Amended Article

Title:

Enforcement Rules of Cyber Security Management Act

Amended Date: 2021.08.23 
Article 6 The cyber security maintenance plan under Article 10, Paragraph 2 of Article 16, and Paragraph 1 of Article 17 of the Act shall include the following:
1. Core businesses and their significance.
2. Cyber security policy and objectives.
3. The organization promoting cyber security.
4. The deployment of dedicated manpower and funds.
5. The deployment of Cyber Security Officer of the government agency.
6. The inventory of information and communication systems and information, indicating the core ones and relevant assets.
7. Risk assessments of cyber security.
8. Protection and control measures for cyber security.
9. The notification, response and rehearsal mechanisms relating to cyber security incidents.
10. Cyber security information assessment and response mechanism.
11. Management measures for outsourced information and communication systems or services.
12. Assessment mechanism for personnel of the government agency who conduct business involving cyber security matters.
13. The continual improvement and performance management mechanism for the cyber security maintenance plan and implementation status.
The implementation of cyber security maintenance plans submitted by each agency under Article 12, Paragraph 3 of Article 16, or Paragraph 2 of Article 17 of the Act shall include the implementation results of and relevant explanations for those under each subparagraph of the preceding paragraph.
The stipulation, amendment, and implementation of the cyber security maintenance plans under Paragraph 1, and the submission of the implementation thereof to be conducted by a government agency may, with consent of its superior or supervisory authority, be conducted by its superior or supervisory authority or another government agency subordinate to its superior or supervisory authority; and in case of a specific non-government agency, the same may, with consent of its central authority in charge of relevant industry, be conducted by its central authority in charge of relevant industry, a subordinate government agency of such central authority in charge of relevant industry, or another specific non-government agency regulated by the central authority in charge of relevant industry.
Article 7 The scope of the core businesses specified in Subparagraph 1 of Paragraph 1 of the preceding article is as follows:
1. Businesses that are considered as the core accountabilities of the government agency as determined by its organizational regulation.
2. Major services or functions of government-owned enterprises and government-endowed foundations.
3. Businesses that are required by each agency for the maintenance and provision of critical infrastructure.
4. Businesses in which each agency is involved in accordance with Paragraphs 1 to 5 of Article 4, or Paragraphs 1 to 5 of Article 5 of the Regulations on Classification of Cyber Security Responsibility Levels.
The term “core information and communication system” as used in Subparagraph 6 of Paragraph 1 of the preceding article refers to the system that is necessary for supporting the continual operation of core business, or that is of high level of defense requirements as determined in accordance with Schedule 9 to the Regulations on Classification of Cyber Security Responsibility Levels – principles of classification of cyber system defense requirement levels.
Article 13 The implementation date of the Rules shall be stipulated by the competent authority.
The amendments to these Enforcement Rules shall take effect on the date of promulgation.