Analyzing critical legal trends and developments across data, cyber, AI and digital regulations from around the world and beyond borders

In response to the growing cyberthreats and to strengthen the resilience of the government and society, the amendment (“Amendment”) to the Cybersecurity Management Act (“Act”) was passed by the Legislative Yuan on 29 August 2025, and promulgated by the President on 24 September. The effective date of the Amendment will be decided by the Executive Yuan and is expected to take effect soon.

The Ministry of Digital Affairs (MODA) will serve as the competent authority of the Act, with the Administration for Cyber Security (ACS) of MODA responsible for implementation.

The Amendment broadens the scope of application of the Act to a wider range of specific non-government agencies (特定非公務機關). It requires the appointment of a Chief Information Security Officer (CISO) and full-time cybersecurity personnel, strengthens outsourcing requirements, and grants MODA investigative powers. The use of products endangering national cybersecurity may be restricted, and the penalties for failing to report a cybersecurity incident or failing to act in accordance with the Act have been significantly increased.

Key points of the Amendment

1. Competent authority

MODA will be the competent authority of the Act, while ACS is responsible for implementing cybersecurity affairs (Article 2).

2. Scope of application

The Act applies to government agencies and specific non-government agencies (collectively “Regulated Entities”). Before the Amendment, specific non-government agencies included only critical infrastructure (CI) providers, state-owned enterprises, and government-funded foundations. After the Amendment, government-controlled businesses, organizations, or institutions are also included.

3. CISO and cybersecurity personnel

Regulated Entities are required to appoint a CISO and full-time cybersecurity personnel (Articles 12, 20, 21, 23).

4. Outsourcing requirements

When Regulated Entities outsource the establishment or maintenance of Information Systems (資通系統), they must ensure contractors have robust cybersecurity management measures or third-party certifications, sign written contracts, and participate in cybersecurity drills as planned by MODA (Article 10).

5. Investigation power

The Amendment grants the competent authority in charge of the industry concerned the power to conduct administrative investigations into material cybersecurity incidents at specific non-government agencies. The procedure may include requesting the specific non-government agency or its contractor to attend a meeting to express opinions, requesting third-party forensic or investigation reports, and conducting on-site inspections. A specific non-government agency or its contractor must not evade, obstruct, or refuse such investigations (Article 25).

6. Restrictions on use of products endangering national cybersecurity

The competent authority in charge of the industry concerned is authorized to restrict or prohibit specific non-government agencies from using products endangering national cybersecurity, which are defined as information systems, services, or products identified by MODA as posing direct or indirect threats to national cybersecurity and impacting government operations or social stability.

If such products are essential and no alternatives exist, their use may be permitted with case-by-case approval and subject to oversight (Article 27).

This not only codifies into law what was previously regulated by administrative orders, but also expands the scope of the restrictions to CI providers, granting the competent authority in charge of the industry concerned clear legal authority to enforce them.

7. Increased penalties

The maximum fine for a specific non-government agency that fails to report a cybersecurity incident is raised from TWD 5 million (approximately USD 166,666) to TWD 10 million (approximately USD 333,333) (Article 29). Additionally, if personnel of such an entity fail to comply with the regulations and the situation is severe, the entity shall impose disciplinary action (Article 28).

Impact

The Amendment follows the global trend of strengthening regulation to combat cyberthreats (such as the EU’s NIS2 Directive). Given the new regulatory requirements and the increased penalties for non-compliance, companies are advised to assess whether they are specific non-government agencies and, if so, immediately review and adjust their current policies and operations to comply with these requirements. If you have any questions, please feel free to contact us.

Author

Grace Shao practices in the areas of intellectual property, technology licensing and dispute resolution. She has advised and made presentations on various intellectual property issues for several organizations — including Judicial Yuan, Intellectual Property Office, ECCT IPL Committee, the American Institute in Taiwan and Technology Law Symposium. Ms. Shao also authored IP-related articles for Economic Daily News.

Author

Sean is experienced in advising clients on matters related to intellectual property, data privacy, technology transactions, digital commerce, advertising and marketing, consumer protection, anti-competition and dispute resolution. He is a Certified Information Privacy Professional/Europe (CIPP/E) and a Member of the Chartered Institute of Arbitrators (MCIArb). He is also an arbitrator of the Chinese Arbitration Association. He worked in Baker McKenzie’s Chicago office from 2019 to 2020.