November 2025

Specific Non-Government Agencies Should Pay Attention to the New Cyber Security Management Requirements (Taiwan)

To address the rapid changes and challenges in domestic and international cybersecurity environments, Taiwan’s Legislative Yuan passed amendments to the Cyber Security Management Act (“CSMA”) on August 29, 2025. The amendments were promulgated by the President on September 24, 2025, and will take effect on a date to be determined by the Executive Yuan. This is the first amendment to the CSMA since its enactment in 2018, expanding the original 23 articles to 35, reflecting the significant scope of this revision.
 
The CSMA applies to Government agencies and Specific non-government agencies. A “Specific non-government agency” is a provider of Critical infrastructure, a state-owned enterprise, a designated foundation, or an enterprise, group, or institution under government control (Article 3, Subparagraph 6 of the CSMA). “Critical infrastructure” refers to physical or virtual assets, systems, or networks whose interruption or reduced functionality may significantly affect the public interest (Article 3, Subparagraph 7 of the CSMA). Critical infrastructure providers are designated sector by sector: the Executive Yuan announces the covered sectors, the central industry competent authority for each sector (“Competent Authority”) designates the providers within it, and the designations are submitted to the Executive Yuan for approval (Article 3, Subparagraph 8 of the CSMA). Examples include power supply facilities or systems in the energy sector, communication service systems in the communications sector, and bank transaction systems in the financial sector.
 
In addition, the amendments bring “enterprises, groups, or institutions under government control” within the scope of Specific non-government agencies. These are enterprises in which the government, directly or indirectly and including through its subordinate business or non-business funds, holds 20% or more of the total capital, and groups or institutions whose personnel, finance, or business operations are directly or indirectly controlled by the government (Article 3, Subparagraph 10 of the CSMA). Examples include enterprises in which the National Development Fund, Executive Yuan holds an investment, and banks controlled by the Ministry of Finance that meet the criteria announced by the Ministry of Civil Service.
 
The key obligations for Specific non-government agencies under the amendments are summarized as follows:
 
I. Specific non-government agencies must appoint a Cyber Security Officer and dedicated cyber security personnel

In the past, only Government agencies were required to appoint a Cyber Security Officer. Under the amendments, Specific non-government agencies must also appoint one. The position must be held by the legal representative, a manager, another person with authority to represent the agency, or another appropriately designated person, and the officer is responsible for promoting and supervising cybersecurity affairs within the agency (Article 23 of the CSMA). In addition, to ensure sufficient protection capability, Specific non-government agencies must appoint dedicated cyber security personnel in numbers commensurate with their assigned cyber security responsibility level (Article 20, Paragraph 2, and Article 21, Paragraph 1 of the CSMA).
 
II. Strengthening cyber security requirements for outsourced services of Specific non-government agencies

Previously, when a Specific non-government agency outsourced the setup or maintenance of an Information and communication system, or the provision of Information and communication services, to a third party (the “outsourced party”), it was only required to select the outsourced party appropriately and to supervise its cyber security maintenance. Because outsourced parties should themselves maintain adequate cyber security protection, the amendments additionally require the outsourced party to establish cyber security management measures or to obtain certification from an impartial third party (Article 10, Paragraph 2 of the CSMA). Furthermore, to clarify supervisory responsibilities, the amendments require the Specific non-government agency to execute a written contract with the outsourced party specifying the parties’ rights, obligations, and liabilities for breach (Article 10, Paragraph 3 of the CSMA).
 
III. The Competent Authority may restrict or prohibit the download, installation, or use of products harmful to national cyber security

The amendments introduce the concept of “products harmful to national cyber security.” These are information and communication systems, services, or products that the Competent Authority has identified as posing a direct or indirect risk to national cyber security, or as affecting government operations or social stability (Article 3, Subparagraph 11 of the CSMA). The amendments expressly authorize the Competent Authority to restrict or prohibit Specific non-government agencies from downloading, installing, or using such products. Where necessary for cyber security protection, the same restrictions extend to broadcasting equipment and internet access services that a Specific non-government agency provides for public audiovisual use at premises it operates itself or through an outsourced operator (Article 27, Paragraph 1 of the CSMA).
 
IV. The Competent Authority may conduct administrative investigations into cyber security incidents involving Specific non-government agencies

To strengthen supervisory authority, the amendments allow the Competent Authority to investigate cyber security incidents involving Specific non-government agencies, including by requiring relevant parties to appear and give statements, which they may not refuse (Article 25 of the CSMA). A party that evades, obstructs, or refuses such an investigation may be fined between NT$100,000 and NT$1,000,000 (Article 31 of the CSMA).
 
V. Dual-track mechanism for personal data protection

The CSMA and the Personal Data Protection Act (“PDPA”) serve different purposes: the CSMA governs cyber security obligations, while the PDPA governs the appropriate security measures for personal data. The two laws therefore operate concurrently. Where a cyber security incident involves a breach of personal data, a Specific non-government agency must, in addition to its CSMA obligations, comply with the PDPA and its related regulations (Article 33 of the CSMA).
 
The amendments designate the Ministry of Digital Affairs (“MODA”) as the competent authority for the CSMA itself (Article 2 of the CSMA). The Administration for Cyber Security, MODA, is to complete amendments to eight subordinate regulations within six months of the presidential promulgation, including the Enforcement Rules of the CSMA, the Regulations on Classification of Cyber Security Responsibility Levels, and the Regulations on Audit of Implementation of Cyber Security Maintenance Plan of Specific Non-Government Agency. Since the amended CSMA and its subordinate regulations are expected to take effect together, affected entities should monitor these developments closely in order to determine how they must comply with the revised framework and to adjust their internal policies accordingly.

The contents of all materials (Content) available on the website belong to and remain with Lee, Tsai & Partners. All rights are reserved by Lee, Tsai & Partners, and the Content may not be reproduced, downloaded, disseminated, published, or transferred in any form or by any means, except with the prior permission of Lee, Tsai & Partners. The Content is for informational purposes only and is not offered as legal or professional advice on any particular issue or case. The Content may not reflect the most current legal and regulatory developments.

Lee, Tsai & Partners and the editors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The contributing authors’ opinions do not represent the position of Lee, Tsai & Partners. If the reader has any suggestions or questions, please do not hesitate to contact Lee, Tsai & Partners.