Number | 53/2022/ND-CP |
Document type | Decree |
Issuing body | Government |
Date of issue | 15/08/2022 |
Signed by | Vũ Đức Đam |
Effective date | |
Status |
THE GOVERNMENT OF VIETNAM
SOCIALIST REPUBLIC OF VIETNAM
No. 53/2022/ND-CP
Hanoi, August 15, 2022
DECREE
ELABORATING A NUMBER OF ARTICLES OF THE LAW ON CYBERSECURITY OF VIETNAM
Pursuant to the Law on Organization of the Government of Vietnam dated June 19, 2015; the Law on Amendments to the Law on Organization of the Government of Vietnam and the Law on Organization of the Local Government of Vietnam dated November 22, 2019;
Pursuant to the Law on National Cybersecurity of Vietnam dated December 3, 2004;
Pursuant to the Law on National Cybersecurity of Vietnam dated June 12, 2018;
Pursuant to the Law on Cybersecurity of Vietnam dated November 19, 2015;
At the request of the Minister of Public Security of Vietnam;
The Government of Vietnam hereby promulgates the Decree on elaborating a number of Articles of the Law on Cybersecurity of Vietnam.
...
...
...
GENERAL PROVISIONS
Article 1. Scope
This Decree elaborates on Points a, b, c, d, dd, g, i, k, l Clause 1 Article 5, Clause 4 Article 10, Clause 5 Article 12, Clause 1 Article 23, Clause 7 Article 24, Clauses 2, 4 Article 26, and Clause 5 Article 36 of the Law on Cybersecurity of Vietnam, including:
1. Measures to protect cybersecurity; appraise cybersecurity; assess cybersecurity criteria; test cybersecurity; supervise cybersecurity; respond to and remedy cybersecurity incidents; use codes to protect cyber information security; request the removal of illegal information or false information in cyberspace infringing on national security, social order and safety, and legitimate rights and benefits of agencies, organizations, and individuals; collect data related to acts of infringing on national security, social order and safety, and legitimate rights and benefits of agencies, organizations, and individuals in cyberspace; suspend, temporarily suspend, or request the termination of operations of information systems and revoke domain names.
2. Bases and procedures for establishment and cooperation between Ministries and central authorities with functions related to the appraisal, assessment, inspection, supervision, response, and remedy to cybersecurity incidents regarding major national security information systems.
3. Cybersecurity criteria for major national security information systems.
4. Contents of the implementation of cybersecurity protection activities in state agencies and political agencies at the central or local level.
5. Procedures for cybersecurity testing regarding information systems of agencies, organizations, and individuals that are not included in the list of major national security information systems according to cases prescribed in Clause 1 of Article 24.
6. The storage of data and establishment of branches or representative offices in Vietnam for enterprises is prescribed in Clause 3 of Article 26.
...
...
...
Article 2. Interpretation of terms
For the purpose of this Decree, the following terms shall be construed as follows:
1. “Data on personal information” is data on information in the form of symbols, letters, numbers, images, sounds, or equivalences to identify an individual.
2. "Service users" are organizations and individuals using services in cyberspace.
3. "Service users in Vietnam" are organizations and individuals using cyberspace in the territory of the Socialist Republic of Vietnam.
4. “Data on relationships of service users” is data on information in the form of symbols, letters, numbers, images, sounds, or equivalences reflecting and identifying relationships of service users with other people in cyberspace.
5. "Data created by service users in Vietnam" is data on information in the form of symbols, letters, numbers, images, sounds, or equivalences reflecting the process of participating, operating, and using cyberspace of service users and information on devices and network services used for connection with cyberspace in the territory of the Socialist Republic of Vietnam.
6. “Services on the telecommunications network” are telecommunications services and services that apply telecommunications according to the law.
7. “Services on the Internet” are internet services and services that provide content via the Internet according to the law.
...
...
...
9. Cybersecurity protection forces include:
a) Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam;
b) The Department of Military Security Protection, General Political Department, and Cyber Command of the Ministry of National Defense of Vietnam.
10. Governing bodies of major national security information systems are agencies and organizations competent to directly manage such major national security information systems, including:
a) Ministries, ministerial agencies, and governmental agencies;
b) People’s Committee of provinces and centrally affiliated cities;
c) Central political organizations;
d) Authorities competent to decide on the investment in projects on construction, establishment, upgrade, and extension of major national security information systems.
11. "Domestic enterprises" are enterprises that are established or registered for establishment according to laws of Vietnam with their headquarters located in Vietnam.
...
...
...
Chapter II
ESTABLISHMENT OF LISTS, COOPERATIVE MECHANISMS, AND CYBERSECURITY CRITERIA FOR THE PROTECTION OF MAJOR NATIONAL SECURITY INFORMATION SYSTEMS
Section 1. ESTABLISHMENT OF THE LIST OF MAJOR NATIONAL SECURITY INFORMATION SYSTEMS
Article 3. Bases for establishment of major national security information systems
Major national security information systems are information systems of state agencies and political organizations of the Socialist Republic of Vietnam, including:
1. Major national information systems according to regulations of the Law on Cybersecurity of Vietnam.
2. Information systems that serve the direction and operation of major works related to national security according to the law.
3. Information systems that serve the direction, operation, and control of activities of major telecommunications works related to national security according to the law.
4. Information systems of fields prescribed in Clause 2 Article 10 of the Law on Cybersecurity of Vietnam, when there is a breakdown, intrusion, hijacking, falsification, interruption, disruption, paralysis, attack, or sabotage, will cause one of the following consequences:
...
