Tiếng Việt
中文 (中国)
IMPORT PROCEDURE GUIDE FOR VULNERABILITY SCANNER
A vulnerability scanner is an appliance or solution used to inspect, scan and assess information-security weaknesses. Import risk is not limited to HS classification; the core issue is whether the shipment is a complete hardware appliance, automatic data processing equipment, network data transmission equipment or only a software license. If the product description, model, catalogue and cybersecurity function do not match, the shipment may face additional cybersecurity documentation, HS explanation, import license review, C/O preference issues, or DEM/DET before clearance. This guide provides an E2E (End-to-End) control map for review before ETA, covering HS code, duty, specialized policies, documents, customs clearance flow and risk checkpoints.
SCOPE OF APPLICATION
This article applies only to Vulnerability scanner — equipment or appliances used to scan vulnerabilities, assess security weaknesses, audit system configuration, scan network services, applications or IT assets for cybersecurity management purposes.
- It does not automatically apply to database security, storage security, DLP or other data protection products in the same menu group.
- It does not automatically apply to online software downloads, electronic licenses, subscriptions or SaaS services without physical goods.
- It does not automatically apply to firewall, IPS/IDS, UTM, SIEM or Network Monitoring products if vulnerability scanning is not the principal function.
- New goods, used goods, refurbished goods, samples, warranty replacements and project cargo may trigger different policy requirements.
- If the device includes Wi‑Fi/Bluetooth/4G/5G modules, encryption, battery, adapter, charger or accessories, each policy layer must be reviewed separately.
Review must be based on catalogue, datasheet, model and the actual import purpose.
PRODUCT CLASSIFICATION & TECHNICAL IDENTIFICATION
The product may be a standalone appliance, automatic data processing equipment or network equipment integrated with vulnerability scanning functions. CPU, memory, network ports, operating system, license and operating mode must be identified.
The principal function should clearly show vulnerability assessment, penetration-test support, asset discovery, configuration audit or compliance scan. If the product is mainly a firewall, IPS, IDS or SIEM, HS and licensing approach may differ.
Catalogue, datasheet, user manual, model list, label images, connection ports, wireless modules and license description are the minimum records for review before ETA.
| Criterion | Documents to check | Risk if misdescribed | Suggested goods description |
|---|---|---|---|
| Physical device or software/license | Invoice, PO, packing list, license terms, datasheet | Incorrect HS and customs value if a license is declared as physical goods or vice versa | “Network vulnerability scanner appliance, model…, with operating license if any” |
| Vulnerability scanning as principal function | Catalogue, user manual, feature list | Misclassified as firewall, IPS/IDS, SIEM or ordinary network equipment | “Vulnerability scanner appliance used for security assessment” |
| Hardware configuration and ports | Datasheet, port images, bill of materials if any | Wrong split between heading 84.71 and 85.17 | State CPU/RAM/storage, Ethernet ports and network connection mode |
| Encryption or security function | Security feature list, crypto module, admin guide | Civil cryptography or cybersecurity review may arise | Avoid generic “security device”; describe the actual function |
| New/used/refurbished condition | Invoice, condition statement, serial list, year of manufacture | Used ICT goods policy may be triggered | State “brand-new 100%” or actual condition with supporting records |
HS CODE – DUTY – C/O
For vulnerability scanners, HS should not be finalized by trade name only. The key is whether the equipment is automatic data processing equipment, an ADP system or network data transmission/reception equipment. Under the list of cybersecurity products subject to import licensing, the product group for inspecting and reviewing information-security vulnerabilities refers to HS directions 8471.30.90, 8471.41.90, 8471.49.90 and 8517.62.43.
