GOVERNMENT OF VIETNAM
THE SOCIALIST REPUBLIC OF VIETNAM
No: 23/2025/ND-CP
Hanoi, February 21, 2025
DECREE
ON DIGITAL SIGNATURES AND TRUST SERVICES
Pursuant to Law on Governmental Organization dated June 19, 2015; Law on amendments to Law on Government Organization and Law on Local Governmental Organization dated November 22, 2019;
Pursuant to Law on Electronic Transactions dated June 22, 2023;
Pursuant to Law on Fees and Charges dated November 25, 2015;
At the request of the Minister of Information and Communications;
The Government issues a Decree on digital signatures and trust services.
Chapter I
GENERAL PROVISIONS
Article 1. Scope
This Decree provides for digital signatures and trust services, except civil service digital signatures and civil service digital signature authentication services.
Article 2. Regulated entities
This Decree applies to agencies, organizations, and individuals (hereinafter referred to as "entities") that directly engage in or are related to digital signatures and trust services.
Article 3. Term interpretation
For the purposes of this Decree, these terms are construed as follows:
1. "Key" means a string of binary digits (0 and 1) used in the cryptographic system.
2. "Digital signing" means putting the private key into a software program to automatically generate and add digital signatures to data messages.
3. "Valid digital signature certificate" means a digital certificate that is unexpired and has not been suspended or revoked.
4. "Code for checking integrity of data message" (integrity-checking code) means a sequence of characters used to check the integrity of the data message.
5. "Subscriber" means an entity entering into a trust service provision and use contract with a trust service provider.
6. "National e-authentication service provider" means the National E-Authentication Centre affiliated to the Ministry of Information and Communications.
7. "Authentication regulation" means the document on policies and procedures for issuance and management of e-signatures or e-signature certificates and for use of special-use qualified e-signatures or trust services of the National e-authentication service provider, trust service providers, and organizations generating special-use qualified e-signatures.
8. "Service fees for maintaining systems for checking status of digital signature certificates" means the amount of money to maintain the information system for checking status of digital signature certificates for public digital signature authentication services, time stamping services, and data message authentication services.
9. "Secure key storage medium" means a medium containing the subscriber's secret key.
Chapter II
E-SIGNATURES
Section 1. E-SIGNATURE CERTIFICATES
Article 4. E-signature certificates
E-signature certificates are classified as follows:
1. Original digital signature certificates of the national e-authentication service provider are digital signature certificates that the national e-authentication service provider grants to itself for each trust service.
2. Digital signature certificates of trust service providers are digital signature certificates that the national e-authentication service provider grants to trust service providers for each trust service, including: digital signature certificates for time stamping services, digital signature certificates for data message authentication services, and digital signature certificates for public digital signature authentication services.
3. Public digital signature certificates are digital signature certificates granted to subscribers by public digital signature authentication service providers.
4. Special-use e-signature certificates are e-signature certificates granted by agencies and organizations generating special-use e-signatures.
Article 5. Contents of e-signature certificates
Contents of e-signature certificates include:
1. Information about agencies, organizations generating e-signature certificates.
2. Information about entities granted e-signature certificates, including name; identification code or e-identification of entities granted e-signature certificates and other necessary information (if any).
3. Official number of the e-signature certificates.
4. Validity period of e-signature certificates.
5. Data used to check e-signatures of entities granted e-signature certificates.
6. E-signatures of entities generating e-signature certificates.
7. Purposes and scope of use of the e-signature certificates.
8. Legal liability of entities generating e-signature certificates.
Article 6. Contents of digital signature certificates
1. Contents of original digital signature certificates of the national e-authentication service provider include:
a) Name of the national e-authentication service provider;
b) Official number of digital signature certificates;
c) Validity period of digital signature certificates;
d) Public key of the national e-authentication service provider;
dd) Digital signature of the national e-authentication service provider;
e) Purposes and scope of use of the digital signature certificates;
g) Legal liability of the national e-authentication service provider;
h) Asymmetric algorithm.
2. Contents of original digital signature certificates of the trust service provider for each type of trust service include:
a) Name of the organization granting digital signature certificate;
b) Name of the trust service provider;
c) Official number of digital signature certificates;
d) Validity period of digital signature certificates;
dd) Public key of the trust service provider;
e) Digital signature of the organization granting digital signature certificate;
g) Purposes and scope of use of the digital signature certificates;
h) Legal liability of the trust service provider;
i) Asymmetric algorithm.
3. Contents of public digital signature certificates include:
a) Name of the organization publishing digital signature certificate;
b) Name of the subscriber;
c) Official number of digital signature certificates;
d) Validity period of digital signature certificates;
dd) Public key of the subscriber;
e) Digital signature of the organization publishing digital signature certificate;
g) Purposes and scope of use of the digital signature certificates;
h) Legal liability of the public digital signature authentication service provider;
i) Asymmetric algorithm.
Article 7. Validity period of e-signature certificates, digital signature certificates
1. The validity period of original digital signature certificates of the national e-authentication service provider is 25 years.
2. The validity period of digital signature certificates of the trust service provider:
a) Digital signature certificates for time stamping services: maximum of 05 years;
b) Digital signature certificates for data message authentication services: maximum of 05 years;
c) Digital signature certificates for public digital signature authentication services: maximum of 10 years.
3. The validity period of public digital signature certificates: maximum of 03 years.
4. The validity period of special-use digital signature certificates in cases where special-use signatures are secured by special-use digital signature certificates is 10 years.
Article 8. Format of e-signature certificates, digital signature certificates
When granting or publishing e-signature certificates and digital signature certificates, agencies and organizations generating special-use e-signatures and trust service providers must comply with the regulations on the format of e-signature certificates and digital signature certificates prescribed by the Minister of Information and Communications.
Section 2. SPECIAL-USE QUALIFIED E-SIGNATURES
Article 9. Special-use qualified e-signatures
1. Special-use qualified e-signatures must satisfy requirements specified in clause 2 of Article 2 of the Law on e-transactions.
Special-use e-signatures secured by e-signature certificates designated by agencies and organizations are considered to satisfy the requirements specified in clause 2 of Article 2 of the Law on e-transactions.
2. Special-use qualified e-signatures are designated and used by agencies and organizations for their particular purposes in accordance with their functions and tasks, including:
a) Internal operation of generating agencies, organizations;
b) Operation in fields or sectors having the same nature of activities or purpose of work and associated through an operation charter or legal documents defining the common organizational structure or form of association or collective activities;
c) Operation representing the agency or organization itself to create special-use e-signatures to ensure safety in transactions with other organizations and individuals.
3. Agencies and organizations generating special-use qualified e-signatures shall be accountable for the use of special-use qualified e-signatures as prescribed in Clause 2 of this Article.
