The Business License to provide Cyber Information Security Services and Products (“Cyber Information Security License”) and the Business License for Civil Cryptography Products and Services (“Civil Cryptography License”) are two independent licenses that govern different scopes: (1) Cyber information security governs the management of systems, networks and data, and protection services (such as security monitoring and assessment); (2) Civil cryptography governs products/services on the Regulated List that have data encryption or cryptographic key management functions (usually associated with HS codes when importing and exporting). Businesses need to differentiate based on the technical nature of the product or service instead of relying only on the generic term “security”.

1. Why do businesses confuse Cyber information security and Civil cryptography?
Recent changes in governance needs, from the state to private enterprises, together with accompanying digitalization policies, have created a driving force for the strong development of business activities related to services and equipment in the technology field, especially products and services in the security and cybersecurity group. However, the current legal regulations for services and products in the cyber information security group provide only a general legal framework, without detailed criteria or guidance. Businesses in this field are therefore forced to determine for themselves whether the products and services they provide belong to the cyber information security group or the civil cryptography group.
In practice, many businesses that import technology equipment, deploy cloud infrastructure or provide security solutions encounter the keywords “encryption” or “security” and assume by default that “security” means applying for a Cyber Information Security License and “encryption” means applying for a Civil Cryptography License. This determination is inaccurate, especially since the promulgation of Decree 211/2025/ND-CP, which excludes many products that have encryption features (AES/TLS) only as internal protection mechanisms, for example a database with TLS encryption, or storage with encryption at rest. Likewise, a product is not subject to the Civil Cryptography License when encryption is not its primary purpose or function and it does not provide a standalone cryptographic service to the user…
According to regulations, enterprises must be licensed to trade products before applying for an import license; this applies to both Cyber information security and Civil cryptography. Because the time needed for internal preparation of documents and for licensing is quite long, enterprises must accurately determine whether the products they trade belong to the Cyber information security group or the Civil cryptography group in order to carry out the correct procedures. Accurate identification from the initial stage helps enterprises avoid delays in the relevant procedures, missed business opportunities, or failure to meet bidding requirements due to the lack of the corresponding licenses.
2. The different nature of the features of Cyber information security and Civil cryptography products
Cyber information security management – “System Safety”
Security here is understood as a protective layer that surrounds the system. It revolves around ensuring the integrity, availability, and security of networks and information systems. If you sell services or products with network monitoring (SOC) or vulnerability assessment (Pentest) functions, you are providing services and products in the cybersecurity group.
Cyber information security products include:
- Cyber information security inspection and assessment products are hardware and software devices with the following basic functions: Scanning, checking, analyzing the configuration, status, and log data of the information system; detecting vulnerabilities and weaknesses; conducting information security risk assessments;
- Network information security monitoring products are hardware and software devices with the following basic functions: Monitoring and analyzing data transmitted on the information system; collecting and analyzing log data in real time; detecting and issuing warnings of abnormal events that may cause information security risks/breaches;
- Anti-attack and intrusion products are hardware and software devices with the basic function of preventing attacks and intrusions into information systems.
Cyber information security services include:
- Cyber information security monitoring service is a service of monitoring and analyzing data traffic transmitted on the information system; collecting and analyzing log data in real time; detecting and issuing warnings of abnormal events that may cause information insecurity;
- Cyber attack prevention and control services are services to prevent attacks on and intrusions into information systems through monitoring, collecting and analyzing events that are happening on the information system;
- Cyber information security consulting service is a service that supports consulting, inspecting, evaluating, implementing, designing, and building solutions to ensure information security;
- Cyber information security incident response service is a service to promptly handle and remedy incidents that cause information insecurity to information systems;
- Data recovery services are services that recover data in an information system that has been deleted or damaged;
- Cyber information security inspection and assessment services are services of scanning, inspecting and analyzing the configuration, current status, and log data of information systems; detecting vulnerabilities and weaknesses; assessing information security risks;
- Information security services that do not use civil cryptography are services that support users to ensure the confidentiality of information and information systems without using civil cryptography systems.
Civil cryptography governs “Encryption Technology”
Civil cryptography products are described as systems, devices, modules, integrated circuits and software specifically designed to protect information by cryptographic techniques using “symmetric cryptography algorithms” or “asymmetric cryptographic algorithms”. The list of product groups with features classified as civil cryptography includes:
- The product generates cryptographic keys, manages, or stores cryptographic keys.
- The product secures data retention.
- The product secures the data exchanged on the network.
- IP stream security products.
- Analog voice and digital voice security products.
- Radio information security products.
- Fax and telegraph security products.
