This Decree details regulations on digital signatures and services for verifying digital signatures, applicable to organizations providing such services and individuals using them in electronic transactions. Notably, it covers management of licenses, operating conditions, rights, and obligations of the parties involved.
适用范围
Agencies, organizations providing services for verifying digital signatures and individuals, organizations using digital signatures in electronic transactions.
要点
- Organizations providing public digital signature verification services must obtain a license from the Ministry of Posts and Telecommunications with a validity period not exceeding ten years.
- Foreign digital signatures and certificates are recognized when foreign organizations providing digital signature verification services meet the prescribed conditions.
- Organizations providing services for verifying digital signatures have the obligation to store confidential information of subscribers and compensate for damages if there is a breach.
- Violations of regulations on operations and security will be fined from VND 1,000,000 to VND 100,000,000 depending on the severity of the violation.
- National digital signature verification service providers issue their own certificates.
🌐 本文件的社会影响
- Facilitating electronic transactions, enhancing information security, and protecting personal data.
- Saving time and costs in the process of verifying digital signatures compared to traditional methods.
- Investment in technology and human resources is required to ensure effective operation, which may impose financial pressure on small enterprises.
- Enhancing the responsibility of organizations providing digital signature verification services in managing customer information.
❓ 常见问题
What conditions must a company meet to be granted a license to provide public digital signature verification services?
The company must have a business license, meet financial conditions (financial capacity, deposit, or guarantee), personnel, and technical requirements. The license validity period is ten years.
If a digital signature verification service provider has its license revoked, what actions must they take?
The organization must transfer databases to another operating organization and notify subscribers. If the enterprise does not wish to continue providing services, they must notify at least three months before cessation.
What is the legal value of a digital signature?
In cases where the law requires a signature, a data message signed with a digital signature satisfies this requirement. Foreign digital signatures are also recognized and have equivalent legal value.
What conditions must organizations providing specialized digital signature verification services meet?
The company must meet personnel, technical requirements, and regulations of the Ministry of Posts and Telecommunications. They may also be issued a certificate confirming compliance with safety standards for digital signatures.
Which violations will result in the heaviest penalties?
Serious violations such as providing digital signature verification services without a valid license, improperly using another organization's secret key, or damaging database equipment may be fined from VND 70,000,000 to VND 100,000,000.
全文
DECREE
Regulations on implementation of the Law on Electronic Transactions regarding digital signatures and digital signature certification services.
____________________
THE GOVERNMENT
Pursuant to the Law on Organization of the Government dated December 25, 2001;
Pursuant to the Law on Electronic Transactions dated November 29, 2005;
BASED ON THE Ordinance on Handling Administrative Violations dated July 2, 2002;
CONSIDERING the proposal of the Minister of Posts and Telecommunications.
DECREE:
Chapter I:
GENERAL PROVISIONS
Article 1. Scope of Regulation
This Decree provides detailed regulations on digital signatures and digital certificates; management, provision, and use of digital signature certification services.
Article 2. Applicability
This Decree applies to agencies and organizations providing digital signature certification services and agencies, organizations, and individuals choosing to use digital signatures and digital signature certification services in electronic transactions.
Article 3. Explanation of Terms
In this Decree, the following terms are understood as follows:
1. "Digital certificate"is a form of electronic certificate issued by an organization providing digital signature certification services.
2. "Foreign digital certificate"is a digital certificate issued by an organization providing digital signature certification services abroad.
3. “Valid digital certificate"is a digital certificate that has not expired, is not temporarily suspended, or revoked.
4. "Electronic invoice issuance system"is a type of electronic signature created by transforming a data message using an asymmetric cryptographic system such that anyone who obtains the original data message and the public key of the signer can accurately determine:
a) The transformation was created using the correct private key corresponding to the public key in the same key pair;
b) The integrity of the content of the data message from the time of the transformation.
5. “Foreign digital signature"is a digital signature created by a subscriber using a foreign digital certificate.
"Digital signature certification service" is a type of electronic signature certification service provided by an organization offering digital signature certification services. A digital signature certification service includes:
a) Creating a key pair including public and private keys for subscribers;
b) Issuing, renewing, suspending, restoring, and revoking subscribers' digital certificates;
c) Maintaining an online database of certificates;
d) Other related services as prescribed.
7. “Asymmetric cryptographic system"is a cryptographic system capable of generating a key pair consisting of a private key and a public key.
8. “Key" is a binary string (0 and 1) used in cryptographic systems.
9. “Private key"is one key in an asymmetric key pair used to create a digital signature.
10. “Public Key"is one key in an asymmetric key pair used to verify a digital signature created by the corresponding private key in the key pair.
11. "Signing"is the process of inserting a private key into software to automatically generate and attach a digital signature to a data message.
12. “Signer" is a subscriber who uses their own private key to sign a data message under their name.
13. “Received by"is an organization or individual who receives a digitally signed data message, uses the digital certificate of the signer to verify the digital signature in the received message, and proceeds with related activities and transactions.
14. “Subscriber"is an organization or individual issued a digital certificate, accepts the digital certificate, and holds the corresponding private key recorded on the issued digital certificate.
15. “Suspension of digital certificate"temporarily renders a digital certificate invalid from a specified date.
16. “Revocation of digital certificate"permanently renders a digital certificate invalid from a specified date.
17. "Organization providing digital signature certification services"is an organization providing digital signature certification services that carries out the activity of providing digital signature certification services.
Article 4. Organizations providing digital signature certification services
Organizations providing digital signature certification services include:
1. Public digital signature certification service providers are organizations providing digital signature certification services for agencies, organizations, and individuals using them in public activities. The operation of public digital signature certification service providers is aimed at business purposes.
2. Specialized digital signature certification service providers are organizations providing digital signature certification services for agencies, organizations, and individuals with similar operational characteristics or work objectives and linked to each other through articles of association or legal regulations stipulating common organizational structures or forms of collaboration and joint operations. The operation of specialized digital signature certification service providers serves internal transaction needs and does not aim at business purposes.
3. National digital signature certification service providers (Root Certification Authority) are organizations providing digital signature certification services for public digital signature service providers. There is only one national digital signature certification service provider.
Article 5. Policy on developing digital signature certification services
1. The State encourages the use of digital signatures and digital signature certification services in economic, political, and social fields to promote information exchange and online transactions, thereby increasing labor productivity; expanding commercial activities; supporting administrative reform, enhancing social benefits, improving the quality of life for the people, and ensuring national security and defense.
2. The State promotes the application of digital signatures and the development of digital signature certification services through key projects aimed at raising awareness; disseminating laws; developing applications; organizing training for human resources; researching, cooperating, and transferring technology related to digital signatures and digital signature certification services.
3. The State supports the activities of public digital signature certification service providers through preferential policies on tax, land, and other incentives.
Article 6. Responsibilities for state management of digital signature certification services
1. The Ministry of Posts and Telecommunications is responsible before the Government for implementing state management over digital signature certification services, including:
a) Submitting to the Government for approval or issuing within its authority policies, strategies, planning, development plans, and management of digital signature certification services;
b) Issuing within its authority legal regulatory documents on digital signatures and digital signature certification services;
c) Leading and coordinating with the Ministry of Science and Technology, the Ministry of Public Security, and the Government Cryptographic Office to develop and issue mandatory technical standards and standards on digital signatures and digital signature certification services;
d) Leading and coordinating with the Ministry of Public Security and the Government Cryptographic Office in managing digital signature certification service providers, including issuing licenses, certificates of conditions ensuring safety for digital signatures, recognition of foreign digital signatures and certificates, inspection, supervision, and handling violations, and other necessary activities;
đ) Leading and coordinating with the Ministry of Science and Technology, the Ministry of Public Security, and the Government Cryptographic Office to implement international cooperation on digital signature certification services;
e) Establishing and maintaining the operation of national digital signature certification service providers.