Article 10. Application for issuance, re-issuance of special-use qualified e-signature certificate
1. The application for issuance of special-use qualified e-signature certificate includes:
a) Application form for issuance of special-use qualified e-signature certificate using Form No. 01 specified in Appendix attached hereto;
b) Valid copy including a copy extracted from master register or a certified copy or a copy compared with the original copy of one of the following documents: Certificate of business registration, certificate of investment registration for foreign investors, decision on establishment or document regulating structure, organization or other valid equivalent certificates and licenses as prescribed by law on investment and law on enterprises;
c) Operation charter, documents on structure, organization; form of association, collective activities to demonstrate the use of special-use qualified e-signatures according to Clause 2 of Article 9 hereof;
d) Document proving that the generation of a special-use qualified e-signature satisfies all the requirements specified in Clause 1 of Article 9 hereof according to Form No. 03 in the Appendix attached hereto;
dd) Authentication regulations in accordance with Article 29 hereof.
2. The application for re-issuance of special-use qualified e-signature certificate includes:
a) Application form for re-issuance of expired special-use qualified e-signature certificate using Form No. 01 specified in Appendix attached hereto;
b) Document proving that the generation of a special-use qualified e-signature satisfies all the requirements specified in Clause 1 of Article 9 hereof according to Form No. 03 in the Appendix attached hereto;
c) Changes in information specified in issuance application specified in points b, c, dd of clause 1 of this Article;
d) Report on the implementation of the certificate from the date of issuance to the date of submission of application for re-issuance using Form No. 08 in the Appendix attached hereto.
Article 11. Procedures for receiving, settling applications for issuance, re-issuance of special-use qualified e-signature certificate
1. Agencies and organizations shall prepare 01 set of the corresponding application for issuance or re-issuance specified in Article 10 hereof.
2. Applications are submitted directly to the Ministry of Information and Communications or sent by post or via the online public service system (National Public Service Portal, https://dichvucong.gov.vn or Public Service Portal of the Ministry of Information and Communications, https://dichvucong.mic.gov.vn).
3. The validity of the applications shall be checked based on the following criteria:
a) The application is prepared in accordance with clause 1 of this Article;
b) The application must be in Vietnamese language. The application must have the confirming stamp of the agency, organization, and certifying stamp; documents printed by agencies or organizations with multiple pages must have chopping seals on the edges.
4. Within 07 working days from the date of receiving the application for issuance or re-issuance of a special-use qualified e-signature certificate, the Ministry of Information and Communications shall check the validity of the application in accordance with Clause 3 of this Article.
a) In invalid cases, the Ministry of Information and Communications shall send a notice clearly stating the reasons;
b) In valid cases, the Ministry of Information and Communications shall request the Ministry of Public Security, the Government Cipher Committee and relevant agencies and organizations to cooperate in verifying the application. Within 15 days from the date of receipt of the request for cooperation in verifying the application, the Ministry of Public Security, the Government Cipher Committee and relevant agencies and organizations shall respond in writing;
c) Within 20 days from the date of receiving results of verification prescribed in Point b of this Clause, the Ministry of Information and Communications shall verify and assess the actual information system for creating and issuing and re-issuing special-use qualified e-signature certificates for agencies and organizations. Special-use qualified e-signature certificate form shall comply with Form No. 02 specified in Appendix attached hereto. In cases of refusal, the Ministry of Information and Communications shall send a notice clearly stating the reasons. The validity period of special-use qualified e-signature certificates of agencies and organizations shall be maximum of 10 years.
5. If the agency or organization chooses to carry out the procedure for issuance, re-issuance of special-use qualified e-signature certificate online, the receipt and processing of the application shall comply with the Government's regulations on performance of administrative procedures online, online public services provision of state agencies in the network environment and the law on e-transactions, except for the case of actual assessment specified in Point c of Clause 4 of this Article.
6. In case the special-use qualified e-signature fails to satisfy one of the requirements specified in Clause 2 of Article 22 of the Law on E-transactions, the Ministry of Information and Communications shall revoke the special-use qualified e-signature and publish this matter on its website (https://rootca.gov.vn/).
Section 3. DIGITAL SIGNATURE
Article 12. Public digital signature
A public digital signature is a digital signature that is used in public activities, secured by a public digital signature certificate and satisfies all requirements specified in Clause 3 of Article 22 of the Law on E-transactions.
Article 13. Digital signature certificates of agencies, organizations and competent persons thereof
1. All agencies, organizations, and competent persons thereof prescribed by law that are established and operate legally have the right to be granted and published digital signature certificates.
2. Digital signature certificates granted to competent persons of agencies and organizations must clearly state the title and name of the agency or organization of that person.
Article 14. Use of digital signature certificates of agencies, organizations and competent persons thereof
1. Digital signature certificates granted to and published for agencies, organizations, and competent persons thereof as specified in Article 13 hereof shall only be used to perform transactions and activities under the jurisdiction of the agencies, organizations and titles for which the digital signature certificates were granted and published.
2. Signing by proxy or signing per procuration as prescribed by law, performed by a person assigned or authorized to use his/her digital signature, is based on the title of the signer recorded on the digital signature certificate.
Article 15. Obligations of the signer before digital signing
1. Before digital signing, the signer shall carry out the procedures for digital certificate status checking as follows:
a) Check the status of his/her digital signature certificate on the information system of the agency or organization that generates, issues, and publishes that digital signature certificate;
b) Check the status of the digital signature certificate of the agency or organization that generates and publishes his/her digital signature certificate on the trust service authentication system of the national e-authentication service provider;
c) If results of steps specified in points a and b of this clause are simultaneously valid, the signer may digitally sign. If results of steps specified in points a and b of this clause are simultaneously invalid, the signer may not digitally sign.
2. The digital signature software used must meet the requirements in Article 17 hereof.
Article 16. Obligations of the recipient when receiving digitally signed data message
1. Before accepting the signer's digital signature, the recipient must check the following information:
a) Digital certificate’s status, scope of use, liability limitation and information on the digital signature certificate of the signer must be identified according to regulations on e-identification and authentication;
b) The digital signature must be created by the private key corresponding to public key on the signer's digital signature certificate;
c) Regarding digital signatures created with a foreign digital signature certificate licensed to be used in Vietnam, recipients must check the validity of the digital signature certificate on both the trust service authentication system of the national e-authentication service provider and the e-signature authentication service provision system of the foreign organization.
2. Recipients must carry out procedures for digital certificate status checking as follows:
a) Check the status of the digital signature certificate at the time of using digital signature, scope of use, liability limitations and information on that digital signature certificate as prescribed in Article 6 of this Decree on the information system of the agency or organization that generates, issues, and publishes that digital signature certificate;
b) If the digital signer uses a digital signature certificate issued by a public digital signature authentication service provider: check the status of that certificate at the time of digital signing on the trust service authentication system of the national e-authentication service provider;
c) The digital signature in the data message is only valid if the checking results in Clauses 1 and 2 of this Article are also valid.
3. The recipient is responsible for accepting the digital signature certificate in the following cases:
a) Failing to comply with the regulations in Clause 1 and Clause 2 of this Article;
b) Coming into knowledge or being informed of the suspension, revocation, or expiration of the subscriber's digital signature certificate.
