Amendment to the Cyber Security Management Act: Enhancing Taiwan’s Cybersecurity Governance Framework

On September 24, 2025, the President promulgated amendments to the Cyber Security Management Act (the “Act”) passed by the Legislative Yuan. The effective date of implementation will be determined by the Executive Yuan.

The Act governs two categories of regulated entities: government agencies and specific non-government agencies. The latter encompasses: (1) critical infrastructure providers, (2) government-owned enterprises, and (3) specific foundations or government-controlled enterprises, organizations, or institutions. Critical infrastructure comprises assets, systems, or networks whose disruption would significantly impact national security, social stability, or economic activities, as designated by the Executive Yuan. Operators of such infrastructure are designated by the sectoral regulatory authorities and subject to Executive Yuan ratification.

This amendment, made in response to evolving cybersecurity threats, is the first since the Act took effect in 2019. It establishes the Ministry of Digital Affairs as the regulatory authority and introduces enhanced cybersecurity governance measures, including:

1. Restrictions on Products Harmful to National Cybersecurity

   Government agencies are prohibited from downloading, installing, or using products harmful to national cybersecurity. Products harmful to national cybersecurity refer to systems, services, or products which the regulatory authority has determined to pose risks to national cybersecurity and potentially undermine government operations or social stability. This includes products provided by foreign entities, China, hostile foreign forces, or their de facto controllers as defined under the National Security Act and Anti-Infiltration Act. The prohibition extends to audio-visual equipment and internet access services provided in government-operated or outsourced facilities. Exceptions may be granted through special project approval by the regulatory authority where business necessities exist and no alternatives are available, subject to inventory management.

   For specific non-government agencies, the sectoral regulatory authorities may restrict or prohibit the use of such products, including audio-visual equipment and internet access services provided in their operational facilities.

2. Appointment Requirements for Chief Information Security Officer and Dedicated Cybersecurity Personnel in Specific Non-Government Agencies

   Specific non-government agencies must appoint a Chief Information Security Officer, either the agency’s representative or a designated qualified person, to supervise cybersecurity maintenance operations. Agencies meeting specified cybersecurity responsibility levels must also assign dedicated personnel for cybersecurity operations.

3. Investigative Authority Granted to Sectoral Regulatory Authorities for Major Cybersecurity Incidents in Specific Non-Government Agencies

   The scope of investigation includes requesting relevant parties to appear and provide statements, requiring submission of third-party investigation reports, and conducting on-site inspections. Parties under investigation shall not evade, obstruct, or refuse such investigations, with violations subject to fines ranging from NT$100,000 to NT$1,000,000.

4. Increased Penalties for Specific Non-Government Agencies

   The maximum penalty for failing to report cybersecurity incidents has been raised to NT$10,000,000. Other violations are subject to fines up to NT$5,000,000 if not corrected within prescribed periods, including failure to implement cybersecurity maintenance plans, non-submission of implementation reports and improvement reports, lack of incident reporting and response mechanisms, non-submission of incident investigation reports, and non-compliance with reporting requirements and drill regulations. These fines may be imposed repeatedly for continued non-compliance.

5. Contractual Requirements for Outsourced Cybersecurity Services

   Agencies outsourcing cybersecurity operations must execute written contracts with service providers specifying rights and obligations. Agencies must also participate in cybersecurity exercises coordinated by the Ministry of Digital Affairs.

6. Dual Compliance for Cybersecurity and Personal Data Incidents

   Cybersecurity incidents involving personal data breaches require separate compliance with both the Act and the Personal Data Protection Act due to their distinct regulatory objectives.

© Copyright – Stellex Law Firm | designed by Morcept