2. The Ministry of Science and Technology, the Ministry of Public Security, the Government Cryptographic Office, other relevant ministries and sectors, provincial People's Committees, and centrally governed city People's Committees within their respective authorities and responsibilities shall coordinate with the Ministry of Posts and Telecommunications to implement the provisions of Clause 1 of this Article.
3. The Ministry of Public Security is responsible for leading efforts to combat high-tech crimes using digital signatures and digital signature certification services.
4. The Government Cryptographic Office establishes and maintains the operation of specialized digital signature certification service providers serving agencies under the political system.
Article 7. Prohibited acts
1. Providing digital signature certification services and using digital signatures with the intent to oppose the Socialist Republic of Vietnam, disrupt public security, social order, and social safety; engage in smuggling or conduct other activities contrary to the law and social morals.
2. Directly or indirectly destroying the digital signature certification service provision systems of digital signature certification service providers; obstructing the provision and use of digital signature certification services; forging or instructing others to forge digital certificates.
3. Stealing, cheating, impersonating, appropriating, or improperly using another person's secret key.
4. Buying, selling, or transferring licenses for providing public digital signature certification services.
Chapter II:
DIGITAL SIGNATURES AND DIGITAL CERTIFICATES
Article 8. Legal Value of Digital Signatures
1. In cases where laws require a document to bear a signature, a data message shall be deemed to meet this requirement if it is signed with a digital signature.
2. In cases where laws require a document to bear the stamp of an agency or organization, such requirement shall be deemed met if the data message is signed by a digital signature of an authorized person according to the regulations on management and use of stamps and digital signatures, provided that the digital signature is secured in accordance with Clause 9 of this Decree.
3. Foreign digital signatures and digital certificates recognized in accordance with Chapter VII of this Decree shall have the same legal value and effect as those issued by public key certification service providers in Vietnam.
Article 9. Conditions for Ensuring Security of Digital Signatures
A digital signature shall be considered a secure electronic signature when it meets the following conditions:
1. The digital signature is created during the period when the digital certificate is valid and can be verified using the public key recorded on the valid digital certificate.
2. The digital signature is created using the private key corresponding to the public key recorded on the digital certificate issued by a national key certification service provider, a public key certification service provider, a specialized key certification service provider certified to ensure security for digital signatures, or a foreign key certification service provider recognized in Vietnam.
3. The private key is under the control of the signer at the time of signing.
4. The private key and the content of the data message are uniquely associated with the signer when they sign the data message.
Article 10. Contents of Digital Certificates
Digital certificates issued by national key certification service providers, public key certification service providers, and specialized key certification service providers certified to ensure security for digital signatures must include the following contents:
1. Name of the key certification service provider.
2. Name of the subscriber.
3. Serial number of the digital certificate.
4. Validity period of the digital certificate.
5. Public key of the subscriber.
6. Digital signature of the key certification service provider.
7. Restrictions on purpose and scope of use of the digital certificate.
8. Limitations on the legal liability of the key certification service provider.
9. Other necessary contents as prescribed by the Ministry of Posts and Telecommunications.
Article 11. Digital Certificates of Agencies and Organizations
1. All state positions and authorized persons of agencies and organizations as stipulated by laws on management and use of stamps shall have the right to issue digital certificates with the value as prescribed in Clause 2 of Article 8 of this Decree.
2. Digital certificates issued to state positions and authorized persons of agencies and organizations must clearly indicate their positions.
3. Issuing digital certificates to state positions and authorized persons of agencies and organizations must be based on the following documents:
a) Documents from the agency or organization requesting issuance of a digital signature for an authorized person or state position.
b) Legally certified copies of the registration certificate of the stamp model of the agency or organization or state position issued in accordance with laws on management and use of stamps.
c) Legally certified copies of documents confirming the position of the authorized person of the agency or organization or state position.
Article 12. Use of digital signatures and certificates of agencies and organizations
1. The digital signature of a person issued a certificate according to Article 11 of this Decree shall only be used to perform transactions in accordance with the position of that person.
2. The act of signing on behalf of another or at the request of another, as provided for by law, shall be carried out by a person authorized to use their own digital signature, understood based on the position of the signer recorded on the certificate.
Chapter III:
ISSUING LICENSES FOR PROVIDING PUBLIC DIGITAL SIGNATURE VERIFICATION SERVICES
Article 13. Conditions for operation
An organization providing digital signature verification services may provide services to the public when meeting the following conditions:
1. Having a license to provide public digital signature verification services issued by the Ministry of Posts and Telecommunications.
2. Possessing a digital certificate issued by an organization providing national digital signature verification services.
Article 14. Term of the license
The license granted to an organization providing public digital signature verification services shall have a term not exceeding ten years.
Article 15. Conditions for issuing licenses
1. Subject conditions:
It must be a business established under Vietnamese law.
2. Financial condition:
a) Having sufficient financial capacity to establish technical equipment systems, organize and maintain operations consistent with the scale of service provision;
b) Depositing a guarantee fund in a commercial bank operating in Vietnam or having a guarantee letter from a commercial bank operating in Vietnam not less than five billion (5,000,000,000) Vietnamese dong, or committing to purchase insurance to address risks and compensation that may occur during the service provision process and payment of costs for receiving and maintaining the company's database in case the license is revoked.
3. Personnel conditions:
a) Having a team of technical staff, management staff, operational staff, security management staff, and customer service staff meeting the requirements of expertise and the scale of service deployment; without prior criminal records;
b) The legal representative must understand laws related to digital signatures and digital signature verification services.
4. Technical conditions:
a) Establishing a technical equipment system ensuring the following requirements:
- Fully, accurately, and timely storing information of subscribers to serve the issuance of digital certificates throughout the validity period of the certificates;
- Ensuring the creation of key pairs that only allow each key pair to be generated randomly and uniquely once; having features to ensure that the private key cannot be detected when the corresponding public key is available;
- Fully, accurately, and timely updating the list of valid and expired certificates and allowing Internet users to access online 24 hours a day, seven days a week;
- Having the ability to detect, warn, and prevent all unauthorized access, forms of attacks in the network environment, and comply with information security standards;
- Designed to minimize direct contact with the Internet environment as much as possible;
- The key distribution system for subscribers must ensure the integrity and confidentiality of the key pair. In cases where keys are distributed through a computer network, the key distribution system must use secure protocols to ensure that information is not exposed on the transmission path.
b) Having feasible technical and business plans consistent with applicable technical standards and mandatory standards;
c) Having control measures for entering and exiting the headquarters, access rights to the system, and entry and exit rights to the location where equipment for providing digital signature verification services is placed;
d) Having backup plans to ensure safe, continuous operation and recovery in case of incidents;
đ) All equipment systems used to provide services must be located in Vietnam.
5. Other conditions:
a) Constructing headquarters and locations for machinery and equipment in compliance with fire and explosion prevention laws; capable of resisting floods, earthquakes, electromagnetic interference, and illegal human intrusion;
b) Having a publicly disclosed verification regulation in the format prescribed by the Ministry of Posts and Telecommunications and containing content consistent with the provisions of this Decree.
Article 16. Application Documents for Permit Issuance
The application documents for obtaining a permit to provide public digital signature certification services shall be prepared in six sets, each set containing the following:
1. The business's application for a permit to provide public digital signature certification services.
2. A business registration certificate or investment certificate indicating the business’s activities related to providing electronic signature certification services.
3. The business’s charter on organization and operation.
4. Documentation proving compliance with financial conditions stipulated in Clause 2, Article 15 of this Decree.
5. A service provision plan including the following main contents:
- Business plan including scope, target customers for the service; service quality standards; financial plans and other necessary information;
- Technical plan ensuring compliance with Clause 4, Article 15;
- Certification regulations;
- Detailed personal information, qualifications, and credentials of personnel directly involved in the provision of digital signature certification services by the business.