4. Digital signature verification software that meets the requirements in Article 17 hereof shall be used.
Article 17. Requirements for digital signature verification software
1. Digital signing software and digital signature verification software must comply with technical standards for digital signatures on data messages and must not use technical or technological barriers to limit the verification of digital signature validity.
2. Digital signing software must have the following functions:
a) Authenticating the signatory and digital signing;
b) Verifying the validity of digital signature certificates where the information in such certificates is identified in accordance with law on e-identification and e-authentication; connecting to the Public digital signature authentication service portal;
c) Storing and canceling information attached to digitally signed data messages;
d) Changing (adding, removing) digital signature certificates of agencies and organizations that generate, issue, and publish digital signature certificates;
dd) Notifying (in words/symbols) the signer whether the digital signing on the data message is successful or unsuccessful.
3. Digital signature verification software must have the following functions:
a) Verifying the validity of digital signatures on data messages;
b) Storing and canceling information attached to digitally signed data messages;
c) Changing (adding, removing) digital signature certificates of agencies and organizations that generate, issue, and publish digital signature certificates;
d) Notifying (in words/symbols) whether the digital signatures are valid or invalid.
4. The Minister of Information and Communications shall provide for technical requirements for the functions of digital signature software and digital signature verification software.
Chapter III
TRUST SERVICES
Section 1. TRUST SERVICE BUSINESS
Article 18. Business requirements
Enterprises may register for one or multiple trust services. When registering for any trust service, enterprises must satisfy all the requirements specified in Clause 1 of Article 29 of the Law on E-transactions. The requirements specified in Points b, c, d, and dd of Clause 1 of Article 29 of the Law on E-transactions are elaborated as follows:
1. Regarding financial conditions to resolve risks and compensation that may arise during the process of providing services and to pay the costs of receiving and maintaining the database of information related to the service provision, enterprises may choose to implement one of the following forms:
a) Deposit at a commercial bank in Vietnam applicable to one or multiple trust services. The deposit level is 10 billion VND for every 300,000 subscribers and not less than 10 billion VND, provided that enterprises are not allowed to collect down payments for more than 01 year from subscribers;
b) Purchase liability insurance for trust service provision to ensure the rights of subscribers during the service provision period.
2. Managerial and technical personnel requirements:
a) Personnel for system operation, including: administration, operation, information safety, information security, access control, monitoring and inspection, digital signature certificate life cycle management, key life cycle management;
b) Personnel for service provision, including: technical audit, security, issuance, suspension, cancellation, installation and warranty; verification of subscriber’s identity (for public digital signature authentication services and data message authentication services);
c) Personnel in charge of information safety, security, and confidentiality must hold a bachelor's degree or higher in information security and have at least 02 years of experience corresponding to the trained major;
d) Personnel in charge of administration, operation, technical audit, issuance, suspension, cancellation, installation and warranty, monitoring and inspection, and key life cycle management must hold a bachelor's degree or higher in/closely related to information technology and have at least 02 years of experience corresponding to the trained major.
3. Technical plans for service provision applicable to all types of trust services must include the following contents:
a) Comply with standards, technical regulations, technical requirements for digital signatures, digital signature certificates; trust services; cyberinformation security; cybersecurity;
b) Store complete, accurate, and updated subscribers' information; update the list of unexpired, suspended, and revoked digital signature certificates; ensure that subscribers can access and use this information via the Internet 24/7;
c) Ensure that each pair of keys is generated randomly and only once, and has features ensuring that the secret key cannot be discovered when the corresponding public key is available;
d) Warn, prevent and detect illegal online access;
dd) The digital signature certificate lifecycle management component is designed to minimize direct contact with the electronic environment and is independent of systems that do not serve trust services;
e) The information system must ensure at least level 3 cyberinformation security and protect personal data according to the law on cyberinformation security and cybersecurity;
g) Control entry and exit, system access, and access to the location of the device;
h) Have backups to ensure safe and continuous operation and recovery when incidents occur, procedures for data backup, online data backup, data recovery, and the capability to recover data within 08 working hours from the time of system error; the backup center is at least 20 kilometers away from the main data center and is ready to operate upon error occurring in the main system;
i) The service provision information system is located in Vietnam;
k) Authentication regulations in accordance with Article 29 hereof.
4. For public digital signature authentication services, the technical plan must comply with Clause 3 of this Article and supplement the following contents:
a) The key distribution system for subscribers must ensure the integrity and security of the key pair. In the case of key distribution through a computer network environment, the key distribution system must use the security protocols to ensure the confidentiality of information on the transmission line.
b) Solution to provide information (digital signature certificates, periodic and ad hoc reports as prescribed) by electronic means to the national e-authentication service provider for state management.
5. For time stamping services and data message authentication services, the technical plan must comply with Clause 3 of this Article and supplement the following contents:
a) Time source in accordance with law on national standard time source;
b) Solution to provide information (integrity-checking codes, event log, periodic and ad hoc reports as prescribed) by electronic means to the national e-authentication service provider for state management.
Article 19. Application for issuance, re-issuance, change of information, renewal of the trust service business license
1. Application for issuance of the trust service business license:
a) Application form for issuance of the trust service business license using Form No. 04 specified in Appendix attached hereto, clearly stating the type of trust service;
b) Valid copy including a copy extracted from master register or a certified copy or a copy compared with the original copy of one of the following documents: Certificate of business registration, certificate of investment registration for foreign investors, decision on establishment or other valid equivalent certificates and licenses as prescribed by law on investment and law on enterprises;
c) Documents proving that the applicant satisfies financial conditions specified in Clause 1 of Article 18 hereof;
d) Dossier on managerial and technical personnel, including: Judicial records, certified copies of bachelor’s degree or higher of managerial and technical personnel as prescribed in Clause 2 of Article 18 hereof, job descriptions and previous experience corresponding to such positions, employment contracts and assignment decisions;
dd) Technical plans for service provision applicable to each type of trust services to ensure compliance with clauses 3, 4, and 5 of Article 18 hereof;
e) Authentication regulations in accordance with Article 29 hereof.
2. Application for re-issuance of the trust service business license:
a) Application form for re-issuance of expired license using Form No. 05 specified in Appendix attached hereto;
b) Documents proving that the applicant satisfies financial conditions specified in Clause 1 of Article 18 hereof;
c) Enterprise’s changes in information related to business conditions in accordance with Article 29 of the Law on E-transactions (if any);
d) Report on the implementation of the license from the date of issuance to the date of submission of application for re-issuance using Form No. 08 in the Appendix attached hereto.
3. Application for change of information of the trust service business license:
a) Application form for change of information of the license using Form No. 05 specified in Appendix attached hereto;
b) The report detailing the proposed change and related documents.
4. Application for renewal of the trust service business license:
a) Application form for renewal of the expired trust service business license using Form No. 05 specified in Appendix attached hereto;
b) Documents proving that the applicant satisfies financial conditions specified in Clause 1 of Article 18 hereof;
c) Report on the implementation of the license from the date of issuance to the date of submission of application for renewal using Form No. 08 in the Appendix attached hereto.
