Vietnam’s physical security market is growing rapidly, driven by investments in smart city infrastructure, public safety, and industrial modernization. But as the use of IP-based surveillance cameras expands across government, education, and commercial sectors, concerns about cybersecurity vulnerabilities have intensified.
In response, the government has introduced QCVN 135:2024/BTTTT, a national technical regulation requiring that all IP cameras sold or used in Vietnam meet stringent cybersecurity standards. The regulation targets a wide range of risks, including default login credentials, weak encryption, unpatched firmware, and unsecured data storage.
According to Bureau Veritas Vietnam, the regulation marks a turning point in Southeast Asia’s approach to securing physical surveillance infrastructure. Industry analysts point out that this regulation sends a clear signal to manufacturers, importers, and systems integrators that compliance with cybersecurity standards is becoming a market access requirement across Southeast Asia.
What the regulation requires
The regulation, issued by the Ministry of Information and Communications (MIC), applies to both imported and domestically manufactured IP cameras. It mandates security compliance across key areas including device access, data handling, software updates, and network communication.
Implementation is rolling out in two phases. Beginning on February 15, 2025, it entered a voluntary trial application phase for compliance testing and certification. The second stage is full enforcement set to start on January 1, 2026.
Bureau Veritas Vietnam noted that the regulation covers multiple layers of device and system security: “This includes device security, authentication management, vulnerability management, update management, and user data security.”
Key technical requirements include:
- Unique default passwords to avoid unauthorized access.
- Secure user authentication and access control.
- Regular firmware and security updates.
- Encrypted communication channels to prevent interception.
- Data protection policies aligned with Vietnam’s broader data privacy regulations.
- System recovery mechanisms in case of security breaches.
Wireless surveillance devices like drones and flycams will face additional licensing and inspection, adding compliance complexity.
Market impact: design, distribution, and deployment
The regulation’s ripple effects will be felt across the supply chain, from global OEMs and local importers to systems integrators.
“Manufacturers will need to redesign their IP cameras to incorporate the required security features, such as strong password management, secure data storage, and encrypted communication channels,” said the spokesperson from Bureau Veritas Vietnam.
“Meeting the new standards will likely require investments in research, development, and testing,” the spokesperson added. Non-compliant products may be barred from the market. “Cameras that do not meet the new standards may face restrictions on sale or import into Vietnam.”
The regulation may also benefit local manufacturers. “The regulations may create an advantage for Vietnamese manufacturers who can offer cameras that meet the new standards, potentially shifting user preference away from Chinese-made cameras, which are perceived to have security risks.”
Importers will need to adopt rigorous sourcing practices. “Importers will need to verify that all IP cameras they import meet the QCVN 135:2024/BTTTT standards,” said the spokesperson. “Importing non-compliant cameras could lead to delays and extra costs due to testing and re-exporting.”
“Importers need to be very fluently on the import/export regulation and inspections so that it could bring timely to the markets,” the spokesperson added.
For systems integrators, the regulation alters integration workflows and customer service.
“Integrators will need to ensure that the cameras they integrate into systems meet the required security standards, harmonizing with the current networks and follow the current regulations,” said the Bureau Veritas spokesperson.
They must also enhance technical support. “Integrators may need to train their staff on the new security features and provide support to customers on how to use and manage the secure cameras.”
Security lifecycle management will be essential. “Integrators may need to implement processes for identifying and patching vulnerabilities in the cameras they integrate, as well as reporting security incidents to the authorities – especially for those cameras installed on the stated or governmental facilities.”
“Integrators who can demonstrate expertise in integrating secure IP camera systems may find new business opportunities,” the spokesperson added.
Vulnerabilities the rules aim to fix
The regulation is designed to eliminate high-risk vulnerabilities that have become common in IP-based surveillance systems.
According to Bureau Veritas Vietnam, “The regulation requires manufacturers to implement robust security measures to protect against a range of vulnerabilities in IP-based surveillance systems, including unauthorized access, data breaches, and the potential for cameras to be exploited for cyberattacks.”
The regulation outlines several critical threat categories that it seeks to mitigate. Bureau Veritas Vietnam identified the following key risks:
Default credentials: The regulations aim to eliminate the risk of attackers gaining access through default usernames and passwords on cameras by requiring the use of strong, unique passwords.
Unsecured firmware: The need for secure firmware and software is emphasized, with mandates for regular updates and patches to address vulnerabilities.
Unencrypted communication: The regulations may require encryption for data transmitted to and from the camera to prevent interception of video streams and other sensitive information.
