Vulnerability scanner means a dedicated appliance or integrated solution for scanning, testing and assessing information-security vulnerabilities. It should not be treated as an ordinary IT device where the catalogue shows specialized cybersecurity testing functions. Wrong HS classification, missing cybersecurity import license, unreviewed encryption functions or model mismatch among Invoice, Packing List, catalogue and license may lead to document queries, inspection channel escalation, loss of C/O preference, DEM/DET costs and project delay.

E2E map: this article helps enterprises review HS code, duty, C/O, specialized policies, customs documents, clearance decision points and pre-ETA risk controls for the single product Vulnerability scanner.

QUICK FACT

Review item	Application direction for Vulnerability scanner	Point to close before ETA
Product	Vulnerability scanner as a dedicated hardware appliance or integrated system used to scan vulnerabilities, check configurations, detect security weaknesses and assess the security posture of networks, servers, applications or digital assets.	Do not apply the same conclusion to database security, storage security or DLP if the model/function is different.
Reference HS Code	HS 8471.30.90 / 8471.41.90 / 8471.49.90 should be reviewed where the product is an automatic data-processing machine or ADP system. HS 8517.62.43 / 8517.62.49 should only be reviewed where the principal character is data transmission/reception/conversion network equipment.	Close the HS position based on catalogue, datasheet, hardware configuration, deployment mode, ports, scanning/assessment function and commercial description.
Import duty	MFN import duty is commonly 0% for many 8471/8517 lines above, but ordinary duty and the exact MFN rate must be checked against the tariff in force on the declaration date.	Do not lock the tax rate without checking Decree 26/2023/ND-CP, Decree 199/2025/ND-CP and the latest tariff schedule.
VAT	VAT should be reviewed against the standard 10% rate and any 8% VAT reduction policy effective on the customs declaration date. Do not automatically apply 8% if the goods fall under IT/telecommunication/cybersecurity products or the exclusion appendices.	Check Decree 181/2025/ND-CP, Decree 359/2025/ND-CP, Decree 174/2025/ND-CP and Decree 144/2026/ND-CP if the declaration is made after the relevant effective date.
Specialized policy	The product may require an import license for network information security products if it matches the group of security testing/evaluation solutions. If encryption, key management, VPN or crypto modules are present, civil cryptography rules must also be reviewed.	Do not conclude “no license required” before reading the datasheet, license features and technical file.
Key dossier	Invoice, Packing List, B/L or AWB, C/O if any, catalogue/datasheet, model list, label photos, vulnerability scanning feature documents and specialized license dossier if applicable.	Goods name, model, serial number, origin, technical specifications and function must match across commercial documents, catalogue, license and customs declaration.

Legal note: This English version is for operational reference and is not an official legal translation. Enterprises must verify catalogue, datasheet, model, license features, goods condition and actual import purpose before application. Do not use this article to conclude for database security, storage security or DLP if the model/function differs.

SCOPE OF APPLICATION

This article applies only to Vulnerability scanner as a hardware appliance or dedicated hardware system used to scan, test, assess and report information-security vulnerabilities of networks, servers, applications or digital assets.

Do not automatically apply it to database security, storage security, DLP or pure software not imported with hardware.
New, used, refurbished, sample, warranty/RMA or project goods may trigger different policies.
If the product includes Wi-Fi/Bluetooth/4G/5G, battery, adapter, charger, software license, encryption module, key management or special security functions, each element should be reviewed separately.
Review must be based on catalogue, datasheet, model and actual import purpose.

CLASSIFICATION & PRODUCT IDENTIFICATION

Technical identification

A Vulnerability scanner is usually identified by port/service scanning, software-version detection, CVE discovery, misconfiguration assessment, risk scoring, remediation reporting and vulnerability-management dashboard.

Points not to miss

Distinguish hardware appliance from pure software/license. Confirm CPU, RAM, storage, network ports, wireless modules, data transmission, encryption, log retention and on-prem/cloud scanning functions.