Article 20. Procedures for receipt of the application for issuance, re-issuance, change of information, renewal of the trust service business license
1. Enterprises shall prepare 01 set of application for issuance, re-issuance, change of information, or renewal of the trust service business license as prescribed in Article 19 hereof.
2. Applications are submitted directly to the Ministry of Information and Communications or sent by post or via the online public service system (National Public Service Portal, https://dichvucong.gov.vn or Public Service Portal of the Ministry of Information and Communications, https://dichvucong.mic.gov.vn).
3. The validity of the documents shall be checked based on the following criteria:
a) The application shall be prepared in accordance with Clause 1 of this Article;
b) The language used in the application must be Vietnamese. The application must have confirming stamp of the agency, organization, and certifying stamp; documents printed by agencies or organizations with multiple pages must have chopping seals on the edges.
4. Within 07 working days from the date of receiving the application for issuance, re-issuance, change of information, renewal of the trust service business license, the Ministry of Information and Communications shall check the validity of the application in accordance with Clause 3 of this Article.
a) For inadequate application, the Ministry of Information and Communications shall send a notice clearly stating the reasons;
b) For adequate application, the Ministry of Information and Communications will review and settle in accordance with Article 21 hereof.
5. In case enterprises choose to carry out procedures for issuance, re-issuance, change of information, renewal of the trust service business license online, the receipt and processing of applications shall comply with the Government's regulations on performing online administrative procedures, providing online public services of state agencies, and the law on electronic transactions, except for the case of actual assessment specified in Clause 1 and Clause 2 of Article 21 hereof.
Article 21. Procedures for settlement of the application for issuance, re-issuance, revision of information, renewal of the trust service business license
1. For applications for issuance of the trust service business license:
a) Within 07 working days from the date of receipt of adequate documents, the Ministry of Information and Communications shall request the Ministry of Public Security, the Government Cipher Committee and relevant agencies and organizations to cooperate in verifying the application. Within 20 days from the date of receipt of the request, the Ministry of Public Security, the Government Cipher Committee and relevant agencies and organizations shall respond in writing;
b) Within 20 days from the date of responses regarding verification prescribed in Point a of this Clause, the Ministry of Information and Communications shall verify and issue license in accordance with Form No. 06 specified in the Appendix attached hereto. In cases of refusal, the Ministry of Information and Communications shall send a notice clearly stating the reasons;
c) Within 01 year from the date of being licensed, the trust service provider must implement the conditions specified in Article 18 hereof; report on the implementation of trust service provision according to Form No. 07 in the Appendix attached hereto;
d) The digital signature certificate shall be issued or reissued to the trust service provider within 30 days from the date of receipt of the report specified in Point c of this Clause, based on the actual assessment of the system operation process and authorization regulations, the conformity of the information system providing trust services with the application for license issuance, and the witnessing of the creation of the key pair (private key and public key) of the trust service provider. In cases of refusal, the national e-authentication service provider shall send a notice clearly stating the reasons.
2. For applications for reissuance of trust service business license:
a) If enterprises wish to continue providing the service, they must apply for reissuance of the license at least 90 days before the license expires;
b) Within 10 working days from the date of receipt of adequate documents, the Ministry of Information and Communications shall request the Ministry of Public Security, the Government Cipher Committee and relevant agencies and organizations to cooperate in verifying the application. Within 20 days from the date of receipt of the request, the Ministry of Public Security, the Government Cipher Committee and relevant agencies and organizations shall respond in writing;
c) Within 15 days from the date of receiving responses regarding verification prescribed in Point a of this Clause, the Ministry of Information and Communications shall verify the application and reissue the license based on the satisfaction of the business conditions as prescribed in Article 18 hereof and the actual assessment of the results of trust service provision. In cases of refusal, the Ministry of Information and Communications shall send a notice clearly stating the reasons.
3. For applications for revising information on the trust service business license:
a) In case of changes to any of the information regarding the head office address or transaction name, the enterprise must send application for revising the contents of the license;
b) Within 07 working days from the date of receipt of complete documents, the Ministry of Information and Communications shall verify the information and issue a license with the revised information. In cases of refusal, the Ministry of Information and Communications shall send a notice clearly stating the reasons. The validity period of the revised license is the remaining validity period of the issued license.
4. For applications for renewal of trust service business license:
a) In case the trust service business license has at least 60 days left before the license expires but the enterprise is in the process of full division, separation, consolidation, merger and has not been administratively sanctioned for violations in trust service provision within 12 months from the date of submitting the application for renewal, the enterprise must submit a renewal application if it wishes to renew its trust service business license;
b) Within 30 days from the date of receiving an adequate application, the Ministry of Information and Communications shall renew the license in accordance with Form No. 06 specified in the Appendix attached hereto. In cases of refusal, the Ministry of Information and Communications shall send a notice clearly stating the reasons. The validity of the renewed license shall not exceed 01 year from the date of expiration.
Article 22. License suspension
1. Trust service providers shall have their licenses suspended for no more than 06 months if they:
a) Provide services that are not in accordance with the content stated on the license;
b) Fail to satisfy one of the business conditions specified in Article 18 hereof from the time of starting to provide the service;
c) Fail to properly and fully fulfill the responsibility to declare and pay the service fee for maintaining the system to check the status of digital signature certificates in accordance with law on fees and charges for more than 06 months.
2. Procedures for suspension of licenses, digital signature certificates:
a) The Ministry of Information and Communications shall organize a meeting and make a record of the meeting with the trust service provider in one of the cases specified in Clause 1 of this Article. Within 07 working days from the date of issuance of the record, the Ministry of Information and Communications shall review and issue a suspension decision;
b) Within 05 working days, the national e-authentication service provider shall suspend the digital signature certificate of the trust service provider and publish such matter on the website (https://rootca.gov.vn/) in case the trust service business license is suspended or the trust service provision information system does not meet the technical audit requirements.
3. During the period of license suspension, if the trust service provider has resolved the issue leading to the suspension, the Ministry of Information and Communications shall allow the trust service provider to continue providing services; restore the digital signature certificate within 07 working days from the date of resolving the issue.
Article 23. License revocation
1. Trust service providers shall have their licenses revoked if they:
a) Do not want to continue providing services;
b) Dissolve or cease operations;
c) Are declared bankrupt by a court decision;
d) Are merged or consolidated;
dd) Fail to implement the conditions specified in Article 18 hereof within 01 year from the date of being licensed, except for force majeure events or objective obstacles as prescribed by law that they have reported in writing to the Ministry of Information and Communications;
e) Forge documents in the application for issuance, renewal, and reissuance of license or erase or change the content of the granted license;
g) Fail to resolve the issue leading to suspension specified in Clause 1 of Article 22 hereof after the suspension period specified by the competent authority expires;
h) Perform prohibited acts as prescribed in Article 6 of the Law on E-transactions.