Article 17. Review and Issuance of Permit
Within sixty working days from the date of receipt of valid application documents, the Ministry of Posts and Telecommunications shall lead and coordinate with the Ministry of Public Security, the Government Cryptographic Committee, and relevant ministries and sectors to review the application documents. If the enterprise meets all conditions for permit issuance as stipulated in Article 15, the Ministry of Posts and Telecommunications will issue a permit to the enterprise. In case of refusal, the Ministry of Posts and Telecommunications will notify in writing and specify the reasons.
Article 18. Amendment of Permit Content and Reissuance of Permit
1. When there is a need to amend the permit content, the entity providing public digital signature certification services must submit an application for amending the permit content for public digital signature certification services to the Ministry of Posts and Telecommunications.
2. The application for amending the permit shall be prepared in six sets, each set containing: a request for amendment of the permit content; a copy of the currently valid permit; a report on operational status and reasons for amending the permit content; detailed proposed amendments and other necessary documents.
3. Within sixty working days from the date of receipt of valid application documents for amending the permit content, the Ministry of Posts and Telecommunications shall lead and coordinate with relevant ministries and sectors to review the application documents and conduct on-site inspections if necessary. If the proposed amendment still meets all conditions for permit issuance as stipulated in Article 15, the Ministry of Posts and Telecommunications will issue a new permit to the enterprise. If the proposed amendment does not meet all conditions for permit issuance, the Ministry of Posts and Telecommunications will notify in writing and specify the reasons.
4. In cases of restructuring, the entity providing public digital signature certification services must report to the Ministry of Posts and Telecommunications for consideration of permit content changes; procedures for changes shall follow the provisions of Clauses 2 and 3 of this Article.
5. In cases where the permit is lost, torn, burned, or destroyed in any form, the entity providing public digital signature certification services may apply for reissue of the permit. To obtain a reissued permit, the entity must submit a request clearly stating the reason for requesting a reissue to the Ministry of Posts and Telecommunications and pay the required fee.
Article 19. Extension of License
1. When wishing to extend the license, the organization providing public digital signature authentication services must submit the application for license extension 60 days before the license expires.
2. The application for license extension shall be prepared in two sets, each set including: Application for license extension, a copy of the currently valid license, report on operational status and inspection results over the last three years.
3. Within 60 days from the date of receiving a complete application, the Ministry of Posts and Telecommunications shall review and consider the request for license extension. In case of agreement, the Ministry of Posts and Telecommunications will extend the license for the enterprise. In case of refusal, the Ministry of Posts and Telecommunications shall issue a notification letter specifying the reasons.
4. The license may only be extended once, and the extension period shall not exceed one year.
Article 20. Suspension or Revocation of License
1. The organization providing public digital signature authentication services shall have its license suspended when any of the following situations occur:
a) Providing services contrary to the content stated on the license;
b) Failing to meet any of the licensing conditions during the service provision process;
c) Other conditions as prescribed by law.
2. The organization providing public digital signature authentication services shall have its license revoked when any of the following situations occur:
a) Not implementing service provision within twelve months from the date of issuance of the license without a legitimate reason;
b) Being dissolved or declared bankrupt according to relevant laws;
c) The service provision license for public digital signatures has expired;
d) Failing to rectify the suspension conditions stipulated in Clause 1 of this Article within the suspension period determined by the competent authority.
3. The organization providing public digital signature authentication services whose license is revoked shall be responsible for negotiating with another operating organization providing public digital signature authentication services to transfer related databases within ninety days from the date of revocation. In case of failure to reach an agreement, it shall report to the Ministry of Posts and Telecommunications for consideration and resolution.
4. The costs of accepting and maintaining the database of the organization providing public digital signature authentication services whose license is revoked shall be covered from the deposit or guarantee or insurance of that service authentication organization.
Chapter IV:
ACTIVITIES OF ORGANIZATIONS PROVIDING PUBLIC DIGITAL SIGNATURE AUTHENTICATION SERVICES
Article 21. Application for Digital Certificate
The application for a digital certificate includes:
1. Application for a digital certificate according to the form of the organization providing public digital signature authentication services.
2. Supporting documents include:
a) For individuals: a certified true copy of identity card, passport, or other lawful personal identification;
b) For organizations: a certified true copy of the decision to establish or business registration certificate or equivalent document of the organization; authorization document and a certified true copy of identity card, passport, or other lawful personal identification of the authorized representative of the organization;
c) Other documents as prescribed in the authentication regulations of the organization providing public digital signature authentication services.
Article 22. Key Generation and Distribution
1. A key pair of an organization or individual applying for a digital certificate may be generated by:
a) The organization or individual applying for a digital certificate;
b) An organization providing public digital signature verification services based on a written request from the organization or individual applying for a digital certificate.
2. In the case where the organization or individual applying for a digital certificate generates the key pair themselves, the organization providing public digital signature verification services must ensure that they have used equipment in accordance with the prescribed standards to generate and store the key pair.
3. In the case where the organization providing public digital signature verification services generates the key pair, such organization must ensure secure methods are used to transfer the private key to the organization or individual applying for a digital certificate and may only retain a copy of the private key upon a written request from the organization or individual applying for a digital certificate.
Article 23. Issuance of Digital Certificates
1. An organization providing public digital signature verification services shall issue a digital certificate upon verifying the following contents:
a) Information in the application is accurate;
b) The public key on the digital certificate to be issued is unique and paired with the private key of the organization or individual applying for a digital certificate.
2. A digital certificate can only be issued to the applicant and must contain all information prescribed in Article 10 of this Decree.
3. An organization providing public digital signature verification services may only publish the issued digital certificate for the subscriber in its database of digital certificates after receiving confirmation from the subscriber regarding the accuracy of the information on the digital certificate; the publication period shall not exceed 24 hours after receipt of the confirmation, except in cases of agreement otherwise.
4. An organization providing public digital signature verification services shall not refuse to issue a digital certificate to an organization or individual applying for a digital certificate without a valid reason.
Article 24. Renewal of Digital Certificates
1. At least 30 days before the expiration date of the digital certificate, if renewal is desired, the subscriber must submit a renewal application for the digital certificate.
2. In the event of a change in the public key on the renewed digital certificate, the subscriber must clearly indicate this in the application; the generation of keys, distribution of keys, and publication of the renewed digital certificate shall be carried out in accordance with the provisions of Articles 22 and 23 of this Decree.
Article 25. Change of Key Pair
In the event that the subscriber requests a change in the key pair, the subscriber must submit an application for changing the key pair. The generation of keys, distribution of keys, and publication of the digital certificate with the new public key shall be carried out in accordance with the provisions of Articles 22 and 23 of this Decree.
Article 26. Suspension of Digital Certificates
1. A digital certificate shall be suspended when any of the following circumstances occur:
a) When the subscriber requests in writing and such request has been verified by the organization providing public digital signature verification services as being accurate;
b) When the organization providing public digital signature verification services has grounds to confirm that the issued digital certificate does not comply with the provisions of Articles 22 and 23 of this Decree or when any errors affecting the rights of the subscriber and recipient are discovered;
c) Upon request from a prosecution agency, security agency, or the Ministry of Posts and Telecommunications;
d) According to the suspension conditions stipulated in the contract between the subscriber and the service provider.
2. Upon having grounds to suspend a digital certificate, the organization providing public digital signature verification services must immediately suspend it and simultaneously notify the subscriber and publish on the database of digital certificates the suspension, start time, and end time of the suspension.
3. The organization providing public digital signature verification services must restore the digital certificate when there are no longer grounds for suspension or when the suspension period according to the request has expired.
Article 27. Revocation of Digital Certificates
1. A digital certificate shall be revoked in the following cases:
a) When the subscriber requests in writing and such request has been verified by the organization providing public digital signature verification services as being accurate;
b) When the subscriber is an individual who has died or been declared missing by a court, or when the subscriber is an organization that has been dissolved or declared bankrupt in accordance with the law;
c) Upon request from a prosecution agency, security agency, or the Ministry of Posts and Telecommunications;
d) In accordance with the conditions for revoking digital certificates as stipulated in the contract between the subscriber and the organization providing public digital signature certification services.
