Importing Civil Cryptographic Products (CCP) for Banks and Credit Institutions in Vietnam
- Chau Nguyen Nam Ky
- Jun 2
- 4 min read
Updated: Aug 14
As digital transformation accelerates across Vietnam’s credit sector, the demand for secure communication, encrypted data transmission, and trusted authentication tools is rising. This has made the import of civil cryptographic products (CCP), such as secure routers, hardware security modules (HSMs), and encryption-based software, essential for banks and credit institutions.
However, importing such products into Vietnam is subject to specific regulatory conditions and licensing governed by national cybersecurity and cryptography laws.
Here's what you need to know:
What Are Civil Cryptographic Products (CCP)?
Civil cryptographic products are designed for non-military, civilian use. Examples include:
HSMs (Hardware Security Modules)
Secure email and file encryption software
VPN and secure network devices
Digital signature devices
Authentication tokens and smart cards
Encryption-enabled storage devices
Banks often utilize these tools to comply with digital banking standards, facilitate electronic transactions, and protect customer data.
Legal Basis
The import and use of civil cryptographic products in Vietnam are governed by:
Law on Cyberinformation Security No. 86/2015/QH13
Decree No. 53/2018/NĐ-CP on the management of civil cryptographic products and services
Decree No. 32/2023/NĐ-CP, which updated the regulations for Decree No. 53/2018/NĐ-CP
Circular No. 161/2016/TT-BQP for the technical specifications of products used in banks
These documents define civil cryptographic products and outline the responsibilities of importers, users, and service providers.
Note: CCP products for banks and credit institutions, excluding grassroots people's credit funds with assets under VND 10 billion (approximately less than 384,000 USD) and microfinance institutions, are regulated by Circular No. 161/2016/TT-BQP.
Conditions to Import CCP products for Banks and Credit Institutions
For banks and credit institutions, importing these products requires compliance with the following conditions:
1. Product Must Be on the NACIS's Permitted List
The product must fall under the list of civil cryptographic products and services allowed for import, issued by the National Agency of Cryptography and Information Security (NACIS).
If the product is not on the list, it may need a technical review or approval before import.
2. Import License Required
Importers must obtain a Civil Cryptographic Product Import License from the NACIS of the GCC.
Required documents include:
- Product specifications and datasheets
- Intended import purpose
- Trading license
3. Qualified Importers
The importer must be an enterprise licensed to trade in civil cryptographic products and services, or partner with such a licensed company in Vietnam.
The trading license must explicitly authorize the provision of products and services to banks or for use within banking institutions.
Many foreign companies partner with local licensed agents or service providers to handle compliance and licensing requirements.
4. Compliance with National Standards
Products must meet Vietnamese technical standards (QCVN), especially if used in regulated sectors like finance, telecommunications, or e-government.
For products used in banks and credit institutions, they must meet specific standards outlined in regulations, including:
Block Size
Block Size | Algorithm Name | Required Key Length |
64-bit | TDEA | Not less than 192 bits |
128-bit | AES | Not less than 256 bits |
Camellia | Not less than 256 bits |
Regulations on Key Lifetime Threshold and Security Level:
Security Level (bits) | Block Cipher Algorithm | Regulated Usage Period |
112-bit | 3TDEA | Until the end of 2030 |
256-bit | AES-256 | From 2030 onward |
Camellia-256 | From 2030 onward |
What Banks & Credit Institutions Should Do
If you're a bank or fintech company looking to import encryption products for use in Vietnam, follow these guidelines:
Determine Product Type: Assess whether the product is civil cryptographic or IT security equipment without encryption. Seek local compliance experts if you're unsure.
Obtain Necessary Licenses: If a bank wishes to import civil cryptographic products independently, it must secure a trading license and an import license from NACIS.
Consider IOR Services: Alternatively, engage a licensed Importer of Record (IOR). In this case, banks do not need their own licenses if the products are strictly for internal use.
Customs Declaration: After approval, declare the import at customs with the appropriate documents, including the import license and product specifications. Be aware that products without a license can be detained or rejected at the border.
What to Avoid
Avoid Unlicensed Imports: Do not import encryption-enabled devices (e.g., routers, servers, USBs) without confirming they require licensing.
Be Specific: Avoid using vague terms like “security module” or “network appliance” without detailing cryptographic functions. This vagueness could lead to customs delays.
Final Thoughts
Importing civil cryptographic products for banking use in Vietnam is entirely possible. However, it requires strict regulatory compliance. Institutions should plan ahead, partner with experienced providers, and ensure all licensing procedures are complete before shipment.
At Tron Chan, we specialize in customs compliance, IT product licensing, and cryptographic product import advisory. We have already obtained the license to import CCP products for banks and credit institutions. We can assist with various products from brands like Cisco, Juniper, Palo Alto, Check Point, Fortigate, Yubikey, Dell, VMware, Advantech, and more.
If you need help importing encrypted products or navigating CCP licensing in Vietnam, reach out—we’re here to assist you.
Comments