
Vietnam: Cybersecurity


1. GOVERNING TEXTS

1.1. Legislation

The key pieces of cybersecurity legislation in Vietnam are the Cybersecurity Law ('CSL') (enacted in 2018 and effective on 1 January 2019) (only available to download in Vietnamese here) and the Law on Cyber Information Security No.86/2015/QH13 ('LCS') (enacted in 2015 and effective on 1 July 2016), together with the LCS' lower-level implementing Decrees and Circulars. Currently, there is no implementing guideline for the CSL.

The implementing Decrees and Circulars for the LCS include:

  • Decree 53/2022/ND-CP dated 17 August 2022 and effective on 1 October 2022 Detailing some Articles on the Cyber Security Law (only available in Vietnamese here) ('Decree 53/2022')
  • Decree 85/2016/ND-CP dated 1 July 2016 and effective on the same date on security of information systems by classification (only available in Vietnamese here) ('Decree 85/2016');
  • Decree 142/2016/ND-CP dated 14 October 2016 and effective on 1 December 2016 on the prevention of online information conflicts (only available in Vietnamese here) ('Decree 142/2016');
  • Circular 20/2017/TT-BTTTT - Regulations on coordinating and responding to information security incidents nationwide;
  • Circular 31/2017/TT-BTTTT - Regulations on surveillance of information system security (only available in Vietnamese here);
  • Circular 09/2020/TT-NHNN – Prescribing information system security in banking operations ('Circular 09/2020');
  • Circular 54/2017/TT-BYT - Regulations on the Protocols of IT Application at medical units ('Circular 54/2017');
  • Decree 117/2018/ND-CP dated 11 September 2018 and effective on 1 November 2018 on the obligations to confidentiality and the provision of clients' information in banking sector (only available in Vietnamese here); and
  • Decree 15/2020/ND-CP dated 3 February 2020 and effective on 15 April 2020 on the administrative penalties in post, telecommunications, radio frequencies, information technology and e-transactions (only available in Vietnamese here) ('Decree 15/2020/ND-CP') (amended by Decree 91/2020/ND-CP dated 14 August 2020 on fighting spam messages, spam emails and spam calls ('Decree 91/2020')).

The CSL and the LCS are aimed at different cybersecurity areas. The LCS primarily provides requirements on cyber-data security protection, while the CSL primarily provides requirements to ensure national security of the cyber-environment as a whole, with a strong focus on controlling online speech and combating other digital crimes.

The CSL and the LCS broadly apply to any users that use, gather, process, and disseminate online information from Vietnamese and Vietnam-based users ('Data Holders').

Given the relative 'youth' of the LCS and the CSL, especially the CSL, which currently still lacks any implementing regulations, there are many areas within their scope that remain uncertain and require further guidance from the authorities. There are ongoing efforts by the Government of Vietnam ('the Government') and its agencies to guide the legislation at the lower level. Specifically, the Ministry of Public Security ('MPS') is responsible for guiding the CSL and the Ministry of Information and Communications ('MIC') for guiding the LCS.

1.2. Regulatory authority

In general, the National Assembly of Vietnam is the body that promulgates the LCS and the CSL. However, the MIC and the MPS are the main regulatory authorities regulating, implementing, interpreting, and enforcing both the LCS and the CSL. In particular, the MIC is the key line authority with respect to the LCS and plays more of a supporting role with respect to the CSL. Conversely, the MPS is the focal authority for the CSL and plays more of a supporting role with respect to the LCS.

1.3. Regulatory authority guidance

The MPS has not yet issued any implementing regulations or official guidance for the CSL, despite being promulgated three years ago. It is widely expected that the Government will issue an implementing Decree soon, though the timing is uncertain. However, on the issue of tackling digital crimes and controlling online speech, the MPS has been very active in introducing measures to penalise violations committed online, to the extent that criminal prosecution could be applied in extreme cases.

On the other hand, Decree 142/2016 was issued by the Government to implement the LCS. Decree 142/2016 provides guidance to and imposes obligations on Data Holders dealing with online conflicts. Accordingly, it sets out a procedure and timeline for Data Holders to follow when they receive reports of online information conflicts. Decree 142/2016 also stipulates the measures that the authorities will need to implement to prevent online conflicts when Data Holders refuse to comply, including altering the information and applying technical barriers against Data Holders' information portals.