2. Procedures for revocation of business license of a trust service provider:
a) The Ministry of Information and Communications shall organize a meeting and make a record of the meeting with the trust service provider in one of the cases specified in Clause 1 of this Article. Within 30 working days from the date of issuance of the record, the Ministry of Information and Communications shall review, issue a revocation decision and request the trust service provider to: immediately stop entering into a trust service business contract; handover to other trust service providers in accordance with the agreement or as designated by the Ministry of Information and Communications the following records and databases related to service provision:
For public digital signature authentication services: subscribers’ information and records, digital signature certificate data (list of published digital signature certificates, lists of revoked digital signature certificates during the service provision period);
For data message authentication services: subscribers’ information and records, information confirming the recipient, sender (based on subscribers’ registration information); information on the time of sending and receiving data messages; data messages; integrity-checking codes;
For time stamping services: subscribers’ information and records, integrity-checking codes for confirmation.
b) Within 05 working days, the national e-authentication service provider shall revoke the digital signature certificate of the trust service provider and publish such matter on the website (https://rootca.gov.vn/) in the following cases: the trust service business license is revoked; the digital signature certificate has expired; there is a written request from a competent authority; a written request from a trust service provider stating the reason for revocation.
3. Enterprises shall not be issued a license within 03 years from the date of license revocation if they violate the Points d, e and g of Clause 1 of this Article.
4. The Ministry of Information and Communications shall supervise and provide guidance on the handover between trust service providers to ensure uninterrupted service use by subscribers; request the trust service provider whose license has been revoked to complete insurance or deposit procedures to resolve risks and compensation that occur and pay the costs of receiving and maintaining the database of information related to service provision.
Section 2. TRUST SERVICES
Article 24. Time stamping services
Time stamping services provided by a trust service provider include:
1. Attaching time to a data message; the time attached to a data message is the date and time that the time stamping service provider receives the data message.
2. Providing the information necessary to help authenticate the data message of the subscriber who has attached the date, month, year and time to the data message.
3. Performing the storage and management of service users’ information.
4. Issuing, renewing, suspending, restoring and revoking subscribers’ accounts.
5. Maintaining online data on service users' information and the issued timestamp.
Article 25. Data message authentication services
1. Data message authentication services include:
a) Storing and confirming the integrity of data messages;
b) Sending and receiving secured data messages.
2. Data message integrity storage and confirmation services include:
a) Storing and managing service users’ information (identification data and authentication data for service use);
b) Storing data on verified sender identity evidence;
c) Storing the log of activities of the secure sending and receiving services, verifying the identity of the sender and the recipient and the exchange of information or data between the sender and the recipient;
d) Storing the recipient identity verification evidence before sending;
dd) Proving the assurance of the integrity of information in the data during the sending and receiving process;
e) Providing reference information to, or a list of, the entire process and content of sending and receiving data messages and revised content (if any), with a time stamp.
3. Secure data message sending and receiving services include:
a) Authenticating the sender;
b) Authenticating the recipient before sending the data;
c) The sending and receiving of data secured by the digital signature of a qualified trust service provider;
d) Notifying the sender and recipient of the data of any changes to the data necessary for the purpose of sending or receiving the data;
dd) Time stamping the sending and receiving of the data message.
Article 26. Public digital signature authentication services
1. Public digital signature authentication services are provided by public digital signature authentication service providers to authenticate the digital signature subject on a data message, ensure the non-repudiation of the signatory subject with the data message and ensure the integrity of the signed data message. Public digital signature authentication services include:
a) Public digital signature authentication services following the digital signature model on means of storing secret keys using hardware devices;
b) Public digital signature authentication service following the digital signature model on mobile devices;
c) Public digital signature authentication service following the remote digital signature model.
2. Public digital signature authentication services provided by trust service providers include those specified in Articles 35, 36, 37, 38, 39, 40, 41, 42, 43 and 44 hereof.
Article 27. Technical audit
1. Technical audit is an independent and objective assessment of information systems and service provision procedures to determine compliance with mandatory technical standards, technical regulations, and technical requirements of qualified e-signature, qualified e-signature certificates, digital signatures, and digital signature certificates and trust services.
2. The Ministry of Information and Communications shall regulate technical audits as prescribed in Clause 1 of this Article in accordance with the law on technical standards and regulations.
Article 28. Device management code
1. The device management code is a series of numbers or letters or symbols used to identify devices in the trust service information system as prescribed in Clause 2 of this Article used for state management.
The management code includes the following information fields: name, configuration, serial number of the device; location of the device and function of the device.
2. Devices in the trust service provision information system that must be coded include: servers; devices belonging to the digital signature certificate lifecycle management component; secret key storage devices; storage devices; network and security devices.
3. Issuance of management codes
a) The implementation method is guided and automatically registered through the online public service system (National Public Service Portal, https://dichvucong.gov.vn or the Public Service Portal of the Ministry of Information and Communications, https://dichvucong.mic.gov.vn or the Public Service Portal of the National Electronic Authentication Center, https://neac.gov.vn);
b) Time of registering and attaching management codes: before the system starts providing trust services and immediately upon any change in coded devices;
c) Time limit for issuance of management codes: within 08 working hours from the time of receiving the notification of automatic registration completion.
4. Trust service providers are responsible for registering and attaching the automatically issued code to the device as prescribed in Clauses 2 and 3 of this Article.
Article 29. Model authentication regulations
1. Model authentication regulations include at least the contents of the e-signature certificate policy, scope, purpose of use, subjects eligible to be issued, published requirements for the life cycle of the e-signature certificate/digital signature certificate.
2. The Ministry of Information and Communications shall issue the model authentication regulations specified in Clause 1 of this Article.
3. The national e-authentication service provider, trust service providers and the organization generating special-use qualified e-signatures shall be responsible for developing, publicizing and implementing the authentication regulations on the basis of the model authentication regulations. The Ministry of Information and Communications (National Electronic Authentication Center) must be informed of any changes to authentication regulations.
Article 30. Interconnection with national electronic certification service providers
The interconnection of national e-authentication service providers with public digital signature authentication service providers, with civil service digital signatures authentication service providers; the updating of the status of foreign e-signature certificates into the trust service authentication system must ensure the following requirements in accordance with regulations of the Ministry of Information and Communications:
1. The information system must ensure the checking of the status of e-signature certificates, digital signature certificates and the validity of digital signatures.
2. The information system must have tools and measures to protect data and authenticate data during the interconnection process.
3. Technical conditions for interconnection, connection to provide information to check the status of e-signature certificates, digital signature certificates and check the validity of digital signatures.
Article 31. Responsibilities of trust service providers
1. Perform responsibilities as prescribed in Article 30 of the Law on Electronic Transactions, regulations on cyberinformation security, network security, and personal data protection.
2. Conduct technical audits every 2 years.
3. In case of suspension, maintain the database system related to the issued public digital signature certificate until the digital signature certificate is restored.
4. In case of suspension, maintain the database of information related to service provision until the digital signature certificate is restored.
