The development of the business sector “Trading of cybersecurity products and services” has already been considered by the Government as it was included as a conditional business line under the Law on Investment 2020 (which is further amended and supplemented by Law No. 03/2022/QH15 dated 11 January 2022). In order to further explain and offer guidance for the implementation of this business sector, the Ministry of Public Security (“MPS”) has released the draft Decree on the Regulation of Business Conditions for Trading of Cybersecurity Products and Services (the “Draft Decree”) in January 2022. This article will brief the Draft Decree.
The clarification of cybersecurity products and services
The Draft Decree has not yet introduced specific legal definitions of cybersecurity products and services, instead, such products and services are listed for ease of implementation.
Regarding cybersecurity products, this type of products includes:
- Products that secretly collect information.
- Security control products for network traffic.
- Network information suppression products.
- Digital forensics and digital investigation products.
- Specialised network attack products.
- Spyware and cyberweapons detection products.
- Products that detect the risk of causing cybersecurity incidents, revealing or losing State secrets in cyberspace.
- Products to fight against attacks and intrusions into information systems that are vital to national security.
Regarding cybersecurity services, this type of services includes:
- Cybersecurity inspection services for equipment and software used in information systems that are vital to national security.
- Cybersecurity supervising services to supervise, detect and provide early warning of network attacks, cyber terrorism, cyber espionage, cybersecurity incidents, unusual signs of cybersecurity information systems that are vital to national security.
- Cybersecurity consulting services for agencies, organisations and individuals to prevent infringing upon cybersecurity and protect confidentiality of information and data.
- Assessment services to ensure cybersecurity standards.
- Cybersecurity testing services, including testing services for cybersecurity vulnerabilities and weaknesses; detect spyware, malicious code in the information system that are vital to national security.
- Cybersecurity product maintenance services.
- Services for responding to and overcoming cybersecurity incidents and dangerous situations in cybersecurity.
Enterprises trading in cybersecurity products and services will need to meet the requirements of a conditional business line
Upon the validity of the Draft Decree, enterprises that intend or currently operate the business activity in trading of cybersecurity products and services will need to satisfy the six following conditions:
- Satisfy the conditions specified in Article 7 of Decree No. 96/2016/ND-CP dated 1 July 2016, regulating the conditions on security, orders with certain conditional business lines.
- Enterprises must be established under the laws of Vietnam.
- Have a business plan for trading of cybersecurity products and services; including the following contents: the scope, the object for which products and services are provided; types of products and services to be produced; the compliance with relevant technical regulations and standards for each type of product or service; the basic technical features of products and services.
- Have a system of equipment, facilities, and technologies that are suitable to the description of the aforementioned business plan.
- Have personnel who will be responsible for information security and administration, with an in-depth understanding of system cybersecurity, and a university bachelor, or higher, degree majoring in information technology, information security or electronic telecommunication.
- Have an appropriate technical plan that included the following contents: an overall description of the technical system; system features; compliance with relevant technical regulations and mandatory standards, information security plans in the process of using and providing cybersecurity products and services.
New regulations over the license to trade of cybersecurity products and services
License to trade of cybersecurity products and services
Enterprises that meet the foregoing conditions will be granted a license to trade cybersecurity products and services once their registration with the MPS is legally accepted. The MPS is the competent authority that receives, accepts the registration dossier and grants operational licenses to qualified enterprises in this sector. This license will be effective for five years and can be extended one time for another five years. One of the mandatory contents of the license is that it must include the information of cybersecurity products, services that are permitted to be traded.
The issuance of a license to trade in cybersecurity products and services comes with reporting responsibilities by the enterprise. Licensed enterprises must make irregular reports upon request and annual reports on the business status of trading of cybersecurity products and services. The MPS is the administratively competent authority to receive such reports.
Dossier applied for the grant of License to trade of cybersecurity products and services
A dossier for registration to operate trading of cybersecurity products and services will only be submitted and accepted by the MPS. Components of the dossier mainly include documents showing that enterprises meet the business conditions as discussed above. Three essential documents that must be included are: (i) A written explanation of the technical equipment systems to ensure compliance with laws; (ii) A Description of the business plan including the scope, the object of service provision, service standards, and quality; and (iii) Documents evidencing the plan to secure information.
During the process of handling such dossier, the MPS will have the right to request the enterprise to supplement its application dossier, a written explanation, or explain in person if the corresponding application dossier neither provides enough information nor satisfies the conditions. Such request may only be made once.
Conclusion
In February 2022, the MPS received the VCCI’s assessments and comments on the content of the Draft Decree. Such assessments and comments are now published on the legal development website of VCCI for public reference. No further official information has been issued by the Government (the MPS in particular) on the revision steps, or the exact promulgation time of the Draft Decree.
