On June 7, 2024, the Ministry of National Defense announced a draft decree detailing the implementation of certain provisions and measures of the Law on Cybersecurity regarding civil cryptography. This draft is based on the proposal by the Government Cipher Committee in June 2023, to replace Decree No. 58/2016/NĐ-CP dated July 1, 2016.
The Necessity of Issuing a New Decree
Decree No. 58/2016/NĐ-CP has provided a solid legal foundation for businesses and state agencies in the trade, export, import, and management of civil cryptographic products. However, after eight years, it needs to be updated to ensure consistency with current laws, enhance management efficiency, and adapt to the current business and import-export practices of civil cryptographic products.
Specific adjustments include updating administrative penalties in line with the amendments to the Law on Handling Administrative Violations 2020. Additionally, detailed regulations are required to organize and implement type approval activities for civil cryptographic products to ensure quality and information security. Given the unique nature of civil cryptographic products and their crucial role in information security across various socio-economic sectors, strict and unified management is essential. Moreover, reducing and simplifying administrative procedures and decentralizing the process for Civil cryptographic products trading license is essential to facilitate businesses in trading, exporting, and importing civil cryptographic products and services.
Scope of Application of the Decree
This decree applies to:
- Enterprises trading in civil cryptographic products and services, exporting, importing civil cryptographic products; organizations involved in conformity assessment activities of civil cryptographic products, and other related individuals and organizations.
- Individuals and organizations that commit administrative violations in the business and use of civil cryptographic products; those authorized to make records, impose administrative penalties in the business and use of civil cryptographic products, and other related individuals and organizations.
New Points in the Decree
New Points in the List of Civil Cryptographic Products and Services
Compared to Decree No. 58/2016/NĐ-CP, the list of civil cryptographic products and services and the list of civil cryptographic products for export and import under license have been adjusted to reflect current business practices and management requirements for civil cryptographic products, such as:
- The list of civil cryptographic products and services includes 07 product groups:
- Merging the "Cryptographic key generation, management, or storage products" group and the "Cryptographic components in information" group into the "Cryptographic key generation, management, or storage products" group;
- Replacing the "IP stream security and channel security products" group with the "IP stream security products" group;
- Adding the excluded civil cryptographic products list (increased from 09 to 12 groups).
- Changing the structure and content of the list of civil cryptographic products for export and import under license (including product names, HS codes, product descriptions, cryptographic technical descriptions) based on the inheritance of the list of civil cryptographic products for export and import under license in Appendix issued with Decree No. 32/2023/NĐ-CP.
New Points on Conformity Assessment of Civil Cryptographic Products
This decree stipulates: Conditions, procedures for registration of conformity assessment activities, designation of conformity assessment organizations, and announcement of conformity of civil cryptographic products shall follow the current legal provisions on conditions, procedures for registration of conformity assessment service business, designation of conformity assessment organizations, and announcement of conformity for products and goods. The recognition of conformity assessment results for civil cryptographic products is implemented according to current legal provisions on standards, technical regulations, and in necessary cases, to serve state management of civil cryptography, the Government Cipher Committee assists the Minister of National Defense in considering and deciding to accept the conformity assessment results of conformity assessment organizations for civil cryptographic products.
This can be considered a new point compared to Decree No. 58/2016/NĐ-CP, aimed at implementing quality management, conformity assessment, and conformity announcement for civil cryptographic products.
New Points on Administrative Penalties
This decree adds general provisions on administrative penalties to clarify the scope, subjects of penalties, penalty levels, and penalty authority consistently with the provisions of the Law on Handling Administrative Violations 2020.
Overall, the new decree partially addresses the following requirements: overcoming obstacles from Decree No. 58/2016/NĐ-CP; aligning with the Law on Cybersecurity and the Law on Handling Administrative Violations 2020; reforming administrative procedures, reducing costs, facilitating businesses, and simplifying business condition regulations according to the Government's Resolution 68/NQ-CP for the 2020-2025 period.
However, according to the draft content, this decree still lacks provisions on licensing the export and import of civil cryptographic products not for business purposes—a content many businesses are interested in and has been mentioned in the draft outline.
The list of civil crytographic products and services according to the new Decree
Phụ lục I
LIST OF CIVIL CRYPTOGRAPHIC PRODUCTS AND SERVICES
(Attached to Decree No. ..../2024/ND-CP dated [day] [month] [year] 2024 of the Government)
I. LIST OF CIVIL CRYPTOGRAPHIC PRODUCTS
| No. | Product's name |
| 1 | Cryptographic key generation, management, or storage products. |
| 2 | Data storage security products. |
| 3 | Data transmission security products over networks. |
| 4 | IP stream security products. |
| 5 | Analog and digital voice security products. |
| 6 | Radio information security products. |
| 7 | Fax and telegraph security products. |
Explanation:
1. Civil cryptographic products are described as systems, devices, modules, integrated circuits, and specialized software designed to protect information using cryptographic techniques employing "symmetric cryptographic algorithms" or "asymmetric cryptographic algorithms".