...
...
b) Severe consequences to the national defense, security, and foreign affairs, weakening the capacity to defend and protect the Vietnam Fatherland;
c) Severe consequences to the national economy;
d) Severe disasters to the human life and ecological environment;
dd) Severe consequences to activities of construction works at special levels according to the decentralization of laws on construction;
e) Severe consequences to activities of the planning of guidelines and policies within the scope of state confidentiality;
g) Serious influence on the directive and direct operation of CPV agencies and agencies of the State at central levels.
Article 4. Application for inclusion of information systems in the List of major national security information systems
1. The governing body of an information system shall conduct the review and comparison with regulations prescribed in Clause 4 Article 3 of this Decree and apply for the inclusion of the information system under its management in the List of major national security information systems.
2. Regarding information systems included in the List of major national security information systems:
...
...
...
b) In cases prescribed in Point a Clause 2 of this Article, the governing body of a major national security information system is not required to apply for the inclusion of such system in the List of major national security information systems;
c) The Ministry of Public Security of Vietnam shall include major national security information systems in the List of major national security information systems according to the prescribed order and procedures; notify governing bodies of such information systems of the information systems eligible for inclusion in the List of major national security information systems, and perform other equivalent responsibilities.
3. During the appraisal of information systems on their level of information safety, if such information systems are eligible for inclusion in the List of major national security information systems, the Ministry of Information and Communications of Vietnam shall transfer applications of such information systems for inclusion in the List of major national security information systems to the Ministry of Public Security for appraisal.
4. Cybersecurity protection forces shall, based on their functions and assigned tasks, review information systems with qualifications in accordance with regulations prescribed in Article 3 of this Decree and request governing bodies of such information systems to apply for inclusion of their information systems in the List of major national security information systems.
5. An application for inclusion of an information system in the List of major national security information systems includes:
a) A written request for inclusion of the information system in the List of major national security information systems (Form No. 1 of the Appendix);
b) A document on the provision of the list of the whole information system of the agency or organization (Form No. 2 of the Appendix);
c) Enclosed proving documents, including: documents describing and explaining the overview of the information system; construction design documents approved by competent authorities or equivalences; documents proving the suitability with the criteria for inclusion in the List of major national security information systems; documents explaining solutions to protect information systems (plans for assurance of network infrastructure safety; server security; application security; database security; management policies; organization, personnel; management of design, construction; management of operation; inspection, assessment, and management of risks).
6. The application for inclusion of the information system in the List of major national security information systems shall be made into 1 original copy and sent to:
...
...
...
b) The Cyber Command of the Ministry of National Defense of Vietnam regarding military information systems.
c) The Cipher Department of the Government of Vietnam regarding cipher information systems of the Cipher Department of the Government of Vietnam.
7. Agencies that receive applications prescribed in Clause 6 of this Article shall respond to suggestions on the received applications in writing (Form No. 3 of the Appendix).
Article 5. Appraisal of applications for inclusion of information systems in the List of major national security information systems
1. The Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam shall appraise applications for inclusion of information systems in the List of major national security information systems as prescribed by regulations, excluding cases prescribed in Clause 2 and Clause 3 of this Article.
2. The Cyber Command of the Ministry of National Defense of Vietnam shall provide guidelines on the making, receipt, and appraisal of applications for inclusion of military information systems in the List of major national security information systems.
3. The Cipher Department of the Government of Vietnam shall appraise applications for inclusion of information systems of the Cipher Department of the Government of Vietnam in the List of major national security information systems.
4. An Appraisal Council of applications for inclusion of information systems in the List of major national security information systems:
a) The Appraisal Council is required for major national security information systems related to many fields or when the appraisal process needs suggestions from many Ministries and relevant authorities;
...
...
...
c) The Appraisal Council shall appraise the safety level of an information system and the application for inclusion of such information system in the List of major national security information systems.
5. Meeting results of the Appraisal Council shall be generally used for work of cybersecurity and cyber information security.
6. In case of requirement for verification of information in applications and the actual state of the information systems mentioned in such applications, appraisal agencies prescribed in Clauses 1, 2, and 3 of this Article shall organize actual surveys and testing to appraise applications for inclusion of information systems in the List of major national security information systems. The actual survey and testing time shall not exceed 20 days.
Survey results shall be recorded in writing and certified by appraisal agencies and governing bodies of such information systems.
7. Governing bodies shall cooperate and facilitate the appraisal, survey, testing, and supplement of applications at the request of appraisal agencies.
8. Time and procedures for appraisal of applications:
a) The appraisal time of applications is 30 days from the receipt date of valid applications for inclusion of information systems in the List of major national security information systems or from the end date of the survey process prescribed in Clause 6 of this Article;
b) The time for confirmation of valid applications is 3 working days after receiving the adequate applications for inclusion of information systems in the List of major national security information systems;
c) At the end of the appraisal time, appraisal agencies shall finalize documents and send them to the Minister of Public Security of Vietnam, Minister of National Defense of Vietnam for suggestions for presentation of such documents to the Prime Minister of Vietnam to request the promulgation and update of decisions according to their functions and assigned tasks. At the same time, notify the governing bodies of information systems of the appraisal results in writing (Form No. 4 of the Appendix);
...
...
...
9. The Ministry of Public Security of Vietnam shall take charge and cooperate with the Ministry of National Defense of Vietnam and the Cipher Department of the Government of Vietnam in agreeing on the mechanism for requesting the Prime Minister of Vietnam to promulgate Decisions on the establishment and update of the List of major national security information systems.
