Nghị định 108/2016/ND-CP

DECREE

DETAILED REGULATIONS ON PROVISION OF CYBER INFORMATION SECURITY SERVICES AND PRODUCTS

Pursuant to the Law on Government organization dated June 19, 2015;

Pursuant to the Law on Cyber information security dated November 11, 2015;

Pursuant to the Law on Investment dated November 26, 2014;

Pursuant to the Law on Enterprises dated November 26, 2014;

At request of the Minister of Information and Communications, the Government hereby issues this Decree detailing regulations for provision of cyber information security services and products.

Chapter I

GENERAL PROVISIONS

Article 1. Scope

1. This Decree stipulates regulations on:

a) Requirements, procedures and application for the Business License to provide cyber information security services and products (hereinafter referred to as “Business License”);

b) Cyber information security services and products;

c) Cyber information security imports under the Import License.

2. This Decree does not affect the trading and provision of civil cryptographic services and products and digital signature certification services.

Article 2. Regulated entities

This Decree applies to organizations and enterprises directly participating or involving in the production and importation of cyber information security products and services in Vietnam.

Article 3. Cyber information security services and products

1. Cyber information security products include:

a) Information security risk evaluation products which are hardware or software applications designed to scan, monitor and analyze the configuration, status and log data, detect and identify vulnerabilities and make information security risk assessments.

b) Information security monitoring products which are hardware or software applications designed to monitor and analyze electronic data; collect and analyze real-time data logging; detect and give warning of potential risks or events that may threaten the information security;

c) Instruction detection and prevention products which are hardware or software applications designed to help save the system from cyber-attacks.

2. Cyber information security services include:

a) Information security monitoring services provided to monitor and analyze electronic information, collect and analyze real-time data log, detect and give warning of potential risks or events that may threaten information security;

b) Intrusion detection and prevention services provided to monitor, collect and analyze real-time activities on the system or network in order to detect and prevent malicious activities targeted into the network or system;

c) Information security consulting services aiming to give advices, testing, assessment, offer, design and execution of information security solutions;

d) Incident response services provided to response or adopt appropriate measures to promptly remedy information security incidents;

dd) Data recovery services provided to salvage data that has been damaged or deleted;

e) Information security risk evaluation services provided to scan, monitor and analyze the configuration, status and log data, detect and identify vulnerabilities and make information security risk assessments.

g) Information confidentiality without civil cryptography provided to ensure user's information confidentiality without the backup of civil cryptography.

Article 4. Lists of licensed cyber information security imports

1. Licensed cyber information security imports include:

a) Information security risk evaluation products;

b) Information security monitoring products;

c) Instruction detection and prevention products.

2. The Ministry of Information and Communications shall compile the List of licensed information security imports under clause 1 of this Article.

3. For importers wishing to import information security products other than those specified in clause 1 of this Article, the Import License is not required.

Chapter II

REQUIREMENTS, PROCEDURES AND APPLICATION FOR THE LICENSE TO PROVIDE CYBER INFORMATION SECURITY SERVICES AND SOFTWARE

Article 5. Business Licenses

1. The Ministry of Information and Communications has the power to issue the Business License to provide information security products and services

2. The Business License shall be valid for 10 years and shall be made using the Form 01 in the Annex hereto.

Article 6. Requirements for grant of Business Licenses

1. In order to be granted the Business License prescribed in Article 3 hereof, the enterprise shall meet all requirements stipulated in Article 42 of the Law on Cyber-Information Security and those prescribed hereof.

2. Every importer of information security products prescribed in clause 1, Article 3 hereof shall satisfy requirements in clause 1 of this Article. Requirements in point c, and d, clause 1, Article 42 of the Law on Cyber-information Security are detailed as follows
Every importer shall:

a) Have a management team satisfying professional requirements for information security and technicians in-charge obtaining the bachelor degree in or certificate of information security or information technology or electronics and telecommunications at the appropriate quantity according to the business scale and business methods;

b) Have appropriate business methods available that cover the purposes of importation, scope and clients; the conformity with relevant technical standards and regulations by each product and basic specifications.

3. Every information security product producer prescribed in clause 1, Article 3 hereof shall satisfy requirements in clause 1 of this Article. Requirements in point b, c, and d, clause 1, Article 42 of the Law on Cyber-information Security are detailed as follows
Every producer shall:

a) Have facilities, equipment and production technology that are appropriate for the business method available;

b) Have a management team satisfying professional requirements for information security and technicians obtaining bachelor degrees in or certificates of information security of information technology or electronics and telecommunications at the appropriate quantity according to the business scale and business methods;

c) Have appropriate business methods available that cover the purposes of importation, scope and clients; expected products, the conformity with relevant technical standards and regulations by each products and basic specifications.