2. The list of civil cryptographic products subject to conditional business does not include the following products:
| No. | Product's Name |
| 1 | Operating systems, Internet browsers, and software integrated with available cryptographic components (information protection through cryptographic techniques is not the main function), widely used and built for users to install themselves without support from the provider. |
| 2 | Widely used information technology products where information protection through cryptographic techniques is not the main function and are pre-installed without the need for support from the provider, including: tablets, DVD players, digital cameras, and other similar consumer electronics. |
| 3 | Mobile phones without end-to-end encryption capabilities. |
| 4 | Smart cards and readers/writers used solely for general access, specifically designed only to protect personal information. |
| 5 | Products designed to protect copyright and ownership that perform one of the following functions: |
|
| a) Anti-software piracy; |
|
| b) Prevention of access to read-only protected media; |
|
| c) Prevention of access to encrypted information stored on publicly sold media; |
|
| d) Prevention of access to information stored for one-time audio/video data copyright protection. |
| 6 | Products with functions solely for identity authentication, without encryption functions. |
| 7 | Products using cryptographic techniques for remote access and device management. |
| 8 | Hard drives using Self-Encrypting Drive (SED) technology, widely used. |
| 9 | Products using cryptographic techniques for monitoring, preventing, and detecting cyber-attacks. |
| 10 | Integrated circuits using Trusted Platform Module (TPM) technology for device identification, information authentication, and password protection. |
| 11 | Products using cryptographic techniques for wireless access protection. |
| 12 | Products specifically designed only for end-use in the medical field. |
II. LIST OF CIVIL CRYPTOGRAPHIC SERVICES
| No. | Service name |
| 1 | Information protection services using civil cryptographic products. |
| 2 | Inspection and evaluation services for civil cryptographic products. |
| 3 | Consulting services for network security and information safety using civil cryptographic products. |
Appendix II
LIST OF CIVIL CRYPTOGRAPHIC PRODUCTS FOR EXPORT AND IMPORT UNDER LICENSE
(Attached to Decree No. ..../2024/NĐ-CP dated month day year 2024 of the Government)
| No. | Product’s name | Description of cryptographic technical characteristics | HS code | Description of goods |
| 1 | Cryptographic key generation, management, or storage products | - Products in the PKI system using cryptography include: -- HSM (Hardware Security Module): functions to generate, store, and manage cryptographic keys, digital certificates, sign, and verify digital signatures. -- PKI Token (PKI USB Token, PKI Smartcard, SimPKI): functions to generate, store, and manage cryptographic keys, digital certificates, sign, and verify digital signatures. - Products with cryptographic key generation, management, or storage functions not belonging to the PKI system. | 8471.30.90 8471.41.90 8471.49.90 8471.80.90 | Automatic data processing machines and their units; magnetic or optical readers, machines for data transfer to coded data media, and machines for processing such data, not elsewhere specified or included, including: - Other types of goods: portable automatic data processing machines weighing no more than 10 kg, consisting of at least one central processing unit, a keyboard, and a screen. - Other types of goods: not in the same housing containing at least one central processing unit, one input unit, and one output unit, whether or not combined. - Other types, in the form of systems. - Other types of automatic data processing machine units. |
| 2 | Data storage security products | Products using cryptographic algorithms and techniques to protect data stored on devices | 8523.51.11 8523.51.21 8523.51.99 | Solid-state storage devices, including disks, tapes, solid-state storage devices, “smart cards,” and other data storage media for sound recording or other forms of expression, whether or not recorded, including master and original copies for the production of such recordings, but excluding products of photographic or cinematographic material, including: - Type for computers, unrecorded. - Type for computers to reproduce phenomena other than sound or image. - Other types of other kinds. |
| 8523.52.00 | - "Smart card". | |||
| 8542.32.00 | - Integrated circuit memory. | |||
| 3 | Data transmission security products over networks | Products using cryptographic algorithms and techniques to secure data transmitted over networks. | 8471.30.90 8471.41.90 8471.49.90 | Automatic data processing machines and their units; machines for data transfer to coded data media and machines for processing such data, not elsewhere specified or included, including: - Other types of goods: portable automatic data processing machines weighing no more than 10 kg, consisting of at least one central processing unit, a keyboard, and a screen. - Other types of goods: not in the same housing containing at least one central processing unit, one input unit, and one output unit, whether or not combined. - Other types, in the form of systems |
| 8517.62.42 8517.62.43 8517.62.49 | Devices for carrier-current line systems or digital line systems, including receivers, converters, transmitters, or reproducing audio, video, or other data, including switching devices and routers, including: - Concentrators or multiplexers. - Controllers and adaptors (including hubs, bridges, routers, and similar devices) designed solely to connect with automatic data processing machines of heading 84.71. - Other types. | |||
| 8517.62.51 8517.62.53 8517.62.59 | Other transmission devices combined with receiving devices for receiving, converting, transmitting, or reproducing audio, video, or other data, including switching devices and routers, including: - Wireless local area network devices. - Other transmission devices for telegraph or telephone transmission in the form of radio waves. - Other types. | |||
| 8517.62.61 8517.62.69 8517.62.91 8517.62.92 8517.62.99 | - Other transmission devices for receiving, converting, transmitting, or reproducing audio, video, or other data, including switching devices and routers, including: - For telegraph or telephone transmission in the form of radio waves. - Other types. - Portable receivers for calling, signaling, or paging and message warning devices, including pagers. - Other types for telegraph or telephone transmission in the form of radio waves. - Other types of other kinds. | |||
| 4 | IP Stream Security Products | Products using VPN technology (IPSec VPN, TLS VPN) to ensure the safety and security of data transmitted over IP networks. Use symmetric cryptographic algorithms, asymmetric cryptographic algorithms, digital signature algorithms, and cryptographic hash functions to secure and authenticate transmitted information over IP networks.
