authentication service provider.
2. In case of grounds for suspending a public digital signature certificate as defined in Clause 1 of this Article, the public digital signature authentication service provider shall suspend the certificate and, at the same time, notify the suspension to the subscriber and announce the suspension as well as starting and ending dates of the suspension period in the database on public digital signature certificates.
3. The public digital signature authentication service provider shall restore the suspended public digital signature certificate when grounds for suspension no longer exist or when the suspension period expires or at request of the competent state agency.
Article 42. Revocation of public digital signature certificates of subscribers
1. A subscriber’s public digital signature certificate shall be revoked in the following cases:
a) The subscriber makes a written request for the suspension, which has been verified by a public digital signature authentication service provider as containing accurate information;
b) The subscriber being an individual has died or is declared by the court as missing or the subscriber being an organization is dissolved or falls bankrupt under law;
c) The revocation is requested by a proceedings-conducting body or public security agency or the Ministry of Information and Communications;
d) The revocation is effected in accordance with the conditions for revocation of public digital signature certificates specified in the contract between the subscriber and public digital signature authentication service provider.
2. When having grounds for revocation defined in Clause 1 of this Article, a public digital signature authentication service provider shall revoke the public digital signature certificate and, at the same time, notify such revocation to the subscriber and make an announcement thereof in the database on public digital signature certificates.
Article 43. Information provision
1. Information disclosure:
A public digital signature authentication service provider shall publicize the following information and keep it public round the clock on its website:
a) Its authentication rules and digital signature certificate;
b) A list of valid, suspended and revoked public digital certificates of subscribers;
c) Other necessary information as prescribed by law regulations.
2. To update information:
A public digital signature authentication service provider shall update the information specified in Clause 1 of this Article within 24 hours after a change occurs.
3. To provide information:
A public digital signature authentication service provider shall provide online and in real time to the Vietnam National Root Certification Authority information on the numbers of valid, suspended and revoked public digital signature certificates to serve the state management of the public digital signature authentication service.
4. To store information:
a) A public digital signature authentication service provider shall be responsible for ensuring that the receiving places, software, and applications for requesting the issuance of public digital signature certificates fully comply with the regulations on subscriber information authentication and storage; and shall be entirely responsible before the law for ensuring that the subscriber information is authenticated, stored, and managed in compliance with regulations at such receiving places, software, and applications;
b) The public digital signature authentication service provider shall be responsible for building a trust service information system, a centralized subscriber information database to enter, store, and manage subscriber information throughout subscribers’ service usage period, including: information about the dossiers of request for issuance of public digital signature certificates as defined in Article 34 of this Decree, the start date of service usage, and the end date of service usage for subscribers who have terminated their service; for the latter, the provider must continue to store the subscriber information in the database under the archives law for at least 2 years.
The public digital signature authentication service provider shall be responsible for storing all information related to the suspension or revocation of licenses and databases of subscriber information and public digital signature certificates under the archives law for at least 5 years, starting from the date the licenses were suspended or revoked, or not re-granted.
c) The public digital signature authentication service provider shall be responsible for connecting its centralized subscriber information database with the database of the Ministry of Information and Communications to serve the state management of e-transactions; connecting with the National Population Database for referencing and verifying subscriber information to ensure accurate identification of the entity and perform identity verification in accordance with the law regulations on electronic identification and authentication;
d) The public digital signature authentication service provider shall be responsible for providing complete information; proving that the subscriber information in its centralized database has been compared, verified, entered, stored, and managed in accordance with law regulations.
Article 44. Connection to the public digital signature authentication service portal
1. Public digital signature authentication service providers shall be responsible for connecting to the public digital signature authentication service portal.
2. Information systems serving e-transactions that use digital signatures must be integrated with the public digital signature authentication service portal to ensure the authenticity, integrity, and non-repudiation of the data message.
3. The Ministry of Information and Communications shall guide in detail the connection specified in Clauses 1 and 2 of this Article.
Article 45. Rights and responsibilities of subscribers using public digital signature authentication services
1. To request their public digital signature authentication service providers to provide information as stated in the concluded contracts in written form.
2. To request their public digital signature authentication service providers to suspend or revoke the granted digital signature certificates and take responsibility for such request.
