Database

A 2018 draft version of the Law on Cybersecurity requires that, before buying products and services for use in "Critical Systems", administrators of the critical systems must have the products and services reviewed by the competent agency under the Ministry of Public Security or by a professional organization authorized by this Ministry. However, the draft Law contains no detail on any review procedures, as well as on any objective criteria to establish whether a specific product or service is fit for use in critical systems. The definition of "Critical System" also remains unclear, including whether this term covers state-owned systems only or also private systems.

The draft Law introduced the concept of "cybersecurity assurance services" (CAS), which partially overlaps with the concept of cyber information security services under Article 41 of the Law on Cyber Information Security (LOCIS) (for more information on LOCIS, see entry in Chapter 11 on Quantitative Trade Restrictions). CAS includes cybersecurity services relating to audit, assessment, consultancy, supervision, prevention, and testing. A license from the Ministry of Public Security is required for the business of providing CAS. The draft Law further states that this law will prevail in cases of overlap with the LOCIS.

At this stage, since the full text of the law is not yet available, it is unclear whether this provision remains in the final version of the law due to come into force in January 2019.

Products such as desktops, laptop and portable computers, servers, PDA, router, switch, hub, gateway, optical transmission equipment, technical equipment, etc., are subject to certification and/or declaration procedure.

The procedure has to be performed in Vietnam or in one of the 57 foreign testing laboratories recognized by the Ministry of Information and Communications under the APEC-Tel Mutual Recognition Agreement for supporting certification and declaration activities.

Vietnam participates in relevant ISO and IEC standard-setting processes, is a full member of the ISO, and recent standards development processes have favored international standards. However, it is reported that legacy standards are based on national standards and many are still in use. This creates problems of clarity, especially for foreign companies.

The Ministry of Information and Communications (MIC) sets standardization policies, strategies and plans based on practical requirements and new technology trends. However, there is no ICT standards agency responsible for the development of ICT standards at national level and it is reported that there is not a forum where operators can discuss and combine standards before submitting to the regulator to issue technical regulation.

Vietnam’s Law on Cyber Information Security (“LOCIS”) came into effect 1 July 2016. The LOCIS imposes, inter alia, restrictions and conditions on entities engaging in the import, export and trade of various cyber information security (CIS) products with encryption capabilities. It has been reported that applications for import permits are cumbersome, and involve licenses, certificates of conformity, product specifications, copies of commercial invoices, and copies of commercial contracts or documentary evidence.

Automatic licensing regimes for imports of key consumer goods were re-introduced by the Vietnamese Ministry of Industry and Trade (MOIT) in January 2009 (Circular 17/2008/TT-BCT). On 28 May 2010, MOIT published Circular 24/2010/TT-BCT, which requires local importers to obtain an automatic import license from the government before any shipment can be unloaded at any Vietnamese port.
On 5 September 2011, MOIT issued Circular 32/2011/TT-BCT to amend the Circular 24/2010/TT-BCT. This Circular entered into force on 20 October 2011. The biggest revision under the new circular is that all 22 commodities mentioned in Annex 1 of Circular 24/2010/TT-BCT are now subject to automatic import licensing. There are only two exceptions, wire telephone sets (HS code 8517.11.00.00) and mobile phones (HS code: 8517.12.00.00). These are not subject to this automatic licensing regime.
So far, no complaints have been made in this regard, as the registration procedure by the MOIT is swift. However, once issued, the license is valid only for 30 days, which makes it difficult for companies to calculate when to introduce the request so that it will not expire before the goods arrive at port. The measure may therefore result in backlogs of products at ports, additional business costs and reduced availability of goods.
The circular

The US and the EU raised concerns at the WTO about the lack of transparency, the confusing nature and the legal uncertainty of Vietnam's import licensing regime.