| Reference HS | Applicable condition | Ordinary duty | MFN duty | VAT | FTA/C/O preference | Documents to check |
|---|---|---|---|---|---|---|
| 8471.30.90 | Portable ADP equipment not over 10kg with CPU, keyboard and screen, only if the actual configuration matches. | 5% | 0% | 10% | Usually 0% with valid C/O; where MFN is already 0%, C/O may not reduce duty further but remains relevant for origin records. | Datasheet, product images, CPU/RAM configuration, input/output units, catalogue. |
| 8471.41.90 | Other ADP machines in the same housing with at least CPU, input and output units. | 5% | 0% | 10% | Usually 0% if C/O is valid and origin rules are met. | Catalogue, hardware configuration, input/output description, model list. |
| 8471.49.90 | Other ADP machines in system form; consider if multiple functional units work together. | 5% | 0% | 10% | Usually 0%; C/O form depends on the exporting market. | System configuration list, detailed packing list, serial list. |
| 8517.62.43 | Data transmission/reception/conversion equipment such as controllers, adapters, connectors, bridges, routers or similar devices designed for connection with ADP machines. | 5% | 0% | 10% | Usually 0% with valid C/O; goods description on C/O must match the declaration. | Network port datasheet, connection diagram, data transmission function documents. |
| Reference HS | Risk if wrong | Issue to explain | Control measure |
|---|---|---|---|
| 8471.30.90 / 8471.41.90 / 8471.49.90 | ADP heading used while the goods are actually network data transmission equipment. | Does the device operate independently as ADP equipment or only as network equipment? | Prepare datasheet, product photos, hardware configuration and operating description before ETA. |
| 8517.62.43 | Network heading used while the goods are ADP equipment or only software license. | Does it transmit/receive/convert data and have dedicated network ports? | Compare connection ports, topology, user manual and goods description. |
The rates above are for cost-planning reference. The applicable tariff, VAT and special preferential rates must be checked at declaration date.
APPLICABLE SPECIALIZED POLICIES
| Goods scenario | Possible policy | Documents to check | Authority/portal if identifiable | Recommended timing | Risk note |
|---|---|---|---|---|---|
| Complete equipment with vulnerability scanning function | May fall under cybersecurity products subject to import licensing. | Catalogue, technical function document, cybersecurity business/import license records if applicable. | Authority of Information Security / relevant public service portal. | Before ETA, preferably from PO stage. | Do not wait until arrival; licensing delay may cause storage charges. |
| Encryption, key management, tunnel or data protection | Review civil cryptography policy. | Crypto specification, admin guide, datasheet. | Government Cipher Committee or relevant authority if applicable. | Before purchase or before ETA. | Do not assume “no license” if documents mention encryption/crypto/key management. |
| Wi‑Fi/Bluetooth/4G/5G module | ICT/telecom conformity and radio frequency review may apply. | RF module, frequency band, test report, applicable QCVN. | Telecom authority / specialized portal if identifiable. | Before ETA. | The same model may differ by wireless configuration. |
| Used/refurbished goods | Review banned used ICT goods list and exceptions. | Invoice, condition statement, year/serial, refurbished confirmation. | Specialized authority and Customs. | Before contract signing. | Potential import prohibition if conditions are not met. |
| EPE/FDI/project import | Customs regime and actual import purpose must be matched. | Contract, project records, internal PO, use purpose. | Managing Customs branch. | Before declaration. | Wrong customs regime may create explanation burden. |
LEGAL DOCUMENTS TO REVIEW
| Document group | Name / number | Issuing body | Effective timing | Role | Key appendix/article | Review note |
|---|---|---|---|---|---|---|
| Law | Law on Cyberinformation Security 2015 | National Assembly | As effective | Legal basis for cybersecurity products/services. | Review business/import requirements. | Applies when the product falls under cybersecurity scope. |
| Decree | Decree 69/2018/ND-CP | Government | 15/05/2018 | Foreign trade management framework. | Conditional import/export groups if any. | Use together with cybersecurity and cryptography regulations. |
| Cybersecurity | Consolidated Document 13/VBHN-BTTTT | Ministry of Information and Communications | Issued 28/10/2022 | List of cybersecurity products subject to import license and application dossier. | Appendix I – products used to inspect and review information-security vulnerabilities. | Compare actual model, function and HS. |