2. Upon having grounds to revoke a digital certificate, the organization providing public digital signature certification services must proceed to revoke the digital certificate and immediately notify the subscriber and publish on the database of digital certificates the revocation thereof.
Article 28. Issuing Timestamps
1. Issuing timestamps involves attaching information about date, month, year, and time to a data message.
2. The organization providing public digital signature certification services has the right to provide timestamp issuance services. The provision of timestamp issuance services must comply with technical standards and mandatory standards applicable to such services.
3. The date, month, year, and time attached to a data message are those at which the organization providing public digital signature certification services receives the data message. The date, month, year, and time attached to a data message must be digitally signed by the organization providing public digital signature certification services.
4. The date, month, year, and time attached to a data message, in compliance with the provisions of Clauses 1, 2, and 3 of this Article, are recognized by law.
Chapter V:
RIGHTS AND OBLIGATIONS OF PARTIES INVOLVED IN PROVIDING AND USING PUBLIC DIGITAL SIGNATURE CERTIFICATION SERVICES
Section 1: RIGHTS AND OBLIGATIONS OF ORGANIZATIONS PROVIDING PUBLIC DIGITAL SIGNATURE CERTIFICATION SERVICES
Article 29. Obligations Regarding Storage and Use of Information of Organizations and Individuals Applying for Digital Certificates
1. The organization providing public digital signature certification services has the obligation to store information related to the identity of organizations and individuals applying for digital certificates in a confidential and secure manner, and may only use such information for purposes related to the digital certificate, except where otherwise agreed upon or provided by law.
2. Compensation shall be provided to subscribers and recipients in the following cases:
a) Damage occurs as a result of disclosing subscriber information that the organization is obligated to store confidentially;
b) Damage occurs as a result of including inaccurate information on the digital certificate compared to the information provided by the subscriber.
Article 30. Obligations Related to Issuing Digital Certificates
To ensure the legitimate rights of subscribers, the organization providing public digital signature certification services has the following obligations:
1. Provide written guidance to organizations and individuals applying for digital certificates before signing a digital certificate issuance contract regarding the following information:
a) Scope, limitations of use, level of security, fees, and charges for issuing and using the type of digital certificate being applied for, and other information that could affect the rights of organizations and individuals applying for digital certificates;
b) Requirements to ensure the safety in storing and using secret keys;
c) Complaint procedures and dispute resolution;
d) Other contents determined by the organization providing public digital signature certification services.
2. Develop a model contract for digital certificate issuance activities.
3. Ensure security throughout the process of creating and transferring digital certificates to subscribers.
4. Be responsible to subscribers and recipients for the accuracy of the information on the digital certificate.
5. Compensate subscribers and recipients when damage occurs as a result of a digital certificate issued contrary to the provisions of this Decree.
Article 31. Obligations related to the extension of digital certificates
1. When receiving a request for extension from the subscriber in accordance with the provisions of Article 24 of this Decree, the organization providing public digital signature certification services shall have the obligation to complete the procedures for extending the digital certificate before the digital certificate of the subscriber expires.
2. The organization providing public digital signature certification services shall be responsible for compensating the subscriber and the recipient for any damage that occurs due to the violation of Clause 1 of this Article.
Article 32. Rights and obligations related to suspending and restoring digital certificates
The organization providing public digital signature certification services shall have the obligation to:
1. Ensure a communication channel to receive requests to suspend the operation of digital certificates available 24 hours a day, 7 days a week.
2. Store all information related to the suspension of digital certificates for at least 5 years, starting from the date when the digital certificate is suspended.
3. During the period of suspension of digital certificates, the organization providing public digital signature certification services must still fulfill the obligations related to keeping confidential personal information and secret keys of subscribers as stipulated in this Decree.
4. Compensate the parties involved in case of damage resulting from non-compliance with the provisions of Clause 2 and 3 of Article 26 of this Decree.
Article 33. Obligations related to revoking digital certificates
The organization providing public digital signature certification services shall have the following obligations:
1. Ensure a communication channel to receive requests for revoking digital certificates available 24 hours a day, 7 days a week.
2. Retain all information related to the revocation of digital certificates and revoked digital certificates for at least 5 years, starting from the date when the digital certificate was revoked.
3. Ensure the confidentiality of the secret key of the subscriber in cases where the subscriber has authorized it, and retain information related to the digital certificate of the subscriber for at least 5 years, starting from the date when the digital certificate was revoked.
4. Compensate the parties involved in case of damage resulting from non-compliance with the provisions of Article 27 of this Decree.
Article 34. Obligations related to key management activities
The organization providing public digital signature certification services shall have the following obligations:
1. Ensure the confidentiality of the entire process of generating key pairs in cases where key pairs are generated for organizations or individuals applying for digital certificates.
2. Utilize all means and make the greatest effort to notify the subscriber simultaneously and apply measures to prevent and promptly address any signs of exposure, loss of integrity, or any other errors that may adversely affect the interests of the subscriber when such signs are detected.
3. Advise the subscriber to change key pairs when necessary to ensure the highest level of reliability and security for the key pairs.
4. Compensate the subscriber and the recipient if damage occurs as a result of exposing the key generation process, exposing the subscriber's secret key during transfer, or storing the subscriber's secret key when the organization providing public digital signature certification services retains the subscriber's secret key.
Article 35. Obligation to Temporarily Suspend Issuance of New Digital Certificates
1. Public Key Infrastructure Service Providers must temporarily suspend the issuance of new digital certificates in the following cases:
a) When discovering errors in their service provision system that may affect the interests of subscribers and recipients;
b) Upon request from competent state authorities.
2. When temporarily suspending the issuance of new digital certificates, Public Key Infrastructure Service Providers must publicly announce this suspension on their website and report to competent state authorities.
3. During the period of temporarily suspending the issuance of new digital certificates, Public Key Infrastructure Service Providers are responsible for maintaining the database systems related to previously issued digital certificates.
Article 36. Obligation to Publicly Disclose Information
Public Key Infrastructure Service Providers must publicly disclose and maintain information 24 hours a day, 7 days a week on their website the following information:
1. Their authentication regulations and digital certificate policies.
2. Lists of active, suspended, and revoked digital certificates of subscribers.
3. Other necessary information.
Article 37. Obligation to Purchase Risk Insurance
In cases where they do not deposit a guarantee or have a bank guarantee as stipulated in Clause 2, Article 15 of this Decree, Public Key Infrastructure Service Providers must purchase insurance to address risks and compensation that may arise for subscribers and recipients due to the fault of the Public Key Infrastructure Service Provider and pay fees to other Public Key Infrastructure Service Providers to take over and maintain their database when their license is revoked.
Article 38. Obligations Related to License Application and Implementation
Public Key Infrastructure Service Providers have the following obligations:
1. To fully bear legal responsibility for the accuracy of the application dossier for licensing.
2. To implement and maintain activities in accordance with the content recorded in the license and commitments made in the application dossier for licensing.
3. To pay licensing fees and charges as prescribed.
Article 39. Rights and Obligations Upon Revocation of Public Key Infrastructure Service Provision License
1. Public Key Infrastructure Service Providers whose licenses are revoked have the obligation to hand over relevant documentation and databases related to digital certificates and the issuance of digital certificates to the receiving organization as stipulated in Clause 3, Article 20 of this Decree.
2. Public Key Infrastructure Service Providers whose licenses are revoked have the obligation to notify subscribers about the revocation of their license and information about the receiving organization of their database. In cases where the license revocation is due to the business entity's decision not to continue providing services, such notification must be made at least three months before the business entity stops providing services.
3. The organization receiving the database of the Public Key Infrastructure Service Provider whose license has been revoked must perform rights and obligations towards subscribers and recipients of the Public Key Infrastructure Service Provider whose license has been revoked.
4. After a period of three years from the date of license revocation, Public Key Infrastructure Service Providers whose licenses have been revoked have the right to reapply for a license. Conditions and procedures for reissuance shall be carried out according to the provisions applicable to new applications.
