The Legislative Yuan adopted the Information and Communications Security Administration Law (hereinafter, the “Law”) on May 11, 2018. The objectives of this Law are to proactively promote national information and communications security policy and accelerate the development of a national information and communications security environment in order to safeguard national security and maintain social and public interests. The legislative highlights are summarized below:
The competent authority under this Law shall be the Executive Yuan (Article 2). The entities to which this Law shall apply include public agencies and specific non-public agencies. Public agencies refer to central and local agencies (organizations) or public juristic persons which exercise government authority pursuant to law, provided that this shall not include military and intelligence agencies (Article 3, Subparagraph 5). Specific non-public agencies refer to providers of key infrastructure, state-run enterprises and foundations established out of government donations and contribution (Article 3, Subparagraph 5). In particular, the key infrastructure refers to physical or virtual assets, systems or networks which, if they ceased to operate or if their performance is reduced, are likely to have major impact on national security, social and public interest, national livelihood or economic activities and which are subject to regular inspection and announcement by the competent authority (Article 3, Subparagraph 7). The key infrastructure provider refers to the entity which maintains, operates or provides key infrastructure in whole or in part, and which is designated by the central competent authority for specified business and referred to the competent authority for approval (Article 3, Subparagraph 8). The Executive Yuan will send a written notice to the key infrastructure providers to whom this Law applies after an approval is granted (Article 16, Paragraph 1).
The obligations that a public agency shall assume pursuant to this Law primarily include: compliance with the requirements for its information and communications security responsibility level (Article 10); establishment of a chief information security officer (Article 11); formulation of an information and communications security maintenance plan whose implementation status shall be reported every year along with an improvement report on its implementation irregularities (Articles 10, 12, and 13); and formulation of reporting and emergency response mechanisms for information and communications security incidents, reporting upon knowledge of information and communications security incidents and the submission of a report on the investigation, handling and improvement of the information and communications security incident (Article 14).
The obligations that shall be assumed by a key infrastructure provider under this Law primarily include: compliance with the requirements for its information and communications security responsibility level (Article 16, Paragraph 2); formulation and submission of an information and communications security maintenance plan and submission of an improvement report on its implementation irregularities (Article 16, Paragraphs 2-5); and formulation of reporting and response mechanisms for information and communications security incidents, reporting upon knowledge of information and communications security incidents and the submission of a report on the investigation, handling and improvement of the information and communications security incident (Article 18). As for a specific non-public agency which is not a key infrastructure provider, although it is also obligated to formulate an information and communications security maintenance plan, still it is not required to submit a voluntary report and is only required to submit an implementation status report and an improvement report on implementation irregularities at the request of the competent authority for specified business (Article 17) with the remaining obligations the same as those of key infrastructure providers.
Articles 19 through 21 of the Law contain relevant penal provisions. A specific non-public agency which fails to report an information and communications incident pursuant to Article 18, Paragraph 2 of the Law may be subject to a fine of NT$300,000 to NT$5,000,000, and the fine may be imposed continuously for failure to rectify within a stated period (Article 21).
This Law was announced on June 6, 2018 without a confirmed effective date before this essay was completed. The Executive Yuan is expected to implement the Law by stages. This Law will be applied to public agencies first, followed by key infrastructure providers and by specific non-public agencies other than key infrastructure providers. Relevant ancillary laws authorized under this Law, which include the Enforcement Rules of the Information and Communications Security Management Law, the Rules for the Tiering of Information and Security Responsibilities, the Rules for Sharing Information and Communications Intelligence, the Rules for the Reporting and Emergency Responses for Information and Communications Security Incidents, the Information and Communications Security Maintenance Plan for Specific Non-public Agencies, and the Rules for Rewarding and Penalizing Public Agency Personnel for Handling Information and Communications Security Business, will be successively formulated.