| Decree | Decree 211/2025/ND-CP | Government | 09/09/2025 | Civil cryptography activities and related import/export matters. | Only when the model has cryptographic functions. | Review by actual documents; do not apply automatically. |
| Circular | Circular 29/2025/TT-BKHCN | Ministry of Science and Technology | 31/12/2025 | Group-2 ICT/telecom goods and conformity management principles. | Appendices I/II if the device integrates relevant ICT/telecom functions. | Pay attention to wireless/cellular models. |
| Circular | Circular 26/2025/TT-BKHCN | Ministry of Science and Technology | 31/10/2025 | Used ICT goods import restrictions and exceptions. | Applies to used/refurbished goods. | Check condition before purchase. |
| Decree | Decree 146/2025/ND-CP | Government | 01/07/2025 | Delegation and decentralization in industry and trade; relevant to certain used ICT goods procedures. | Check relevant appendices/procedural routes if the shipment is used/refurbished. | Review only when the shipment is used/refurbished or subject to a special-purpose permission route. |
| Tariff | Decree 26/2023/ND-CP | Government | 15/07/2023 | MFN import tariff schedule. | Check HS and MFN rate at declaration date. | Also check VAT and FTA tariff schedule. |
| Labelling | Decree 43/2017/ND-CP, Decree 111/2021/ND-CP | Government | As effective | Imported goods labelling. | Original label, Vietnamese supplementary label. | Check before circulation in Viet Nam. |
VIEW / DOWNLOAD OFFICIAL DOCUMENTS
Enterprises should also cross-check the documents on official legal portals or the issuing authority’s website before application.
CUSTOMS CLEARANCE DOCUMENT SET
Commercial documents
- Commercial Invoice.
- Packing List.
- Bill of Lading/Air Waybill.
- Sales Contract/Purchase Order if any.
- C/O if preferential duty is claimed.
- Catalogue/Datasheet, model list and original label photos.
Specialized documents if any
- Cybersecurity product import license if applicable.
- Civil cryptography dossier/license if applicable.
- ICT conformity/quality inspection if wireless or telecom function exists.
- Test report, technical documents and user manual.
- Goods labelling documents.
Data matching rule
Goods name, quantity, model, serial, origin, technical specifications, license and cybersecurity function must match across commercial documents, catalogue, label, specialized dossiers and customs declaration.
| Dossier group | Required documents | Used for | Usually prepared by | Common error | Pre-ETA check |
|---|---|---|---|---|---|
| Commercial | Invoice, Packing List, Contract/PO | Declaration, value, quantity | Importer, shipper, purchasing | Generic “security device” description | Match model, description, unit price and Incoterms |
| Transport | B/L or AWB, pre-alert | D/O, declaration, ETA monitoring | Forwarder, agent, shipper | Wrong consignee or package/weight | Lock documents before arrival |
| Technical | Catalogue, datasheet, user manual, model/serial list | HS and policy review | Supplier, importer, IT team | No clear vulnerability scanning function | Request English technical files |
| Origin | C/O and through transport document if needed | Preferential duty | Shipper, exporter, importer | Wrong HS, goods description or origin criterion | Compare C/O with invoice, packing list and draft declaration |
| Specialized | Cybersecurity/civil cryptography license, test report, conformity documents if any | Clearance and market circulation | Importer, compliance, consultant | Prepared only after ETA | Review from PO stage |
DECISION POINTS THAT MAY HOLD THE SHIPMENT
| Decision point | Question | Proof | Consequence if unclear | Recommended action |
|---|---|---|---|---|
| HS code | Is it ADP equipment or data transmission equipment? | Datasheet, manual, port photos | Channel change, explanation, tax adjustment | Prepare HS reasoning before ETA |
| Cybersecurity | Does the model fall under vulnerability assessment products? | Feature list, catalogue | License or additional dossier request | Review cybersecurity list early |
| Civil cryptography | Does it include encryption, key management or tunnel? | Security admin guide | Civil cryptography policy risk | No “license-free” conclusion without documents |
| Model and label | Does the model match documents, catalogue and label? | Invoice, packing list, label photo, serial list | Physical inspection or amendment request | Lock model list and original labels |
| Goods condition | New or used/refurbished? | Condition statement, serial/year | Used ICT import restriction | Review before contract signing |
PRACTICAL E2E PROCESS
Finalize HS, duty, C/O, label, goods condition and specialized policies.
