Vietnam: New Cyber Information Security Requirements Issued for IoT Devices

Summer 2021 is sweltering in Vietnam, but looks like things will be more hectic with important legislations are in the midst of being drafted and issued to govern the tech-related industries. Just to name a few - the Ministry of Information and Communications ("MIC") issued Decision No. 736/QĐ-BTTTT on 31 May 2021 ("Decision") Setting out Cyber Information Security Requirements for Internet of thing ("IoT") devices.

It is important to note that the list of cyber information security requirements provided under the Decision is for recommendation only. This means that such list of requirements is not mandatory. This said, thinking afar, this could be an initial stage before the MIC puts those regulations/standards into law.

I summarize below several key highlights of the Decision:

In the Terminology Annex of the Decision, the MIC defines IoT devices as network-connected (and network-connectable) devices having relationships with associated services and are used by the consumer typically in their home or as electronic wearables".

Also, the MIC provides a non-exhaustive list of IoT devices including: Cameras, TVs and smart speakers; Wearable health monitoring devices; Networked home appliances, such as washing machines and refrigerators; Smart home management support system, etc.

Cyber information security requirements for IoT devices are issued based on the intact acceptance of corresponding requirements (Section 5.1 to 5.13 and Section 6) of the European standard ETSI EN 303 645 V2.2.1 (2020-06).

In particular, here is the list of the requirements' headline:

I. Requirements on Cyber Information Security for Consumer IoT Devices

No universal default passwords
Implement a means to manage reports of vulnerabilities
Keep software updated
Securely store sensitive security parameters
Communicate securely
Minimize exposed attack surfaces
Ensure software integrity
Ensure that personal data is secure
Make systems resilient to outages
Examine system telemetry data
Make it easy for users to delete user data
Make installation and maintenance of devices easy
Validate input data

II. Data Protection Requirements for Consumer IoT

It is observed that almost all of the terminology definitions and technical requirements issued under the Decision were adopted from the European standard (as noted above). Though the MIC clearly states that the listed requirements are just for recommendation only, tech companies should take into account of those requirements when distributing their IoT devices in Vietnam.

It is observed that almost all of the terminology definitions and technical requirements issued under the Decision were adopted from the European standard. Though the MIC clearly states that the listed requirements are just for recommendation only, tech companies should take into account of those requirements when distributing their IoT devices in Vietnam.

Register now for your free, tailored, daily legal newsfeed service.

Vietnam: New Cyber Information Security Requirements Issued for IoT Devices
Blog Baker McKenzie Viewpoints

Filed under

Popular articles from this firm

Vietnam: New draft decree on fintech regulatory sandbox for fintech services in Vietnam *

Food Law Guide - Vietnam *

Vietnam: New Decree amending Decree No. 152/2020 on the management of foreign employees working in Vietnam *

ASEAN Single Window and the Electronic Transmission of Form D among Indonesia, Malaysia, Singapore, Thailand and Vietnam *

Vietnam: Change of the general minimum wage in 2023 *

More from Baker McKenzie Viewpoints

Thailand's PDPA: Exemptions for Data Controllers

Double Trouble

Problema Doble

The European Health Data Space: A Trojan horse for pharma and medtech?

ICO25: ICO sets out regulatory approach and priorities for the next three years

Related practical resources PRO

Related research hubs