Whether Internet service providers (ISPs) must comply with coordination requirements is a legal matter that readers should review carefully before acting on it in practice. This article is organized by ANT Legal in an accessible way to help individuals and enterprises understand the key issues, common risks and appropriate handling direction.
I have a question as follows: must an enterprise providing Internet services (ISP) comply with incident response coordination requirements of the national coordinating agency? The question was submitted by Mr. Q.B.B from Ho Chi Minh City.
Must an enterprise providing Internet services (ISP) comply with incident response coordination requirements of the national coordinating agency?
Under applicable law
Pursuant to Article 7 of Decision 05/2017/QD-TTg of 2017 on the national cybersecurity incident response network, regulations on enterprises providing Internet services are as follows:
National cybersecurity incident response network
1. Members obliged to participate in the national cybersecurity incident response network, hereinafter referred to as the incident response network, include:
…
dd) Enterprises providing telecommunications infrastructure and Internet services (ISPs); organizations and enterprises providing data center services and digital information storage space leasing services; units managing and operating national databases; specialized information security and information technology units of banking, finance, treasury, tax and customs organizations;
…
4. Network members are responsible for complying with the network’s operating regulations, complying with coordination requirements of the coordinating agency, and actively participating in and contributing to the network’s operations. Telecommunications enterprises and Internet service providers (ISPs) are responsible for storing and providing information relating to subscriber IP addresses, servers, IoT devices, log files and DNS service logs within the enterprise’s management scope; establishing an environment for installing monitoring and sampling equipment and providing network data streams for monitoring and incident detection at the request of the national coordinating agency; establishing a permanent 24/7 contact point and arranging personnel and resources ready to coordinate and implement solutions for responding to and remedying incident consequences when the attack source is determined to originate from subscribers under the enterprise or when requested by the national coordinating agency.
Thus, an enterprise providing Internet services (ISP) is obliged to participate in the national cybersecurity incident response network.
At the same time, an enterprise providing Internet services (ISP) is responsible for complying with coordination requirements of the coordinating agency.
How much may an Internet service provider (ISP) be fined for failing to comply with incident response coordination requirements of the national coordinating agency?
Pursuant to Clause 4 Article 78 of Decree 15/2020/ND-CP on violations of regulations on ensuring information security and cybersecurity incident response:
Violations of regulations on ensuring information security and cybersecurity incident response
…
4. A fine ranging from VND 50,000,000 to VND 70,000,000 shall be imposed for any of the following acts:
a) Failing to appoint a contact point to conduct coordination activities for incident response or failing to participate in the national cybersecurity incident response network;
b) Failing to comply with incident response coordination requirements of the national coordinating agency;
c) Failing to arrange premises, connection ports and necessary technical conditions as required by the Ministry of Information and Communications or the Ministry of Public Security;
d) Failing to organize incident response activities in the sector, locality or scope under its management;
dd) Failing to coordinate with the national coordinating agency, service providers and competent agencies to restore certain essential activities, data or connections in order to minimize damage to the information system or adverse social impacts;
Accordingly, where an enterprise providing Internet services (ISP) fails to comply with incident response coordination requirements of the national coordinating agency, it may be fined from VND 50,000,000 to VND 70,000,000.
Note on Applying Current Legal Regulations
This article belongs to the Business & M&A group and is presented for reference purposes, helping readers understand the legal issue at an overview level before preparing a dossier or carrying out a transaction.
Legal regulations may vary depending on the timing, locality, type of dossier and specific circumstances. If you need to determine the exact legal basis applicable to your case, you should contact ANT Legal’s lawyers at 0966.475.966 for review and advice before proceeding.
Common Legal Risks to Note
- Applying legal instruments that have been amended, supplemented or replaced.
- Preparing an incomplete set of documents, materials or necessary evidence.
- Misunderstanding the conditions, procedure, timeline or competent authority.
- Signing, submitting a dossier or carrying out a transaction before fully assessing legal risks.
How Can ANT Legal Support You?
ANT Legal can review the specific circumstances, examine the dossier, identify the applicable legal basis, advise on an appropriate handling plan and represent clients in working with individuals, organizations or competent authorities where necessary.
For prompt advice, you may contact a lawyer at 0966.475.966.