Lock Invoice, Packing List, B/L/AWB, catalogue, datasheet, model list and serial list.
Prepare cybersecurity, civil cryptography, ICT conformity or used-goods dossiers if applicable.
Green/Yellow/Red channel handling with HS, value, C/O and policy explanation ready.
Release cargo, complete supplementary labels/conformity marking if applicable, and archive shipment records.
Handover import documents, licenses, tax records, C/O and technical files to IT/project team.
PRE-ETA RISK CHECKLIST
| Risk | Consequence | Pre-ETA control | Documents |
|---|---|---|---|
| Wrong C/O form, HS or description | Preference denied or queried | Check draft C/O | C/O, invoice, packing list, B/L |
| Model mismatch | Long explanation or inspection | Lock model and label photos | Invoice, label, catalogue |
| Missing cybersecurity/cryptography dossier | Specialized hold | Review feature list from PO stage | Datasheet, security guide |
| Generic goods description | Wrong HS/policy/label | Describe function and model | Invoice, packing list, draft declaration |
| Unclear used/refurbished condition | Used ICT restrictions | Request condition confirmation | Condition statement, serial/year |
| Hardware/license not separated | Customs value issue | Separate hardware, license and service | PO, invoice, license agreement |
FAQ
It may need a cybersecurity product import license if it is a complete device under the vulnerability review product list. Model and technical files must be checked.
No. Classification depends on whether the product is ADP equipment, an ADP system or data transmission equipment.
If MFN is already 0%, C/O may not reduce duty further but remains important for origin compliance and trade records.
If it is only a download/license with no physical goods, it should be separated from physical import procedures and reviewed as software/service transaction.
Imported goods circulated in Viet Nam must review original and supplementary labeling requirements depending on import purpose and goods condition.
Request supplier confirmation or document amendment before ETA. Do not declare while model data is inconsistent.
RELATED ARTICLES
EXECUTION SUPPORT FROM TGIMEX
This guide provides a control map for HS, duties, documents and specialized policies for vulnerability scanners. For actual shipments, enterprises must still review catalogue, datasheet, model, documents, origin, cybersecurity functions and import purpose.
HS, cybersecurity/civil cryptography/ICT policy, C/O, duties, labelling and model consistency.
Cross-check Invoice, Packing List, B/L/AWB, C/O, test report, labels and technical files.
Coordinate agents, carriers/airlines, ETA, pre-alert, customs declaration and channel handling.
For shipments that may involve specialized inspection, licensing, C/O or labelling, enterprises should not wait until cargo arrival to begin document review. A small discrepancy between Invoice, Packing List, catalogue, datasheet, C/O or labels may trigger additional documentation, delayed clearance or unplanned storage costs.
TGIMEX supports enterprises with E2E import execution: pre-ETA policy review, document control, international freight coordination, customs declaration, clearance handling, domestic delivery and post-clearance record keeping.
NEED TO REVIEW IMPORT PROCEDURES OR A SHIPPING PLAN?
Send us the product name, shipping route, current dossier, or implementation request in advance so we can suggest a suitable approach that is practical, focused, and aligned with your shipment.
Import procedures for food preservatives
Import procedures for anti-caking agent
Import procedures for sweeteners
Import procedure guide for acidity regulators
Import Procedure Guide for Growing-up Milk
Import procedure for food colorants
Import procedures for additive premixes
Import Procedure Guide for Blended Additive
Import Procedures for Food Additives Outside the Permitted List or Not Aligned with the Intended Food Category
Import procedures for capsule/powder supplement
Import procedure for medical nutrition milk
Import Procedures for Meal Replacement Products
Import Procedure for Foods for Special Dietary Uses into Vietnam
Import procedure guide for foods for patients
Import Procedure for Formula Milk