CHAPTER I. GENERAL PROVISIONS
| Article 1 | This Cyber Security Management Act (hereinafter referred to as the Act) is duly stipulated in an effort to proactively carry out national cyber security policies and accelerate the construction of an environment for national cyber security, thereby safeguarding national security and protecting the public interests of all of society. |
|
| Article 2 | The competent authority over the Act is the Ministry of Digital Affairs. The execution of cyber security affairs shall be undertaken by a designated agency for cyber security as assigned by the Ministry of Digital Affairs. |
|
| Article 3 | The terms under the Act are defined as follows: 1. Information and Communication Systems: refers to any system used for collecting, controlling, transmitting, storing, circulating, or deleting information, or for otherwise processing, using, or sharing information. 2. Information and Communication Services: refers to any services relating to the collection, control, transmission, storage, circulation, deletion, other processing, use, or sharing of information. 3. Cyber Security: refers to the prevention of unauthorized access to, use of, control over, disclosure of, damage to, alteration of, or destruction of information or information and communication systems, or any other circumstances affecting the confidentiality, integrity, or availability of information or information and communication systems. 4. Cyber Security Incident: refers to any event where the status of a system, service, or network is identified as having a potential violation of the cyber security policy or a failure of protective measures, which affects the functionality of the information and communication system. 5. Government Agency: refers to a central or local government agency (organization), or a public juristic person that exercises public power according to law, but excluding military and intelligence agencies. 6. Specific Non-Government Agency: refers to a critical infrastructure provider, a government-owned enterprise, a designated foundation, or any enterprise, organization, or institution under control of the government. 7. Critical Infrastructure: refers to physical or virtual assets, systems, or networks, the functions of which, once they cease to operate or their performance is reduced, may have a significant impact on national security, social and public interests, people's lives, or economic activities, and which are subject to periodic review and designation by the Executive Yuan. 8. Critical Infrastructure Provider: refers to any entity that maintains, operates, or provides, in whole or in part, critical infrastructure as designated by the central competent authority in charge of the relevant sector, which designation shall be submitted to the Executive Yuan for approval. 9. Designated Foundation: refers to foundations that fall within the scope of Article 2, Paragraph 2 or 3, or Article 63, Paragraph 1 or 4 of the Foundations Act, and that qualify as nationwide foundations as defined in Article 2, Paragraph 8 of the same Act. 10. Enterprises, Organizations, or Institutions Controlled by Government: refers to enterprises, organizations, or institutions publicly announced by the Ministry of Civil Service pursuant to Article 77, Paragraph 1, Subparagraph 2, Items 3 and 4 of the Public Service Pension, Severance and Compensation Act, that are of importance to cyber security, as designated by the central competent authority in charge of the relevant sector and approved by the competent authority; for those controlled by local governments, approval by the competent authority shall be granted only upon the consent of the relevant local competent authority. 11. Products Harmful to National Cyber Security: refers to information and communication systems, services, or products determined by the competent authority to pose a direct or indirect risk of harm to national cyber security, thereby affecting government operations or social stability. |
|
| Article 4 | In an effort to promote cyber security, the government shall provide resources and integrate the strengths of the private sector and industries to boost the cyber security awareness of all people, and implement the following matters: 1. Cultivation of cyber security professionals. 2. Cyber security technology research and development, integration, application, and industry-academia cooperation, as well as international exchange and cooperation. 3. Development of the cyber security industry. 4. Development of cyber security-related software and hardware specifications, relevant services, and verification mechanisms. 5. Assistance to the private sector in handling, responding to, and preventing major cyber security incidents. The promotion of the matters provided in the preceding paragraph shall be carried out by the competent authority through the formulation of the National Cyber Security Development Program, which shall be implemented upon approval by the Executive Yuan. |
|
