Cybersecurity · Taiwan

Comprehensive law: Cyber Security Management Act (CSMA), administered by the Administration for Cyber Security (ACS) under the Ministry of Digital Affairs (MODA); National Institute of Cyber Security (NICS) for R&D and technical support

Taiwan has a dedicated comprehensive cybersecurity law — the Cyber Security Management Act — originally enacted in 2018 and in force since January 2019. A significant amendment was passed by the Legislative Yuan on 29 August 2025, promulgated on 24 September 2025, and entered into force on 1 December 2025, expanding scope, strengthening CISO mandates, doubling maximum incident-reporting fines, and barring government use of nationally harmful ICT products. Taiwan also launched Phase VII of its National Cybersecurity Development Program (2025–2028) with NT$8.8 billion in funding.

Comprehensive law & 2025 amendment

The CSMA (Law Code A0030297) has been the primary cybersecurity statute since 2019. The December 2025 amendment is the first major revision, expanding regulated entities to include government-controlled businesses and organisations beyond the original scope of critical infrastructure providers, state-owned enterprises, and government-endowed foundations.

Critical infrastructure — 8 sectors

Taiwan designates eight critical infrastructure (CI) sectors under Executive Yuan guidance: energy, water resources, telecommunications, transportation, banking and finance, emergency aid and hospitals, central and local governments, and high-tech parks. CI providers must comply with assigned cybersecurity responsibility levels and maintain written cybersecurity plans.

Incident reporting obligations

Under the Regulations on Notification and Response of Cyber Security Incidents (A0030305), regulated entities must report a cybersecurity incident to MODA/ACS within one hour of discovery. Damage-control or recovery measures must be completed within 36–72 hours depending on severity level; Level 3/4 incidents require a level-review result delivered to MODA within one hour.

CISO & staffing mandates

The 2025 amendment expressly requires all regulated entities — both government agencies and specific non-government agencies — to appoint a Chief Information Security Officer (CISO) and at least one full-time dedicated cybersecurity staff member. For government agencies, the CISO must be designated from deputy-head-level or equivalent personnel.

Penalties & enforcement

The 2025 amendment doubled the maximum administrative fine for failing to report a cybersecurity incident from NT$5 million to NT$10 million (approx. US$310,000). The amendment also granted competent sectoral authorities new investigative powers over material cybersecurity incidents at specific non-government agencies.

National Cybersecurity Program Phase VII (2025–2028)

Taiwan's Executive Yuan launched the seventh phase of its National Cybersecurity Development Program in 2025, allocating NT$8.8 billion (~US$300 million) to national defense cyber capabilities, critical infrastructure protection, and AI-driven cybersecurity adoption. NICS, established in January 2023 under MODA, supports Zero Trust Architecture testing and AI-threat research.

Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.