2. SCOPE OF APPLICATION

The CSL applies to all Data Holders and their information infrastructure. The CSL and the LCS collectively cover all entities and network and information systems that handle data from Vietnamese and Vietnam-based users. While at first glance it appears that both pieces of legislation may focus on social network providers, for example Facebook, YouTube, or 'pure tech' behemoths such as Google, the language of the legislation is broad and, on the face of it, captures a wide range of business activities and models. In particular, both pieces of legislation cover all actors (whether based onshore in Vietnam or offshore) that provide services on telecommunication networks, the internet, and other value-added services on the internet in Vietnam. This wide language covers a vast array of activity and is clearly not limited to social media services. For example, when a foreign bank provides an online service to a client in Vietnam (including a non-Vietnamese citizen resident in Vietnam), its activities may be covered by the legislation. Another example would be online booking services that are accessible to, and used by, residents of Vietnam.

Users and social media network providers are, of course, also targeted when it comes to tackling digital crimes and controlling online speech. Administrative fines and possible criminal prosecutions are in place to penalise violations on this front.

There is an ongoing effort to draft an implementing Decree that may clarify or limit the scope of the CSL's application to certain entities, but as of today, neither the draft Decree on implementing the CSL nor the draft Decree on protection of personal data based on the CSL has been approved by the Government.

3. DEFINITIONS

Information security program: Hardware or software functioning to protect information and information systems.

Cybersecurity incident: An unexpected event in cyberspace that threatens national security, public order, or the lawful rights and interests of an organisation or individual.

Cyber information security risk: A subjective factor or an objective factor that is likely to affect the status of cyber information security.

Cybercrime: A crime that involves the use of cyberspace, information technology, or electronic devices as defined in the Criminal Code No. 100/2015/QH13 of the Vietnam National Assembly (27 November 2015) (only available in Vietnamese here) ('the Criminal Code').

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

All network and information systems of Data Holders are subject to certain monitoring by authorities when Data Holders use such systems to gather, use, transfer, or process data from Vietnamese and/or Vietnam-based users.

The CSL also stipulates requirements for certain national networks and information systems, which are classified as 'national critical information infrastructure.' It is also stipulated in the CSL that the Government shall promulgate a list of national critical information infrastructure to give clarity to this provision. However, as of today, no such list has been promulgated.

Article 10.2 of the CSL stipulates that the following national information systems shall be deemed 'national critical information infrastructure':

  • systems of military, security, diplomatic, or cryptographical significance;
  • archiving and processing state-secret information;
  • serving storage of particular important items and documents;
  • serving storage, manufacturing, and management of other facilities relevant to national security;
  • serving operation of central organisations;
  • serving energy, finance, banking, telecommunications, transport, resources and environment, chemical, health, culture, and press authorities;
  • serving storage of materials or substances that are harmful to humans or the environment; and
  • automatic monitoring and control systems at important works relevant to national security or national security targets.

For network and information systems not classified as 'national critical information infrastructure,' the LCS divides them into five classes, with each classification corresponding to a certain level of necessary security measures. The headings below summarise these categories and their criteria found under Articles 7 to 11 of Decree 85/2016/ND-CP on security measures for each network classification:

Classification 1

  • An information system that serves internal operations of an organisation or agency and only processes public information.

Classification 2

To fall under classification 2, at least one of the following criteria must be satisfied:

  • an information system that serves internal operations of an organisation or agency and processes private information and personal information of users but does not handle classified state information;
  • an information system that serves the people and enterprises in one of these manners:
    • provides information and online public services at level two or lower as per the law;
    • provides online services that are not stated in the list of conditional business services; or
    • provides other online services of processing private and personal information of less than 10,000 users; and
  • a system of information infrastructure that is of use to an organisation or agency.

