Decree No. 108/2016/ND-CP detailing the conditions for operating products and services of information security

This Decision details the conditions for operating products and services of information security in Vietnam. It includes requirements for application files for license issuance, technical solutions and product/service quality assurance, as well as the responsibilities of enterprises after being licensed.

Document number: 108/2016/NĐ-CP
Document type: Decree
Issuing body: Ministry of Justice
Signer: Nguyễn Xuân Phúc, Prime Minister
Updated: 17. 06. 2026
Industry: Information and Communications
Field: Uncategorized
Issue date: 01. 07. 2016
Effective date: 01. 07. 2016
Expiry date:
Status: In effect

Scope of application

Enterprises operating products and services of information security in Vietnam

Key points

  • Requirements for application files for business license issuance
  • Technical solutions and product/service quality assurance
  • Responsibilities of enterprises after being issued a license
  • Procedures for reissuing, extending, amending, and supplementing licenses
  • Commitment to comply with laws on information security

Social impact of this document

  • Strengthening state management over the operation of products and services of information security
  • Ensuring the quality and confidentiality of products/services supplied to the market
  • Developing the cybersecurity industry in Vietnam

Frequently asked questions

What do enterprises need to prepare when applying for a business license?

Enterprises need to prepare application files including a request letter, business and technical plans, and certificates of compliance with quality and security standards.

How long does it take to process an application file for a business license?

The processing time from receipt to completion of the application file does not exceed 30 working days.

Full text

THE GOVERNMENT
______

SOCIALIST REPUBLIC OF VIET NAM
Independence - Freedom - Happiness

_______________________

Number: 108/2016/NĐ-CP

Hanoi, July 1, 2016

DECREE

DETAILING THE CONDITIONS FOR OPERATING

INFORMATION SECURITY PRODUCTS AND SERVICES

On the basis of the Law on Archives dated November 11, 2011;

On the basis of the Law on Information Security dated November 19, 2015;

On the basis of the Investment Law dated November 26, 2014;

On the basis of the Enterprise Law dated November 26, 2014;

At the proposal of the Minister of Information and Communications;

The Government issues this Decree to detail the conditions for operating information security products and services.

Chapter I
GENERAL PROVISIONS

Article 1. Scope of Regulation

1. This Decree stipulates:

a) Conditions, procedures, formalities, and documents for issuing a Business License for information security products and services;

b) Information security products and services;

c) Imported information security products pursuant to a permit.

2. This Decree does not regulate the business activities of civil cryptography products and the provision of electronic signature certification services.

Article 2. Applicability

This Decree applies to organizations and enterprises directly participating in or related to the production and importation of information security products and the provision of information security services in Vietnam.

Article 3. Information Security Products and Services

1. Information security products include:

a) Information security testing and evaluation products are hardware and software devices with basic functions including scanning, checking, analyzing system configuration, status, log data; identifying vulnerabilities and weaknesses; providing risk assessments for information security;

b) Information security monitoring products are hardware and software devices with basic functions including monitoring and analyzing data transmitted over the information system; collecting and analyzing real-time log data; detecting and warning of unusual events that pose risks to information security;

c) Intrusion prevention products are hardware and software devices designed to prevent attacks and intrusions into the information system.

2. Information security services include:

a) Information security monitoring services involve monitoring and analyzing data traffic transmitted over the information system; collecting and analyzing real-time log data; detecting and warning of unusual events that pose risks to information security;

b) Network attack prevention services involve preventing network attacks through monitoring, collecting, and analyzing ongoing events within the information system;

c) Information security consulting services involve supporting advice, inspection, assessment, implementation, design, and construction of solutions to ensure information security;

d) Information security incident response services involve promptly handling and resolving incidents causing information security breaches in the information system;

đ) Data recovery services involve recovering data from the information system that has been deleted or damaged;

e) Information security testing and evaluation services involve scanning, inspecting, analyzing system configuration, status, log data; identifying vulnerabilities and weaknesses; providing risk assessments for information security loss;

g) Non-cryptographic information security services involve assisting users in ensuring the confidentiality of information and systems without using civil cryptographic systems.

Article 4. List of Information Security Products Imported Under Permits

1. Information security products imported under permits include:

a) Information security testing and evaluation products;

b) Information security monitoring products;

c) Intrusion prevention products.

2. The Ministry of Information and Communications shall develop a detailed list of information security products imported under permits as stipulated in Clause 1 of this Article.

3. Enterprises importing information security products not covered by Clause 1 of this Article are not required to obtain an Import Permit for information security products.