Article 6. Exclusion of information systems from the List of major national security information systems
1. The governing body of a major national security information system shall apply for exclusion of such information system from the List of major national security information systems if the governing body detects that such information system fails to satisfy the bases prescribed in Article 3 of this Decree.
2. Annually, cybersecurity protection forces shall, based on their functions and tasks, review and detect information systems that fail to comply with regulations prescribed in Article 3 of this Decree and request the related governing bodies to apply for exclusion of such information systems from the List of major national security information systems.
3. An application for exclusion of an information system from the List of major national security information systems includes:
a) A written request for exclusion of the information system from the List of major national security information systems (Form No. 5 of the Appendix);
b) Other necessary documents directly related to the application for exclusion of the information system from the List of major national security information systems.
4. Order, procedures, and competency to consider and decide on the exclusion of information systems from the List of major national security information systems shall comply with regulations on the order, procedures, and competency to consider and decide on the inclusion of information systems in the List of major national security information systems.
Article 7. Cooperation in appraising, assessing, inspecting, supervising, responding to, and remedying incidents of major national security information systems
...
...
...
2. Principles of cooperation
a) Application of regulations of laws on cybersecurity and cyber information security to the appraisal, assessment, inspection, supervision, response, and remedy for incidents of major national information systems;
b) In case cooperation between many relevant parties is required, the Ministry of Public Security of Vietnam, the Ministry of National Defense of Vietnam, and the Cipher Department of the Government of Vietnam shall, based on the Law on Cybersecurity, take charge and cooperate with the Ministry of Information and Communications and Ministries and central authorities related to the organization of the appraisal, assessment, inspection, supervision, response, and remedy for incidents of major national security information systems according to their functions and assigned tasks;
c) The cooperation process shall ensure compliance with treaties and regulations of international organizations to which Vietnam is a signatory, the Law on Cybersecurity, and relevant laws in a proactive, regular, and timely manner that is in line with assigned functions, tasks, and entitlements.
3. Methods of cooperation
a) The Ministry of Public Security shall request relevant Ministries and central authorities to appoint their members to participate in the appraisal, assessment, inspection, supervision, response, and remedy for incidents of major national security information systems in writing;
b) Relevant Ministries and central authorities shall appoint their members to adequately participate in activities during the process of the appraisal, assessment, inspection, supervision, response, and remedy for incidents of major national security information systems according to the content of the request;
c) Records and documents that serve the appraisal, assessment, inspection, supervision, response, and remedy for incidents of major national security information systems shall be sent to participants by the Ministry of Public Security according to regulations.
4. Regarding the cooperation in supervising major national security information systems for cybersecurity and cyber information security:
...
...
...
b) In case the supervision of cyber information security for major national security information systems has been performed, the supervision data shall be shared and generally used for cybersecurity and cyber information security;
c) Governing bodies of major national security information systems shall arrange premises, technical conditions and establish and connect systems and supervision devices of cybersecurity protection forces to information systems under their management for early detection and warning of cybersecurity risks.
Section 2. CYBERSECURITY CRITERIA FOR MAJOR NATIONAL SECURITY INFORMATION SYSTEMS
Article 8. Criteria for regulations, procedures, and methods of ensuring cybersecurity for major national security information systems
1. Governing bodies of major national security information systems shall, based on regulations on cybersecurity, state confidentiality protection, confidential work, technical standards and regulations on cyber information security, and other relevant professional technical standards, develop regulations, procedures, and plans for the protection of cybersecurity of major national security information systems under their management.
2. Contents of regulations, procedures, and plans for the protection of cybersecurity shall elaborate on the major information system and major information prioritized for protection; management procedures, technical procedures, and professional procedures in using and protecting cybersecurity of the database and technical infrastructure; the criteria for personnel of cyber administration, system operation, assurance of cyber information security and safety, and activities of drafting, storing, and transmitting state confidentiality via information systems; responsibilities of each division and individual in managing, operating, and using; sanctions for violations.
Article 9. Criteria for personnel of system operation, administration, and cybersecurity protection
1. Divisions in charge of system operation and administration and cybersecurity protection are required.
2. Personnel in charge of system operation and administration and cybersecurity protection shall have professional qualifications in cybersecurity, cyber information security, and information technology; have commitments to protect the confidentiality of information on major national security information systems during the process of working and after leaving the job position.
...
...
...
Article 10. Criteria for assurance of cybersecurity for devices, hardware, and software that are components of the system
1. Hardware devices that are components of the system shall be tested for cybersecurity to detect weaknesses and confidential vulnerabilities, malicious codes, transceivers, and malicious hardware for the assurance of compatibility with other components in the major national security information system. Administrative devices must be installed with operating systems and clean applications and have layers of firewall protection. Information systems that handle state confidentialities shall not be connected to the Internet.
2. Products that are warned or notified to have risks of cybersecurity disorder by cybersecurity protection forces shall not be put into use, or they shall have measures to handle and remedy weaknesses, confidential vulnerabilities, malicious codes, and malicious hardware before being put into use.
3. Digital data and information handled and stored via information systems of state confidentiality shall be encrypted or have protection measures during the process of establishment, trade, and storage on the Internet according to regulations of laws on state confidentiality protection.
4. Information technology devices, communication means, data containers, and devices serving activities of information systems shall be managed, destroyed, or fixed according to laws on state confidentiality protection and working regulations of governing bodies of such information systems.