Classification 3

To fall under classification 3, at least one of the following criteria must be satisfied:

  • an information system that processes classified state information or provides services to national defence and security and whose sabotage compromises the defence and security of the country;
  • an information system that serves the people and enterprises in one of the following manners:
    • provides information and online public services at level three or higher as per the law;
    • provides online public services that are defined in the list of conditional business services; or
    • provides other online services of processing private and personal information of 10,000 or more users;
  • a system of shared information infrastructure that is of use to agencies and organisations in an industry, province, or provinces; and
  • an industrial manoeuvre information system that directly services the manoeuvre and operation of ordinary activities of buildings of grade II, III or IV as per the regulated gradation of construction. An industrial manoeuvre information system is defined as an information system having 'the functional role in supervising and collecting data, managing, and controlling vital sections for manoeuvring, and operating the ordinary activities of construction buildings' (Article 6.2.d - Decree 85/2016).

Classification 4

To fall under classification 4, at least one of the following criteria must be met:

  • an information system that processes state information or provides a service of national defence and security and whose sabotage gravely compromises the defence and security of the country;
  • a national information system that serves the development of the electronic government, functions on a round-the-clock basis and does not halt without prior schedule;
  • a system of shared information infrastructure that services agencies and organisations on nation-wide scale and round-the-clock basis and does not halt without prior schedule; and
  • an industrial manoeuvre information system that directly services the manoeuvre and operation of ordinary activities of buildings of grade I as per the regulated gradation of construction.

Classification 5

To fall under classification 5, at least one of the following criteria must be satisfied:

  • information system that processes confidential state information or which provides a service of national defence and security and whose sabotage causes excessively grave detriment to the defence and security of the country;
  • an information system that services the centralised storage of particularly vital information and data of the country;
  • a system of national information infrastructure that connects Vietnam with the world;
  • an industrial manoeuvre information system that directly services the manoeuvre and operation of ordinary activities of special-graded buildings as per the regulated gradation of construction or vital buildings concerning national security according to legal regulations on national security; and
  • other information systems at the discretion of the Prime Minister.

4.1. Cybersecurity training and awareness

According to Article 9 of Circular No. 03/2017/TT-BTTTT guiding Decree No. 85/2016, each level of cyber information security has its own corresponding set of measures, as detailed in the annexes thereof.

According to Article 49 of the CSL, cyber information training shall be regulated as follows:

  • the managing body of an information system shall provide training in cyber information security knowledge and skills for managerial and technical staff members;
  • full-time cyber information security officers shall be assigned with, and assisted in performing, tasks relevant to their professional qualifications, and prioritised in attending cyber information security refresher training;
  • the State shall encourage organisations and individuals to invest in, enter into joint ventures with, and associate with other organisations in building higher education institutions and vocational training institutions with a view to training human resources for cyber information security; and
  • the Ministry of Home Affairs shall assume the prime responsibility for, and coordinate with the MIC and related ministries and sectors in planning and organising training in cyber information security knowledge and operations for cadres, civil servants, and public employees.

4.2. Cybersecurity risk assessments

According to the LCS, a cybersecurity risk assessment means the detection, analysis, and estimation of levels of harm and threats to information or information systems, which shall be managed by the MIC.

Assessment of cyber information security standard or regulation conformity shall be conducted in the following cases:

  • regulation conformity certification shall be conducted and regulation conformity stamps shall be obtained by an organisation or individual prior to marketing cyber information security products; or
  • to serve the State management of cyber information security.

Assessment of cyber information security standards or regulation conformity serving national important information systems and serving the state management of cyber information security shall be conducted by conformity certification organisations designated by the MIC.

4.3. Vendor management

Article 10 of the LCS provides that telecommunications enterprises, enterprises providing telecommunications application services, and enterprises providing information technology services that send information shall:

  • comply with the law on storage of information and protection of personal information and private information of organisations and individuals;
  • take blocking and handling measures upon receiving notices of organisations or individuals that the sending of information is illegal;
  • give recipients the option to refuse to receive information; and
  • provide necessary technical and professional conditions upon request for competent state agencies to manage and ensure cyber information security.

Enterprises providing email services or transmitting and storing information must have malware filtering systems in the course of sending, receiving, and storing information via their systems and shall send reports to competent state agencies in accordance with law.

Internet service-providing enterprises shall take measures to manage, prevent, detect, and stop the spread of malware and handle it at the request of competent state agencies.

4.4. Accountability/record keeping

With regard to audit procedures, the audit dossier must be fully and safely preserved during the period of use. Furthermore, in relation to records of processing activity, whether in electronic or hard copy form, such activities must be recorded appropriately, while the data must be kept confidential and may only be consulted during the period of use.

