Tiếng Việt
中文 (中国)
Law on Cyber Information Security No. 86/2015/QH13: Compliance notes for ICT, security and cryptographic products
This operational reference article helps importers identify when ICT devices, cyber security products or products with encryption/security functions may trigger specialized import controls in Vietnam.
QUICK SUMMARY
Law No. 86/2015/QH13 has been effective from 1 July 2016; note that Law 116/2025/QH15 takes effect on 1 July 2026 and terminates Law 86 under Article 44.
ICT equipment, security appliances, firewalls, encryption devices, cyber information security products and data protection products.
Incorrect technical identification may cause missing permits, delayed customs clearance or additional catalogue/datasheet requests.
DOCUMENT INFORMATION
| Field | Content |
|---|---|
| Document title | Law on Cyber Information Security |
| Reference number | 86/2015/QH13 |
| Issuing authority | National Assembly of Vietnam |
| Date of issuance | 19 November 2015 |
| Effective date | 1 July 2016 |
| Validity status | Effective until before 1 July 2026. Under Article 44 of Law 116/2025/QH15, Law 86/2015/QH13 ceases to have effect from the effective date of Law 116; Article 45 transitional provisions must also be reviewed. |
| Scope | Cyber information security activities; rights and responsibilities of organizations and individuals; civil cryptography; standards/technical regulations; trading in cyber information security products and services. |
| Regulated subjects | Vietnamese and foreign agencies, organizations and individuals directly involved in or related to cyber information security activities in Vietnam. |
KEY POINTS TO NOTE
For import/export operations, the key issue is not only IT law, but also the ability to identify whether a product’s security, encryption, access-control or data-protection functions trigger specialized product policies.
Businesses processing customer, account, identity or user data should control their information-protection obligations.
Production, e-commerce, warehouse, ERP, industrial IoT and logistics systems may need review under information-system security rules.
Products used for system protection, intrusion detection, access control, anti-malware or data security may trigger business conditions or import licensing.
Products using encryption or secure communication/storage functions should be reviewed against civil cryptography regulations and import/export lists.
AFFECTED ENTERPRISES / PRODUCT GROUPS
| Analysis group | Operational review |
|---|---|
| Enterprise groups | Importers/exporters, ICT companies, network equipment distributors, trading companies, EPE/FDI factories, manufacturers with industrial control systems and logistics providers. |
| Product groups | Firewalls, VPN devices, HSM, security tokens, encryption devices, security software, network monitoring devices and ICT products with cyber security functions. |
| Affected stage | Pre-import review, HS classification, product policy check, permit application if required, customs declaration, post-clearance record keeping and market circulation control. |
| Documents to check | Catalogue, datasheet, user manual, security feature list, encryption description, invoice, packing list, contract, C/O, model list and permits if any. |
| Trigger conditions | Not based on HS code only; product name, model, security/encryption function, technical documents and current specialized regulations must be reviewed. |
IMPACT ON IMPORT / EXPORT AND LOGISTICS
| Impact area | Control point |
|---|---|
| Customs declaration | Check HS code, commercial/technical name, model, security/encryption functions and applicable specialized product policy before declaration. |
| Import documents | Invoice and packing list should match model and product description; catalogue/datasheet should clearly describe technical functions. |
| Permits / specialized control | If the product is listed as a cyber information security product subject to import permit or as a civil cryptography product, permits should be handled before clearance as applicable. |
| Logistics timeline | Missing technical dossiers may lead to storage cost, channel change, explanation request or additional document submission. |
| Post-clearance compliance | Keep technical dossiers, permits, model review records and import documents for post-clearance audit or specialized inspection. |
OPERATIONAL DOSSIER CHECKLIST
| Document / data | Purpose | Control note |
|---|---|---|
| Catalogue / Datasheet | Identify technical function, security or encryption features. | The document should clearly show model and key functions. |
| Invoice / Packing List | Cross-check name, quantity, model and serial number if any. | Avoid overly generic names if products have specific security features. |
| Expected HS code | Review tariff and product policy. | HS code is not the only basis; function must also be checked. |
| Encryption/security description | Identify civil cryptography or cyber security scope. | Separate default functions from optional/licensed functions. |
| Permit / specialized document | Basis for clearance and record keeping. | Submit only when the product is within regulated scope. |
| C/O and transport documents | Control origin, route and delivery terms. | Ensure consistency with contract, invoice and customs declaration. |
SPECIALIZED TERM NOTES
| Term | Brief explanation |
|---|---|
| Cyber information security | Protection of information and information systems against unauthorized access, use, disclosure, disruption, modification or destruction. |
| Cyber information security product | Hardware/software product used to protect systems, detect attacks, control access, prevent malware or secure data. |
| Civil cryptography | Cryptographic technology/products used to protect non-state-secret information. |
| Datasheet | Technical specification document used to identify product function, model and configuration. |
| ETA | Estimated Time of Arrival – expected arrival time at port, warehouse or border gate. |
RELATED LEGAL DOCUMENTS TO REVIEW
| Document group | Title / number | Issuing authority | Validity / note | Role | Articles / annexes to note | Review note |
|---|---|---|---|---|---|---|
| Law | Law on Cyber Information Security 86/2015/QH13 | National Assembly | Effective from 1 July 2016 | Foundational law | Chapters on cyber information security, products/services and civil cryptography | Check together with current implementing instruments. |
| Replacing / transitional law | Cybersecurity Law 116/2025/QH15 | National Assembly | Effective from 1 July 2026 | Terminates Law 86/2015/QH13 and Law 24/2018/QH14 under Article 44 | Articles 44 and 45 | Review for licences, classified information systems and products/services already in use before the transition date. |
| Decree | Decree 85/2016/ND-CP | Government | Effective from 1 July 2016 | Information system security by level | Criteria, responsibilities and authority | Relevant to enterprise information systems. |
| Circular | Circular 13/2018/TT-BTTTT | MIC | Effective from 1 December 2018 | Import licensing list/procedure for cyber information security products | Product list and licensing dossier | Review when importing security products. |
| Amending circular | Circular 10/2022/TT-BTTTT | MIC | Effective from 15 September 2022 | Amends Circular 13/2018/TT-BTTTT | Licensing authority and dossier rules | Use consolidated text if available. |
| Decree | Decree 211/2025/ND-CP | Government | Effective from 9 September 2025 | Civil cryptography activities and related amendments | Lists and conditions if applicable | Review for products with encryption functions. |
VIEW / DOWNLOAD ORIGINAL DOCUMENT
Businesses should check the Vietnamese original before applying the law to import dossiers, especially for ICT products with security or encryption functions.
