On 12 May 2026, the Ministry of Public Security (“MPS”) issued Circular No. 48/2026/TT-BCA promulgating QCVN 11:2026/BCA, the new National Technical Regulation on basic cybersecurity requirements for Internet Protocol (“IP”) surveillance camera devices.
The issuance of QCVN 11:2026/BCA marks an important regulatory development in Vietnam’s cybersecurity and product compliance framework for connected devices. As the use of IP surveillance cameras continues to expand across residential, commercial, industrial, and public sectors, Vietnamese authorities are placing increasing emphasis on cybersecurity controls applicable to Internet-connected hardware and data-processing systems.
The new regulation will officially take effect from 1 July 2026 and replace QCVN 135:2024/BTTTT previously issued by the Ministry of Information and Communications under Circular No. 21/2024/TT-BTTTT. The transition also reflects a broader shift in regulatory oversight relating to cybersecurity matters involving surveillance and monitoring technologies.
Scope of Application
QCVN 11:2026/BCA applies to Vietnamese and foreign organizations and individuals engaged in the manufacturing, trading, importation, and circulation of IP surveillance camera devices within Vietnam.
Accordingly, manufacturers, importers, distributors, and technology companies operating within the supply chain for such products should assess whether their products fall within the scope of the new regulation and evaluate the compliance status of their current product portfolios before the implementation date.
Key Cybersecurity Requirements
QCVN 11:2026/BCA introduces a number of baseline cybersecurity requirements applicable to covered devices. The regulation sets out technical requirements relating to, among others:
- initialization of unique passwords upon first use;
- management and remediation of security vulnerabilities;
- secure software and firmware update mechanisms;
- protection and secure storage of security parameters;
- management of secure communication channels;
- protection against unauthorized access through device interfaces;
- protection of user data;
- recovery capability following incidents or software failures;
- secure deletion of user data stored on devices;
- validation of input data; and
- protection of data stored on the device.
In addition to the technical requirements themselves, the regulation also provides corresponding testing methods and conformity assessment requirements applicable to covered products.
These requirements are intended to establish minimum cybersecurity safeguards for IP surveillance cameras distributed in the Vietnamese market, particularly in relation to access control, data protection, software integrity, and resilience against common cybersecurity risks.
Conformity Certification Requirements
Under the new framework, products falling within the scope of QCVN 11:2026/BCA will be required to undergo conformity certification and bear the conformity mark prior to circulation on the Vietnamese market.
Businesses may therefore need to review existing conformity assessment documentation, technical specifications, firmware structures, and cybersecurity features to ensure alignment with the new regulatory requirements.
The issuance of QCVN 11:2026/BCA is also expected to serve as the basis for further implementing regulations and product management measures by the MPS, including guidance relating to:
- regulated product lists;
- conformity assessment procedures;
- designated conformity assessment bodies; and
- implementation and inspection requirements.
Practical Considerations for Businesses
Given the relatively short implementation timeline before the regulation becomes effective on 1 July 2026, businesses involved in the manufacture, importation, and distribution of IP surveillance cameras should consider conducting an initial compliance assessment as early as possible.
In particular, companies may wish to review:
- password and authentication mechanisms;
- firmware and software update procedures;
- vulnerability management processes;
- user data protection functions;
- data storage and deletion mechanisms;
- technical cybersecurity documentation; and
- existing conformity certification status under previous regulations.
Early preparation may help businesses minimize potential disruptions relating to importation, distribution, product registration, and commercialization activities once the new regulation takes effect.
Importantly, manufacturers already compliant with QCVN 135 should view QCVN 11 as a continuation rather than a disruption. The substantive cybersecurity requirements remain fundamentally consistent, allowing for a smooth and predictable transition process.
BDC will continue monitoring developments relating to QCVN 11:2026/BCA and provide further updates as additional guidance and implementation measures become available from the Ministry of Public Security.