Article 32. Responsibilities of organizations and individuals when applying timestamps, checking timestamps of data messages and developing timestamp application
1. If requiring authentication of the time of signing a data message, the recipient shall check the timestamp attached to the data message, and related information about the timestamp must be issued by a licensed time stamping service provider.
2. The recipient shall use software and verification process that meets the technical standards and regulations on timestamps or check the timestamp on both the trust service authentication system of the national e-authentication service provider and the trust service provider information system.
3. The recipient shall be responsible for accepting the timestamp in the following cases:
a) Failing to comply with Clauses 1 and 2 of this Article;
b) Having known or been notified of the suspension, revocation, or expiration of the digital signature certificate of the time stamping service provider on https://rootca.gov.vn/.
Article 33. Responsibilities of national e-authentication service providers
1. Build, manage, operate, and develop the national e-authentication infrastructure; manage and provide services to trust service providers, agencies, organizations generating special-use qualified e-signature certificates, organizations, individuals using digital signatures, digital signature certificates, foreign e-signature authentication service providers, and agencies, organizations, and individuals using e-signatures, e-signature certificates recognized in Vietnam.
2. Publish and update on https://rootca.gov.vn/ the following information: list of trust service providers, agencies and organizations generating special-use qualified e-signature certificates, foreign e-signature authentication service providers, foreign e-signatures, foreign e-signature certificates recognized in Vietnam; authentication regulations; list of unexpired, expired, suspended, revoked digital signature certificates and other necessary information.
3. Coordinate incident handling activities related to digital signature certification and e-authentication services, time stamping services and other services in accordance with the law on e-transactions; update and store complete and accurate information required for authentication as prescribed.
4. Assess the actual operation process of the trust service provision information system, the authentication regulations, the conformity of the information system providing trust services with the licensing dossier, the generation of special-use qualified e-signatures and witness the generation of secret and public key pairs of trust service providers.
5. Self-issue digital signature certificates, generate key pairs for themselves and issue, suspend, and revoke digital signature certificates for trust service providers as prescribed in Chapter III hereof: national e-authentication service providers shall play the role and have the rights and obligations of trust service providers as prescribed in Chapter III hereof. Trust service providers shall play the role and have the rights and obligations of subscribers as prescribed in Chapter III hereof.
6. Organize the collection, management and use of service fees for maintaining the system to check the status of digital signature certificates in accordance with laws on fees and charges.
7. Research, build, manage and operate the system for testing, inspecting, assessing, calibrating and measuring standards and quality of special-use products and services related to e-signatures and trust services in accordance with laws on e-transactions.
8. Check the compliance with requirements for special-use e-signatures to ensure safety and compliance with conditions for trust service business.
9. Implement international cooperation activities on e-signatures and trust services; cooperate and support relevant agencies and organizations to integrate trust services into information technology applications to ensure authentication and safety.
Section 3. PUBLIC DIGITAL SIGNATURE AUTHENTICATION SERVICE PROVISION
Article 34. Application for issuance of public digital signature certificate
1. Application for issuance of public digital signature certificate shall be made in paper or electronic form according to the form of the public digital signature certification service provider.
2. Attached documents include:
a) For individuals: Identity documents including unexpired citizen identity (ID) card or ID card or e-identification or ID certificates or level-2 eID accounts or passports; unexpired entry visas or documents proving visa exemption (for individuals who are foreigners);
b) For organizations: establishment decisions or decisions on regulations on functions, tasks, powers, organizational structure or business registration certificates or investment certificates or business household registration certificates and ID documents of the legal representative of the organization, including citizen ID card or ID card or ID certificate or level-2 eID accounts or passport; or eID accounts of organizations.
3. Individuals and organizations have the right to choose to submit a copy from the original book, a certified copy or an electronic copy, or submit a copy with the original copy for comparison or use a level-2 eID account in accordance with laws on e-identification and e-authentication.
In the case of presenting the original copy for comparison, the public digital signature authentication service provider must confirm the copy and be responsible for the accuracy of the copy compared to the original. Consular legalization of documents issued by competent foreign authorities is carried out in accordance with law. In case the documents in the application are electronic copies, the public digital signature authentication service provider must have solutions and technology to collect, check and compare, ensuring that the electronic copy has complete, accurate content and matches the original copy in accordance with law.
4. In case an individual or legal representative of an organization provides or uses information in the citizen ID card or ID card or e-identification or ID certificate or information in the level-2 eID account of individual or eID account of organization, the public digital signature authentication service provider (receiving written approval to connect to the e-identification and e-authentication system in accordance with laws on e-identification and e-authentication or having sufficient means to read data in the chip, data in the level-2 eID account) shall use data in the electronic chip, data of the level-2 eID account of individual or eID account of organization; shall not require the individual or legal representative of the organization to submit records and documents as prescribed in Clause 2 of this Article.
Article 35. Request for issuance of public digital signature certificate
1. When wanting to request the issuance of a public digital signature certificate, the organization or individual shall prepare an application as prescribed in Article 34 hereof and submit it directly or by post or by electronic means to the public digital signature authentication service provider.
2. Upon receiving the application from the organization or individual, the public digital signature authentication service provider must check and compare the documents in the application and process it:
a) If the documents in the application for the issuance of a digital signature certificate are complete, legal, unexpired and the elements declared in the request completely match the documents in the application, the public digital signature authentication service provider shall issue the public digital signature certificate to the applicant as prescribed in Clause 3 of this Article;
b) If the documents in the application for issuance of a digital signature certificate are not complete, legal, or unexpired or the elements declared in the request for issuance of a public digital signature certificate do not match the documents in the application, the public digital signature authentication service provider shall notify the applicant to complete the application;
c) In case of refusal, there must be a written notice clearly stating the reasons.
3. After completing the inspection, comparison, and verification of identification of the organization or individual, the public digital signature authentication service provider shall enter into a contract and issue a public digital signature certificate to the subscriber in accordance with Article 38 hereof.
4. Public digital signature certificates shall be issued by electronic means in accordance with Article 36 hereof.
5. The issuance of public digital signature certificates to organizations and individuals with whom the public digital signature authentication service provider has established a relationship and completed the identification and verification of identification of the organization or individual shall be decided by the public digital signature authentication service provider, but it must ensure that it has or collects complete information and documents in the application for issuance of public digital signature certificates as prescribed in Article 34 hereof.
Article 36. E-publication of public digital signature certificates
1. Public digital signature authentication service providers that issue public digital signature certificates electronically must develop, issue, and publicize procedures for issuing digital signature certificates electronically in accordance with this Article, laws on e-transactions, and relevant regulations on information security, cybersecurity, and personal data protection; the issuance of public digital signature certificates includes at least the following steps:
a) Collect information on the application for issuance of public digital signature certificates in accordance with Article 34 hereof;
b) Conduct checks, comparisons, and verifications of identification of organizations and individuals;
c) Warn organizations and individuals about acts that must not be performed during the electronic issuance and use of public digital signature certificates;
d) Provide organizations and individuals with contract content and execute contracts with organizations and individuals.
