Vietnam IP Camera Cybersecurity Rule: QCVN 11:2026/BCA
- 2 days ago
- 4 min read
Vietnam: QCVN 11:2026/BCA Sets Baseline Cybersecurity Requirements for IP Surveillance Cameras
Vietnam has tightened the rules governing internet-connected surveillance cameras. On 12 May 2026, the Ministry of Public Security (MPS / Bộ Công an) issued Circular 48/2026/TT-BCA, promulgating the national technical regulation QCVN 11:2026/BCA – National Technical Regulation for Surveillance Camera using Internet Protocol – Baseline Cybersecurity Requirements. The regulation takes effect on 1 July 2026 and applies to every organization and individual domestic or foreign that manufactures, imports, or distributes IP surveillance cameras in the Vietnamese market.
For any manufacturer or importer already serving Vietnam, this is a meaningful shift: the cybersecurity baseline for IP cameras now sits with the Ministry of Public Security rather than the telecommunications authority that previously oversaw it, and the technical bar that products must clear has been raised and consolidated into a single mandatory standard.
Regulatory Background: From QCVN 135 to QCVN 11
Until now, the cybersecurity baseline for IP cameras in Vietnam was set by QCVN 135:2024/BTTTT, issued by the former Ministry of Information and Communications (now folded into the Ministry of Science and Technology) under Circular 21/2024/TT-BTTTT. That standard became mandatory for imported and domestically produced IP cameras from 1 January 2026.
QCVN 11:2026/BCA replaces that framework. The substantive change is twofold. First, oversight moves to the Ministry of Public Security, reflecting Vietnam's treatment of network-connected surveillance devices as a national-security and public-order matter, not solely a telecommunications one. Second, the regulation is anchored in the same internationally recognized baseline as its predecessor, the European ETSI EN 303 645 standard for consumer IoT cybersecurity and the ETSI TS 103 701 conformance-assessment specification but folds the requirements into the MPS's enforcement remit.
The policy rationale is concrete. Vietnamese authorities have reported that more than 800,000 cameras in the country publicly share images online, and that a large share of deployed devices carry exploitable vulnerabilities. For households, a compromised camera can expose interior spaces and daily routines; for businesses, it can reveal floor plans, production lines, and personnel movements. QCVN 11:2026/BCA is designed to close those common weaknesses at the device level before products reach the market.
QCVN 11:2026/BCA: Vietnam's New IP Camera Cybersecurity Baseline
QCVN 11:2026/BCA sets out a group of mandatory technical requirements reported by the Vietnam Institute for Standards and Quality as 11 requirement groups that target the vulnerabilities most frequently exploited in network cameras. The core areas are:
Password management and authentication. Devices may not ship with universal default passwords shared across units. Each camera must use a unique per-unit password or allow the user to set their own, and the authentication mechanism must resist automated (brute-force) network attacks.
Secure software and firmware updates. Cameras must support a secure update mechanism, with updates authenticated (for example, via digital signatures) to prevent tampering. This directly addresses the long-standing problem of cameras that received no security updates after sale.
Vulnerability management. Manufacturers and suppliers must operate a mechanism to receive and act on reported security vulnerabilities, and provide timely patches over the device's service life.
Secure storage of sensitive parameters. Sensitive security parameters must be stored securely on the device.
Data protection in storage and transmission. Sensitive data, account credentials, authentication information, and image data, must be protected both at rest and in transit.
Data localization capability. Devices must provide configuration features allowing data to be stored in Vietnam in line with data-management and protection requirements.
Resilience and data lifecycle. Cameras must be able to restore normal operation after an incident, support deletion of user data when required, and validate input data to reduce the risk of vulnerability exploitation.
What This Means for Manufacturers
The practical impact falls on product design, documentation, and market-access planning:
Eliminate shared default credentials now. Any product line still relying on a common default password will not meet QCVN 11:2026/BCA. This is the single most common gap and the first thing to fix in firmware and provisioning.
Stand up a maintainable update and vulnerability-handling program. Compliance is not a one-time test event. The standard expects a working signed-update pipeline and a vulnerability-intake/patch process that lives across the product's supported life. Treat it as an ongoing operational commitment, not a certificate.
Plan for data-localization configuration. Products may need a configuration path that keeps data within Vietnam. Where designs route through regional cloud back-ends, confirm the device can be configured to satisfy this requirement.
Re-baseline existing QCVN 135 evidence. Because both standards rest on ETSI EN 303 645 / TS 103 701, much prior test evidence and engineering work is reusable — but it must be re-mapped to QCVN 11:2026/BCA and to the MPS's procedures rather than carried over unchanged.
Watch the risk-classification list. The conformity-declaration obligation for medium- and high-risk cameras only activates once the MPS publishes the product risk-classification list. Until then, the precise procedural route for those products is not fully operational. Build the technical conformance now, and be ready to file once the list is issued.
Certification Impact Summary
Aspect | Detail |
Instrument | Circular 48/2026/TT-BCA, issuing QCVN 11:2026/BCA |
Issuing authority | Ministry of Public Security (Bộ Công an / MPS) |
Regulation type | National technical regulation — baseline cybersecurity (mandatory) |
Scope | IP (internet-protocol) surveillance cameras manufactured, imported, or distributed in Vietnam |
Who is affected | Domestic and foreign manufacturers, importers, and distributors |
Standard replaced | QCVN 135:2024/BTTTT (under Circular 21/2024/TT-BTTTT) |
International basis | ETSI EN 303 645 V2.1.1; ETSI TS 103 701 |
Signed | 12 May 2026 |
Effective date | 1 July 2026 |
Conformity route | Declaration of conformity (công bố hợp quy) for medium- and high-risk cameras, applicable once MPS publishes the product risk-classification list (Art. 2(3); Sec. 4.1) |
Status of risk list | Not yet published as of this article — monitor for release |
Timeline and Required Actions
12 May 2026: Circular issued. MPS signs Circular 48/2026/TT-BCA and QCVN 11:2026/BCA. Action: confirm your affected SKUs and the markets they ship to in Vietnam.
Now through 30 June 2026: Transition window. Action: run a gap analysis against QCVN 11; remediate default-password, secure-update, and vulnerability-handling gaps; verify data-localization configuration; re-map existing QCVN 135 / ETSI EN 303 645 evidence to QCVN 11.
1 July 2026: Regulation effective. QCVN 11:2026/BCA applies and supersedes QCVN 135:2024/BTTTT. Action: ensure all in-scope products placed on the market meet the new baseline.
On publication of the MPS risk-classification list (date TBD): Conformity declaration activates. Action: identify whether your products fall into the medium- or high-risk categories and complete the declaration of conformity (công bố hợp quy) under the designated procedure.
Ongoing: Maintain compliance. Action: operate the signed-update pipeline and vulnerability-intake/patch process across the supported product life; retain records for inspection.
