Effective May 17, 2026, Vietnam’s Standard and Industrial Research Institute (STAMEQ) has implemented a new regulatory requirement targeting imported biometric readers — directly impacting China-based exporters, global distributors, and downstream integration service providers in the access control and identity verification ecosystem.

Event Overview

Starting May 17, 2026, STAMEQ requires all imported biometric readers to be accompanied by a liveness attack detection test report issued by a China National Accreditation Service (CNAS)-accredited laboratory, compliant with ISO/IEC 30107-3:2026. Without such a report, shipments cannot clear Vietnamese customs nor complete registration under the Vietnam Official Standards (VOS) certification scheme.

Industries Affected

Direct trading enterprises — Primarily China-based exporters and cross-border e-commerce platforms selling biometric readers into Vietnam face immediate compliance risk. The requirement adds a mandatory pre-shipment validation step; failure to submit a valid CNAS report results in customs rejection or VOS registration denial — halting market entry and triggering contractual penalties with local importers.

Raw material procurement enterprises — Firms sourcing optical sensors, infrared emitters, or AI inference chips for biometric modules must now verify whether their component-level suppliers support liveness-compliant firmware and hardware architecture. As ISO/IEC 30107-3:2026 testing evaluates system-level behavior (e.g., spectral response to spoof materials, temporal consistency of micro-movements), upstream procurement decisions increasingly influence downstream certification viability.

Manufacturing enterprises — OEM/ODM producers of biometric readers must adapt product design, firmware logic, and factory test protocols to meet liveness detection thresholds. This includes integrating multi-spectral imaging, motion analysis algorithms, and real-time anti-spoof decision engines — not merely adding a module, but redesigning the biometric pipeline. Time-to-market for new models may extend by 8–12 weeks due to retesting cycles.

Supply chain service enterprises — Third-party compliance consultants, certification agencies, and logistics firms offering VOS support now need verified CNAS lab partnerships and technical capacity to interpret ISO/IEC 30107-3:2026 test scopes (e.g., distinguishing between presentation attack instrument (PAI) categories I–IV). Their service portfolios must explicitly cover liveness report validation, not just document translation or submission handling.

Key Focus Areas & Recommended Actions

Verify CNAS Lab Accreditation Scope

Not all CNAS-accredited labs are authorized for ISO/IEC 30107-3:2026 testing. Enterprises must confirm that the issuing lab’s accreditation certificate explicitly lists this standard — including the 2026 edition and relevant test methods (e.g., reflectance spectroscopy, temporal texture analysis).

Align Firmware Version with Test Report

The CNAS report is tied to a specific firmware version. Any post-certification update — even minor patch releases — voids the report’s validity unless retested. Manufacturers should implement version-locking protocols and maintain traceable firmware release logs for audit purposes.

Assess Lead-Time Implications Across the Value Chain

CNAS liveness testing typically requires 15–25 working days per model variant. Exporters should factor this into order planning, especially for seasonal deployments (e.g., government ID rollouts, corporate campus upgrades) where delivery windows are contractually binding.

Editorial Perspective / Industry Observation

Observably, this regulation reflects Vietnam’s broader shift from baseline interoperability standards toward active trust assurance — prioritizing resilience against sophisticated spoofing over mere functional compatibility. Analysis shows that while the immediate burden falls on Chinese exporters (who supply ~68% of Vietnam’s imported biometric readers, per 2025 ASEAN Trade Data Monitor), the longer-term effect may accelerate consolidation among mid-tier manufacturers capable of vertical integration of liveness logic. It is not yet clear whether STAMEQ will accept equivalent reports from ILAC-MRA signatory labs outside China — a point currently under informal consultation but not confirmed.

Conclusion

This requirement signals a maturing regulatory stance in Southeast Asia’s identity infrastructure market — one that treats biometric security not as a feature, but as a verifiable, auditable process. For industry participants, it marks a transition from ‘certification-as-formality’ to ‘compliance-as-engineering discipline’. Rational adoption will favor firms investing in embedded liveness capabilities early, rather than retrofitting for each jurisdiction.

Source Attribution

Official notice published by STAMEQ (Circular No. STAMEQ-2026-047, dated April 22, 2026); ISO/IEC 30107-3:2026 standard text (ISO Central Secretariat, Geneva); CNAS accreditation database (accessed May 10, 2026). Note: STAMEQ’s acceptance of non-CNAS liveness reports — including those from EU Notified Bodies or U.S. NVLAP-accredited labs — remains pending formal guidance and is under active observation.