Malware and DDoS risks: The goal is to prevent IP cameras from being infected with malware, including ransomware or viruses, and to reduce their susceptibility to use in Distributed Denial of Service (DDoS) attacks.
Botnet infections: By improving the baseline security of IP cameras, the regulations aim to prevent them from being hijacked for botnet operations.
System-level administration: Devices must include secure administrative settings that allow users to configure parameters such as lockout timing and login attempt thresholds.
Patch management: The importance of automated patch management is emphasized to ensure cameras are continuously updated with the latest security fixes.
Data localization: The regulation may require that all video and user data be processed and stored within Vietnam to comply with national data protection frameworks.
How integrators can prepare
Bureau Veritas recommends that systems integrators begin aligning operations with existing Vietnamese laws, including:
- Law No. 24/2018/QH14 (Law on Cybersecurity)
- Decree 53/2022/NĐ-CP (Critical infrastructure security)
- Decree 13/2023/NĐ-CP (Personal Data Protection)
To prepare for the new regulatory landscape, Bureau Veritas Vietnam outlined five strategic steps that systems integrators should follow:
- Gap assessment: Systems integrators should evaluate their current IP camera systems and deployments against Vietnam’s cybersecurity and personal data protection laws. This includes identifying gaps in data storage, access control, encryption, and vendor compliance.
- Secure-by-design: Integrators should work only with IP camera manufacturers who comply with Vietnamese certification requirements, support over-the-air (OTA) security updates, and are not blacklisted under the Ministry of Information and Communications (MIC) or the Ministry of Public Security (MPS).
- Local data hosting: Integrators are encouraged to offer on-premise or Vietnam-hosted cloud storage options and avoid foreign platforms that do not comply with local data regulations.
- Cybersecurity training: Engineering and technical teams should be upskilled in cybersecurity practices based on NIST or ISO/IEC 27001 standards, alongside training in Vietnam-specific laws.
- Governance protocols: Integrators should work with clients to define clear data ownership structures, data retention policies, and breach response protocols.
Regional ripple effects and design innovation
Vietnam’s regulation could influence regional cybersecurity policy and product design trends.
“IP camera regulations, if effective and well-received in one ASEAN country, could serve as a model for other nations seeking to modernize their own regulations in areas like data privacy, security, and surveillance,” said the Bureau Veritas Vietnam spokesperson.
Cross-border businesses may welcome harmonization. “Companies operating across borders in Southeast Asia would prefer to have consistent regulations to avoid compliance complexities and costs.”
Standardized policies could also drive investment. “Regulatory alignment can facilitate cross-border trade and investment by reducing barriers and promoting a more predictable business environment.”
As for technology, Vietnamese mandates could spark product redesign across ASEAN. “New regulations might mandate specific security features, like enhanced encryption or data protection protocols, prompting manufacturers to develop and integrate these features into their products.”
Designing for compliance may also boost local innovation. “Regulations might also require or encourage localization of features or functionalities, potentially boosting innovation in customized solutions for specific regional needs,” the spokesperson said.
Emerging opportunities could include new business models. “The regulations could create opportunities for new business models around data management, cloud storage, and video analytics, fostering innovation in related fields.”
Looking ahead: readiness and regional impact
Vietnam’s QCVN 135:2024/BTTTT regulation marks a pivotal moment in the evolution of the country’s security technology landscape. By setting clear cybersecurity standards for IP cameras, the regulation not only addresses longstanding vulnerabilities but also drives a shift in how surveillance systems are designed, procured, and deployed.
While the new requirements may pose initial challenges, particularly around compliance costs, integration complexity, and market access, Vietnamese authorities and global stakeholders view this move as a proactive step toward future-proofing critical infrastructure.
For systems integrators and manufacturers, the message is clear: adapting early to this regulation will be essential to remain competitive in Vietnam’s fast-evolving security sector. Moreover, the ripple effect across ASEAN markets means that aligning product and deployment strategies with Vietnam’s cybersecurity framework may offer long-term strategic advantages in the region.
As the 2026 deadline approaches, industry players have a window of opportunity to reassess operations, partner wisely, and invest in cybersecurity as a core part of their value proposition. Vietnam’s cybersecurity regulation is more than a local compliance measure - it is a potential catalyst for regional regulatory alignment and technological advancement across the surveillance ecosystem.
More broadly, the regulation is seen as a catalyst. This is not just a local compliance measure - it is a potential catalyst for regional regulatory alignment and technological advancement across the surveillance ecosystem.