5. System software, feature software, middleware, database, application programs, source codes, and development tools shall be periodically reviewed and updated with patches.
6. Mobile devices and devices with information storage features when connecting to the internal network of a major national security information system shall be tested and controlled for safety assurance and may only be used in such information systems.
7. Devices and means that store information when connecting, transporting, and storing shall:
a) Test the confidentiality before connecting to major national security information systems;
...
...
...
c) Implement measures to ensure safety during transport and storage and protection measures regarding the stored information of state confidentiality.
Article 11. Criteria for technical measures to supervise and protect cybersecurity
1. The operational environment of a major national security information system shall:
a) Be separated from environments of development, testing, and experiment;
b) Apply measures to ensure information safety;
c) Not install tools and means for application development;
d) Eliminate or turn off unused or unnecessary features and feature software on the information system.
2. Data of the major national security information system shall have automatic backup plans to external storage that are suitable for the data change frequency and ensure that arising data must be backed up within 24 hours. Backup data must be tested to ensure the restoration ability every 6 months.
3. A network system shall:
...
...
...
b) Have devices and software to control connections and access to major network zones;
c) Have measures to timely control, detect, and prevent unauthorized connections, access, and intrusion;
d) Have plans to respond to distributed denial-of-service attacks (DDoS) and other forms of attacks suitable for the scale and nature of the major national security information system.
4. Adoption of measures and solutions to find and timely detect technical weaknesses and vulnerabilities of the network system, illegal connections, and devices and software illegally installed in the network.
5. Logs of the information system and users’ activities, arising errors, and information safety incidents must be recorded and stored for at least 3 months in a centralized form and backed up at least once a year.
6. Regarding the control of access of users and groups of users using devices and tools:
a) Register, allocate, renew, and revoke access rights of devices and users;
b) Ensure that each account with access to the system is only associated with one user; in case of sharing the account for general access to the major national security information system, there must be approval from competent authorities and identification of the responsibility of each individual at each time of use;
c) Limit and control access to accounts with administrative rights: (i) establish mechanisms to control the creation of accounts with administrative rights to ensure that such accounts may only be used with the approval of competent authorities; (ii) adopt measures to supervise the use of accounts with administrative rights; (iii) ensure that there is only 1 access at a time to an account with administrative rights, and such account shall automatically log out if it is idle for a certain time;
...
...
...
dd) Review, inspect, and re-consider the approval of access rights of users;
e) Impose requirements and criteria for information safety for devices and tools used for access.
Article 12. Criteria for physical security
1. Major national security information systems shall be arranged and installed at safe locations and protected to reduce risks of threats and hazards from the environment and intrusion.
2. Major national security information systems shall be ensured regarding power sources and support systems when the main power source is disrupted; have measures to prevent overload, voltage drop, and lightning transmission; have grounding systems; have backup power generators and uninterruptible power supply systems (UPS) to ensure the continuous operation of devices.
3. Major national security information systems shall have plans and measures to protect against and combat intrusion for information collection by unmanned aerial devices.
4. Data centers of major national security information systems shall have their access controlled 24/7.
Chapter III
ORDER AND PROCEDURES FOR APPLYING CERTAIN CYBERSECURITY PROTECTION MEASURES
...
...
...
1. Cybersecurity protection forces shall conduct cybersecurity appraisals of information systems in the List of major national security information systems as per regulation.
2. Order of the implementation of cybersecurity appraisals of major national security information systems
a) Governing bodies of major national security information systems shall submit applications for cybersecurity appraisals to competent cybersecurity protection forces;
b) Cybersecurity protection forces shall receive, inspect, and provide guidelines on the completion of applications for cybersecurity appraisals and issue receipt documents after adequately receiving the valid applications within 3 working days;
c) Cybersecurity protection forces shall conduct cybersecurity appraisals according to the contents prescribed in Clause 3 Article 11 of the Law on Cybersecurity and provide notifications on the results within 30 days from the receipt date of applications for governing bodies of major national security information systems.
3. An application for cybersecurity appraisal of a major national security information system includes:
a) A written request for cybersecurity appraisal (Form No. 6 of the Appendix);
b) A pre-feasibility research report and a document on the design and construction of the project on investment in the development of the information system before its approval;
c) The scheme for the upgrade of the information system before its approval in case of upgrading the major national security information system.
...
...
...
5. Cybersecurity appraisal results shall be protected as prescribed by law.
Article 14. Order and procedures for assessing the criteria for cybersecurity of major national security information systems
1. Cybersecurity protection forces shall assess the criteria for cybersecurity of information systems in the List of major national security information systems as per regulation.
2. Order of the assessment of the criteria for cybersecurity of major national security information systems:
a) Governing bodies of major national security information systems shall submit applications for assessment of the criteria for cybersecurity of major national security information systems to cybersecurity protection forces competent to assess the criteria for cybersecurity according to regulations prescribed in Clause 3 Article 12 of the Law on Cybersecurity;
b) Cybersecurity protection forces shall receive, inspect, and provide guidelines on the completion of applications for assessment of the criteria for cybersecurity and issue receipt documents after receiving the valid applications;
c) After receiving the adequate and valid applications, cybersecurity protection forces shall assess the criteria for cybersecurity and provide notifications on the results within 30 days from the receipt date of such applications for governing bodies of major national security information systems;
d) In case of eligibility for cybersecurity, the Director of the cybersecurity criteria assessment agency shall issue certificates of eligibility for cybersecurity to major national security information systems within 3 working days from the end date of the cybersecurity criteria assessment.