Chapter II
ISSUANCE OF BUSINESS LICENSES FOR INFORMATION SECURITY PRODUCTS AND SERVICES

Article 5. Business License for Network Information Security Products and Services

1. The Ministry of Information and Communications shall issue the Business License for Network Information Security Products and Services.

2. The Business License for Network Information Security Products and Services shall be granted to enterprises with a validity period of ten years according to Model No. 01 attached to this Decree.

Article 6. Conditions for Issuing the Business License for Network Information Security Products and Services

1. An enterprise shall be granted the Business License for Network Information Security Products and Services as stipulated in Article 3 of this Decree if it meets all conditions specified in Article 42 of the Law on Network Information Security and the conditions set forth in this Decree.

2. For the importation of network information security products as stipulated in Clause 1, Article 3 of this Decree, the enterprise must meet the conditions specified in Clause 1 of this Article. In particular, the detailed conditions at Points c and d of Clause 1, Article 42 of the Law on Network Information Security are as follows:

a) Having a management and operational team that meets the professional requirements for network information security; having technical staff responsible for the main tasks who hold a bachelor's degree in a relevant field or a certificate in network information security, information technology, or telecommunications, with the number of personnel meeting the scale and requirements of the business plan.

b) Having a suitable business plan including the following contents: Purpose of importation; scope and target audience for product provision; compliance with technical standards and regulations applicable to each type of product; basic technical features of the product.

3. For the production of network information security products as stipulated in Clause 1, Article 3 of this Decree, the enterprise must meet the conditions specified in Clause 1 of this Article. In particular, the detailed conditions at Points b, c, and d of Clause 1, Article 42 of the Law on Network Information Security are as follows:

a) Having a system of equipment, infrastructure, and production technology appropriate to the business plan for network information security products.

b) Having a management and operational team that meets the professional requirements for network information security; having a technical team holding a bachelor's degree in a relevant field or a certificate in network information security, information technology, or telecommunications, with the number of personnel meeting the scale and requirements of the business plan.

c) Having a suitable business plan including the following contents: Scope and target audience for product provision; types of products expected to be produced; compliance with technical standards and regulations applicable to each type of product; basic technical features of the product.

4. For the provision of network information security services as stipulated in Points a, b, c, d, and đ of Clause 2, Article 3 of this Decree, the enterprise must meet the conditions specified in Clause 1 of this Article. In particular, the detailed conditions at Points b, c, and d of Clause 1, Article 42 of the Law on Network Information Security are as follows:

a) Having a system of equipment and infrastructure appropriate to the scale of service provision and the business plan.

b) Having a management and operational team that meets the professional requirements for network information security; having a technical team holding a bachelor's degree in a relevant field or a certificate in network information security, information technology, or telecommunications, with the number of personnel meeting the scale and requirements of the business plan.

c) Having a suitable business plan including the following contents: Scope and target audience for service provision; types of services expected to be provided; customer information security plan; quality assurance plan for services.

5. For the provision of network information security testing and evaluation services, the enterprise must meet the conditions specified in Clause 2, Article 42 of the Law on Network Information Security. For the provision of non-civil cryptography-based information security services, the enterprise must meet the conditions specified in Clause 3, Article 42 of the Law on Network Information Security. Detailed conditions at Points a and d of Clause 2, Article 42 of the Law on Network Information Security are as follows:

a) The conditions specified in Clause 4 of this Article.

b) Having a suitable technical plan including the following contents: Overall technical system; compliance with functions of the system corresponding to the types of services expected to be provided; compliance with applicable technical standards and mandatory regulations.

Article 7. Documents and Procedures for Issuing Business Licenses for Cybersecurity Products and Services

The documents and procedures for issuing, amending, supplementing, renewing, temporarily suspending, revoking, and reissuing business licenses for cybersecurity products and services shall be carried out in accordance with Articles 43, 44, and 45 of the Cybersecurity Law.

Article 8. Acceptance of Applications for Business Licenses for Cybersecurity Products and Services

1. Enterprises submit applications for business licenses for cybersecurity products and services to the Ministry of Information and Communications through one of the following methods:

a) Submitting directly to the document reception unit;

b) Submitting via postal service;

c) Submitting online on the Ministry of Information and Communications' electronic portal.

2. The document reception unit is responsible for confirming in writing or via email that it has received the enterprise's application within one working day from the date of receipt of the application.

3. For direct submission, the date of receipt of the application is the date when the document reception unit receives the application submitted by the enterprise.