Article 40. Other rights and obligations
1. Reporting periodically and urgently upon request of competent state agencies.
2. Being subject to inspection, audit, and violation handling by competent state agencies.
3. Providing necessary information to investigative agencies or security agencies for serving the work of ensuring information security, investigation, and crime prevention according to the prescribed legal procedures and formalities.
4. In cases of emergency as defined by laws on emergency situations or to ensure national security, public service providers of digital signature certification have the obligation to provide all necessary support at the request of competent state agencies.
SECTION 2: RIGHTS AND OBLIGATIONS OF SUBSCRIBERS OF ORGANIZATIONS PROVIDING DIGITAL SIGNATURE CERTIFICATION SERVICES
Article 41. Rights and obligations of subscribers in providing information
Subscribers of organizations providing digital signature certification services have the following rights and obligations:
1. The obligation to provide truthful and accurate personal information and present documents required for issuing digital certificates to the organization providing digital signature certification services; subscribers shall be responsible under the law and for any damage resulting from violations of this provision.
2. The right to request the organization providing digital signature certification services to provide in writing the information specified in Clause 1 of Article 30 of this Decree.
3. Providing secret keys and necessary information to investigative agencies and security agencies to serve the purpose of ensuring national security or investigating crimes as prescribed by law.
Article 42. Creation, use, and management of keys
Subscribers of organizations providing digital signature certification services have the following rights and obligations:
1. When creating key pairs for themselves, subscribers must ensure that the key pair generation equipment complies with technical standards and mandatory requirements. This provision does not apply when subscribers lease key pair generation equipment from organizations providing digital signature certification services.
2. Safely and confidentially storing and using their secret keys throughout the period during which their digital certificates are valid and suspended.
3. Immediately notifying the organization providing digital signature certification services if they discover signs indicating that their secret keys have been exposed, stolen, or used improperly so that appropriate measures can be taken.
4. Being legally responsible for any damage resulting from violations of Clauses 1, 2, and 3 of this Article.
Article 43. Legal Obligations
1. When agreeing to have the organization providing digital signature certification services publicly announce their digital certificate as stipulated in Clause 3 of Article 23 of this Decree or when providing such a digital certificate to others for transactions, subscribers are deemed to have committed to the recipient that they are the lawful holder of the secret key corresponding to the public key on the digital certificate and that the information on the digital certificate related to the subscriber is true, and must fulfill the obligations arising from the digital certificate.
2. The right to request the organization providing digital signature certification services to suspend or revoke issued digital certificates and bear responsibility for such requests.
PART 3: OBLIGATIONS OF THE RECEIVER
Article 44. Obligation to check information
1. Before accepting a digital signature from the signer, the recipient must verify the following information:
a) The validity, scope of use, liability limits, and other related information about the digital certificate of the signer;
b) The digital signature must be created using the secret key corresponding to the public key on the digital certificate of the signer.
2. The receiver shall bear all losses arising in the following cases:
a) Failure to comply with the provisions of Clause 1 of this Article;
b) Knowing or being informed that the digital certificate and the private key of the signer are no longer trustworthy.
Chapter VI:
ORGANIZATIONS PROVIDING SPECIALIZED DIGITAL SIGNATURE VERIFICATION SERVICES
PART 1: CONDITIONS AND PROCEDURES FOR REGISTRATION OF ACTIVITIES OF ORGANIZATIONS PROVIDING SPECIALIZED DIGITAL SIGNATURE VERIFICATION SERVICES
Article 45. Conditions for operation of organizations providing specialized digital signature verification services
Organizations providing specialized digital signature verification services must meet the following conditions:
1. Having sufficient professional technical staff and management personnel appropriate to provide digital signature verification services.
2. Equipment systems suitable for national security and safety standards.
Article 46. Procedures and formalities for registration of activities of organizations providing specialized digital signature verification services
Before commencing operations, organizations providing specialized digital signature verification services must register with the Ministry of Posts and Telecommunications according to the following contents:
1. Name and address of the organization's headquarters.
2. Detailed information about the head and person responsible for managing the equipment system providing the service.
3. Scope and target audience for the provision of services.
4. Technical standards and standards to be applied.
Article 47. Rights and obligations of organizations providing specialized digital signature verification services
Organizations providing specialized digital signature verification services have the following rights and obligations:
1. To stipulate the procedures for providing services.
2. To stipulate the rights and obligations of related parties based on not contravening relevant laws and principles of the Vietnamese legal system.
3. To be subject to inspection, audit, and handling of violations by competent state agencies.
4. To provide necessary information to investigative agencies or security agencies to serve the work of ensuring information security and investigating crimes in accordance with the prescribed legal procedures.
5. In case of emergency as defined by the law on emergency situations or to ensure national security, organizations providing specialized digital signature verification services have the obligation to provide all necessary support at the request of competent state agencies.
6. Organizations providing specialized digital signature verification services have the right to request the Ministry of Posts and Telecommunications to issue a certificate of compliance with security conditions for digital signatures to ensure the security of digital signatures in accordance with Article 9 of this Decree. The conditions and procedures for issuing certificates of compliance with security conditions for digital signatures follow the provisions of Articles 48, 49, and 50 of this Decree.
PART 2: CONDITIONS AND PROCEDURES FOR ISSUANCE OF CERTIFICATES OF COMPLIANCE WITH SECURITY CONDITIONS FOR DIGITAL SIGNATURES
Article 48. Conditions for issuance of certificates of compliance with security conditions for digital signatures
Organizations providing specialized digital signature verification services can only obtain certificates of compliance with security conditions for digital signatures when they meet the human resources, technical conditions, and other conditions specified in Clauses 3, 4, and 5 of Article 15 of this Decree.
Article 49. Documents for Application to Obtain a Certificate of Compliance with Safety Conditions for Digital Signature
The application documents for obtaining a certificate of compliance with safety conditions for digital signature shall be prepared in six sets, each set containing the following:
1. An application form for obtaining a certificate of compliance with safety conditions for digital signature.
2. Decision on establishment and operational regulations of the organization.
3. A proposal for service provision including:
a) Scope, target audience for service provision and other necessary information;
b) Technical solutions to ensure the provisions stipulated in Article 48 of this Decree;
c) Authentication rules;
d) Detailed personal information and qualifications, certificates of personnel directly involved in the authentication services provided by the organization.
Article 50. Examination of Application Documents and Issuance of Certificate of Compliance with Safety Conditions for Digital Signature
Within sixty working days from the date of receipt of the application documents for obtaining a certificate of compliance with safety conditions for digital signature, the Ministry of Posts and Telecommunications shall take the lead and coordinate with the Ministry of Public Security, the Government Cryptographic Committee, and relevant ministries and sectors to examine the application documents and conduct on-site inspections. In case the organization meets all conditions for service provision as prescribed in Article 48, the Ministry of Posts and Telecommunications will issue a certificate of compliance with safety conditions for digital signature to the organization. If the organization fails to meet the required conditions, the Ministry of Posts and Telecommunications will notify in writing and specify the reasons.
Article 51. Rights and Obligations of Organizations Providing Specialized Digital Signature Authentication Services that Have Obtained a Certificate of Compliance with Safety Conditions for Digital Signature
Organizations providing specialized digital signature authentication services that have obtained a certificate of compliance with safety conditions for digital signature shall have the following rights and obligations:
1. To regulate their operations, rights, and obligations of related parties based on not violating relevant laws and principles of the Vietnamese legal system.
2. To report periodically and ad hoc as required by competent state agencies.
3. To be subject to inspection, audit, and handling of violations by competent state agencies.
4. To provide necessary information to investigative agencies or security agencies to serve the work of ensuring information security and investigating crimes in accordance with the prescribed legal procedures.
5. In cases of emergency as defined by laws on emergency situations or to ensure national security, organizations providing specialized digital signature authentication services that have obtained a certificate of compliance with safety conditions for digital signature shall have the obligation to provide all necessary support as requested by competent state agencies.
