Amended Article

Title:

Regulations on the Notification and Response of Cyber Security Incident 

Amended Date: 2021.08.23 
Article 6 Upon awareness of the cyber security incident, the government agency shall complete the damage control or recovery operation within the following timeframes, and shall conduct the notification in the manner and to the objects as designated by the competent authority:
1. Within seventy-two hours of the awareness of a level-1 or level-2 cyber security incident;
2. Within thirty-six hours of the awareness of a level-3 or level-4 cyber security incident.
After completion of the damage control or recovery operation under the preceding paragraph, the government agency shall continue the investigation and management of the cyber security incident, and shall submit the investigation, management and improvement report within one month in the manner designated by the competent authority.
The timeframe of submission of the investigation, management, and improvement reports under the preceding paragraph may be extended with the consent of the superior or supervisory authority and the competent authority.
If the superior or supervisory authority or the competent authority deem necessary or deem there is any non-compliance with the regulatory requirement, improper matters or other matters to be improved in respect of the damage control or recovery operation under Paragraph 1 and the report submitted under Paragraph 2, they may require the government agency to give explanations and make adjustments.
Article 13 Upon awareness of the cyber security incident, the specific non-government agency shall complete damage control or recovery operation within the following timeframes, and shall conduct the notification in the manner as designated by the central authority in charge of relevant industry:
1. Within seventy-two hours of the awareness of a level-1 or level-2 cyber security incident.
2. Within thirty-six hours of the awareness of a level-3 or level-4 cyber security incident.
After completion of damage control or recovery operation under the preceding paragraph, the specific non-government agency shall continue the investigation and management of the cyber security incident, and shall submit the investigation, management, and improvement report within one month in the manner as designated by the central authority in charge of relevant industry.
The timeframe of submission of the investigation, management, and improvement report under the preceding paragraph may be extended with the consent of the central authority in charge of relevant industry.
If the central authority in charge of relevant industry deems necessary or deems there is any non-compliance with regulatory requirement, improper matter or other matter to be improved in respect of the damage control or recovery operation under Paragraph 1 and the report submitted under Paragraph 2, it may require the specific non-government agency to give the explanation and make adjustment.
Upon review of the investigation, management, and improvement report on a level-3 or level-4 cyber security incident submitted by the specific non-government agency, the central authority in charge of relevant industry shall submit such report to the competent authority; if the competent authority deems necessary, or deems there is any non-compliance with regulatory requirement, improper matter, or other matter to be improved, it may require the specific non-government agency to give explanation and make adjustment.
Article 21 The implementation date of these Regulations shall be stipulated by the competent authority.
The amendments to these Regulations shall take effect on the date of promulgation.