There are no relevant provisions relating to Privacy by Design or Default or codes of conduct.

5. DATA SECURITY

  • Technical and organisational measures: The Ministry of Science and Technology shall appraise and publish national technical standards on cyber information security, and the MIC shall promulgate national technical standards on cyber information security;
  • Access controls and privileges: These shall be stipulated based on the following classifications of data:
    • Public information is the online data that an organisation or individual owns and discloses to every entity without identifying and locating such entities;
    • Private information is the online data that an organisation or individual owns and does not disclose or only provides to one or some entities identified and located;
    • Personal information is the online data related to the identification of a particular person; and
    • Classified state information is the data classified as confidential, secret, and top secret in conformity to the laws on protection of classified state information.
  • Multi-factor authentication: Not applicable;
  • Encryption: Not applicable;
  • Cryptography: Such measures are required in the banking and telecommunications sectors;
  • Physical security: Not applicable; and
  • Security policy: Not applicable.

The legislation imposes obligations on Data Holders to implement technical measures to monitor and manage risks occurring on their network and information systems. The measures vary according to the respective class of the network and information systems. For network and information systems of classes 1 and 2, such measures follow general principles only, and Data Holders are encouraged to proactively apply measures at their own discretion.

For Data Holders who operate network and information systems of class 3 and above, the following measures must be observed:

  • store the data of users and make it available for the authorities to check and investigate upon request (i.e. localise the data);
  • apply technical solutions to detect any risks; and
  • cooperate with the authorities upon request in order to provide data and report on the implementation of security measures.

No further provisions are currently in place that elaborate on or clarify the above measures. It is unclear whether such measures are strictly observed by Data Holders in Vietnam.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

There is an obligation on Data Holders to notify the authorities of any cybersecurity incidents. Under Vietnamese law, a 'cybersecurity incident' is understood as (and seemingly limited to) an incident where information or information systems are attacked or harmed, affecting the 'entirety, confidentiality, or utilisation' of the system in question. It is unclear what such criteria mean in practice, but we understand that any significant incident that causes systems to crash or compromises the confidentiality of stored data will be deemed a cybersecurity incident.

When a cybersecurity incident occurs, Data Holders have five days to proactively address the incident, without having to notify the authorities. After the end of such five-day period, Data Holders need to notify the authorities of the incident, regardless of whether it has been resolved or is ongoing. If the incidents remain ongoing or unresolved at the end of the five-day notification period, Data Holders must keep the authorities up to date on the actions taken to address the incidents. However, there is currently no more detail on how this requirement is to be implemented in practice.

Where Data Holders deem that they are not capable of resolving an incident, the authorities may address the incident. It is unclear whether a prolonged incident in itself triggers the authorities' right to step in.

7. REGISTRATION WITH AUTHORITY

Data Holders are required to register their network and information systems with the MIC for classification. The registration dossier includes technical dossiers describing the network and information systems in question and also includes Data Holders' self-appraisal of their network and information systems. The statutory timing for the MIC to review the application document is seven days from the date of submission of a complete dossier.

8. APPOINTMENT OF A SECURITY OFFICER

Not applicable. There is no express statutory obligation for Data Holders to appoint 'security' officers.

However, under Decree 52/2013/ND-CP on e-commerce activities (available only in Vietnamese here), traders who own e-commerce websites that store and use personal data of customers must have a personal data protection policy, specifying in detail the address and contact information of the organisation or officer responsible for collecting and managing the information.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial services

Only the banking sector (as opposed to the financial sector as a whole) is subject to more specific regulation. In particular, the State Bank of Vietnam ('SBV') requires that credit institutions in Vietnam strictly follow the protocol to handle data breach incidents, with procedures very similar to those under the LCS. However, the main difference is that the SBV, together with its specialised divisions, will be the line authority to handle, coordinate, and assist credit institutions with applying such protocols. As such, banks and financial companies appear to be more compliant with this protocol than ordinary companies that must follow the LCS.

