|
Article 20
|
The central competent authority in charge of the relevant sector shall, after consulting relevant government agencies, private organizations, and experts and scholars, designate critical infrastructure providers, submit the designation to the competent authority for approval by the Executive Yuan, and notify the approved entities in writing.<br/>Critical infrastructure providers shall comply with the requirements of their assigned cyber security responsibility levels, appoint dedicated cyber security personnel, and, considering the types, volume, and nature of the information they possess or process, as well as the scale and nature of the information and communication systems, formulate, revise, and implement cyber security maintenance plans.<br/>Critical infrastructure providers shall report on the implementation of their cyber security maintenance plans to the central competent authority in charge of the relevant sector.<br/>The central competent authority in charge of the relevant sector shall, taking into comprehensive consideration the importance and sensitivity of the business of the critical infrastructure providers under its supervision, the scale and nature of the information and communication systems, the frequency and severity of cyber security incidents, and other cyber security-related factors, conduct periodic audits of the implementation of their cyber security maintenance plans.<br/>Where deficiencies or areas for improvement are identified in the implementation of a critical infrastructure provider’s cyber security maintenance plan, the provider shall submit a corrective action report to the central competent authority in charge of the relevant sector.<br/>The central competent authority in charge of the relevant sector shall, in the manner prescribed, submit the audit results and corrective action reports to the competent authority.
|