4. For submission via postal service, the date of receipt of the application is the date when the document reception unit receives the application delivered by the postal service provider.

5. For online submission, the Ministry of Information and Communications will issue business licenses for cybersecurity products and services according to the schedule for providing online government services.

Article 9. Verification of the Validity of Applications for Business Licenses for Cybersecurity Products and Services

1. Applications for business licenses for cybersecurity products and services must be prepared in Vietnamese, consisting of one original set and four valid copies of the application for new license requests, and one original set and one valid copy of the application for amendment, supplementation, and renewal requests. The original set must contain all signatures and seals of the enterprise, and if there are two or more pages of documents, they must have a cross-seal stamp. Valid copies of the application do not require confirmation seals or certified copies but must have a cross-seal stamp of the submitting enterprise.

2. The application form for requesting issuance/reissuance/amendment/supplementation of business licenses for cybersecurity products and services is specified in Form No. 02; the Business Plan is specified in Form No. 03; the Technical Plan is specified in Form No. 04; and the Report on Implementation of Business Licenses for Cybersecurity Products and Services is specified in Form No. 05 attached as an appendix to this Decree.

3. The Ministry of Information and Communications will verify and notify the enterprise submitting the application about the validity of the application within three working days from the date of receipt of the application.

4. The verification of the validity of the application is based on the following criteria:

a) The application is prepared in accordance with Clause 1 of this Article;

b) It contains all required documents corresponding to each type of application for licensing as stipulated in Article 43 of the Cybersecurity Law;

c) All provided documents contain complete information sections as requested and comply with the corresponding application forms specified in the appendix of this Decree.

5. For invalid applications, the Ministry of Information and Communications will notify the enterprise submitting the application in writing and specify the invalid elements. The enterprise has the right to resubmit the application with additional documents or explanatory statements regarding its validity. The verification of the validity of the resubmitted application will be conducted in accordance with Clause 4 of this Article.

Article 10. Submission, Explanation, and Supplement of Documents During the Examination Process

1. During the examination period, the Ministry of Information and Communications has the right, not more than once, to send a notification requesting the enterprise to supplement documents, provide written explanations, or provide explanations in person if the application documents do not provide sufficient information or do not meet the stipulated conditions.

2. Enterprises have the responsibility to submit supplementary documents, provide written explanations, or provide direct explanations to the Ministry of Information and Communications according to the content requested and within a maximum period of 10 working days from the date the enterprise receives the notification specified in Clause 1 of this Article. The examination period will continue to be counted from the date the unit receiving the documents receives the supplementary documents or the written explanation of the enterprise or the signing date of the meeting minutes for the explanation session.

3. If at the end of the period for submitting supplementary documents and explanations as prescribed in Clause 2 of this Article, the enterprise does not submit supplementary documents or does not provide explanations and does not request an extension of the submission period, it shall be deemed that the enterprise has abandoned the submission of the documents. Acceptance of documents submitted after the deadline for supplementary submissions and explanations or after the date the enterprise requests an extension of the deadline shall be treated as acceptance of new submissions.

4. Time limit for examining initial documents and supplementary documents, opinions on explanations, and issuing the License or notifying non-issuance of the License:

a) Not exceeding 15 working days from the date of receipt of valid documents for applications for issuance of the License;

b) Not exceeding 10 working days from the date of receipt of valid documents for applications for renewal of the License and applications for amendment and supplementation of the License;

c) Not exceeding 5 working days from the date of receipt of valid documents for applications for reissuance of the License.

Article 11. Reporting Obligations of Enterprises Engaged in Network Security Products and Services Business

Enterprises granted the License for network security products and services business must report promptly upon request and submit annual reports (before December 31) on their business situation regarding network security products and services to the Ministry of Information and Communications according to Form No. 05 attached to this Decree.

Chapter III
IMPLEMENTING PROVISIONS

Article 12. Transitional Provisions

1. Enterprises currently engaged in network security products and services business as stipulated in Article 3 of this Decree need to complete the necessary documents and procedures to obtain the License for network security products and services business within a maximum of six months from the effective date of this Decree.

2. For contracts for network security products and services business that have been signed and are valid before the effective date of this Decree, enterprises may continue to implement the contents of these contracts.

Article 13. Effective Date

This Decree takes effect from July 1, 2016.

1. The Minister of Information and Communications is responsible for guiding and supervising the implementation of this Decree.

2. Ministers, Heads of Ministries equivalent to ministries, Heads of government agencies, Chairmen of provincial People's Committees under central cities, and related organizations and individuals are responsible for implementing this Decree./.

