Summer 2021 is sweltering in Vietnam, but looks like things will be more hectic with important legislations are in the midst of being drafted and issued to govern the tech-related industries. Just to name a few - the Ministry of Information and Communications ("MIC") issued Decision No. 736/QĐ-BTTTT on 31 May 2021 ("Decision") Setting out Cyber Information Security Requirements for Internet of thing ("IoT") devices.
It is important to note that the list of cyber information security requirements provided under the Decision is for recommendation only. This means that such list of requirements is not mandatory. This said, thinking afar, this could be an initial stage before the MIC puts those regulations/standards into law.
I summarize below several key highlights of the Decision:
- In the Terminology Annex of the Decision, the MIC defines IoT devices as network-connected (and network-connectable) devices having relationships with associated services and are used by the consumer typically in their home or as electronic wearables".
Also, the MIC provides a non-exhaustive list of IoT devices including: Cameras, TVs and smart speakers; Wearable health monitoring devices; Networked home appliances, such as washing machines and refrigerators; Smart home management support system, etc.
- Cyber information security requirements for IoT devices are issued based on the intact acceptance of corresponding requirements (Section 5.1 to 5.13 and Section 6) of the European standard ETSI EN 303 645 V2.2.1 (2020-06).
In particular, here is the list of the requirements' headline:
I. Requirements on Cyber Information Security for Consumer IoT Devices
- No universal default passwords
- Implement a means to manage reports of vulnerabilities
- Keep software updated
- Securely store sensitive security parameters
- Communicate securely
- Minimize exposed attack surfaces
- Ensure software integrity
- Ensure that personal data is secure
- Make systems resilient to outages
- Examine system telemetry data
- Make it easy for users to delete user data
- Make installation and maintenance of devices easy
- Validate input data
II. Data Protection Requirements for Consumer IoT
It is observed that almost all of the terminology definitions and technical requirements issued under the Decision were adopted from the European standard (as noted above). Though the MIC clearly states that the listed requirements are just for recommendation only, tech companies should take into account of those requirements when distributing their IoT devices in Vietnam.
It is observed that almost all of the terminology definitions and technical requirements issued under the Decision were adopted from the European standard. Though the MIC clearly states that the listed requirements are just for recommendation only, tech companies should take into account of those requirements when distributing their IoT devices in Vietnam.