Health

While following the general laws under the CSL and the LCS, the Ministry of Health ('MoH') issued Circular 54/2017. Circular 54/2017 stipulates what the MoH deems to be 'good practices' for medical units (e.g. hospitals, clinics) to apply when they handle patients' data online. Though issued in the form of a legal instrument, these 'good practices' are largely viewed as 'suggestive', and it is unclear whether or how medical units apply these protocols in practice.

Telecommunications

Under Article 6 of the Law on Telecommunications (available only in Vietnamese here), assuring information confidentiality requires:

  • organisations and individuals engaged in telecommunications activities shall protect state secrets under the law on protection of state secrets;
  • when sending, transmitting or storing information classified as state secrets through telecommunications networks, organisations and individuals shall encrypt such information under the law on cipher;
  • private information transmitted through public telecommunications networks of all organisations and individuals shall be kept confidential and the control of information on telecommunications networks shall be performed by competent state agencies under law;
  • telecommunications businesses may not disclose private information on telecommunications service users, including name, address, caller number, call number, position of caller, position of call recipient, call duration, and other private information provided by users upon entry into contracts with telecommunications businesses, except in the following cases:
    • telecommunications service users agree to provide the information;
    • telecommunications businesses agree in writing on the exchange of provided information on telecommunications service users for calculation of charges, billing of invoices, and prevention of acts of shirking contractual obligations; and
    • the information disclosure is requested by competent state agencies under the law.

Employment

Not applicable. The general guidance under the LCS and the CSL applies.

Education

Not applicable. The general guidance under the LCS and the CSL applies.

Insurance

In general, under the Law on Insurance Business (only available in Vietnamese here), the insurance company is obliged to keep information about the insurance purchaser confidential.

Other issues are governed by the LCS and the CSL.

10. PENALTIES

In general, both the CSL and the LCS provide that any failure to comply with the laws may result in administrative fines and possible criminal prosecution. While many of the features under the CSL remain unregulated (e.g. requirements to set up a local entity, data localisation, etc.), digital crime and online speech are heavily regulated under the new Decree 15/2020/ND-CP, which took effect on 15 April 2020 and was amended by Decree 91/2020. In particular, administrative fines and the removal of unlawful content are prevalent, while criminal prosecutions have proliferated, especially in the context of the Government's fight against COVID-19; for example, the first such criminal prosecution appeared in April against a Facebook user alleged to have spread 'fake news' regarding confirmed cases of COVID-19 in Vietnam.

Aside from potential administrative penalties, there are currently no specific provisions under the Criminal Code that criminalise non-compliance with the CSL and/or the LCS.

11. OTHER AREAS OF INTEREST

Decree 53/2022 introduces data storage requirements, alongside the establishment of a representative office. More specifically, Article 26 of Decree 53/2022 provides that data which must be stored in Vietnam includes:

  • personal data of users in Vietnam;
  • data created by Vietnam-based users, including account name, time of usage, credit card information, email address, IP address, most recent log-out, and registered phone numbers; and
  • data in relation to the relationship of Vietnam-based users with their friends or other people with whom the users interact.

On the storage of personal data in Vietnam, Decree 53/2022 notes that the form of data storage may be decided by the enterprise in question, but that the MPS will notify, guide, monitor, supervise, and urge enterprises to comply with the data storage requirements.

Furthermore, Decree 53/2022 notes that relevant enterprises must implement the data storage requirements within 12 months of the MPS issuing a decision requesting the storage of data, and that the storage period of such data, counted from the time enterprises receive a request, is a minimum of 24 months. More specifically, system logs that serve the investigation and handling of violations of Section 26 of the CSL must be stored for a minimum of 12 months.

In addition, Article 26 of Decree 53/2022 provides that foreign enterprises are required to establish a representative branch office in Vietnam if they meet both of the following criteria:

  • the foreign enterprise doing business in Vietnam is in one of the following fields:
    • telecommunication services;
    • data sharing and storage;
    • provider of a national or international domain for Vietnamese users;
    • e-commerce;
    • social network and social marketing;
    • online games; or
    • provision, management, or operation of other information on the internet in the form of messages, telephone calls, video calls, email, or online games; and
  • the services provided by the enterprise may be used to commit acts violating the CSL.


Dr. Thi Lang Nguyen, Senior Associate
Hau Le Nguyen Duy, Senior Associate
Duane Morris LLP, Hà Nội