Place of Receipt:
- Central Party Committee Secretariat;
- Prime Minister, Deputy Prime Ministers;
- Ministries, ministerial-level agencies, and agencies under the Government;
- Provincial People's Councils, People's Committees of centrally governed cities;
- Central Party Office and Party Committees;
- General Secretary's Office;
- President's Office;
- Office of the National Assembly;
- National Assembly's Office;
- Supreme People's Court;
- Supreme People's Procuracy;
- National Financial Supervisory Commission;
- State Audit Office;
- Social Policy Bank;
- Vietnam Development Bank;
- Vietnam Fatherland Front Central Committee;
- Central Agencies of Mass Organizations;
- Vietnam Chamber of Commerce and Industry;
- VPCP: Deputy Chairman, all Vice Chairmen, Assistants to the Prime Minister, Director of the Government Portal, all Departments, Bureaus, subordinate units, Official Gazette;
- To be filed: General Office, Legal Department (3 copies).

PRIME MINISTER

(Signed)

Nguyen Xuan Phuc

 

ANNEX

(Attached to Decree No. 108/2016/NĐ-CP dated July 1, 2016 of the Government)

Form No. 01 License for Network Security Products and Services Business
Form No. 02 Application for Issuance/Renewal/Extension/Amendment and Supplementation of the License for Network Security Products and Services Business
Form No. 03 Business Plan
Form No. 04 Technical Plan
Form No. 05 Report on Implementation of the License for Network Security Products and Services Business

Form No. 01

MINISTRY OF INFORMATION AND COMMUNICATIONS
-------

SOCIALIST REPUBLIC OF VIET NAM
Independence - Freedom - Happiness
---------------

No.: /GP-BTTTT

Hanoi, day ... month ... year ....

 

BUSINESS LICENSE
INFORMATION SECURITY PRODUCTS AND SERVICES
(Valid until .../.../...)

MINISTRY OF INFORMATION AND COMMUNICATIONS

Pursuant to the Law on Cybersecurity dated November 19, 2015;

Pursuant to Decree No. …../2016/NĐ-CP dated .../.../2016 of the Government detailing the Conditions for Network Security Products and Services Business;

Pursuant to Decree No. …/………/NĐ-CP dated …/.../... of the Government detailing the functions, tasks, powers, and organizational structure of the Ministry of Information and Communications;

Upon reviewing the application for issuance/renewal/amendment and supplementation of the License for Network Security Products and Services Business dated .../.../... of ... (1);

At the proposal of ... (2),

DECISION:

Article 1. Permit ... (1) to engage in network security products and services business

1. Enterprise Information

a) Enterprise name in Vietnamese or foreign language (if applicable): ……

b) Legal representative's name: …

c) Business registration certificate number: …issued by …on .../.../... at …

d) Main office address in Vietnam: …

đ) Telephone: …

e) Fax number: …

g) Tax code: …

2. The enterprise is permitted:

a) …(3);

b) …(3);

c) …(3);

Article 2. …(1) must comply with the provisions of Decree No. …/2016/NĐ-CP dated …/.../2016 of the Government detailing the Conditions for Network Security Products and Services Business and other relevant laws.

Article 3. This License for Network Security Products and Services Business becomes effective from the date of signature and is valid until .../.../...; (4) replacing the License for Network Security Products and Services Business …/GP-BTTTT dated .../.../.../.

 

THE MINISTER

Note:

(1) Name of the enterprise granted the License.

(2) Head of the unit applying for the License.

(3) Network security products and services permitted to be traded.

(4) Used in cases of reissue/amendment and supplementation of the License.

 

Form No. 02

(ENTERPRISE NAME)
-------

SOCIALIST REPUBLIC OF VIET NAM
Independence - Freedom - Happiness
---------------

No.: …

..., day ... month ... year ....

 

APPLICATION FOR ISSUANCE/RENEWAL/EXTENSION/AMENDMENT AND SUPPLEMENTATION

BUSINESS LICENSE FOR NETWORK SECURITY PRODUCTS AND SERVICES 

Pursuant to Decree No. ……/2016/NĐ-CP dated ……/.../2016 of the Government detailing the Conditions for Network Security Products and Services Business;

Respectfully submitted to: Ministry of Information and Communications.

Pursuant to the Law on Cybersecurity dated November 19, 2015;

(Enterprise name) applies for issuance/renewal/extension/amendment and supplementation of the License for Network Security Products and Services Business with the following contents:

Part 1. General Information
1. Enterprise Name: ...

