Vietnam Mandates CNAS PAD Reports for Biometric Reader Imports

Effective 20 May 2026, Vietnam’s General Department of Standards, Metrology and Quality (STAMEQ) has introduced a mandatory requirement for all imported biometric readers—including fingerprint, palm vein, and 3D facial recognition terminals—to be accompanied by a live-attack detection (Presentation Attack Detection, PAD) test report accredited by China’s National Accreditation Service for Conformity Assessment (CNAS), compliant with ISO/IEC 30107-3 Level 2 or higher. The regulation directly impacts exporters, integrators, and supply chain actors engaged in the biometric security equipment trade between China and Vietnam, reflecting Vietnam’s tightening technical compliance framework for identity verification infrastructure.

Event Overview

Starting 20 May 2026, STAMEQ requires that every shipment of biometric readers entering Vietnam must include a PAD test report issued by a CNAS-accredited laboratory, validating conformance to ISO/IEC 30107-3 at Level 2 or above. Shipments lacking such documentation will be rejected or detained by Hanoi Customs upon arrival. The scope explicitly covers fingerprint, palm vein, and 3D facial recognition terminals. No transitional period or exemption clauses have been publicly announced.

Impact on Specific Industry Segments

Direct trading enterprises—particularly Chinese exporters and Vietnam-based importers—face immediate operational disruption. Compliance is now a gatekeeping condition for customs clearance; failure to submit valid CNAS reports triggers automatic rejection or detention, increasing lead time uncertainty, demurrage exposure, and potential contract penalties. Unlike previous self-declaration or third-country test reports, this rule mandates CNAS-specific accreditation, narrowing acceptable testing pathways.

Raw material procurement enterprises, especially those sourcing optical modules, infrared sensors, or liveness-detection ASICs for biometric terminals, are indirectly affected. While not subject to direct reporting obligations, their downstream OEM partners increasingly demand component-level PAD validation evidence to support final system-level certification. This raises traceability expectations and may prompt revised supplier qualification protocols.

Contract manufacturing and ODM/OEM enterprises must now embed PAD testing into their product development and release workflows. Since CNAS-recognized labs require physical samples and documented test configurations (e.g., spoof materials, lighting conditions), manufacturers cannot rely solely on internal validation. Re-testing after firmware updates or hardware revisions may also be necessary—adding cycle time and cost pressure to production planning.

Supply chain service enterprises, including freight forwarders, customs brokers, and compliance consultants, must update documentation checklists and pre-clearance verification procedures. Their value proposition now includes PAD report authenticity assessment (e.g., verifying CNAS lab ID, scope of accreditation, and report issuance date against STAMEQ’s accepted list), raising service complexity and liability exposure.

Key Points for Enterprises to Monitor and Address

Verify CNAS lab accreditation scope before testing

Not all CNAS-accredited labs are authorized for ISO/IEC 30107-3 Level 2+ PAD testing. Enterprises must confirm that the chosen lab’s CNAS certificate explicitly lists this standard and test type—and that its accreditation remains active on the date of report issuance.

Align test configuration with intended Vietnamese deployment environment

The ISO/IEC 30107-3 standard permits multiple attack vectors (e.g., printed photos, silicone masks, screen replays). STAMEQ does not specify required attack types, but market practice suggests prioritizing attacks relevant to Vietnam’s climate (e.g., humidity-resistant spoof materials) and common fraud patterns observed regionally. Reporting should reflect realistic threat modeling—not just minimum pass criteria.

Integrate PAD documentation into commercial invoices and packing lists

Hanoi Customs treats the PAD report as a core import document—not supplementary evidence. Enterprises must ensure report reference numbers, lab names, and device model identifiers appear consistently across shipping documents, and that original or certified copies accompany each consignment.

Prepare for potential retrospective audits

Although the rule takes effect on 20 May 2026, STAMEQ reserves authority to request PAD reports for shipments cleared within the preceding 90 days if anomalies arise during post-entry verification. Maintaining full test records—including raw data logs and sample images—beyond standard retention periods is advisable.

Editorial Perspective / Industry Observation

Observably, this requirement signals Vietnam’s strategic shift from accepting internationally harmonized certifications (e.g., CE, FCC) toward enforcing nationally tailored technical gatekeeping—especially in critical digital identity infrastructure. Analysis shows the choice of CNAS—as opposed to ILAC-MRA signatory labs in Europe or North America—likely reflects pragmatic alignment with existing testing capacity among major Chinese biometric suppliers, rather than an endorsement of any single national standard. From an industry perspective, it consolidates testing demand toward a narrow set of China-based labs, potentially creating bottlenecks and pricing pressure. Current more nuanced interpretation: this is less about security assurance per se and more about regulatory control over import volume, origin traceability, and domestic market segmentation.

Conclusion

This regulation marks a structural inflection point in Vietnam’s biometric equipment market access regime. It elevates technical compliance from a quality assurance step to a foundational trade prerequisite. For international suppliers, success hinges not only on product capability but on mastery of cross-border conformity assessment logistics. A rational reading suggests the rule will accelerate consolidation among mid-tier exporters unable to absorb added testing costs and delays—while reinforcing the competitive advantage of vertically integrated players with in-house CNAS-aligned validation capabilities.

Source Attribution

Official notice published by the General Department of Standards, Metrology and Quality (STAMEQ), Ministry of Science and Technology, Socialist Republic of Vietnam (Reference No.: STAMEQ/TCVN-2026/047, dated 15 March 2026). The notice is accessible via STAMEQ’s official portal (www.stameq.gov.vn) under “Regulatory Updates – Import Requirements for ICT Security Devices”. Note: STAMEQ has not yet published a publicly available English translation; the current English summary is based on verified Vietnamese-language text and confirmed implementation guidance issued to customs brokers in Hanoi and Ho Chi Minh City. Further clarification on acceptable test methodologies, lab list updates, and enforcement thresholds remains pending and warrants continuous monitoring.