3. An application for the certificate of eligibility for cybersecurity of a major national security information system includes:
...
...
...
b) A pre-feasibility research report and a document on the design and construction of the project on investment in the development of the information system before its approval;
c) Documents on solutions to ensure cybersecurity of the major national security information system.
4. In case of failure to achieve cybersecurity eligibility, cybersecurity protection forces shall request the governing body of the major national security information system to supplement and upgrade its major national security information system to ensure eligibility.
Article 15. Order and procedures for cybersecurity supervision
1. The Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam and the Cyber Command of the Ministry of National Defense of Vietnam shall conduct the supervision of cybersecurity of the national cyberspace and major national security information systems according to their functions and assigned tasks. The Cipher Department of the Government of Vietnam shall conduct the supervision of cybersecurity of cipher information systems of the Cipher Department of the Government of Vietnam according to its functions and assigned tasks.
2. Order of the supervision of cybersecurity of cybersecurity protection forces:
a) Send written notifications to governing bodies of information systems to request the implementation of cybersecurity supervision measures which specify the reason, time, content, and the implementation scope of cybersecurity supervision;
b) Implement cybersecurity supervision measures;
c) Make periodic statistics and reports on cybersecurity supervision results.
...
...
...
a) Develop and implement cybersecurity supervision systems and cooperate with cybersecurity protection forces in implementing cybersecurity supervision activities for information systems under their management;
b) Arrange premises and technical conditions and establish and connect systems and supervision devices of cybersecurity protection forces to information systems under their management for cybersecurity supervision;
c) Provide and update information on information systems under their management, technical plans for the implementation of supervision systems for cybersecurity protection forces periodically or irregularly at the request of competent cybersecurity protection forces;
d) Notify cybersecurity protection forces of their supervision activities once every 3 months;
dd) Protect the confidentiality of relevant information in the process of cooperating with cybersecurity protection forces.
4. Telecommunications enterprises and enterprises that provide services of information technology, telecommunications, and the internet shall cooperate with cybersecurity protection forces in conducting cybersecurity supervision according to their entitlements for cybersecurity protection.
5. Cybersecurity supervision results shall be protected as prescribed by law.
Article 16. Order and procedures for cybersecurity testing
1. Cybersecurity protection forces shall conduct cybersecurity testing for information systems according to regulations prescribed in Clause 5 Article 13 and Clause 1 Article 24 of the Law on Cybersecurity. Cybersecurity testing contents include the inspection of compliance with regulations of laws on cybersecurity assurance and protection of state confidentiality in cyberspace; inspection and assessment of the efficiency of plans and measures to ensure cybersecurity and plans for responding to and remedying cybersecurity incidents; inspection and assessment of detection of vulnerabilities, security weaknesses, and malicious codes and system intrusion test attacks; other testing and assessments prescribed by governing bodies.
...
...
...
a) Notify cybersecurity testing plans as per regulation;
b) Establish Testing Teams according to functions and assigned tasks;
c) Conduct cybersecurity testing and strictly cooperate with governing bodies of information systems during the testing process;
d) Make records of cybersecurity testing processes and results and preserve them as prescribed by law;
dd) Notify cybersecurity testing results within 3 working days from the completion date of the testing.
3. In case it is necessary to keep the current state of information systems to investigate and handle law violations, detect security weaknesses and vulnerabilities, provide guidelines, or participate in remedial activities as requested by governing bodies of information systems, cybersecurity protection forces shall request in writing that governing bodies of information systems suspend cybersecurity testing. The mentioned documents shall specify the reason, purpose, and time of the temporary suspension of cybersecurity testing.
Article 17. Order and procedures for responding to and remedying cybersecurity incidents of major national security information systems
1. When major national security information systems face cybersecurity incidents, the following order and procedures for response and remedy shall be complied with:
a) Cybersecurity protection forces shall provide written notifications and guidelines on temporary measures to prevent and handle cyber-attacks and remedy consequences of cyber-attacks and cybersecurity incidents for governing bodies of major national security information systems.
...
...
...
b) Governing bodies of major national security information systems shall implement measures according to guidelines and implement other suitable measures to prevent, handle, and remedy consequences right after receiving notifications, excluding cases prescribed in Point c of this Clause.
In case of inability to handle the incidents, they shall promptly notify cybersecurity protection forces for coordination and response to cybersecurity incidents;
c) In case it is necessary to immediately respond to and prevent consequences that threaten national security, cybersecurity protection forces shall decide on the direct coordination and remedial response to cybersecurity incidents.
2. Coordination and remedial response to cybersecurity incidents of cybersecurity protection forces:
a) Assess and decide on schemes for response and remedy for cybersecurity incidents;
b) Operate the response and remedy for cybersecurity incidents;
c) Preside over the receipt, collection, handling, and sharing of information on response and remedy for cybersecurity incidents;
d) Mobilize and cooperate with organizations and individuals inside and outside of Vietnam related to the participation in responding to and remedying cybersecurity incidents in necessary cases;
dd) Appoint focal agencies to cooperate with relevant agencies of other countries or international organizations in responding to and handling international incidents based on international agreements or treaties to which Vietnam is a signatory;
...
...
...
g) Make records of the process of responding to cybersecurity incidents.
3. Organizations and individuals participating in responding to and remedying cybersecurity incidents shall implement measures, responses, and remedies for incidents according to the coordination of cybersecurity protection forces.