2. Public digital signature authentication service providers are allowed to decide on measures, forms, and technologies to identify and verify organizations and individuals serving the electronic issuance of public digital signature certificates; be responsible for any arising risks (if any) and must meet the following minimum requirements:
a) Have solutions and technologies to collect, check, compare, and ensure the correct match between the identification of the organization, individual, biometric data of the legal representative of the organization, individual (which are biological factors and characteristics associated with the legal representative of the organization, individual performing the identification, difficult to fake, with a low overlap rate such as fingerprints, face, iris, voice and other biometric factors) with the corresponding biometric information and factors on the ID documents of the legal representative of the organization, individual specified in Clause 2, Article 34 hereof and ensure that the subject is correctly identified and identity is authenticated in accordance with law on e-identification and e-authentication;
b) Have technical measures to confirm that the identified organization or individual agrees with the contents of the contract;
c) Develop a process for managing, controlling, and assessing risks, including measures to prevent acts of impersonation, interference, editing, and falsification of the verification of identification of organizations and individuals before, during, and after issuing digital signature certificates to subscribers; in case of detecting risks, discrepancies, or signs of abnormalities between the identification of organizations and individuals and the biometric factors of organizations and individuals or detecting suspicious transactions during the digital signing process, the public digital signature authentication service provider must promptly refuse or suspend the public digital signature certificate and re-verify the identification of organizations and individuals. The risk management and control process must be regularly reviewed and improved based on information and data updated during the service provision process;
d) Store and preserve fully and in detail over time information and data identifying organizations and individuals during the process of issuing public digital signature certificates and using public digital signature authentication services such as: Identification of organizations and individuals; biometric factors of the legal representative of the organizations or individuals; audio, video, audio recordings; transaction phone numbers; transaction logs. Information and data must be stored safely, securely, backed up, ensuring the completeness and integrity of the data to serve the work of inspection, comparison, and settlement of inquiries, complaints, disputes and provision of information upon request from competent state regulatory authorities. Storage time shall be in accordance with laws on storage and protection of personal information.
Article 37. Key generation, distribution and management for subscribers
1. Organizations and individuals applying for the issuance of public digital signature certificates may create key pairs or request in writing the public digital signature authentication service provider to generate key pairs for them.
2. If organizations and individuals applying for the issuance of public digital signature certificates create the key pairs, they must ensure that they have used the key pair generation device in accordance with the technical regulations and mandatory technical standards applied to generate and store the key pairs.
3. If the organization providing public digital signature authentication services creates key pairs, the organization must ensure that it uses secure methods to transfer the secret key to the organization or individual applying for the issuance of public digital signature certificates and may only store a copy of the secret key when the organization or individual applying for the issuance of public digital signature certificates requests in writing.
4. If organizations provide public digital signature authentication services using the remote digital signing model, they are allowed to store the secret key of the organizations or individuals applying for issuance of public digital signature certificates and must use secure methods for storage.
5. Regarding key management activities, the public digital signature authentication service provider has the following responsibilities:
a) Immediately notify the subscriber, and at the same time apply timely preventive and remedial measures in case it detects signs that the subscriber's secret key has been leaked, is no longer intact, or has any other errors that may adversely affect the subscriber's rights;
b) Advise the subscriber to change the key pair when necessary to ensure the highest reliability and security for the key pair;
c) Restore the means of storing the secret key upon the subscriber's request.
Article 38. Issuance of public digital signature certificates to subscribers
1. Public digital signature authentication service providers shall issue public digital signature certificates to subscribers after verifying the following contents:
a) The information in the subscriber's application for issuance of public digital signature certificates is correct;
b) The public key on the public digital signature certificate to be issued is unique and is paired with the secret key of the organization or individual applying for issuance of the public digital signature certificate.
2. The public digital signature certificate shall only be issued to the organization or individual applying for the issuance and must contain all the information specified in Article 6 hereof.
3. The public digital signature authentication service provider shall only publish the public digital signature certificate issued to the subscriber on the basis of its public digital signature certificate database after receiving confirmation from the subscriber of the accuracy of the information on that digital signature certificate; the deadline for publication shall be no later than 24 hours after receiving confirmation from the subscriber; unless otherwise agreed.
4. The public digital signature authentication service provider shall ensure security throughout the process of creating and transferring the public digital signature certificate to the subscriber.
Article 39. Renewal of public digital signature certificates to subscribers
1. Before the expiration date of the public digital signature certificate, the subscriber has the right to apply for a renewal of the public digital signature certificate.
2. Upon receiving a renewal application from a subscriber, the public digital signature authentication service provider is obliged to complete the procedures for renewing the public digital signature certificate before its expiration and must ensure that the subscriber is correctly identified as the subject and that identity authentication is performed in accordance with laws on e-identification and e-authentication.
3. Where renewal of the public digital signature certificate requires changing the public key, the subscriber must prepare an application and state the reason; the generation, distribution and publication of the renewed public digital signature certificate shall be carried out in accordance with Articles 37 and 38 hereof.
Article 40. Changing the key pair for the subscriber
If subscribers want to change the key pair, they must submit an application for changing the key pair. The generation, distribution and publication of public digital signature certificates with new public keys shall comply with Articles 37 and 38 hereof.
Article 41. Suspension and restoration of public digital signature certificates of subscribers
1. Public digital signature certificates of subscribers shall be suspended in the following cases:
a) When the subscriber requests in writing and this request has been verified by the public digital signature authentication service provider as accurate;
b) When there is a risk, discrepancy or abnormality between the identification of the organization or individual and the biometric factors of the organization or individual, or when a suspicious transaction is detected during the digital signing process, or when any error is detected that affects the rights of the subscriber and the recipient;
c) When the subscriber is an organization that has suspended all business activities;
d) Upon receiving a written request from the prosecution agency, the police agency or the Ministry of Information and Communications;
dd) Being subject to the conditions for suspending the public digital signature certificate as stipulated in the contract between the subscriber and the public digital signature authentication service provider.
2. When there is a basis for suspending the public digital signature certificate as prescribed in Clause 1 of this Article, the public digital signature authentication service provider must suspend it, immediately notify the subscriber and publish on the public digital signature certificate database the suspension, the start and end time of the suspension.
3. The public digital signature authentication service provider must restore the public digital signature certificate when there is no longer a basis for suspending the public digital signature certificate or the suspension period has expired or at the request of a competent state agency.
Article 42. Revocation of public digital signature certificates of subscribers
1. Public digital signature certificates of subscribers shall be revoked in the following cases:
a) When the subscriber requests in writing and this request has been verified by the public digital signature authentication service provider as accurate;
b) When the subscriber is an individual who has died or gone missing as declared by a court or the subscriber is an organization that has dissolved or gone bankrupt as prescribed by law;
c) Upon receiving a written request from the prosecution agency, the police agency or the Ministry of Information and Communications;
d) Following the conditions for revocation of the public digital signature certificate as stipulated in the contract between the subscriber and the public digital signature certification service provider.
