Law on Cyberinformation Security

10/10/2016
Law on Cyberinformation Security marks an important event. This Law prescribes cyberinformation security activities, and rights and responsibilities of agencies, organizations and individuals in ensuring cyberinformation security; civil cryptography; standards and technical regulations on cyberinformation security; trading in the field of cyberinformation security; development of human resources for cyberinformation security; and state management of cyberinformation security.
The sending of information in cyberspace must meet the following requirements: Not forging the information sender source;Complying with this Law and other relevant laws.
Commercial information may not be sent to electronic addresses of recipients when the latter has not yet consented or has refused to receive, unless the recipients are obliged to receive information under law. Telecommunications enterprises, enterprises providing telecommunications application services and enterprises providing information technology services that send information shall: Comply with the law on storage of information and protection of personal information and private information of organizations and individuals; Take blocking and handling measures upon receiving notices of organizations or individuals that the sending of information is illegal; Offer recipients to refuse to receive information; Provide necessary technical and professional conditions upon request for competent state agencies to manage and ensure cyberinformation security.
An enterprise applying for a license for trading in civil cryptographic products and services shall submit a dossier of application for a license at the Government Cipher Committee. A dossier of application for a license for trading in civil cryptographic products and services shall be made in two sets, each comprising:
a/ An application for a license for trading in civil cryptographic products and services;
b/ A copy of the enterprise registration certificate, investment registration certificate or another paper of equivalent validity;
c/ Copies of information confidentiality and security diplomas or certificates of managerial, administration and technical staff members;
d/ A technical plan, consisting of papers on technical characteristics and specifications of products; standards or technical regulations of products; standards and quality of services; technical measures and solutions; and product warranty and maintenance plan;
dd/ A cyberinformation confidentiality and security plan in the course of management and provision of civil cryptographic products and services;
e/ A business plan, indicating the scope of provision and recipients of products and services, scale and quantity of products and services, customer service networks, and technical assurance.
Within 30 days after receiving a complete dossier, the Government Cipher Committee shall appraise it and grant a license for trading in civil cryptographic products and services; if refusing to grant a license, it shall issue a written notice clearly stating the reason. A license for trading in civil cryptographic products and services shall be valid for 10 years.
If wishing to export and import civil cryptographic products on the list of civil cryptographic products subject to export and import permit, an enterprise must obtain a permit for export and import of civil cryptographic products from a competent state agency. An enterprise shall be granted a permit for export and import of civil cryptographic products when fully meeting the following conditions:
a/ Possessing a license for trading in civil cryptographic products and services;
b/ Having to-be-imported civil cryptographic products certified and announced as conformable with regulations under Article 39 of this Law;
c/ Ensuring that users and use purposes of civil cryptographic products do not harm national defense and security or social order ad safety.
 A dossier of application for a permit for export and import of civil cryptographic  products must comprise:
a/ An application for a permit for export and import of civil cryptographic products;
b/ A copy of the license for trading in civil cryptographic products and services;
c/ A copy of the regulation conformity certificate, for civil cryptographic products to be imported.
Within 10 working days after receiving a complete dossier, the Government Cipher Committee shall appraise it and grant a permit for export and import of civil cryptographic products to the enterprise; if refusing to grant a license, it shall issue a written notice clearly stating the reason.
Cyberinformation security services include:Cyberinformation security testing and evaluation services; Information confidentiality services without using civil cryptography; Civil cryptographic services; E-signature certification services; Cyberinformation security counseling services; Cyberinformation security supervision services; Cyberinformation security incident response services; Data recovery services; Cyber-attack prevention and combat services; Other cyberinformation security services.
Cyberinformation security products include: Civil cryptographic products; Cyberinformation security testing and evaluation products; Cyberinformation security supervision products;Attack and hacking combat products; Other cyberinformation security products.
An enterprise that applies for a license for trading in cyberinformation security products and services shall submit a dossier of application at the Ministry of Information and Communications. A dossier of application for a license for trading in cyberinformation security products and services shall be made in five sets, each comprising:
a/ An application for a license for trading in cyberinformation security products and services, specifying types of cyberinformation security products and services to be traded;
b/ A copy of the enterprise registration certificate, investment registration certificate or another paper of equivalent validity;
c/ A written explanation of the technical equipment system compliant with law;
d/ A business plan specifying the provision scope, users and standards and quality of products and services;
dd/ Copies of information security diplomas or certificates of managerial, administration and technical staff members.
 In addition to the papers and documents mentioned in Clause 2 of this Article, a dossier of application for a license for provision of information security testing and evaluation services or information confidentiality services without using civil cryptography must comprise:
a/ Judicial record cards of the enterprise’s at-law representative and managerial, administration and technical staff members;
b/ A technical plan;
c/ A customer information confidentiality plan in the course of service provision.
Within 40 days after receiving a complete dossier, the Ministry of Information and Communications shall assume the prime responsibility for, and coordinate with related ministries and sectors in, appraising the dossier, and grant a license for trading in cyberinformation security products and services, except products and services mentioned at Points c and d, Clause 1, and Point a, Clause 2, Article 41 of this Law; if refusing to grant a license, it shall issue a written notice clearly stating the reason.
A license for trading in cyberinformation security products and services must have the following principal contents:
a/ Name of the enterprise and its transaction name in Vietnamese and a foreign language (if any); and its head office address in Vietnam;
b/ Name of the enterprise’s at-law representative;
c/ Serial number, date of grant and expiry date of the license;
d/ Cyberinformation security products and services licensed for trading.
An enterprise that is granted a license for trading in cyberinformation security products and services shall pay a fee in accordance with the law on charges and fees.
To import cyberinformation security products on the Government-prescribed list of cyberinformation security products subject to import permit, an enterprise shall obtain a permit for import of cyberinformation security products from a competent state agency.Before importing cyberinformation security products, organizations and enterprises must have them certified and announced as conformable with regulations under Article 39 of this Law. An organization or enterprise shall be granted a permit for import of cyberinformation security products when fully meeting the following conditions:
a/ Possessing a license for trading in cyberinformation security products;
b/ Having cyberinformation security products certified and announced as conformable with regulations under Article 39 of this Law;
c/ Ensuring that users and use purposes of cyberinformation security products do not harm national defense and security or social order and safety.
The Ministry of Information and Communications shall prescribe in detail the order, procedures and dossier for grant of a permit for import of cyberinformation security products.
Higher education institutions and vocational training institutions may grant cyberinformation security diplomas and certificates within the ambit of their tasks and powers.The Ministry of Education and Training shall assume the prime responsibility for, and coordinate with the Ministry of Information and Communications and related ministries and sectors in, recognizing diplomas of higher education in cyberinformation security granted by foreign organizations.The Ministry of Labor, War Invalids and Social Affairs shall assume the prime responsibility for, and coordinate with the Ministry of Information and Communications and related ministries and sectors in, recognizing diplomas and certificates of vocational training in cyberinformation security granted by foreign organizations.
This Law takes effect on July 1, 2016. The Government and competent state agencies shall detail the articles and clauses in the Law as assigned. This Law was passed on November 19, 2015, by the XIIIth National Assembly of the Socialist Republic of Vietnam at its 10th session