With the explosion of science and technology in the 4.0 era, cyberspace is developing with breakthroughs such as artificial intelligence, the Internet of things, quantum computers, cloud computing, and data systems. Parallel to bringing great benefits to the economy, the outstanding development of cyberspace also poses the problem of ensuring cyber information security and demand for trading-related products and services. Accordingly, cyber information security means the protection of information and information systems in cyberspace from being illegally accessed, utilized, disclosed, interrupted, altered, or sabotaged to ensure the integrity, confidentiality, and usability of the information. Therefore, doing business in the field of cyber information security is a conditional business sector, including trading cyber information security products and services. The following article will present the business conditions in the field of cyber information security so investors can have an overview before choosing this service to invest in.

1. Market access conditions

According to Vietnam’s commitments in the WTO Schedule of Commitments, trading in cyberinformation security products and services is a wholesale service (CPC 622).

Accordingly, this service currently has no restrictions on the form of commercial presence as well as the percentage of capital contributed by foreign investors.

2. Business conditions

According to the provisions of the Law on Cyberinformation Security and Decree 108/2016/ND-CP, trading in cyberinformation security products and services is a conditional business sector. Therefore, regardless of the establishment process, when conducting trading activities in the field of cyber information security, an enterprise (Vietnamese or foreign-owned enterprises alike) must obtain a License for trading in Cyber information security products and services.

2.1 Types of products

  • Information security risk evaluation products.
  • Information security monitoring products.
  • Instruction detection and prevention products.

2.2 Types of services

  • Information security monitoring services provided aim to monitor and analyze electronic information, collect and analyze real-time data logs, detect and give warning of potential risks or events that may threaten information security;
  • Intrusion detection and prevention services aim to monitor, collect and analyze real-time activities on the system or network to detect and prevent malicious activities targeted into the network or system;
  • Information security consulting services aims to give advice, testing, assessment, offer, design, and execution of information security solutions;
  • Incident response services are provided to respond or adopt appropriate measures to promptly remedy information security incidents;
  • Data recovery services are provided to salvage data that has been damaged or deleted.

2.3 Requirements for Conformity

The trading plan of the enterprise shall comply with the national strategy, and plan for cyber information security development.

2.4 The business plan

It includes the contents of the description of the equipment system, the facilities of the enterprise, the description of the personnel’s experience, the range of products provided; the type of product being traded; the fulfillment of relevant technical standards and regulations for each type of product.

2.5 Facilities

Having facilities, equipment and production technology that are appropriate for the business method available

2.6 Personnel

Having a management team satisfying professional requirements for information security and technicians with bachelor’s degrees in information security or certificates of information security or certificates of information technology or certificates of electronics and telecommunications with a sufficient number of employees for the scale and requirements of the business plan

2.7 Application forms

A dossier for issuance of the License for trading in cyber information security products and services shall be made in five sets, including :

An application specifying the types of cyber information security products and services to be traded.

A copy of the enterprise registration certificate, investment registration certificate or another paper of equivalent validity.

A written explanation of the technical equipment system compliant with the law.

A business plan specifying the scope, users, standards and quality of the products and services.

Copies of information security diplomas or certificates of managerial, administrative and technical employees.

3. Steps for company establishment

To establish a company trading in cyberinformation security products and services, investors need to take the following steps:

Step 1: Apply for an investment registration certificate

Step 2: Apply for an enterprise registration certificate

Step 3: Apply for the License for trading in cyberinformation security products and services.

The article is based on laws applicable at the time noted as above and may no longer be appropriate at the time the reader approaches this article as the applicable laws and the specific cases that the reader may wish to apply may have changed. Therefore, the article is for referencing only.