In the current era of robust digital transformation, system security and cybersecurity are no longer issues solely within the technology sector; they have become indispensable requirements for every enterprise. From banking, e-commerce, and logistics to enterprises managing extensive data infrastructures, all rely on network security systems to safeguard their data, assets, and reputation. However, the import of cybersecurity equipment is not unrestricted. Vietnam currently enforces a stringent control mechanism for the import of specific types of information technology equipment, with the objective of ensuring national security and mitigating risks posed by technologies capable of unauthorized exploitation and intrusion.
Specifically, which products are subject to control? What preparations must an enterprise undertake to secure an import license? And what legal risks may arise from non-compliance with the prescribed procedures? This article provides a comprehensive perspective, encompassing both legal frameworks and practical implementation.
1. Legal Basis and Management Policy for Importing Cybersecurity Products
The regulation of cybersecurity equipment imports is governed by the following pivotal legal instruments:
- Decree 108/2016/ND-CP: Establishes the foundational definitions and classifications for cybersecurity products.
- Circular 13/2018/TT-BTTTT, as amended by Circular 10/2022/TT-BTTTT: Provides detailed guidance on the list of products, procedural requirements, and licensing criteria for imports.
- Law on Cybersecurity 2015: Delineates the obligations of organizations deploying information technology-related products within cyberspace.
Historically, the primary regulatory authority was the Authority of Information Security (AIS) under the Ministry of Information and Communications, responsible for technical appraisal, risk assessment, and import licensing. However, this authority has since been transferred to the Ministry of Public Security.
2. Eligibility for Import License Applications
Not all enterprises with a demand for cybersecurity equipment are entitled to submit an application. Pursuant to Circular 13:
- Only enterprises that have been duly granted a License for Business in Cybersecurity Products and Services possess the legal standing to submit an import application.
- Enterprises primarily engaged in general IT equipment supply, units acquiring equipment for internal consumption, or contractors executing projects without registered cybersecurity business lines will not be approved.
Consequently, to legitimize the import of such equipment, enterprises must register additional conditional business lines and fully comply with the procedures for obtaining a License for Business in Cybersecurity Products and Services, as stipulated by the Law on Investment and its guiding instruments.
3. Import License Application Process – Beyond Mere Procedure, It’s Technical Control
The process of applying for an import license for cybersecurity equipment (ATTTM) is not a purely administrative formality—submitting an application, awaiting review, and receiving results. In reality, it constitutes a comprehensive, integrated technical-legal control mechanism designed to prevent the ingress of equipment that could compromise the safety of the national network infrastructure into the Vietnamese market.
This implies that the application dossier must not only be “correct” in terms of documentation but also “technically sound,” transparent in its functionalities, clear in its independent operational capabilities, and compliant with national standards.
- Application for Import License (Form 01 – Appendix II of Circular 13/2018/TT-BTTTT): This administrative document expresses the enterprise’s formal request for a license. Enterprises are required to clearly furnish information regarding the enterprise itself, the product type, the primary functions of the equipment, quantity, origin, and intended use. It is advisable for enterprises to explicitly state if the product is intended for a specific project deployment, accompanied by a relevant contract or implementation plan, to substantiate the legitimacy and rationale of the import requirement.
- Certified Copy of the License for Business in Cybersecurity Products and Services: This constitutes a prerequisite for the acceptance of the application. The copy must be legally certified. In cases where an uncertified copy is submitted, the original document must be presented for verification during in-person submission. The license must remain valid at least until the receipt of the import license, as the import license’s validity period shall not exceed the remaining term of the Business License.
- Detailed Description Document of the Imported Equipment: This component is critical for the technical appraisal process and frequently serves as the primary reason for requests for supplementary information. Mandatory requirements typically include:
- Description of the product name, manufacturer, model, and hardware/software version (if applicable).
- Elucidation of the primary technical functions: Is the product categorized as inspection, monitoring, or anti-attack equipment? Does it possess capabilities for network data analysis, logging, anomaly detection, or unauthorized access blocking?
- Explicit confirmation that the product constitutes complete equipment, capable of independent operation (as defined in Article 3 of Circular 13/2018/TT-BTTTT). Descriptions pertaining to accessories, components, or separate modules are not acceptable. Documentation must be exclusively in Vietnamese or English; Chinese versions or promotional materials must be accompanied by certified translations.
- Enterprises should utilize official datasheets from the manufacturer, complemented by internal technical department verification reports, to unequivocally demonstrate that the product falls within the regulated import list.