3. To provide truthful and accurate information under regulations to their public digital signature authentication service providers. In case of any change in the information provided, the subscribers shall be responsible for notifying their public digital signature authentication service providers to make changes to the content of their public digital signature certificates.
4. To ensure that equipment used for the creation of the key pair complies with compulsory technical regulations and standards if a subscriber creates a key pair for himself/herself/itself.
5. To control and use their private keys in a safe manner throughout the validity and suspension periods of their public digital signature certificates.
6. If detecting that their private keys have been revealed, stolen or illegally used, to notify the relevant public digital signature authentication service provider thereof within 24 hours so that the latter can take handling measures.
7. After having agreed to allow public digital signature authentication service providers to publicize their public digital signature certificates under Clause 3, Article 38 of this Decree or after having issued those certificates to others for transaction purposes, subscribers shall be regarded as having committed with recipients that they are lawful holders of private keys corresponding to public keys on such public digital signature certificates and that subscriber-related information on those certificates is true; they shall, at the same time, perform obligations in relation to such public digital signature certificates.
8. To take responsibility before law if violating Clause 3, 4, 5, 6 or 7 of this Article and other relevant law regulations.
Chapter IV
IMPLEMENTATION PROVISIONS
Article 46. Effect
1. This Decree takes effect on April 10, 2025.
2. Decree No. 130/2018/ND-CP dated September 27, 2018 of the Government, on detailing the Law on E-Transactions regarding digital signatures and digital signature authentication services, and Decree No. 48/2024/ND-CP dated May 9, 2024 of the Government, on amending and supplementing a number of articles of the Government’s Decree No. 130/2018/ND-CP of September 27, 2018, on detailing the Law on E-Transactions regarding digital signatures and digital signature authentication services shall cease to be effective from the effective date of this Decree, except for cases defined in Article 47 of this Decree.
Article 47. Transitional provisions
1. In case an organization is granted a license for public digital signature authentication service provision in accordance with legal documents detailing the Law No. 51/2005/QH11 on E-Transactions that remain effective, the payment of service charge for maintaining the system checking digital signature certificate validation status shall comply with current law regulations on charges and fees until the competent agency promulgates the replacing document.
2. Organizations granted a license for trust service provision that provide public digital signature authentication services from the effective date of the Law No. 20/2023/QH15 on E-Transactions must pay the service charge for maintenance of the inspection system of digital signature certificate status, similar to the service charge for maintaining the system checking digital signature certificate validation status in accordance with the current law regulations on charges and fees, until the competent agency promulgates the replacing document.
3. For new services under the Law No. 20/2023/QH15 on E-Transactions, for which there are no regulations on collection of charges, no charges shall be collected until the competent agency promulgates a document specifying the collection of such charges.
4. Except for public digital signature authentication service providers that choose to comply with the Law No. 20/2023/QH15 on E-Transactions, public digital signature authentication service providers that are legally operating must, within 2 years from the effective date of this Decree, be responsible for reviewing and upgrading their information systems and management and technical personnel to satisfy the requirements defined in this Decree.
5. The grant of digital certificates under the licenses for provision of public digital signature authentication service that have been granted before the effective date of the Law No. 20/2023/QH15 on E-Transactions and are still valid on the date when the Law No. 20/2023/QH15 on E-Transactions takes effect shall be carried out once. The validity period of the granted digital signature certificate is 5 years at most and shall not exceed the remaining term of the license.
6. Application software that integrates digital signing software and digital signature verification software within 2 years from the effective date of this Decree must be reviewed and upgraded to satisfy the requirements defined in Article 17 of this Decree.
7. In case administrators of information systems serving e-transactions use their digital signatures in transactions, they shall take responsibility for reviewing and upgrading the information systems and application software to integrate digital signing software, digital signature verification software in compliance with Article 17 of this Decree.
Article 48. Implementation responsibility
Ministers, heads of ministerial-level agencies, heads of government-attached agencies, chairpersons of People’s Committees at all levels, and other related agencies, organizations and individuals shall implement this Decree.
ON BEHALF OF THE GOVERNMENT
FOR THE PRIME MINISTER
DEPUTY PRIME MINISTER
Nguyen Hoa Binh
* All Appendices are not translated herein.