| Article 5 | For the purpose of implementing national cyber security policies, government agencies at all levels, both central and local, shall endeavor to cooperate in promoting and executing cyber security measures, jointly building a secure national cyber security environment. To provide consultation and deliberation on national cyber security policies, response mechanisms, and major projects, and to coordinate cyber security-related affairs among central and local government agencies, the Executive Yuan shall convene, on a regular basis, the National Information and Communication Security Taskforce, to be chaired by the Premier or Vice Premier of the Executive Yuan. Experts, scholars, and representatives of private organizations may be invited to attend; extraordinary meetings may also be convened when necessary. Secretariat affairs of the Taskforce shall be handled by the competent authority. Resolutions adopted by the National Information and Communication Security Taskforce meetings as provided in the preceding paragraph shall be implemented by the relevant government agencies. The competent authority shall conduct regular follow-up reviews, performance monitoring, and, where appropriate, performance evaluations. The rules governing the composition, functions, procedures, and other related matters of the National Information and Communication Security Taskforce under Paragraph 2 shall be prescribed by the Executive Yuan. |
|
| Article 6 | The competent authority shall plan and promote national cyber security policies, the development of cyber security technologies, international exchanges and cooperation, and overall cyber security protection measures, as well as publish annually a National Cyber Security Status Report, an Audit Summary Report on the implementation of cyber security maintenance plans, and a National Cyber Security Development Program. The reports and program provided in the preceding paragraph shall be submitted by the competent authority to the Legislative Yuan for recordation. |
|
| Article 7 | Government agencies and specific non-government agencies shall, based on the importance and sensitivity of their operations, their hierarchical levels, the type, volume, and nature of the information they hold or process, and the scale and nature of their information and communication systems, report to the competent authority for approval or recordation of their respective cyber security responsibility levels. Government agencies and specific non-government agencies shall comply with the requirements of their cyber security responsibility levels, and shall implement cyber security protection measures from the perspectives of management, technology, awareness, and training. The criteria for distinguishing cyber security responsibility levels referred to in the preceding two paragraphs, the procedures for approval or recordation, applications for changes, the items and contents of cyber security protection measures, the qualifications and allocations of dedicated personnel, and other related matters shall be prescribed by the competent authority. |
|
| Article 8 | The competent authority may conduct periodic or ad hoc audits of the implementation of cyber security maintenance plans by government agencies and specific non-government agencies. Where deficiencies or areas for improvement are identified in the audit provided in the preceding paragraph, the audited agency shall submit a corrective action report. Government agencies shall submit such reports to the authority designated under Article 14 to receive implementation reports; specific non-government agencies shall submit such reports to the central competent authority in charge of the relevant sector, which shall forward them to the competent authority after review. The authority receiving the corrective action report, as provided in the preceding paragraph, may, where deemed necessary, require the audited agency to provide explanations or make adjustments. The frequency, scope, and methods of audits of the implementation of cyber security maintenance plans, as provided in the preceding three paragraphs, the submission of corrective action reports, and other related matters shall be prescribed by the competent authority. Audits under Paragraph 1 shall be carried out pursuant to an annual plan prepared by the competent authority and approved by the Executive Yuan. The annual plan and the annual results report shall be submitted to the National Information and Communication Security Taskforce for recordation. |
|
| Article 9 | The competent authority shall set up a mechanism for sharing cyber security intelligence. The analysis and integration of cyber security intelligence provided in the preceding paragraph, the rules of sharing contents, procedures, methods, and other related matters shall be prescribed by the competent authority. |
|
| Article 10 | Government agencies or specific non-government agencies, within the scope of this Act, that outsource the implementation, maintenance and operation of information and communication systems or the provision of information and communication services shall select appropriate contractors, require the contractors to establish effective cyber security management mechanisms, and supervise the implementation of such mechanisms. The procedures and environments in which contractors referred to in the preceding paragraph perform outsourced tasks shall incorporate comprehensive cyber security management measures or obtain impartial third-party certification. Government agencies or specific non-government agencies that handle outsourced tasks as described in Paragraph 1 shall enter into a written agreement with the contractor, specifying the rights and obligations of both parties as well as liabilities for breaches. Government agencies or specific non-government agencies shall cooperate with the competent authority in planning and conducting cyber security drills and, if necessary, incorporate third-party assistance mechanisms. The contents of such drills and other relevant matters shall be prescribed by the competent authority. |
|