3. Current legal framework for product management of Cyber information security and Civil cryptography
To accurately determine the features of the products a business sells, the company’s technical department will need to rely on the product features shown in accompanying documents such as product datasheets, and on the relevant legal documents for each product group. For security products and services, businesses will need to rely on the Law on Cyber Information Security 2015 and Decree No. 108/2016/ND-CP. To be consistent with actual activities, we believe the legal regulations governing this group will see certain adjustments in the coming time. Previously, the Department of Cyber Information Security under the Ministry of Information and Communications granted licenses, but from the beginning of 2025 this procedure has been transferred to the Ministry of Public Security, so the implementing regulations will need to be adjusted to be compatible with current cybersecurity regulations and with the new licensing agency.
For civil cryptography products, enterprises will need to rely on Decree No. 211/2025/ND-CP, effective from 9 September 2025, to determine and implement the necessary procedures. Notably, based on CDLAF’s experience in consulting and carrying out procedures related to the above product groups, we see that many businesses are still using the old checklist under Decree No. 58/2016/ND-CP when preparing documents, and are relying on old regulations and practices to determine product classification. To avoid wrong identification and inaccurate dossier preparation, which result in returned dossiers and delays, businesses need to rely on the new regulations both to classify products and to prepare documents.
4. When do enterprises need to apply for a Cyber Information Security License or Civil Cryptography License?
We often recommend that customers operating in the field of information technology have a long-term data and compliance plan, so that they have time to complete the legal procedures needed to obtain permission and avoid the risk of failing to meet bidding requirements, failing to import products, violating contractual implementation schedules with their customers, etc.
So when do businesses need to carry out the procedures for applying for a Cyber Information Security License? That is when businesses:
- Provide cyber information security services: you sign a contract to provide information security assessment, system monitoring (SOC), incident response or specialized security consulting.
- Trade in Cyber information security products: you import or manufacture devices such as firewalls or intrusion detection devices (IDS/IPS) without emphasizing the specific cryptographic features in the Civil cryptography category.
- Prepare bidding dossiers: enterprises participating in bidding must prove their capacity to perform information system security services through the corresponding licenses.
When do businesses really need a Civil Cryptography License?
Enterprises will need to work with the Government Cipher Committee to apply for a license to trade Civil cryptography products when they provide products/services with cryptographic functions (encryption of stored data, encryption of exchanged data, security of IP traffic, etc.). Practical signals include parameters appearing in the product catalogue/datasheet such as AES-256, RSA, Elliptic Curve, IPsec encryption, Key Management Module, etc. However, as analyzed above, there will be some cases where a product has encryption features but is not classified as Civil cryptography.
Criteria table of Cyber information security vs Civil cryptography
| Criteria | Cyber Information Security License | Civil Cryptography License |
|---|---|---|
| Management Objectives | Information Network & System Security. | Control cryptographic technology/algorithms. |
| Subject of management | Information Network & System Security. | Products and services with encryption functions. |
| Licensing Authority | Ministry of Public Security (from 2025) | Government Cipher Committee |
| Grounds for determination | Service description, operating process, datasheet | Technical Datasheet, Algorithm, HS Code. |
| Critical personnel | Experts in cybersecurity, incident response, security, information security | Information security and security |
| Management Documents | Decree No. 108/2016/ND-CP. | Decree No. 211/2025/ND-CP. |
5. Practical confusions drawn from the CDLAF experience
Mistake 1: “As long as there is encryption, you have to apply for Civil Cryptography License”. Fact: Encryption is a common feature. The law only regulates Civil cryptography for products in the specialized category. For example, regular HTTPS/TLS may not require a license, but a dedicated channel security device does.
Mistake 2: “If you have a Cyber Information Security License, you are exempt from Civil cryptography”. This is incorrect: the license is issued according to the group of products and services the company provides, not according to the name of the company. A company that trades in both Cyber information security and Civil cryptography products is required to obtain both types of licenses in parallel for the different product groups.
Mistake 3: “I am only the implementer, so I don’t need a license”. If the business is named on the contract to provide conditional information security services, or is named as the importer of Civil cryptography goods, it is still required to hold the relevant license.
CDLAF – A unit specializing in providing services to obtain licenses to trade in cyber information security products and services and civil cryptography
New regulations are always accompanied by opportunities as well as operational “bottlenecks.” CDLAF is ready to support enterprises in reviewing their internal governance systems to ensure compliance with and alignment to current laws.
- Advisory email: info@cdlaf.vn
- Hotline: (+84) 909 668 216
Time of writing: 30/12/2025
The article contains general information for reference. If you want to receive legal opinions on issues you need clarified, please get in touch with our Lawyer at info@cdlaf.vn