Criteria to verify	Documents to cross-check	Risk if described incorrectly	Suggested goods description on documents/declaration
Nature of goods	Catalogue, datasheet, product photos and hardware configuration	A generic name such as “security device” may cause wrong HS classification and wrong specialized policy.	“Vulnerability scanner appliance – device for vulnerability scanning/security assessment, model…, brand new”.
Principal function	Feature list, user/admin manual and license sheet	May be mistaken for firewall, DLP, SIEM or network monitoring, leading to functional clarification requests.	Describe the vulnerability scanning/security assessment function clearly; avoid over-broad descriptions.
Hardware configuration	CPU, RAM, storage, network ports, console port, power supply and accessories	Wrong 8471/8517 classification if the principal character is not evidenced.	Include key configuration where HS explanation may be needed.
Security/encryption features	Encryption specification, license feature and manufacturer statement	Civil cryptography or cybersecurity licensing may be missed if special functions exist.	Separate the vulnerability scanning function from encryption/key-management functions, if any.
Goods condition	Invoice, contract, RMA and supplier confirmation	Refurbished/warranty goods may be handled differently from new commercial goods.	State “new 100%”, “warranty replacement” or “sample” according to the real file.

HS CODE – DUTY – C/O

HS Code should not be determined only by trade name. The key is the principal function: automatic data processing equipment, an ADP system, or network data transmission/reception/conversion equipment. For cybersecurity products, HS code is also linked to specialized licensing and customs explanation.

Reference HS code	Applicable condition	Risk if misclassified	Documents to cross-check
8471.30.90	Portable automatic data-processing equipment where weight/configuration match the heading description.	Wrong classification if the actual product is a rackmount appliance or dedicated network device.	Catalogue, dimensions/weight, CPU/RAM/storage configuration and product photos.
8471.41.90	Automatic data-processing machine incorporating at least a CPU and input/output unit in the same housing.	May be rejected if the principal function is network data transmission/reception/conversion.	Datasheet, system diagram, I/O ports and operating system/software description.
8471.49.90	ADP system or configuration not falling under the above lines.	Unclear description may trigger reclassification to 8517 or another code.	Commercial documents, system configuration, catalogue and model list.
8517.62.43 / 8517.62.49	Only where the principal character is network data transmission, reception, conversion, routing or switching.	Using 8517 for an ADP/scanning appliance may affect policy, VAT and license analysis.	Datasheet, network diagram, port list and routing/switching/transmission description.

Tax/charge item	Reference rate to review	Applicable condition	Control note
Ordinary import duty	Must be checked against the ordinary tariff on the declaration date; do not infer before the HS code is finalized.	Applies where MFN/special preferential treatment is not available or under statutory conditions.	Check the 8-digit HS code and policy at the time of declaration.
MFN preferential import duty	Reference: often 0% for many lines such as 8471.30.90, 8471.41.90, 8471.49.90, 8517.62.43 and 8517.62.49; recheck the tariff in force.	Applies where the goods meet MFN preferential conditions.	Cross-check Decree 26/2023/ND-CP and Decree 199/2025/ND-CP.
VAT	Reference: 10%; only consider 8% where the actual goods are not in the exclusion appendices of the VAT reduction policy.	Depends on HS code, product nature and VAT policy on the import date.	Do not apply 8% automatically to IT/telecom/cybersecurity equipment.
Special preferential duty under C/O	May be 0% or the FTA rate if the C/O is valid and the HS code is consistent.	Correct C/O form, origin criterion, description, exporting country and HS code.	Wrong form, origin criterion or description may lead to refusal of preference.

APPLICABLE SPECIALIZED POLICIES

Goods scenario	Possible policy	Documents to check	Authority/portal if identifiable	Recommended timing	Risk note
Vulnerability scanner matching the cybersecurity testing/evaluation group	Possible import license for network information security products.	Catalogue, datasheet, feature list, model list and the cybersecurity import-license application dossier; note that Circular 10/2022 removed the copy of the cybersecurity product/service business license from the import-license application dossier.	Authority of Information Security – Ministry of Information and Communications / relevant public service portal.	Before ETA; ideally from PO/catalogue review stage.	Do not conclude no license before matching the model with the list.
Device with Wi-Fi/Bluetooth/4G/5G	Possible ICT Group 2 conformity certification/declaration and quality inspection.	Wireless module, frequency, test report, applicable QCVN and CR mark if applicable.	Telecommunications Authority / radio-frequency authority or relevant portal depending on the case.	Before arrival; test reports should be prepared early.	Do not treat it only as a security device if radio modules exist.
Device with encryption/key management/VPN	Civil cryptography rules under Decree 211/2025/ND-CP may need review.	Encryption specification, license feature, user manual and manufacturer statement.	Civil cryptography authority as prescribed by current regulations.	Before ordering or shipment.	Missing encryption features may leave the specialized dossier incomplete.
Goods with battery, adapter or charger	Possible separate requirements on safety, labelling, transport documents or technical records.	Power specification, adapter, battery, MSDS if lithium battery exists and original label.	Customs or specialized authority depending on the dossier.	Before ETA and before transport booking.	Accessories may affect description and transport dossier.
Used/refurbished goods	May trigger restrictions or separate policies for used IT equipment.	Goods condition, year of manufacture, refurbished statement, RMA and import purpose.	Customs and specialized authority depending on the case.	Before purchase/shipment.	Do not process as new goods if invoice/label shows refurbished.
Goods for EPE/FDI/factory/project	HS code, duty, license, labelling and use purpose still need review; customs regime may differ.	Contract, PO, use purpose, investment documents if needed and internal project documents.	Customs sub-department and specialized authority if applicable.	Before declaration.	Wrong customs regime or missing license may affect project schedule.

