On July 25, 2025, the Government issued Decree No. 211/2025/ND-CP, which details activities related to Civil Cryptography (CC) and amends and supplements several provisions of Decree No. 15/2020/ND-CP (which had been amended and supplemented by Decree No. 14/2022/ND-CP) regarding penalties for administrative violations in the fields of postal services, telecommunications, radio frequency, information technology, and electronic transactions. This Decree introduces several important updates that contribute to enhancing the legal framework for network information security and Civil Cryptography in Vietnam.

The key updates in the Decree are: (1) comprehensive regulations on CC activities, (2) new provisions on simplifying administrative procedures and enhancing data interoperability, and (3) new regulations on administrative violation penalties in the CC field.

1. Detailed Regulations on CC Activities

Decree 211/2025/ND-CP provides detailed regulations on CC activities, including the business of CC products and services, export and import of CC products, and the evaluation of product compliance. In addition to the provisions inherited from Decree No. 58/2016/ND-CP, which clearly stipulates the specific conditions for businesses to be granted licenses for the business of CC products and services, and for the export and import of CC products, the Decree also issues the List of CC Products and Services (in Appendix I attached to the Decree) and the List of CC Products for Export and Import under License (in Appendix II attached to the Decree), with significant changes.

A notable point in the Decree is that the List of CC Products and Services (in Appendix I) and the List of CC Products for Export and Import under License (in Appendix II) have undergone significant changes compared to the lists issued in previous documents. Some products or product groups that are no longer relevant to practice have been removed (such as channel security products and cryptographic components in PKI systems), which reduces the number of product groups from 8 to 7. The list of CC products excluded from management has increased from 9 to 12 groups to eliminate unnecessary items in business and usage management. To facilitate the export and import procedures for CC products by businesses and the monitoring and customs clearance by customs authorities, the structure and content of the List of CC Products for Export and Import under License have also been modified compared to the List issued in Decree No. 32/2023/ND-CP.

Another noteworthy update concerns the evaluation of product compliance, as stipulated in Chapter III, which consists of three articles. It assigns the Government Cipher Committee as the authority to manage this activity, including issuing certificates of registration, designating conformity assessment organizations, and accepting compliance declarations for CC products. Article 10, Clause 2 states: "The Government Cipher Committee assists the Minister of National Defense in considering and deciding to recognize the unilateral results of the conformity evaluation of CC products by international or foreign conformity assessment organizations to serve the state management of CC." This provision is a new addition based on the application of new regulations in the amended Law on Standards and Technical Regulations, enacted on June 14, 2025, which states, "Ministries, ministerial-level agencies, and the Minister of National Defense shall consider and decide to recognize the unilateral results of conformity assessments by international or foreign conformity assessment organizations to serve state management activities" (amending Clause 2, Article 57 of the 2006 Law on Standards and Technical Regulations).

2. Simplification of Administrative Procedures and Enhanced Data Interoperability

The new Decree introduces improvements in the licensing process. Specifically, for procedures related to the issuance, modification, amendment, reissuance, and extension of business licenses for CC products and services and export and import licenses for CC products, the Government Cipher Committee will be responsible for checking certain components of the application in the National Database, without requiring businesses to provide them. This helps reduce paperwork and time for enterprises. Furthermore, online submission with digital signatures is encouraged.

The processing times for application reviews are also clearly defined, based on a reduction in the time required: issuance of a new business license for CC products and services: 20 working days; reissuance (due to modification, amendment, or extension): 10 working days; reissuance (due to loss or damage): 4 working days; issuance of export and import licenses for CC products: 7 working days.

3. Addition and Strengthening of Penalties for Administrative Violations in the CC Sector

This is one of the most prominent updates in the Decree, with the addition of Articles 93a and 93b to Decree No. 15/2020/ND-CP, specifying violations and corresponding penalties:

• Violations related to the business of CC products (Article 93a): The Decree stipulates fines of up to 180,000,000 VND depending on the severity and value of the violated goods. Violations subject to penalties include: late submission of reports, failure to record/retain customer information, failure to maintain business conditions, failure to suspend services when violations are detected, use of CC products not provided by the licensed business without declaration, providing incorrect information to obtain a license, engaging in business not aligned with the contents of the license, refusal to provide information related to encryption keys to authorized government agencies, and failure to cooperate with authorities. Notably, conducting business with unlicensed CC products will attract hefty fines ranging from 50,000,000 VND to 180,000,000 VND depending on the value of the violated goods. Additional penalties include revocation of licenses, suspension of activities, and confiscation of violating goods and vehicles.

• Violations related to the export and import of CC products (Article 93b): Fines of up to 100,000,000 VND are imposed for violations such as delayed submission of export/import reports, failure to maintain conditions for licensing, exporting/importing without a license, and failure to stop or suspend exports/imports when required by competent authorities for national defense or security purposes.

Additionally, the Decree expands the authority to impose administrative penalties. It adds Article 114a, clarifying the administrative penalty powers of the Cipher Inspectorate and the Head of the Government Cipher Committee. This enhances the role of the Cipher Committee in enforcing laws on CC activities, ensuring information security and national defense. The Decree also grants penalty powers to local authorities, including the Chairman of the People's Committees at various levels, inspectors, the police, border guards, market management authorities, and customs officers, in alignment with the new local government and ministry models. The Decree also adjusts the fine levels for various officials to align with the new Law on Administrative Penalties, effective in 2025.

Decree 211/2025/ND-CP will come into effect on September 9, 2025, and replace previous decrees on CC: Decree No. 58/2016/ND-CP, Decree No. 53/2018/ND-CP, and Decree No. 32/2023/ND-CP. The issuance and implementation of this Decree is an important step in improving the legal framework, creating favorable conditions for the proper development of CC activities, and enhancing the effectiveness of state management to ensure network security and national defense in the context of accelerating administrative reforms and digital transformation.