Chapter VII:
RECOGNITION OF FOREIGN DIGITAL SIGNATURES AND CERTIFICATES, AND ACTIVITIES OF FOREIGN SERVICE PROVIDERS FOR DIGITAL SIGNATURE AUTHENTICATION
Article 52. Recognition of Foreign Digital Signatures and Certificates
1. Foreign digital signatures and certificates are recognized when the foreign service provider issuing such certificates has been granted a recognition certificate for foreign digital signatures and certificates by the Ministry of Posts and Telecommunications.
2. A foreign service provider is granted a recognition certificate for foreign digital signatures and certificates if it meets the following conditions:
a) The country where the foreign service provider registers its activities has signed or joined international treaties that include provisions on the recognition of foreign digital signatures and certificates, which Vietnam has also joined.
b) It has been licensed or certified by the competent authority of its own country to operate in the field of digital signature authentication services and is currently operating.
c) The reliability of the digital signatures and certificates issued by the foreign service provider is not lower than the reliability of those issued by public digital signature authentication service providers in Vietnam.
d) It has a representative office in Vietnam to handle related issues.
Article 53. Documents for Issuing Certificates Recognizing Foreign Digital Signatures and Certificates
The application package for issuing certificates recognizing foreign digital signatures and certificates consists of six sets, each set including:
1. Application for recognition of foreign digital signatures and certificates submitted by the foreign service provider organization.
2. Documents proving compliance with the provisions stipulated in Clauses 1, 2, 3, and 4 of Article 52 of this Decree.
3. Receipt for payment of the examination fee.
4. Other contents as required by the Ministry of Posts and Telecommunications.
Article 54. Examination of Documents and Issuance of Certificates Recognizing Foreign Digital Signatures and Certificates
Within sixty working days from the date of receipt of the application for issuance of certificates recognizing foreign digital signatures and certificates, the Ministry of Posts and Telecommunications shall take the lead and coordinate with the Ministry of Public Security, the Government Office for Official Communications, and relevant ministries and sectors to examine the application. If all conditions stipulated in Article 52 of this Decree are met, the Ministry of Posts and Telecommunications will issue certificates recognizing foreign digital signatures and certificates to the foreign service provider organization. In case these conditions are not met, the Ministry of Posts and Telecommunications will notify in writing and specify the reasons.
Article 55. Activities of Foreign Service Providers of Digital Signature Certification Services
1. Investment activities of foreign service providers of digital signature certification services in Vietnam shall be carried out in accordance with the laws on investment and international treaties on digital signature certification services to which Vietnam is a party.
2. The activities of foreign service providers of digital signature certification services in Vietnam must comply with regulations on operating conditions, rights, and obligations as prescribed for public digital signature certification service providers.
Chapter VIII:
NATIONAL DIGITAL SIGNATURE CERTIFICATION SERVICE PROVIDERS
Article 56. Establishment of National Digital Signature Certification Service Providers
1. The establishment of national digital signature certification service providers must comply with the provisions stipulated in Clause 3, 4, and 5 of Article 15 of this Decree.
2. National digital signature certification service providers shall issue their own digital certificates.
Article 57. Activities, Rights, and Obligations of National Digital Signature Certification Service Providers
The issuance and management of digital certificates by national digital signature certification service providers, as well as the rights and obligations of related parties, must comply with the provisions stipulated in Chapters IV and V of this Decree. Accordingly, national digital signature certification service providers shall act as public digital signature certification service providers, while public digital signature certification service providers shall act as subscribers, subject to certain additional and amended provisions as follows:
1. The application for issuance of digital certificates stipulated in Article 21 of this Decree shall be supplemented with a license issued by the Ministry of Posts and Telecommunications to public digital signature certification service providers.
2. The key pair stipulated in Article 22 of this Decree shall be generated by public digital signature certification service providers on their own systems.
3. The pre-issuance verification requirements stipulated in Clause 1 of Article 23 of this Decree shall include verification of compliance with the operating conditions stipulated in Clauses 4 and 5 of Article 15 of this Decree.
4. Information to be publicly disclosed stipulated in Article 36 of this Decree shall be published on the website of the national digital signature certification service provider or the public digital signature certification service provider.
Chapter IX:
DISPUTES, COMPLAINTS, REPORTS AND COMPENSATION
Article 58. Dispute Resolution
Disputes between parties regarding the provision and use of public digital signature certification services shall be resolved based on the contracts between the parties and relevant laws.
Article 59. Complaints and Reports
Complaints against administrative decisions and administrative acts concerning digital signatures and digital signature certification services; reports to competent state agencies regarding violations related to digital signatures and digital signature certification services shall be carried out in accordance with the provisions of the law on complaints and reports.
Article 60. Compensation for Damage
1. Organizations and individuals causing damage to other organizations and individuals in the provision and use of digital signature certification services must compensate according to the provisions of the law.
2. The Ministry of Posts and Telecommunications shall specify the principles and levels of compensation for damage in the provision and use of digital signature certification services.
Chapter X:
INSPECTION, AUDIT AND VIOLATION HANDLING
Article 61. Inspection and Supervision
1. Public digital signature certification service providers and specialized digital signature certification service providers who have been issued certificates confirming their qualification to ensure the security of digital signatures shall be subject to annual inspections by the Ministry of Posts and Telecommunications on compliance with the provisions of this Decree. The results of the inspection must be publicly announced on the Ministry's electronic news website.
2. Service providers and organizations and individuals using digital signature certification services shall be subject to inspection and supervision by competent state agencies in accordance with the law.
3. Inspections of organizations and individuals participating in the management, provision, and use of digital signature certification services shall be conducted in accordance with the law on inspection.
Article 62. Violations of Operating Conditions Rules
1. A fine of from VND 1,000,000 to VND 2,000,000 shall be imposed for the act of not applying for reissue when lost or damaged to the extent that the content is no longer clear in one of the following papers:
a) License for providing public digital signature certification services;
b) Certificate confirming qualification to ensure the security of digital signatures;
c) Recognition certificate of foreign digital signatures and certificates.
2. A fine of from VND 4,000,000 to VND 10,000,000 shall be imposed for one of the following acts:
a) Applying for extension of the license for providing public digital signature certification services without ensuring the time stipulated in Clause 1, Article 19 of this Decree;
b) Submitting the application for extension of the license for providing public digital signature certification services when receiving notification from the Ministry of Posts and Telecommunications without ensuring the time stipulated in Clause 1, Article 19 of this Decree;
c) Providing specialized digital signature certification services without meeting the conditions stipulated in Clause 1, Article 45 of this Decree.
3. A fine of from VND 10,000,000 to VND 20,000,000 shall be imposed for one of the following acts:
a) Erasing or altering the content of the certificate confirming qualification to ensure the security of digital signatures;
b) Buying, selling, transferring, leasing, lending or renting the certificate confirming qualification to ensure the security of digital signatures;
c) Providing false information or materials for the purpose of registering activities or applying for the certificate confirming qualification to ensure the security of digital signatures.
4. A fine of from VND 20,000,000 to VND 40,000,000 shall be imposed for one of the following acts:
a) Erasing or altering the content recorded in the license for providing public digital signature certification services;
b) Erasing or altering the content recorded in the recognition certificate of foreign digital signatures and certificates;
c) Buying, selling, transferring, leasing, lending or renting the papers specified in point a, b, Clause 1 of this Article;
d) Providing false information or materials for the purpose of applying for, changing the content, or extending the license for providing public digital signature certification services;
đ) Providing false information or materials for the purpose of applying for the recognition certificate of foreign digital signatures and certificates;
e) During the process of providing digital signature certification services, failing to meet the human resource conditions stipulated in Clause 3, Article 15 of this Decree;
g) Keeping copies of secret keys when there is no written request from the organization or individual applying for the certificate.
5. A fine of from VND 50,000,000 to VND 70,000,000 shall be imposed for one of the following acts:
a) Providing digital signature certification services to the public without a license for providing public digital signature certification services issued by the Ministry of Posts and Telecommunications or a certificate issued by a national digital signature certification service provider;
b) Providing digital signature certification services to the public when the certificate issued by a national digital signature certification service provider has expired or the license for providing public digital signature certification services has expired.