LEGAL DOCUMENTS TO REVIEW

Document group	Document name/number	Issuing authority	Effective date/application timing	Role in the procedure	Articles/clauses/appendices to note, if any	Review note
Law	Law on Cyberinformation Security 2015	National Assembly	Validity should be checked at application time	Basis for management of network information security products/services.	Provisions on cybersecurity products/services and related business conditions.	Review according to actual dossier and product type.
Circular	Circular 13/2018/TT-BTTTT amended by Circular 10/2022/TT-BTTTT	Ministry of Information and Communications	Circular 10/2022 effective from 15 Sep 2022	Regulates the list of network information security products imported under license and licensing dossier.	Appendix list includes security testing/evaluation solutions; application/license forms.	Match the model, function and HS before concluding license requirements.
Decree	Decree 211/2025/ND-CP	Government	Effective from 09 Sep 2025	Review where civil cryptography, encryption or key-management functions exist.	Civil cryptography lists/conditions/dossiers if applicable.	Apply only where the technical file shows regulated functions.
Circular/QCVN	Circular 02/2024/TT-BTTTT and relevant QCVN if wireless/ICT Group 2 modules exist	Ministry of Information and Communications	Effective from 15 May 2024	Quality inspection and conformity certification/declaration if the module is listed.	ICT Group 2 appendices and corresponding QCVN.	Do not apply mechanically where no listed module exists.
Tariff	Decree 26/2023/ND-CP and Decree 199/2025/ND-CP	Government	Decree 26 effective 15 Jul 2023; Decree 199 effective 08 Jul 2025	Reference for preferential import duty and HS code.	Tariff schedule by 8-digit HS code.	Recheck on the declaration date.
VAT	Decree 181/2025/ND-CP; Decree 359/2025/ND-CP; Decree 174/2025/ND-CP; Decree 144/2026/ND-CP if the declaration is after its effective date	Government	Decree 181 effective 01 Jul 2025; Decree 359 effective 01 Jan 2026; Decree 174 effective 01 Jul 2025; Decree 144 effective 20 Jun 2026	Review VAT 8%/10%, exclusion appendices and rules effective on the declaration date.	Goods/services excluded from VAT reduction, if any.	IT/telecom/cybersecurity equipment requires careful exclusion-list review before applying 8%.
Goods labelling	Decree 43/2017/ND-CP amended by Decree 111/2021/ND-CP	Government	Decree 43 effective 01 Jun 2017; Decree 111 effective 15 Feb 2022	Basis for original label and Vietnamese supplementary label.	Mandatory contents: goods name, origin, responsible entity and specifications where applicable.	Label photos must match model and documents.
Customs	Circular 38/2015/TT-BTC amended by Circular 39/2018/TT-BTC	Ministry of Finance	Circular 39/2018 effective from 05 Jun 2018	Basis for customs declaration, dossier check, customs value, HS and C/O review.	Customs dossier and post-clearance audit provisions.	Check consolidated/current version at the time of clearance.

VIEW / DOWNLOAD ORIGINAL LEGAL DOCUMENTS

Enterprises may search legal documents by number on official legal document portals, the Government portal or the issuing authority’s website. Enterprises should additionally verify the documents on official portals before application.