FULL TEXT / PDF PREVIEW
This article embeds the official signed Vietnamese PDF for full-text reference. Because the signed file is a scanned PDF, this package uses PDF preview instead of OCR text to avoid legal wording errors. This English version is an operational reference translation, not an official legal translation.
Preferred official source: Vietnam Government legal document portal. The PDF preview is for full-text reference and does not replace case-specific legal review.
FAQ
1. When did Law No. 86/2015/QH13 take effect?
It took effect on 1 July 2016. Current implementing documents must also be checked.
2. Does the law directly change HS codes?
No. However, security or encryption functions may trigger specialized product controls in addition to HS classification.
3. Does ordinary network equipment require an import permit?
This cannot be concluded by product name alone. Model, datasheet and actual functions must be reviewed.
4. When should the dossier be reviewed?
Before final supplier documents are issued and before ETA, to leave time for datasheet clarification or permit application.
5. Should documents be retained after clearance?
Yes. Technical documents, permits and policy review records should be retained for post-clearance audit.
6. Which rules apply to encrypted products?
Review the Law on Cyber Information Security together with civil cryptography regulations and current implementing decrees/circulars.
7. What if the product scope is uncertain?
Review datasheet, user manual, expected HS code and intended use, and seek technical/legal confirmation before shipment arrives.
SOLUTIONS FROM TGIMEX
For ICT, security and encryption-related products, the core task is to identify the actual technical function, determine the correct legal basis and lock the dossier before shipment arrival.
Review Law 86/2015/QH13, implementing documents, cyber security product lists and civil cryptography rules against the actual dossier.
Cross-check invoice, packing list, catalogue, datasheet, model list, C/O and technical descriptions to avoid mismatched model/function.
Build a pre-ETA timeline, identify risk checkpoints, coordinate customs declaration, international transport and specialized dossiers if required.
Keep shipment records, technical explanations and compliance evidence for post-clearance audit or specialized inspection.
Importers should complete the legal and technical review before final documents and before ETA to reduce storage, channel change and delay risks.
NEED TO REVIEW IMPORT PROCEDURES OR A SHIPPING PLAN?
Send us the product name, shipping route, current dossier, or implementation request in advance so we can suggest a suitable approach that is practical, focused, and aligned with your shipment.
Declaration procedure for equipment subject to strict OSH requirements: dossier, timeline and import-compliance notes
Law 86/2015/QH13 on Cyber Information Security: ICT import notes and transition to Law 116/2025/QH15
CIRCULAR 13/2018/TT-BTTTT: INFORMATION SECURITY PRODUCTS SUBJECT TO IMPORT LICENSING
Circular 10/2022/TT-BTTTT: amendments to import licensing for cyberinformation security products
Circular 41/2023/TT-BTC: Fees in pharmaceuticals and cosmetics for import-export compliance
Circular 53/2016/TT-BLDTBXH: List of machinery and equipment subject to strict occupational safety requirements
IMPORT DECLARATION PROCEDURE FOR PRINTING EQUIPMENT: DOSSIER, CONDITIONS AND COMPLIANCE NOTES FOR IMPORTERS
EXPORT/IMPORT PERMIT PROCEDURE FOR CIVIL CRYPTOGRAPHIC PRODUCTS ON DVCQG: DOSSIER, CONDITIONS AND LOGISTICS NOTES
Decree 72/2022/ND-CP: amendments on printing activities and printing-equipment import compliance
Law on Cipher No. 05/2011/QH13: cipher activities, cryptographic products and import-compliance notes
Decree 211/2025/ND-CP: Civil Cryptography Activities and Import-Export Compliance Notes for ICT Equipment
Consolidated Document 19/VBHN-BNNPTNT 2024: Plant quarantine linked with food safety inspection for imports
Consolidated Document 19/VBHN-BNNPTNT 2024: Plant quarantine linked with food safety inspection for imports
Circular 33/2014/TT-BNNPTNT: Plant quarantine procedures for import, export, transit and post-import regulated articles
Circular 15/2021/TT-BNNPTNT: amendments to plant quarantine procedures for import-export businesses