4. In case of the protection of national security and social order and safety, telecommunications enterprises and enterprises that provide Internet services shall arrange premises, connectors, and necessary technical measures for the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam to carry out their tasks and ensure cybersecurity. Telecommunications enterprises and enterprises that provide Internet services shall cooperate with the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam in implementing the specific order and procedures.
Article 18. Order and procedures for implementing measures to use passcodes to protect cyber information
1. Cybersecurity protection forces shall use cryptographic measures of the cipher to protect cyber information when transmitting information and documents subject to state confidentiality in cyberspace. Cryptographic measures shall comply with regulations of laws on the cipher, state confidentiality protection, and cybersecurity.
2. In necessary cases, due to reasons of national security, social order and safety, and protection of legitimate rights and benefits of agencies, organizations, and individuals, cybersecurity protection forces shall request in writing that relevant agencies, organizations, and individuals encrypt information not included in the scope of state confidentiality before storing or transmitting it on the Internet. The mentioned requesting documents shall specify the reason and content subject to encryption.
Article 19. Order and procedures for implementing measures to request the removal of illegal information or false information in cyberspace that infringes upon national security, social order and safety, and legitimate rights and benefits of agencies, organizations, and individuals
1. The above-mentioned measures shall be applicable:
a) When information in cyberspace is identified by competent agencies to have contents that infringe upon national security, disseminate information that sabotages the Socialist Republic of Vietnam, incite riots, and disrupt public security and order according to regulations of the law;
...
...
...
c) When other information in cyberspace has contents prescribed in Points c, dd, e Clause 1 Article 8 of the Law on Cybersecurity.
2. The Director of the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam and Directors of competent agencies of the Ministry of Information and Communications shall:
a) Decide on the application of measures to request the removal of illegal information or false information in cyberspace that infringes upon national security, social order and safety, and legitimate rights and benefits of agencies, organizations, and individuals as prescribed in Clause 1 of this Article;
b) Send written requests to enterprises that provide services on the telecommunications network, services on the Internet, and value-added services in cyberspace and governing bodies of information systems for removal of illegal information or false information in cyberspace that infringes upon national security, social order and safety, and legitimate rights and benefits of agencies, organizations, and individuals as prescribed in Clause 1 of this Article;
c) Inspect the implementation of measures of relevant entities when requested;
d) Trade and share information on the implementation of the mentioned measures, excluding cases included in the scope of state confidentiality or professional requests of the Ministry of Public Security of Vietnam.
3. Cybersecurity protection forces of the Ministry of National Defense of Vietnam shall apply measures to request the removal of illegal information or false information in cyberspace that infringes upon national security and military security according to regulations prescribed in Clause 1 of this Article to military information systems.
Article 20. Order and procedures for implementing measures to collect data related to acts of infringing upon national security, social order and safety, and legitimate rights and benefits of agencies, organizations, and individuals in cyberspace
1. Data is information in the form of symbols, letters, numbers, images, sounds, or equivalences.
...
...
...
3. The collection of data related to acts of infringing upon national security, social order and safety, and legitimate rights and benefits of agencies, organizations, and individuals in cyberspace shall be implemented according to regulations of the law while satisfying the following requirements:
a) Maintenance of the status of digital devices and data;
b) The copying and recording of data shall be done according to correct procedures via recognized devices and software that are verifiable and can protect the integrity of data stored in such devices;
c) The process of restoring or searching data shall be recorded via minutes, images, and videos. The process may be repeated if it is necessary for presentation at a court;
d) Data collectors shall be specialized officials assigned to collect data.
4. Principles of copying and restoring data related to acts of infringing upon national security, social order and safety, and legitimate rights and benefits of agencies, organizations, and individuals in cyberspace:
a) If the data is considered necessary to be copied or restored or there is a request to copy and restore the data for the purpose of proving the commission of a crime, the assigned person shall be authorized to copy and restore such data and acquire a decision on approval of competent authority according to regulations of the law;
b) Records of the activities of copying and restoring electronic evidence shall be compiled, and when it is necessary, an independent third party may be invited to witness and confirm such process.
5. The confiscation of means that store, transmit, and process data related to acts of infringing upon national security, social order and safety, and legitimate rights and benefits of agencies, organizations, and individuals in cyberspace shall be implemented according to regulations of the law.
...
...
...
Article 21. Order and procedures for implementing measures to suspend, temporarily suspend, or request the termination of operations of information systems and revoke domain names
1. The above-mentioned measures shall be applicable when:
a) There are documents proving the operation of the information system is violating laws on national security and cybersecurity;
b) The information system is currently used for purposes of infringing upon national security and social order and safety.
2. The Minister of Public Security of Vietnam shall directly decide on the suspension, temporary suspension, or termination of operations of information systems and the suspension or revocation of domain names that have activities that violate laws on cybersecurity.
3. The Director of the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam shall implement decisions on the suspension, temporary suspension, or request for termination of operations of information systems, and suspension or revocation of domain names.
4. Order and procedures for implementing the above-mentioned measures:
a) Report on the application of measures to suspend, temporarily suspend, or request the termination of operations of information systems and suspend or revoke domain names;
b) Decide on the suspension, temporary suspension, or request for termination of operations of information systems and suspension or revocation of domain names;
...
...
