Taiwan’s Legislative Yuan recently passed the Cybersecurity Management Act (the Act, 資通安全管理法). The Act now awaits its implementation schedule (including its effective date), which will be decided in the near future by the competent authority for the Act, the Administrative Yuan.

In addition to government agencies, the Act also requires Providers of Critical Infrastructure (關鍵基礎設施提供者) to establish and maintain a safe, stable and secure cyber environment.

Who is a Provider of Critical Infrastructure?

The Act applies to providers whose tangible or intangible assets, systems and/or internet resources are of high importance because their outage, loss of efficiency or impairment would substantially affect or endanger national security, social and public interests, and economic activities. The regulated industries include the following sectors:

  • Energy
  • Water
  • Information Technology and Telecommunications
  • Transport and Traffic
  • Banks and Finance
  • Emergency Rescue and Hospitals
  • Central and Local authorities
  • High Technology Parks

The central competent authorities for each category of business (各中央目的事業主管機關), after obtaining approval from the Administrative Yuan, will designate certain business operators as Providers of Critical Infrastructure by written notice.

What obligations apply?

In general, Providers of Critical Infrastructure will need to (a) implement a Cybersecurity Maintenance Plan (資通安全維護計畫) and (b) notify the central competent authority for their business of any cybersecurity incidents (資通安全事件).

Cybersecurity Maintenance Plan

Providers of Critical Infrastructure should formulate, revise and implement a Cybersecurity Maintenance Plan that conforms with the requirements of their cybersecurity responsibility level (資通安全責任等級之要求) as decided by the Administrative Yuan, and that reflects the types, quantity and nature of the data they keep or process as well as the scale and nature of their cybersecurity systems.

In addition, Providers of Critical Infrastructure are required to report the implementation status of their Cybersecurity Maintenance Plan (資通安全維護計畫之實施情形) to their competent authority for inspection. Where any defects or insufficiencies are found, the Provider of Critical Infrastructure must rectify them and submit an improvement report (改善報告).

Notification Requirements

To deal with potential cybersecurity incidents, the Act requires Providers of Critical Infrastructure to establish a report and response mechanism (通報及應變機制) in advance.

When a threat to the systems, services or network status is identified that may affect the operation, availability, integrity, authenticity or confidentiality of its IT system, the Provider of Critical Infrastructure must notify its competent authority immediately after becoming aware of the incident.

In addition, following each cybersecurity incident, the Provider of Critical Infrastructure should submit a report detailing its investigation, handling and improvement (調查、處理及改善報告) to the competent authority that oversees its business. In the case of significant incidents, the report should be sent to the Administrative Yuan as well.

Enforcement

Where a Provider of Critical Infrastructure fails to issue the required notifications about a cybersecurity incident, the central competent authority for the business can directly impose a fine of TWD300,000 to TWD5 million (approx. US$10,000 to US$168,000) and also order the Provider to rectify the issue within a prescribed period of time. If the Provider continues to neglect its reporting obligations, the fine can be imposed on a consecutive basis.

For violations of the other obligations stipulated in the Act, the competent authority for the business will first order the Provider to remedy the shortcoming within a prescribed time. If the Provider fails to improve before the deadline, fines of TWD100,000 to TWD1 million (approx. US$3,400 to US$33,000) can be imposed on a consecutive basis.