4. Every information security service provider providing services prescribed in point a, b, c, Article, and/or dd, clause 2 Article 3 hereof shall satisfy requirements in clause 1 of this Article. Requirements in point b, c, and d, clause 1, Article 42 of the Law on Cyber-information Security are detailed as follows:

Every service provider shall:

a) Have facilities, and equipment that are appropriate for the business scale and business methods available;

b) Have a management team satisfying professional requirements for information security and technicians obtaining bachelor degrees in or certificates of information security of information technology or electronics and telecommunications at the appropriate quantity according to the business scale and business methods;

Have appropriate business methods available that cover the purposes of importation, scope and clients; expected products, approaches to customers’ information protection and service quality assurance. 5. Information security risk evaluation service providers shall satisfy requirements in clause 2, Article 42 of the Law on Cyber Information Security. Entities providing information confidentiality services without civil cryptography shall satisfy requirements in clause 3, Article 42 of the Law on Cyber Information Security. Point a and d, clause 2, Article 42 of the Law on Cyber Information Security is detailed as follows
Every service provider shall:

a) Satisfy all requirements stipulated in clause 4 of this Article:

b) Have appropriate engineering methods which cover the general engineering, the compatibility of system with expected services, conformity with compulsory technical regulations and standards.

Article 7. Requirements, procedures and application for Business License

The applications and procedures for grant, adjustment, extension, suspension, revocation and re-issue of the Business License are stipulated in Articles 43, 44 and 45 of the Law on Cyber Information Security.

Article 8. Submission of applications for Business Licenses

1. Applicants shall submit their application for the Business License to the Ministry of Information and Communications

a) Directly;

b) By post; or

c) Electrically via the portal of the Ministry of Information and Communications.

2. The Ministry of Information and Communications shall send the applicant a notification to confirm the receipt of the application in writing or electrically within 01 working day from the date of receipt.

3. In case of direct submission, the date of receipt is the date on which the applicant submits his/her application.

4. The date of receipt of the application submitted by post is the date on which the application is delivered to the Ministry of Information and Communications by the postal service provider.

5. In case of electrical submission, the Ministry of Information and Communications shall consider issuing the Business License according to the Government’s roadmaps for electronically providing public services.

Article 9. Verification of applications for Business Licenses

1. The application shall be made in Vietnamese including 01 original and 04 valid copies in case of application for the Business License; or 01 original and 01 valid copy in case of adjustment and extension to the Business License. The original application shall be signed and sealed by the applicant, any document issued by the applicants with two pages or more shall be fan stamped. The valid copy may not be stamped with certification mark nor authentication mark but must be fan stamped.

2. The application form for grant/re-issue/adjustment/extension of the Business License shall be made using the form 02; business method, engineering method and status report on information security product and service provision shall be made using forms 3, 4 and 5, respectively, presented in the Annex hereto.

3. The Ministry of Information and Communications shall examine and notify the applicant of the validity of his/her application after 03 working days from the date of receipt of the application.

4. The application is verified valid if it:

a) Be made in accordance with clause 1 of this Article;

b) Include all required documents specified in Article 43 of the Law on Cyber Information Security;

c) Include all required information and be made using respective form stipulated in the Annex hereto.

5. In case of invalid applications, the Ministry of Information and Communications shall send the applicant a written notice which specifies unsatisfactory elements. The applicant shall be entitled to submit an additional application or written accountability for the validity of the application or adjustments to the application. The verification shall be carried out in accordance with clause 4 of this Article.

Article 10. Submission, accountability and supplementation to applications during the verification

1. In the verification period, the Ministry of Information and Communications has the right to request the applicant to supplement his/her application or submit accountability in writing or verbally if the application is unsatisfactory only once.

2. The applicant shall submit the additional application or written or verbal accountability which covered all required aspects to the Ministry of Information and Communications within 10 working days from the date of receipt of the notice stipulated in clause 1 of this Article. The verification period is counted from the date of receipt of the additional application or accountability or the date on which the minute of accountability meeting is signed.

3. If the applicant fails to submit the additional application or accountability or written request for deadline extension within the set forth time limit for submission prescribed in clause 2 of this Article, the applicant is deemed to waive his/her right to supplement the application or to make accountability. Any additional application or accountability submitted after the set forth time limit or extended deadline shall be considered as new application.

4. Time limits for verification of new applications and additional applications, accountability and issue of Business License or notification of rejection are as follows:

a) Not exceeding 15 working days from the date of receipt of the valid application for Business License;

b) Not exceeding 10 working days from the date of receipt of the valid application for extension of/adjustments to Business License;

c) Not exceeding 05 working days from the date of receipt of the valid application for re-issue of Business License;

Article 11. Reporting

Enterprises granted the Business License shall submit surprised reports (if it is requested) and annual status reports (by December 31^st of every year) to the Ministry of Information and Telecommunications using form 05 enclosed herewith.

Chapter III

IMPLEMENTATION

Article 12. Transitional provisions

1. Every enterprise providing information security products and services prescribed in Article 3 hereof shall submit the application for Business License within 06 months from the effective date of this Decree.

2. Contracts for provision of information security products and/or services which are signed prior to the effective date of this Decree shall be continued to be executed.

Article 13. Entry into force

This Decree enters into force from July 01, 2016.

Article 14. Implementation organizations

1. The Minister of Information and Telecommunications shall be responsible for providing guidance and conducting the inspection of the implementation of this Decree.

2. Ministers, Heads of Ministerial-level agencies, heads of Governmental Agencies, Presidents of People’s Committees of provinces and relevant entities shall be responsible for the implementation of this Decree./.