Circular 10/2022/TT-BTTTT Decree 211/2025/ND-CP Circular 02/2024/TT-BTTTT VAT: Decrees 174/181/359/144 Tariff Decree 26/2023

CUSTOMS CLEARANCE DOSSIER

Commercial documents

Commercial Invoice, Packing List, Bill of Lading/Air Waybill, Sales Contract/Purchase Order if any, C/O if duty preference is claimed, catalogue/datasheet, product photos, original label and model list.

Specialized dossier if applicable

Cybersecurity import license, civil cryptography dossier, conformity certification/declaration and test report if ICT Group 2 applies, labelling dossier, technical documents and manufacturer statement.

Dossier group	Required documents	Used for which step	Usually prepared by	Common errors	How to check before ETA
Commercial	Invoice, Packing List, Contract/PO	Declaration, value, quantity and sale terms	Importer, supplier, purchasing team	Generic goods name, missing model suffix, wrong quantity/serial.	Cross-check every line against catalogue and model list.
Transport	B/L or AWB, arrival notice, pre-alert	Cargo release, manifest check and clearance planning	Forwarder, agent, carrier/airline	Wrong consignee, inaccurate description, late documents.	Review pre-alert before cargo arrival.
Technical	Catalogue, datasheet, user/admin manual and label photos	HS classification, policy review and function explanation	Supplier, technical team, compliance	Marketing brochure only, no security testing/evaluation function.	Request full technical datasheet before ETA.
Specialized	Cybersecurity license/civil cryptography/conformity dossier if applicable, test report if any	Specialized filing and presentation to customs when requested	Compliance team, service provider, competent authority	License is prepared after ETA; model on license does not match invoice.	Check license by exact model, quantity, function and reference HS.
Origin	Draft/original C/O where preference is claimed	Special preferential duty and origin control	Shipper, exporter, importer	Wrong form, HS, description or origin criterion.	Check draft C/O before the original is issued.

Dossier consistency rule: goods name, quantity, model, serial number, origin, technical specifications and function must match 100% across commercial documents, catalogue, label, specialized dossier and customs declaration.

DECISION POINTS THAT MAY HOLD THE SHIPMENT

Decision point	Question to answer	Evidence documents	Consequence if unclear	Recommended action
HS code	Is the principal character ADP equipment under 8471 or network transmission equipment under 8517?	Catalogue, datasheet, configuration and port description.	Reclassification, additional duty and clearance delay.	Finalize HS before ETA; prepare a function-based classification rationale.
Cybersecurity license	Does the model fall under security testing/evaluation solutions?	Datasheet, license feature, model list and licensing dossier.	Request for additional license and shipment hold.	Review Circular 13/2018 and Circular 10/2022 before booking.
Civil cryptography	Does it include encryption, key management, VPN or crypto modules?	Encryption specification, user manual and manufacturer statement.	Specialized dossier may be incomplete and schedule affected.	Separate vulnerability scanning from cryptographic functions.
Model and label	Do invoice, packing list, catalogue, label and license show the same model?	Label photos, model list, license and invoice.	Goods may be treated as different from the licensed/declared goods.	Lock the model list; do not abbreviate model names.
C/O	Is the C/O form, origin criterion, description and HS consistent?	C/O, invoice, B/L and origin rules.	Preference may be rejected or amendment requested.	Check the draft C/O first.
Condition	Is it new, refurbished, warranty replacement or sample?	Invoice, contract, RMA and supplier statement.	Wrong policy or restricted-goods issue may arise.	State goods condition and import purpose clearly in the dossier.

PRACTICAL E2E PROCESS

Step 1: Pre-ETA review

Finalize HS, policy, duty, C/O, labelling and any cybersecurity/civil-cryptography/conformity license.

Step 2: Lock documents

Finalize Invoice, Packing List, B/L/AWB, catalogue, datasheet, model/serial list and check consistency.

Step 3: Specialized filing

Submit cybersecurity/civil-cryptography/conformity dossier where applicable; do not wait until arrival.

Step 4: Customs declaration

Green channel: conditional release by system; Yellow: document inspection; Red: document and physical inspection.

Step 5: Clearance and delivery

Pay duties/taxes, release goods, arrange delivery and control supplementary label/specialized records if applicable.

Step 6: Post-clearance file

Archive shipment documents, license, C/O, catalogue and HS/policy explanation for post-clearance audit.