2. When there are grounds for revocation as prescribed in Clause 1 of this Article, the public digital signature authentication service provider must revoke the public digital signature certificate, immediately notify the subscriber and publish the revocation on the public digital signature certificate database.
Article 43. Information provision
1. Information disclosure:
Public digital signature authentication service providers must publicly disclose and maintain the following information 24/7 on their websites:
a) Regulations on authentication and digital signature certificates;
b) List of unexpired, suspended, and revoked public digital certificates of subscribers;
c) Necessary information as prescribed by law.
2. Information update:
Public digital signature authentication service providers must update the information specified in Clause 1 of this Article within 24 hours of any change.
3. Information provision:
Public digital signature authentication service providers must provide online real-time information on the number of public digital signature certificates that are in effect, suspended, or revoked to the national e-authentication service provider to serve the state management of public digital signature certification services.
4. Information storage:
a) Public digital signature authentication service providers shall ensure that the reception points, software, and applications requesting the issuance of public digital signature certificates fully comply with the regulations on authentication and storage of subscriber information; shall be fully accountable to the law for the fact that subscriber information is authenticated, stored, and managed as prescribed at the reception points, software, and applications requesting the issuance of public digital signature certificates;
b) Public digital signature authentication service providers shall develop a reliable service information system and a concentrated subscriber information database to input, store, and manage information throughout the subscriber's service use period, including: information on the application for issuance of public digital signature certificates as prescribed in Article 34 hereof, the start date of service use, the date of termination of service use for subscribers who have terminated service use; for subscribers who have terminated service use, subscriber information must continue to be stored in the database in accordance with the law on archives and for at least 02 years.
Public digital signature authentication service providers shall store all information related to the suspension or revocation of licenses and subscriber information databases, public digital signature certificates in accordance with the law on archives and for at least 05 years from the date the license is suspended or revoked or not eligible to be reissued;
c) Public digital signature authentication service providers shall connect the organization's concentrated subscriber information database with the Ministry of Information and Communications' Database to serve the state management of e-transactions; with the National Population Database to reference and authenticate subscriber information to ensure that the subject is correctly identified and identity authentication is performed in accordance with the law on e-identification and e-authentication;
d) Public digital signature authentication service providers shall provide complete information: proof that subscriber information in the organization's concentrated database has been compared, authenticated, input, stored, and managed as prescribed.
Article 44. Connection to the Public digital signature authentication service portal
1. Public digital signature authentication service providers are responsible for connecting to the Public digital signature authentication service portal.
2. Information systems serving e-transactions using digital signatures are responsible for integrating with the Public digital signature authentication service portal to ensure the authenticity, integrity and non-repudiation of data messages.
3. The Ministry of Information and Communications shall elaborate the connection specified in Clauses 1 and 2 of this Article.
Article 45. Rights and responsibilities of subscribers using public digital signature authentication services
1. Have the right to request public digital signature authentication service providers to provide in writing information according to the signed contract.
2. Have the right to request public digital signature authentication service providers to suspend or revoke the issued digital signature certificate and be accountable for such request.
3. Provide information as prescribed honestly and accurately to the public digital signature authentication service provider. Inform the public digital signature authentication service providers of any changes to the provided information for them to make changes to the content of the public digital signature certificate.
4. In case of self-generating key pairs, the subscriber must ensure that the key pair generating device meets the technical regulations and mandatory standards.
5. Control and use their secret keys securely throughout the time the public digital signature certificate is valid and suspended.
6. Notify public digital signature authentication service providers within 24 hours if they detect signs that their secret key has been disclosed, stolen, or used illegally, so that the providers can take measures to handle such matters.
7. When agreeing to let public digital signature authentication service providers publish the public digital signature certificate as prescribed in Clause 3, Article 38 hereof or when issuing that public digital signature certificate to another person for the purpose of transaction, the subscriber is considered to have committed to the recipient (i) that the subscriber is the legal holder of the secret key corresponding to the public key on that public digital signature certificate and (ii) that the information on the public digital signature certificate related to the subscriber is true, and must perform the obligations arising from that public digital signature certificate.
8. Be accountable to the law for any violations of the regulations specified in Clauses 3, 4, 5, 6 and 7 of this Article and other relevant laws.
Chapter IV
IMPLEMENTATION CLAUSES
Article 46. Effect
1. This Decree shall come into force from April 10, 2025.
2. Decree No. 130/2018/ND-CP dated September 27, 2018 of the Government elaborating the Law on e-transactions regarding digital signatures and digital signature authentication services and Decree No. 48/2024/ND-CP dated May 9, 2024 of the Government amending Decree No. 130/2018/ND-CP dated September 27, 2018 shall cease to be effective from the effective date of this Decree, except for the case specified in Article 47 hereof.
Article 47. Transitional provisions
1. If an organization is granted a license to provide public digital signature authentication services under the legislative documents detailing the Law on e-transactions No. 51/2005/QH11 that are still in effect, the payment of the service fee for maintaining the digital certificate status checking system shall comply with the applicable regulations of the law on fees and charges until the competent authority issues a replacing document.
2. An organization granted a license to provide trust services that has been providing public digital signature authentication services since the effective date of the Law on e-transactions No. 20/2023/QH15 shall pay the service fee for maintaining the digital signature certificate status checking system as the service fee for maintaining the digital certificate status checking system in accordance with the applicable regulations of the law on fees and charges until the competent authority issues a replacing document.
3. For newly arising services under the Law on e-transactions No. 20/2023/QH15 for which there are no regulations on fee collection, no fee collection shall be made until the competent authority issues a document on such matter.
4. The public digital signature authentication service provider that is legally operating, within 02 years from the effective date hereof, must be responsible for reviewing and upgrading the information system and the management and technical staff to meet the regulations hereof, except for the case where the public digital signature authentication service provider chooses to apply the Law on e-transactions No. 20/2023/QH15.
5. The issuance of digital certificates under the license to provide public digital signature authentication services that were issued before the effective date of the Law on e-transactions No. 20/2023/QH15 and are still valid on the effective date of the Law on e-transactions No. 20/2023/QH15 shall be carried out once. The maximum validity period of the issued digital certificate is 05 years and shall not exceed the remaining term of the license.
6. Application software that integrates digital signature software and digital signature verification software must, within 02 years from the effective date of this Decree, be reviewed and upgraded to meet the regulations of Article 17 hereof.
7. If the owner of the information system serving electronic transactions uses digital signatures in transactions, the owner of the information system shall review and upgrade the information system and application to integrate digital signature software and digital signature verification software to meet the regulations of Article 17 hereof.
Article 48. Responsibility for implementation
Ministers, heads of ministerial agencies, heads of government agencies, Presidents of People's Committees at all levels and relevant agencies, organizations and individuals are responsible for implementing this Decree.
ON BEHALF OF
GOVERNMENT OF VIETNAM