...
d) In case of emergencies, operations of information systems shall be promptly prevented to avoid endangering national security or to prevent potentially harmful consequences. The Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam shall directly request or send written requests via fax or email to agencies, organizations, and individuals for the suspension, temporary suspension, or request for termination of operations of information systems;
Within 24 hours after receiving requests, the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam shall send documents on request for suspension, temporary suspension, or request for termination of operation of information systems. In case there are no documents on decisions when the mentioned time limit is overdue, information systems may continue their operations. According to the nature, level, and consequences due to the delay in sending requesting documents, the assigned officials and relevant persons shall take responsibility according to regulations of the law;
dd) The suspension, temporary suspension, or request for termination of operations of information systems shall be made into records. The records shall specify the time, location, and bases and be made into 2 copies. Relevant competent agencies shall keep one copy, and agencies, organizations, and individuals that own and manage information systems shall keep the other one;
e) Regarding the suspension and revocation of national domain names in cases prescribed in Clause 1 of this Article, relevant competent authorities shall send written requests to the VNNIC for the suspension and revocation of domain names according to the order and procedures prescribed by law.
5. If the suspension, temporary suspension, or request for termination of operations of information systems does not comply with the bases prescribed in Clause 2 of this Article, Directors and Deputy Directors of relevant competent agencies and relevant officials shall bear legal liability. If such suspension, temporary suspension, or request for termination of operations of information systems causes damage to relevant agencies, organizations, and individuals, compensation shall be made as prescribed by law.
Article 22. Responsibilities of agencies, organizations, and units in implementing cybersecurity protection measures
1. Cybersecurity protection forces shall provide specific guidelines to relevant agencies, organizations, and individuals in implementing regulations on order and procedures for applying certain cybersecurity protection measures.
2. Agencies, organizations, and individuals shall, within their scope of responsibilities and entitlements, timely support and cooperate with cybersecurity protection forces in implementing regulations on order and procedures for implementing certain cybersecurity protection measures.
3. In case cross-border supply enterprises are declared to violate Vietnamese laws by competent authorities, Vietnamese organizations and enterprises shall cooperate with relevant competent agencies in preventing and handling acts of violating laws of cross-border supply enterprises.
...
...
...
5. Regarding information systems not included in the List of major national security information systems, the Ministry of Public Security of Vietnam, the Ministry of National Defense of Vietnam, and the Ministry of Information and Communications of Vietnam shall synchronously cooperate in protecting cybersecurity and cyber information security according to their functions and assigned tasks:
a) The Ministry of Information and Communications of Vietnam shall act as the focal point in charge of civil activities, excluding regulations prescribed in Points b and c of this Clause;
b) The Ministry of Public Security of Vietnam shall be the focal point in charge of activities of protecting national security, social order and safety, and cybersecurity and preventing and combating cybercriminals, cyber-terrorists, and cyber-spies;
c) The Ministry of National Defense of Vietnam shall be the focal point in charge of activities of protecting the Fatherland in cyberspace.
Chapter IV
IMPLEMENTATION OF CERTAIN ACTIVITIES OF PROTECTING CYBERSECURITY IN STATE AGENCIES AND POLITICAL ORGANIZATIONS AT CENTRAL AND LOCAL LEVELS
Article 23. Development and completion of regulations on the use of computer networks of state agencies and political organizations at central and local levels
1. State agencies and political organizations at central and local levels shall develop regulations on the use, management, and assurance of the internal computer network security and computer networks with Internet connection under their management. Contents of regulations on assurance of cybersecurity and cyber-safety shall be in accordance with regulations on cybersecurity protection, state confidentiality protection, technical standards and regulations on cyber information security, and other relevant professional technical standards.
2. Regulations on the use and assurance of computer network security of state agencies and political organizations at central and local levels shall:
...
...
...
b) Elaborate on prohibitions and principles of management, use, and assurance of cybersecurity; internal computer networks that store or transmit state confidentiality shall have a complete physical separation from computer networks, devices, and electronic means with Internet connection; other cases shall ensure compliance with regulations of laws on state confidentiality protection;
c) Have procedures for professional and technical management in operating, using, and ensuring cybersecurity of data and technical infrastructure. Such procedures shall satisfy basic requirements for information system safety assurance;
d) Have criteria for personnel in charge of network administration, system operation, cybersecurity assurance, information safety, and work related to the compilation, storage, and transmission of state confidentiality via computer system networks;
dd) Specifically stipulate responsibilities of each division, official, and staff member in managing, using, and ensuring cybersecurity and information safety;
e) Stipulate sanctions for violations of regulations on cybersecurity assurance.
Article 24. Development and completion of schemes for cybersecurity assurance for information systems of state agencies and political organizations at central and local levels
1. Heads of state agencies and political organizations at central and local levels shall issue schemes for cybersecurity assurance for information systems under their management, ensuring synchronicity, unity, focus, and sharing of natural resources to optimize efficiency and avoid duplicate investment.
2. Schemes for cybersecurity assurance for information systems include:
a) Regulations on cybersecurity assurance in designing and developing information systems, satisfying basic requirements for technical and professional management;
...
...
...
c) Cybersecurity assessment and testing;
d) Cybersecurity supervision;
dd) Prevention of, response to, and remedy for incidents and dangerous situations of cybersecurity;
e) Risk management;
g) Ending of operation, utilization, repair, liquidation, and cancellation.
