Cybersecurity regulation in Taiwan (2026)
Taiwan has a dedicated comprehensive cybersecurity law — the Cyber Security Management Act — originally enacted in 2018 and in force since January 2019. A significant amendment was passed by the Legislative Yuan on 29 August 2025, promulgated on 24 September 2025, and entered into force on 1 December 2025, expanding scope, strengthening CISO mandates, doubling maximum incident-reporting fines, and barring government use of nationally harmful ICT products. Taiwan also launched Phase VII of its National Cybersecurity Development Program (2025–2028) with NT$8.8 billion in funding.
Key points
The CSMA (Law Code A0030297) has been the primary cybersecurity statute since 2019. The December 2025 amendment is the first major revision, expanding regulated entities to include government-controlled businesses and organisations beyond the original scope of critical infrastructure providers, state-owned enterprises, and government-endowed foundations.
Taiwan designates eight critical infrastructure (CI) sectors under Executive Yuan guidance: energy, water resources, telecommunications, transportation, banking and finance, emergency aid and hospitals, central and local governments, and high-tech parks. CI providers must comply with assigned cybersecurity responsibility levels and maintain written cybersecurity plans.
Under the Regulations on Notification and Response of Cyber Security Incidents (A0030305), regulated entities must report a cybersecurity incident to the Ministry of Digital Affairs (MODA) / Administration for Cyber Security (ACS) within one hour of discovery. Damage-control or recovery measures must be completed within 36–72 hours depending on severity level; Level 3/4 incidents require a level-review result delivered to MODA within one hour.
The 2025 amendment expressly requires all regulated entities — both government agencies and specific non-government agencies — to appoint a Chief Information Security Officer (CISO) and at least one full-time dedicated cybersecurity staff member. For government agencies, the CISO must be designated from deputy-head-level or equivalent personnel.
The 2025 amendment doubled the maximum administrative fine for failing to report a cybersecurity incident from NT$5 million to NT$10 million (approx. US$310,000). The amendment also granted competent sectoral authorities new investigative powers over material cybersecurity incidents at specific non-government agencies.
Taiwan's Executive Yuan launched the seventh phase of its National Cybersecurity Development Program in 2025, allocating NT$8.8 billion (~US$300 million) to national defense cyber capabilities, critical infrastructure protection, and AI-driven cybersecurity adoption. NICS, established in January 2023 under MODA, supports Zero Trust Architecture testing and AI-threat research.
Timeline - major decisions & events
Taiwan's National Security Bureau reported that Chinese state-linked cyber operations reached an average of 2.63 million intrusion attempts per day in 2025 — a 113% jump from 1.23 million in 2023 — with attacks coordinated to coincide with 23 of China's 40 military patrol exercises and targeting telecom networks, hospitals, and the defence supply chain.
Source: National Security Bureau, R.O.C. (Taiwan)
The first CSMA revision (Legislative Yuan passed 29 Aug; President promulgated 24 Sep 2025) took effect, formally designating MODA as competent authority, mandating CISO appointments and dedicated cybersecurity staff at covered non-government entities, tightening outsourcing controls, granting MODA investigative powers, and doubling maximum incident-reporting fines to TWD 10 million.
Source: Administration for Cyber Security, MODA
Cabinet approved a NTD 8.8 billion (≈ USD 301 million) four-year plan organised around four pillars: whole-of-society resilience, critical-infrastructure joint defence, domestic industry alignment with international standards, and AI-driven threat detection — the largest dedicated cybersecurity investment in Taiwan's history.
Source: Executive Yuan, R.O.C. (Taiwan)
The Preparatory Office of the PDPC opened on 5 December 2023 and assumed interpretive authority over the PDPA from the National Development Council on 1 January 2024, creating Taiwan's first dedicated data-protection supervisory authority and a key complement to CSMA enforcement.
Source: Laws & Regulations Database, R.O.C. (Taiwan)
Taiwan's Financial Supervisory Commission fined Shanghai Commercial & Savings Bank TWD 10 million — the heaviest cybersecurity-related banking penalty in Taiwan to that point — after a breach exposed names and national ID numbers of approximately 14,000 customers, signalling escalating financial-sector enforcement priorities.
Source: Baker McKenzie Resource Hub
MODA launched as a dedicated cabinet-level body consolidating digital, telecommunications, and cybersecurity oversight; it houses the Administration for Cyber Security and the new National Institute of Cyber Security (NICS), centralising authority previously dispersed across NICST, NCC, and NICI.
Source: Administration for Cyber Security, MODA
Attackers directed up to 8.5 million requests per minute at Taiwan's presidential-office website and government English portal coinciding with U.S. House Speaker Nancy Pelosi's arrival; convenience-store displays and railway stations were simultaneously defaced, demonstrating coordinated use of cyber operations as a geopolitical pressure tool.
Source: The Record (Recorded Future News)
The sixth consecutive four-year national cybersecurity programme expanded sector-specific security requirements, strengthened NCCST's incident-response mandate, and reinforced protections across nine designated critical-infrastructure sectors, building on two decades of phased governmental planning since 2001.
Source: Administration for Cyber Security, MODA
The CSMA, Enforcement Rules, Incident Reporting and Response Regulations, and Classification of Cybersecurity Responsibility Regulations became simultaneously effective, imposing binding obligations — risk assessments, annual cybersecurity plans, and mandatory breach reporting — on all government agencies and designated critical-infrastructure providers.
Source: Laws & Regulations Database, R.O.C. (Taiwan)
The Executive Yuan created the National Information and Communication Security Taskforce (NICST) and promulgated the first four-year national information-security plan; in March 2001 the National Center for Cyber Security Technology (NCCST) was established to provide incident response and technical support — the foundational institutions underpinning all subsequent cybersecurity governance.
Source: National Information and Communication Security Taskforce, Executive Yuan
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.