6. A fine of from VND 70,000,000 to VND 100,000,000 shall be imposed for one of the following acts:
a) Not purchasing insurance in cases where no deposit or guarantee is made as prescribed in Article 37 of this Decree;
b) During the process of providing public digital signature certification services, failing to meet the financial conditions stipulated in Clause 2, Article 15 of this Decree;
c) Not storing complete, accurate, and updated information about subscribers serving the issuance of certificates throughout the validity period of the certificates.
Article 63. Violations of provisions on safety and security
1. A fine of from five million to ten million Vietnamese dong shall be imposed for any of the following acts:
a) Illegally obstructing the use of digital certificates;
b) Illegally storing another person's secret key;
c) Storing information related to organizations or individuals applying for digital certificates without ensuring confidentiality and safety;
d) Using information related to organizations or individuals applying for digital certificates in violation of the law;
đ) Failing to ensure safety during the creation or transfer of digital certificates to subscribers;
2. A fine of VND 10,000,000 to VND 30,000,000 shall be imposed for the following acts:
a) Stealing, fraudulently obtaining, impersonating, or appropriating another person's secret key;
b) Illegally copying, disclosing, or providing a subscriber's secret key;
c) Illegally accessing, disclosing, or using information of subscribers and digital signature certification service providers;
d) Failing to ensure the confidentiality of the entire process of creating a key pair;
đ) Using equipment that does not comply with technical standards and mandatory requirements to create a key pair;
e) Using insecure methods to transfer secret keys to organizations or individuals applying for digital certificates;
g) Creating a key pair in violation of the law;
h) Failing to securely store information about subscribers and their secret keys during the suspension period of digital certificates;
i) Illegally modifying information of subscribers and digital signature certification service providers;
k) Failing to ensure the confidentiality of subscribers' secret keys when authorized by the subscriber;
3. A fine of VND 30,000,000 to VND 50,000,000 shall be imposed for any of the following acts:
a) Using computer software or technical equipment to illegally intrude into the system or database of digital signature certification service providers without reaching the level of criminal prosecution;
b) Illegally disclosing or providing the secret key of specialized digital signature certification service providers;
c) Illegally using another person's secret key;
d) Counterfeiting or instructing others to counterfeit digital certificates;
đ) Creating a digital signature that does not meet one of the conditions stipulated in Article 9 of this Decree;
e) Using a technical system that lacks the ability to detect and warn against illegal access and cyber attacks;
g) Using a key distribution system for subscribers that does not ensure the integrity and security of the key pair;
h) Failing to implement measures to control entry into the premises or location where equipment for providing digital signature certification services is located;
i) Failing to implement measures to control access rights to the system providing digital signature certification services;
k) Illegally using the secret key of specialized digital signature certification service providers;
l) Stealing the secret key of specialized digital signature certification service providers;
m) Violating other provisions on safety and security as prescribed by law;
4. A fine of VND 50,000,000 to VND 70,000,000 shall be imposed for any of the following acts:
a) Illegally obstructing the operation of digital signature certification service providers;
b) Illegally using the secret key of public digital signature certification service providers;
c) Illegally disclosing or providing the secret key of public digital signature certification service providers;
d) Stealing the secret key of public digital signature certification service providers;
5. A fine of VND 70,000,000 to VND 100,000,000 shall be imposed for any of the following acts:
a) Failing to implement or fully implementing contingency plans to ensure safe, continuous operation and recovery from incidents;
b) Stealing the secret key of national digital signature certification service providers;
c) Illegally disclosing or providing the secret key of national digital signature certification service providers;
d) Illegally using the secret key of national digital signature certification service providers;
đ) Damaging equipment or databases of digital signature certification service providers without reaching the level of criminal prosecution;
e) Failing to comply with or complying improperly with the requirements of competent state agencies in emergency situations as prescribed by law on emergencies or to ensure national security.
Article 64. Violations of regulations on technical standards and mandatory standards
1. A fine of VND 10,000,000 to VND 30,000,000 shall be imposed for the act of providing digital signature certification services by specialized digital signature certification organizations not in accordance with registered standards.
2. A fine of VND 30,000,000 to VND 50,000,000 shall be imposed for the act of providing digital signature certification services by public digital signature certification service providers that do not meet registered standards.
3. A fine of VND 50,000,000 to VND 70,000,000 shall be imposed for any of the following acts:
a) Technical solutions not conforming to technical standards during operation;
b) Providing digital signature certification services not in accordance with technical standards and mandatory standards.
Article 65. Violations of regulations on tariff rates, fees, and charges
1. For violations concerning tariff rates for digital signature certification services provided in accordance with the provisions of Government Decree No. 169/2004/NĐ-CP dated September 22, 2004, which stipulates administrative penalties in the field of pricing.
2. For violations concerning fees and charges in the provision of digital signature certification services in accordance with the provisions of Government Decree No. 106/2003/NĐ-CP dated September 23, 2003, which stipulates administrative penalties in the field of fees and charges.
Article 66. Violations of regulations on service provision
1. A fine of from VND 1,000,000 to VND 5,000,000 for one of the following acts:
a) Providing incorrect or incomplete information as prescribed in Clause 1, Article 30 of this Decree;
b) Not providing written guidance to organizations or individuals requesting issuance of digital certificates before signing a digital certificate issuance contract;
c) Not renewing digital certificates of subscribers when requested according to regulations;
d) Not ensuring a 24-hour-a-day, seven-day-a-week channel to receive requests for revocation or suspension of digital certificates;
đ) Not retaining information related to digital certificates for a minimum period of five years from the date of certificate revocation;
e) Not providing in writing the information prescribed in Clause 1, Article 30 upon request of the subscriber;
2. A fine of VND 5,000,000 to VND 10,000,000 shall be imposed on any of the following acts:
a) Not notifying the subscriber if signs of exposure or non-integrity of their secret key are detected or any other errors that may adversely affect the subscriber's interests;
b) Not notifying the subscriber about the revocation of their public digital signature certification service license and information about the organization receiving their database;
c) Not notifying the subscriber before suspending the service as required under Clause 2, Article 39 of this Decree;
d) Not notifying the subscriber about the suspension, start time, and end time of the suspension when there is a basis for suspending their digital certificate;
đ) Not publicly announcing the suspension of new digital certificate issuance on their website;
e) Refusing to issue digital certificates without justifiable reasons;
g) Public certification rules not in accordance with the model of the Ministry of Posts and Telecommunications or containing content inconsistent with the provisions of this Decree;
h) Not publicly disclosing public certification rules in accordance with the model of the Ministry of Posts and Telecommunications;
i) Not notifying the subscriber about the revocation of their digital certificate;
k) Not registering with the Ministry of Posts and Telecommunications as prescribed in Article 46 of this Decree;
l) Not establishing a standard contract for digital certificate issuance activities;
m) Providing time stamping services not in accordance with technical standards and mandatory standards;
n) Not reporting to competent state agencies the suspension of new digital certificate issuance;
3. A fine of from VND 10,000,000 to VND 20,000,000 shall be imposed for one of the following acts:
a) Publishing digital certificates issued to subscribers on the database without confirmation from the subscriber regarding the accuracy of the information on the digital certificate;
b) Not publishing on the website new digital certificates issued, suspended, revoked, start time, and end time of the suspension of digital certificates;
c) Not restoring digital certificates after the suspension period has expired;
d) Not retaining all information related to the suspension or revocation of digital certificates for a minimum period of five years;
đ) Not agreeing to transfer the relevant database when the public digital signature certification service license is revoked;
e) Not reporting to the Ministry of Posts and Telecommunications in cases where agreement on the transfer of the relevant database cannot be reached when the public digital signature certification service license is revoked;
g) Changing key pairs without the subscriber's request;
h) Not retaining information related to organizations or individuals requesting issuance of digital certificates;
4. A fine of from VND 20,000,000 to VND 40,000,000 shall be imposed for one of the following acts:
a) Not suspending digital certificates upon request of the subscriber or competent state agency;
b) Not revoking digital certificates upon request of the subscriber or competent state agency;
c) Incorrectly publishing the content of digital certificates on the database;
d) Digital certificates not containing all required contents as prescribed in Article 10 of this Decree;
đ) Issuing digital certificates not in accordance with the positions within state agencies or organizations as prescribed in Article 11 of this Decree or not in accordance with laws;
e) Not allowing internet users to access lists of valid and expired digital certificates;
g) Not complying with the suspension or revocation of licenses as prescribed in Clause 1 and 2, Article 20 of this Decree;
h) Publishing digital certificates issued to subscribers on the database not meeting the deadline prescribed in Clause 3, Article 23 of this Decree;
i) Issuing time stamps not in accordance with the provisions of Clause 3, Article 28 of this Decree;
k) Not suspending the issuance of new digital certificates when errors in the digital signature certification service system are discovered.