Article 25. Schemes for response and remedy to cybersecurity incidents of state agencies and political organizations at central and local levels
1. Schemes for response and remedy to cybersecurity incidents include:
a) Schemes for prevention and handling of information sabotaging the Socialist Republic of Vietnam, inciting riots, disrupting public order, slandering, and infringing upon the order of economic management uploaded on information systems;
b) Schemes for prevention and combat against cyber-spies and protection of information of state confidentiality, work confidentiality, business confidentiality, personal confidentiality, family confidentiality, and personal life on information systems;
...
...
...
d) Schemes for prevention and combat against cyber-attacks;
dd) Schemes for prevention and combat against cyber-terrorists;
e) Schemes for prevention and control of dangerous situations of cybersecurity.
2. Contents of schemes for response and remedy to cybersecurity incidents
a) General provisions;
b) Assessments of risks and cybersecurity incidents;
c) Schemes for response and remedy to specific situations;
d) Tasks and responsibilities of agencies in organizing, coordinating, handling, responding to, and remedying incidents;
dd) Training, drills, incident prevention, detection supervision, and assurance of conditions for readiness for response and remedy to incidents;
...
...
...
Chapter V
STORAGE OF DATA AND ESTABLISHMENT OF BRANCHES AND REPRESENTATIVE OFFICES IN VIETNAM
Article 26. Storage of data and establishment of branches and representative offices in Vietnam
1. Data subject to storage in Vietnam:
a) Data on personal information of service users in Vietnam;
b) Data created by service users in Vietnam: account names, service use time, information on credit cards, emails, IP addresses of the last login or logout session, and registered phone numbers in association with accounts or data;
c) Data on relationships of service users in Vietnam: friends and groups such users have connected or interacted with.
2. Domestic enterprises shall store the data prescribed in Clause 1 of this Article in Vietnam.
3. Regarding the data storage and establishment of branches or representative offices in Vietnam of foreign enterprises:
...
...
...
b) In case of inability to comply with regulations of laws on cybersecurity due to force majeure, foreign enterprises shall send notifications to the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam within 3 working days for inspection of the verification of such force majeure. In such cases, enterprises will have 30 days to adopt remedial methods.
4. If enterprises inadequately collect, utilize, analyze, and handle data according to regulations prescribed in Clause 1 of this Article, enterprises shall cooperate with the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam in confirming and storing types of data that are currently being collected, utilized, analyzed, and handled.
If enterprises conduct the additional collection, utilization, analysis, and handling of types of data prescribed in Clause 1 of this Article, they shall cooperate with the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam in including such data in the list of data subject to storage in Vietnam.
5. The form of data storage in Vietnam shall be decided by enterprises.
6. Order and procedures for requesting data storage and establishment of branches or representative offices of foreign enterprises in Vietnam:
a) The Minister of Public Security of Vietnam shall promulgate decisions on the request for data storage and establishment of branches or representative offices in Vietnam;
b) The Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam shall provide notifications and guidelines, monitor, supervise, and urge enterprises to implement requests for data storage and establishment of branches or representative offices in Vietnam while notifying relevant agencies of the implementation of state management functions according to entitlements;
c) Within 12 months from the promulgation date of decisions of the Minister of Public Security of Vietnam, enterprises prescribed in Point a Clause 3 Article 26 of this Decree shall complete the data storage and establishment of branches or representative offices in Vietnam.
7. Order and procedures for the establishment of branches or representative offices in Vietnam shall comply with regulations of laws on business, commerce, enterprises, and other relevant regulations.
...
...
...
Article 27. Time for data storage and establishment of branches or representative offices in Vietnam
1. The time for data storage, according to regulations prescribed in Article 26 of this Decree, shall start when enterprises receive the request for data storage until the end of the time prescribed in such request. The mandatory storage time is 24 months.
2. The time for the establishment of branches or representative offices in Vietnam according to regulations prescribed in Article 26 of this Decree shall start when enterprises receive the request for the establishment of branches or representative offices in Vietnam until such enterprises terminate their operations in Vietnam or the prescribed service is no longer available in Vietnam.
3. The system log for investigation and handling of acts of violating laws on cybersecurity prescribed in Point b Clause 2 Article 26 of the Law on Cybersecurity shall be stored for at least 12 months.
Chapter VI
IMPLEMENTATION PROVISIONS
Article 28. Guarantee budget
1. The budget for the implementation of cybersecurity assurance in the operations of state agencies and political organizations at central and local levels shall be guaranteed by the state budget.
2. The investment budget for public investment cybersecurity shall comply with regulations of the Law on Public Investment. Regarding public investment projects on the development of new information systems or the extension and upgrade of existing information systems, the investment budget shall be included in the investment capital of the corresponding project.
...
...
...
4. The Ministry of Finance of Vietnam shall provide guidelines on the expenditure on the budget for cybersecurity protection in the budget estimate and guidelines on the management and use of recurrent expenditures on cybersecurity assurance of state agencies and organizations.
5. State agencies and organizations shall, based on their assigned tasks, form estimates, manage, use, and conduct the final settlement of the budget for the implementation of cybersecurity assurance tasks according to the Law on State Budget.
Article 29. Entry into force
This Decree comes into force as of October 1, 2022.
Article 30. Implementation responsibilities
1. The Minister of Public Security of Vietnam shall urge, inspect, and provide guidelines on the implementation of this Decree. Difficulties that arise during the implementation of this Decree shall be consulted with the Ministry of Public Security for summary and submission of reports to the Government of Vietnam for consideration, decisions, and adjustment.
2. Ministers, Directors of ministerial agencies, Directors of Government’s affiliates, and Chairmen of the People’s Committees of provinces and centrally affiliated cities shall implement this Decree.
...
...
...