| 8471.30.90 8471.41.90 8471.49.90 | Automatic data processing machines and their units; machines for data transfer to coded data media and machines for processing such data, not elsewhere specified or included, including: - Other types of goods: portable automatic data processing machines weighing no more than 10 kg, consisting of at least one central processing unit, a keyboard, and a screen. - Other types of goods: not in the same housing containing at least one central processing unit, one input unit, and one output unit, whether or not combined. - Other types, in the form of systems. |
| 8517.62.42 8517.62.43 8517.62.49 | Devices for carrier-current line systems or digital line systems, including receivers, converters, transmitters, or reproducing audio, video, or other data, including switching devices and routers, including: - Concentrators or multiplexers. - Controllers and adaptors (including hubs, bridges, routers, and similar devices) designed solely to connect with automatic data processing machines of heading 84.71. - Other types. | |||
| 8517.62.51 8517.62.53 8517.62.59 | Other transmission devices combined with receiving devices for receiving, converting, transmitting, or reproducing audio, video, or other data, including switching devices and routers, including: - Wireless local area network devices. - Other transmission devices for telegraph or telephone transmission in the form of radio waves. - Other types. | |||
| 8517.62.61 8517.62.69 8517.62.91 8517.62.92 8517.62.99 | Other transmission devices for receiving, converting, transmitting, or reproducing audio, video, or other data, including switching devices and routers, including: - For telegraph or telephone transmission in the form of radio waves. - Other types. - Portable receivers for calling, signaling, or paging and message warning devices, including pagers. - Other types for telegraph or telephone transmission in the form of radio waves. - Other types of other kinds. | |||
| 5 | Analog and digital voice security products | Products using security protocols (ZRTP, SRTP, WebRTC, SIPS) or VPN channels (IPSec, SSL/TLS, L2TP) to secure audio, video, and image data. They use symmetric cryptographic algorithms, asymmetric cryptographic algorithms, digital signature algorithms, and cryptographic hash functions. | 8517.11.00 8517.13.00 8517.14.00 8517.18.00 | Telephones, including smartphones and other phones for cellular networks or other wireless networks; other devices for transmitting or receiving sound, images, or other data, including telecommunications devices for wired or wireless local area networks (such as those used in LANs or WANs), excluding transmission or reception devices of heading 84.43, 85.25, 85.27, or 85.28, including: - Cordless telephones with a handheld receiver. - Smartphones. - Phones for cellular networks or other wireless networks. - Other types. |
| 6 | Radio information security products | Products using cryptographic algorithms and techniques to secure radio information data. | 8525.50.00 8525.60.00 | Transmission devices for radio broadcasting or television, whether or not incorporating reception or recording or reproducing sound; television cameras, digital cameras, and video cameras, including: - Transmission devices. - Transmission devices incorporating reception devices. |
| 8526.91.10 8526.91.90 8526.92.00 | Radar devices, radio navigation devices, and remote control devices by radio waves, including: - Radio navigation devices for civil aircraft or solely for marine vessels. - Other types of radio navigation devices. - Remote control devices by radio waves. | |||
| 7 | Fax and telegram security products | Products using cryptographic algorithms and techniques to secure fax and telegraph data either locally or in transit. | 8443.31.31 8443.31.39 8443.31.91 8443.31.99 | Machines combining two or more functions of printing, copying, or faxing, capable of connecting to automatic data processing machines or networks, including: - Color types of goods combining printing-copying-faxing. - Other types of goods combining printing-copying-faxing. - Other types combining printing-copying-scanning-faxing. - Other types of other kinds. |
| 8443.32.40 | Fax machines. |
Individuals and organizations can read the full draft decree and contribute their feedback for its development at the following link: https://chinhphu.vn/du-thao-vbqppl/du-thao-nghi-dinh-quy-dinh-chi-tiet-mot-so-dieu-va-bien-phap-thi-hanh-luat-an-toan-thong-tin-man-6583
Follow ExtendMax on our FB FanPage or LinkedIn to stay updated with the latest information.
Please leave your reviews and comments, or share the post if you find it useful for your work.
↓ ↓ ↓ ↓ ↓ ↓ ↓