- Certificate of Conformity/Regulation (if applicable to mandatory product groups): Pursuant to the Law on Standards and Technical Regulations, certain equipment may fall within the category of products necessitating a declaration of conformity upon import (particularly for broadcasting and high-frequency equipment). In such instances, the enterprise is required to submit a certificate of conformity issued by an accredited assessment body. If not yet obtained, the declaration of conformity must be executed immediately after the import license is granted and prior to the product’s circulation in the market.
4. Practical Experience: Crucial Lessons from Major Technology Enterprises
The import of cybersecurity equipment (ATTTM) is not merely a technical or administrative step; it is a pivotal component within the operational chain of IT projects involving security elements, where legal, technical, financial, and contractual aspects must be meticulously coordinated. Therefore, our recommendations are as follows:
- Clearly define the product list during the pre-negotiation phase: Many enterprises err by focusing solely on pricing, delivery schedules, and technical performance during equipment purchase contract negotiations with foreign partners, while overlooking the legal implications related to import eligibility. Common consequences include signing contracts valued at hundreds of thousands of USD, only to discover during customs procedures that the equipment is on a controlled list, and the enterprise lacks the requisite import license; project delays, particularly if serving banking, government, or large data systems; incurring warehousing costs, re-export fees, or even contractual penalties from clients due to violated progress commitments.
- Concurrently initiate procedures for obtaining a Cybersecurity Business License if not yet acquired: As per regulations, only enterprises that have been granted a License for Business in Cybersecurity Products and Services are eligible to submit an import license application. However, in practice: Numerous distributors and system integrators only register business lines such as “wholesale of machinery” or “telecommunications electronic equipment”; when confronted with projects requiring the import of firewalls, IDS, SIEM, etc., they then discover the absence of fundamental legal prerequisites, leading to delays. If an enterprise intends to supply or deploy solutions with cybersecurity components, it should proactively submit an application for a Cybersecurity Business License as early as possible. This license is valid for 10 years and constitutes a mandatory “original” document for lawful import.
- Establish an internal process for controlling cybersecurity equipment imports: Given the inherent characteristics of security equipment—its susceptibility to control and policy changes—establishing an internal process for vetting equipment prior to negotiation or ordering is paramount. A suggested standard process for enterprises includes:
- Step 1: The technical department conducts a preliminary assessment of equipment features.
- Step 2: The legal department cross-references with Circular 13’s list and import conditions.
- Step 3: Verify the validity of the internal Cybersecurity Business License.
- Step 4: Prepare a sample dossier, including technical documents, the application form, and the equipment list.
- Step 5: Engage with Customs in advance if the equipment is new or has not been previously imported.
Beyond import license requirements, enterprises must pay particular attention to the customs declaration process—ensuring accurate HS Codes, clear technical documentation, and providing proof that the equipment constitutes a complete product if it falls under control. Under no circumstances should a legal entity be “borrowed” to apply for a license on your behalf, as this can lead to severe legal risks and the forfeiture of goods ownership in the event of disputes.
The import of cybersecurity equipment is no longer solely a concern of the technical department; it is a strategic undertaking that demands comprehensive understanding, compliance, and thorough preparation from enterprises across legal, technical, and internal coordination aspects. A minor oversight in the documentation phase can result in project delays, financial losses, or reputational damage. Conversely, by firmly grasping regulations and proactively managing risks, enterprises can not only ensure compliance but also optimize costs, timelines, and foster trust with partners.
Time of writing: 05/06/2025
The article contains general information which is of reference value, in case you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer at info@cdlaf.vn
Why choose CDLAF’s service?
- We provide effective and comprehensive legal solutions that help you save money and maintain compliance in your business;
- We continue to monitor your legal matters even after the service is completed and update you when there are any changes in the Vietnamese legal system;
- Our system of forms and processes related to labor and personnel is continuously built and updated and will be provided as soon as the customer requests it;
- As a Vietnamese law firm, we have a thorough understanding of Vietnam’s legal regulations, and grasp the psychology of employees, employers, and working methods at competent authorities;
- CDLAF’s team of lawyers has many years of experience in the field of labor and enterprises, as well as human resources and financial advisory.
- Strict information security procedures throughout the service performance and even after the service is completed.
You can refer for more information:
-
-
- Authority Distribution in Joint Stock Companies: Who Truly Holds Executive and Decision-Making Power?
- Establishing a Company in an Export Processing Zone: Legal Framework, Incentives, and Obligations for Foreign Investors
- Compliance Obligations in Taxation and Accounting for Foreign-Invested Enterprises Operating in Vietnam
- Legal Regulations on the Trading of Functional Foods in Vietnam
-