PRE-ETA RISK CHECKLIST

Risk	Consequence	How to prevent before ETA	Documents to check
Generic description such as “security appliance”	Wrong HS, wrong license and difficult explanation under yellow/red channel.	Standardize description as Vulnerability scanner and principal function.	Invoice, Packing List, catalogue, datasheet.
Missing cybersecurity license where the model is listed	Cargo hold, storage charges and project delay.	Review Circular 13/2018 and Circular 10/2022; prepare licensing dossier before ETA.	Datasheet, model list, licensing file.
Overlooking encryption/civil cryptography functions	Additional dossier or policy adjustment may be required.	Request manufacturer confirmation on license features and encryption specification.	User manual, feature list, manufacturer statement.
Model mismatch among documents, catalogue, label and license	Suspicion of wrong goods, wrong license or wrong declaration.	Lock the model list before issuing final documents.	Invoice, PL, original label, catalogue, license.
Wrong C/O form/HS/description	No preferential duty or C/O amendment required.	Check draft C/O before the shipper issues the original.	C/O draft, invoice, B/L, HS code.
VAT not checked on declaration date	Wrong tax declaration and adjustment dossier.	Review Decree 174/2025/ND-CP and exclusion appendices.	Tariff, VAT policy and draft declaration.

FAQ

Does Vulnerability scanner import require a license?

It may require an import license for network information security products if the model falls under security testing/evaluation solutions. Review catalogue, datasheet and Circular 13/2018/TT-BTTTT as amended by Circular 10/2022/TT-BTTTT.

Is quality inspection/conformity required?

No general conclusion should be made. If the model includes radio modules, telecom functions or ICT Group 2 components, a separate review is required.

Is Vietnamese supplementary labelling required?

Yes, if goods are circulated in Viet Nam and the original label lacks mandatory Vietnamese information.

Can C/O reduce duty?

Possibly, if the HS code still bears duty and the C/O is valid under the applicable FTA. Even where MFN is 0%, C/O supports origin control.

Are sample/warranty goods handled like commercial goods?

Not automatically. Samples, warranty/RMA, project or non-payment goods may differ in valuation, purpose and explanation dossier.

What if invoice model differs from catalogue?

Ask the supplier to amend documents or provide model mapping confirmation before declaration. Do not declare while model consistency is unresolved.

IMPLEMENTATION SUPPORT FROM TGIMEX

This article provides a map of HS code, duty, dossier and specialized policy for Vulnerability scanner. In real shipments, enterprises still need to review catalogue, datasheet, model, documents, origin, license features and import purpose.

Deployment capability

Agent network in more than 60 countries.
Member of WCA, WCA China Global, VLA and HNLA.
Sea, air, road and rail freight capabilities.
Customs clearance, C/O, import license, warehousing and inland transport support.

Support scope

Pre-ETA review: HS, policy, C/O, duty, labelling, catalogue/datasheet/model.
Compliance dossier control: Invoice, Packing List, B/L/AWB, C/O, test report, label and technical documents.
International logistics coordination, ETA tracking, pre-alert and transport documents.
Customs declaration, Green/Yellow/Red channel handling, HS/value/origin/policy explanation.

For shipments that may involve specialized inspection, import licenses, C/O or labelling requirements, enterprises should not wait until cargo arrival to review documents. A small mismatch among Invoice, Packing List, catalogue, datasheet, C/O or label may lead to additional document requests, clearance delay or unplanned storage charges.

TGIMEX supports enterprises in setting up an E2E import plan: pre-ETA policy review, document control, international freight coordination, customs declaration, clearance handling, inland delivery and post-clearance file archiving. This approach helps control schedule, cost and compliance risk from the preparation stage.

Có liên quan

QUICK CONSULTATION

NEED TO REVIEW IMPORT PROCEDURES OR A SHIPPING PLAN?

Send us the product name, shipping route, current dossier, or implementation request in advance so we can suggest a suitable approach that is practical, focused, and aligned with your shipment.

CALL NOW

HOTLINE 0963 856 664 / 0982 135 393

EMAIL info@tgimex.com

SUITABLE FOR International shipping · Customs procedures · Import licenses · B2B logistics

ELECTRICAL – ELECTRONICS – IT EQUIPMENT

F&B

MACHINERY

HOUSEHOLD GOODS

COSMETICS – PERSONAL CARE