On 17 July 2012, the Vietnamese Ministry of Information and Communications issued Circular No.11/2012/TT-BTTTT amending the list of used IT products that are banned from import (with limited exceptions). The following products have been added to the existing list:
- Parts and accessories to be used with machines including calculating machines, and data processing machines (HS 8473);
- Microphones and other speakers (HS 8518);
- Transmission apparatus for radio broadcasting or television (HS 8525);
- Radar and radio navigational apparatus (HS 8526);
- Reception apparatus for radio broadcasting (HS 8527);
- Certain projectors (HS 8528);
- Printed circuits (HS 8534);
- Thermionic, cold cathode or photo cathod valves and tubes (HS 8540);
- Electronic integrated circuits (HS 8542).

The list of banned second-hand IT goods for import already includes printing machinery (HS 8443), typewriters (including keyboards and word processing machines) (HS 8469), calculating machines (HS 8470), automatic data processing machines, magnetic/optical readers (HS 8471), telephone sets (HS 8517), Transmission appartus for radio broadcasting, cameras (HS 8525), monitors and projectors (HS 8528), insulated wires and cables (HS 8544).

Circular 31/2015/TT-BTTTT published effective 15 December 2015 extended the above ban and also provided additional guidelines for its implementation.

Vietnam currently prohibits commercial importation of some products, including encryption devices and encryption software. This applies despite Vietnam has agreed in its WTO Accession Protocol to the principle of no restriction or regulation on commercially traded goods equipped with encryption technology (Paragraph 218 of the October 200 Report of the Working Party on the Accession of Vietnam to the World Trade Organization).

Decree 72 contains a section (Section 2, Article 23 onwards) that applies only to social networks. It obliges social networks to prevent any information to be published that defames the state of Vietnam. Additionally, it provides that the establishment of an online social network requires a license from the Ministry of Information and Communication (MIC).

Clause 20.4 of the Decree bans personal blogs from providing “aggregated information”, which Vietnam’s Broadcast and Electronic Information Department has reportedly used as a justification to warn users not to “quote or share information from press agencies or websites of government agencies.” Personal webpage owners are only allowed to provide their own information and are prohibited from taking news from media agencies and using that information as if it were their own.

A 2017 draft version of the Law on Cybersecurity would require that foreign suppliers of telecom services and internet services to obtain operation licenses in order to provide their services in Vietnam. The concept of "telecom services" and "Internet services" are not defined. If "telecom services" and "Internet services" covered by the draft Law were too broad, the Law could be inconsistent with relevant WTO commitments, as the cross border supply of certain telecom services have been liberalised under Vietnam services schedule for WTO accession. Other requirements for these opertarors are to locate a "representative agency" in Vietnam and locate the server that manages Vietnamese users' data in the territory of Vietnam.

At this stage, since the full text of the law is not yet available, it is unclear whether this provision remains in the final version of the law due to come into force in January 2019.

While any Vietnamese firm can operate as an Internet Service Provider (ISP), only state-owned companies are allowed to operate as Online Service Providers or Internet Exchange Providers.

State regulation determines how Internet connectivity in Vietnam is organized and managed, and it is reported to facilitate Internet content filtering by limiting external access points that must be controlled.

Only Internet Exchange Points (IXPs) can connect to the Internet, while Online Service Providers (OSPs) and Internet Content Providers (ICPs) may connect to Internet Service Providers (ISPs) and IXPs.

Internet filtering happens at the Domain Name System (DNS) level, which means that instead of blocking a site, ISPs simply configure domain names to resolve to an invalid address or remove blocked websites from their DNS servers.

A draft version from 2017 of the Law on Cybersecurity would entitle the Ministry of Public Security to propose to the Government of Vietnam to cease the provision of cyber information at certain locations to respond to or remedy cybersecurity incidents for protecting national security, social safety, and order. This provision, if arbitrarily applied, could disrupt the flow of information.

At this stage, since the full text of the law is not yet available, it is unclear whether this provision remains in the final version of the law due to come into force in January 2019.

Art. 25 of Decree 72 sets the obligation of Internet Services Providers (ISPs) to coordinate with the State the removing or blocking of information that contains prohibited acts, which include: State opposition, undermining national security and social order, conducting propaganda; propagating obscenity, pornography and harming national traditions and customs; providing information offending organizations or individuals; and advertising banned good and services, banned newspapers, works and publications.

Various press reports have highlighted the controversial nature of Decree 72 and its wide scope regarding the capacity to block websites.