2. Enterprise name in Vietnamese or foreign language (if applicable): ……

3. Legal representative's name: …

4. Business registration certificate number: …issued by …on .../.../... at …

5. Main office address: …

6. Telephone: …

7. Fax number: …

8. Tax code: …

Part 2. Attached Documents (Specify type and quantity of documents)
1. …………………………………………………………………………………………………….

2. ……………………………………………………………………………………………………

3. ……………………………………………………………………………………………………

Part 3. Reasons for Reissuing/Amending/Supplementing (In case of reissuing/amending/supplementing the Business License)
Part 4. Commitment

(Name of the enterprise) hereby commits:

1. To bear legal responsibility for the accuracy and legality of the contents in the application for issuance/reissuance/extension/amendment/supplementation of the Business License for network security products and services and accompanying documents.

2. If granted/reissued/extended/amended/supplemented with the Business License for network security products and services, (name of the enterprise) will strictly comply with the laws of Vietnam on business activities related to network security products and services and the provisions stipulated in the Business License for network security products and services./.

 

Place of Receipt:
- As above;
- ………….

LEGAL REPRESENTATIVE OF THE ENTERPRISE
(Signature, full name, position, and stamp)

 

Form No. 03

(ENTERPRISE NAME)
-------

SOCIALIST REPUBLIC OF VIET NAM
Independence - Freedom - Happiness
---------------

 

..., day ... month ... year ....

 

BUSINESS PLAN
(Attached to Application No. ... dated ..., ..., ...)

Part 1. Overview
1. Organizational structure of the enterprise.

2. Summary of the enterprise's business activities.

3. Description of the enterprise's equipment and infrastructure system.

4. Staff description: Number; technical/business experience in the field for which the License is requested.

Part 2. Scope and Objectives of Business Activities for Products and Services
1. Types of products and services expected to be traded.

2. Scale of business operations for products and services.

3. Target customers for product and service provision.

4. Plan for deploying the equipment system to provide services/produce products.

Part 3. Quality Assurance Measures for Products and Services
1. Product and service quality standards.

2. Information security regulations.

3. Customer information security measures (before, during, and after service provision).

4. Service quality assurance standards applied/Certification and announcement plans for conformity with mandatory standards for products announced and circulated in the market by the enterprise.

5. Procedures for handling customer complaints about service quality.

 

Form No. 04

(ENTERPRISE NAME)
-------

SOCIALIST REPUBLIC OF VIET NAM
Independence - Freedom - Happiness
---------------

 

..., day ... month ... year ....

 

TECHNICAL SOLUTIONS
(Attached to Application No. ... dated ..., ..., ...)

1. Overall Technical System

Description of configuration, installation diagram of equipment, overall technical solution.

2. Features of the system

3. Explanation of compliance with technical standards and mandatory standards applicable to network security products and services

Description and proof of compliance with technical standards and mandatory standards based on technical specifications of the used solutions, certificates and certifications meeting standards issued by the solution provider that have been tested and recognized or certified by recognized testing organizations.

For software products, describe and prove the origin, whether copyrighted or self-developed.

4. Appendices

Appendices of technical specification documents for the system, certificates and certifications complying with standards that have been issued.

 

Form No. 05

(ENTERPRISE NAME)
-------

SOCIALIST REPUBLIC OF VIET NAM
Independence - Freedom - Happiness
---------------

No.: …

..., day ... month ... year ....

 

REPORT ON THE IMPLEMENTATION OF THE BUSINESS LICENSE FOR NETWORK SECURITY PRODUCTS AND SERVICES
(From month .../... to month .../...)

Part 1. General Information
1. Enterprise Name: ...

2. Legal representative's name: …

3. Telephone: …

4. Fax number: …

5. Business License for network security products and services No. …issued on ... month …year …

Part 2. Implementation Status of the Business License
1. Summary of the enterprise's business activities for network security products and services: …

2. Quantity and types of network security products imported, produced, and consumed in the year: …

3. Number of customers categorized by service type provided in the year: …

4. Total revenue and profit in the year: …

5. Human resources directly involved in import, production, and provision of network security services: …

6. Other contents: …

Part 3. Commitments
(Name of the enterprise) hereby commits to bear legal responsibility for the accuracy of the contents in the Report and accompanying documents.

 


Place of Receipt:
- As above;
- …………

LEGAL REPRESENTATIVE OF THE ENTERPRISE
(Signature, full name, position, and stamp)

 