5. A fine of from VND 40,000,000 to VND 70,000,000 shall be imposed for the following acts:
a) Failure to hand over documents and databases as prescribed in Clause 1 of Article 39 of this Decree;
b) Failure to report to the Ministry of Posts and Telecommunications for consideration of changes in content, revocation, or issuance of new licenses in accordance with regulations on eligible recipients when organizations providing public digital signature certification services carry out mergers, joint ventures, affiliations, and other organizational changes;
c) Implementation or provision of digital signature certification services not in accordance with the contents recorded on the public digital signature certification service license;
d) Failure to temporarily halt issuance of new certificates upon request of competent state agencies;
đ) Failure to maintain related database systems during the period of temporary suspension of new certificate issuance;
6. A fine of from VND 70,000,000 to VND 100,000,000 shall be imposed for one of the following acts:
a) Failure to maintain online 24 hours a day, 7 days a week a list of valid and expired certificates;
b) Failure to store accurately and update the list of valid and expired certificates for at least five years;
c) The equipment system for providing digital signature certification services of organizations licensed by the Ministry of Posts and Telecommunications to provide public digital signature certification services or certified as meeting security conditions for digital signatures is not located in Vietnam;
d) Failure to maintain information as prescribed in Article 36 of this Decree online 24 hours a day, 7 days a week on their website;
Article 67. Violation of provisions on the use of services
1. A fine of from VND 10,000,000 to VND 20,000,000 shall be imposed for failure to provide secret keys or necessary information to investigative agencies or security agencies;
2. A fine of VND 20,000,000 to VND 30,000,000 shall be imposed on any of the following acts:
a) Providing false information to obtain a certificate;
b) Using a digital signature corresponding to a certificate issued to an agency or organization as prescribed in Article 12 of this Decree when no longer holding the relevant position;
Article 68. Violation of provisions on reporting systems, information provision, and inspection and supervision
A fine of from VND 5,000,000 to VND 15,000,000 shall be imposed for any of the following acts:
Violating reporting systems as prescribed;
1. Providing false or incomplete information to competent state agencies when requested under the law;
2. Refusal to comply with inspections and supervisions conducted by competent state agencies;
Article 69. Additional penalties and measures to remedy consequences
In addition to primary penalties, depending on the nature and severity of the violation, organizations and individuals may also be subject to one or more additional penalties or remedial measures as follows:
1. Temporary suspension or cessation of issuance of new certificates for any of the violations prescribed in point c, Clause 2, Article 62; point d, Clause 2, Article 63; Article 64; point b, Clause 2; points a, c, d, Clause 3, Article 66 of this Decree;
2. Revocation of the license for providing public digital signature certification services or certificate of compliance with security conditions for digital signatures or foreign digital signature recognition and certificate for any of the violations prescribed in point b, c, Clause 2, Article 62; point d, Clause 2, Article 63; Article 64; point b, Clause 2; points a, c, d, Clause 3, Article 66 of this Decree;
3. Confiscation of objects and means used to commit administrative offenses for any of the violations prescribed in point b, Clause 2, Article 62; Clause 1; points a, b, c, d, Clause 2; points a, b, c, d, Clause 3; point a, Clause 4, Article 63; point c, Clause 2, Article 66 of this Decree;
4. Compulsion to restore the original condition altered due to administrative violations for any of the violations prescribed in point b, Clause 1; point b, Clause 3, Article 63 of this Decree;
5. Compulsion to comply with national regulations for violations prescribed in Clause 1; points a, c, Clause 2; Clause 3, Article 62; point d, Clause 2; point d, Clause 3, Article 63; Article 64; Clause 1; points a, b, Clause 2; Clause 3, Article 66; Article 68 of this Decree.
Article 70. Competence to Impose Administrative Penalties
1. Postal, Telecommunications, and Information Technology Inspectors carrying out their duties have the competence to:
a) Impose fines up to 200,000 VND;
b) Confiscate objects and means used for administrative violations with a value up to 2,000,000 VND;
c) Apply remedial measures as stipulated in Clause 4 and Clause 5 of Article 69 of this Decree;
d) Exercise rights prescribed in Clause 2 of Article 46 and Clause 2 of Article 48 of the Ordinance on Handling Administrative Violations.
2. The Head of Postal and Telecommunications Inspection at the Department has the competence to:
a) Impose fines up to 20,000,000 VND;
b) Apply additional forms of administrative penalties and remedial measures as stipulated in Article 69 of this Decree;
c) Exercise rights prescribed in Clause 1 of Article 46 of the Ordinance on Handling Administrative Violations.
3. The Head of Postal and Telecommunications Inspection at the Ministry has the competence to:
a) To impose fines up to VND 100,000,000;
b) Apply additional forms of administrative penalties and remedial measures as stipulated in Article 69 of this Decree;
c) Exercise rights prescribed in Clause 1 of Article 46 of the Ordinance on Handling Administrative Violations.
4. Inspectors and Heads of other specialized inspection agencies have the competence to impose administrative penalties on acts of administrative violation in the field of digital signatures and digital signature certification services like postal, telecommunications, and information technology inspectors within the scope of state management as prescribed by the Government.
People's Public Security, Customs, Tax Authorities, Market Management Agencies have the competence to impose administrative penalties according to Articles 31, 34, 36, and 37 of the Ordinance on Handling Administrative Violations for acts of administrative violation related to digital signatures and digital signature certification services directly under their management as prescribed in this Decree.
5. Competence to Impose Administrative Penalties of People's Committees at all levels
Chairpersons of People's Committees at all levels have the right to impose administrative penalties according to the competence prescribed in Articles 28, 29, and 30 of the Ordinance on Handling Administrative Violations within the territory under their management for acts of administrative violation related to digital signatures and digital signature certification services as prescribed in this Decree.
Article 71. Principles, Time Limits, Procedures for Imposing Administrative Penalties, Aggravating Circumstances, Mitigating Circumstances
Principles for imposing administrative penalties, time limits for imposing administrative penalties, procedures for imposing administrative penalties, aggravating circumstances, mitigating circumstances, and the period considered as not having been administratively penalized regarding digital signatures and digital signature certification services shall be implemented in accordance with the provisions of the Ordinance on Handling Administrative Violations.
Article 72. Criminal Liability Pursuit
Acts of exploiting digital signatures and digital signature certification services to oppose the Socialist Republic of Vietnam and disrupt national security, public order, and social safety; other serious violations related to digital signatures and digital signature certification services that constitute criminal offenses will be pursued for criminal liability in accordance with the provisions of the law.
Chapter XI:
IMPLEMENTING PROVISIONS
Article 73. Implementation Provisions
This Decree shall take effect fifteen days after its publication in the Official Gazette.
The Ministers, Heads of ministerial-level agencies, Heads of government-attached agencies, Chairpersons of provincial People's Committees under the central city shall be responsible for implementing this Decree./.
关系图
点击文件即可打开。红色边框=改变效力的关系。