Chapter I. General Provision |
| Article 1 | This Cyber Security Management Act(hereinafter referred to as the Act)is duly stipulated in an effort to positively carry out the national cyber security policy, accelerate the construction of environment for national cyber security to safeguard national security, and protect public interests of the entire society. |
|
| Article 2 | The competent authority over the Act is the Executive Yuan. |
|
| Article 3 | The terms under the Act are defined as follows:
1. Information and communication system: That refers to the system to be used to collect, control, transmit, store, circulate, delete information or to make other processing, using and sharing of such information.
2. Information and communication service: That refers to the service to be used to collect, control, transmit, store, circulate, delete information or to make other processing, using and sharing of such information.
3. Cyber security: That refers to such effort to prevent information and communication system or information from being unauthorized access, use, control, disclosure, damage, alteration, destruction or other infringement to assure the confidentiality, integrity and availability of information and system.
4. Cyber security incident: That refers to an event where the state of a system, service, or network is identified as having a potential violation of the cyber security policy or a failure of protective measures, which affects the functionality of the information and communication system and constitutes a threat against the cyber security policy.
5. Government agency: That refers to central, local government agency(institution)or public juristic person that exercises public power according to law, excluding military and intelligence agency.
6. Specific non-government agency: That refers to critical infrastructure provider, government-owned enterprises and government-endowed foundation.
7. Critical infrastructure: That refers to physical or virtual assets, systems or networks, the functions of which, once ceased to operate or their performance is reduced, may have a significant impact on national security, social and public interests, people's lives, or economic activities, and which are subject to regular inspection and announcement by the competent authorities.
8. Critical infrastructure provider: That refers to the ones who maintain or provide critical infrastructure either in whole or in part, as designated by the central authority in charge of relevant industry, which shall be submitted to the competent authority for ratification.
9. Government-endowed foundation: That refers to a foundation of which the operation and capital utilization plan of its funds shall be submitted to the Legislative Yuan in accordance with Paragraph 3 of Article 41 of the Budget Act and its annual budget statement shall be submitted to the Legislative Yuan for deliberation in accordance with Paragraph 4 of the same Article. |
|
| Article 4 | In an effort to promote cyber security, the government shall provide resources and integrate the strengths of the private sector and the industry to boost cyber security awareness of all people, and implement the following issues:
1. Cultivation of cyber security professionals.
2. Cyber security technology research and development, integration, application, and industry-academia cooperation, as well as interchange and cooperation with international community.
3. Development of cyber security industry.
4. Development of cyber security related software and hardware specifications, relevant services and verification mechanism.
Issues Promotion in the preceding Paragraph shall be stipulated by the competent authority under the national cyber security development program. |
|
| Article 5 | The competent authority shall plan and promote the national cyber security policy, and the cyber security technology development, international interchange and cooperation, and the comprehensive cyber security protection relevant undertakings, as well as regularly announce national cyber security status reports, the summary auditing report on the implementation of the cyber security maintenance plan for the government agency, and the national cyber security development programs.
The status report, summary auditing report and the national cyber security development programs of the preceding Paragraph shall be submitted to the Legislative Yuan for review. |
|
| Article 6 | The competent authority may commission or entrust other government agency, juristic person or organization to implement integrated protection of cyber security, international interchange and cooperation, and other cyber security related issues.
The government agency, juristic person or organization, or re-delegated subcontractor of the preceding Paragraph shall not divulge the secret of critical infrastructure provider which becomes known in the process of enforcement or implement of relevant issues. |
|
| Article 7 | The competent authority shall stipulate the cyber security responsibility levels by considering the criteria on the importance, confidentiality and sensitivity of the business, the hierarchy of the agency, and the category, quantity and attribute of the information reserved or processed, as well as the scale and attribute of the information and communication system of the government agency and specific non-government agency. The relevant regulations regard the baseline for responsibility levels, application for a change in the level, content of obligation, staffing of dedicated personnel and other regulations and issues concerned shall be stipulated by the competent authority.
The competent authority may audit a specific non-government agency in its implementation of cyber security maintenance plan, of which the frequency, content, method and other issues concerned shall be stipulated by the competent authority.
A specific non-government agency is audited as per preceding Paragraph, and found defective or needing improvement in the cyber security maintenance plan, it shall submit the improvement report to the competent authority and to the central authority in charge of relevant industry. |
|
| Article 8 | The competent authority shall set up the cyber security information sharing mechanism.
Regulation regarding analysis, integration, and the sharing of content, procedure and method, and other matters of the cyber security information in the preceding Paragraph shall be stipulated by the competent authority. |
|
| Article 9 | A government agency or specific non-government agency outsources for setup, maintenance of the Information and communication system, or for provision of Information and communication services, such government agency or specific non-government agency shall, within the realm of this Act, take into account outsourced party’s professional capability and experience, as well as nature of the outsourced project and requirement of cyber security, select the appropriate party for outsourcing and oversee its cyber security maintenance service. |
|