The Legislative Yuan of Taiwan enacted the Cybersecurity Management Act (the “Act”) on May 11, 2018. It is expected that the President will promulgate the Act in June this year. The Act grants the competent authority for cybersecurity, i.e., the Executive Yuan, the power to determine the effective date of the Act after it has been promulgated by the President. Local news media reported that the Executive Yuan plans to set three separate effective dates for the three categories of agencies, organizations, and entities subject to the Act, so that the Act will apply to “Government Agencies”, “Critical Infrastructure Providers”, and other “Certain Non-government Agencies” within 6 months, 12 months and 18 months following its enactment, respectively.
Subjects of the Application of the Act
The Act imposes cybersecurity management obligations on “Government Agencies”, “Certain Non-government Agencies” and “Critical Infrastructure Providers”.
The term “Government Agencies” refers to a government agency or administrative juridical person at the central or local government level that is empowered to exercise sovereign power, excluding military and intelligence agencies. “Certain Non-government Agencies” include “Critical Infrastructure Providers”, state-owned enterprises, and government-funded institutions.
As for “Critical Infrastructure Providers”, the Act defines “Critical Infrastructure” as “physical or virtual assets, systems, or networks, the scope of which will be periodically reviewed and publicly announced by the competent authority, and the cessation of whose function or reduction of whose efficiency may have a material impact on national security, public interest, the life of nationals, or economic activities”.
The term “Critical Infrastructure Provider” is defined as “those that are operating or providing all or a part of Critical Infrastructures and have been appointed by the central authority in charge of the business and approved by the competent authority of cybersecurity”. The actual scope of “Critical Infrastructure Providers” will be further determined by the competent authority.
Cybersecurity Management Obligations
The Act imposes different cybersecurity management obligations on Government Agencies and on Certain Non-government Agencies. For Certain Non-government Agencies, the major obligations are to (i) meet the required cybersecurity responsibility level and establish a cybersecurity plan in accordance with the requirements set forth by the competent authority; (ii) report the implementation status of the cybersecurity plan to the competent authority; (iii) submit to audits by the competent authority and, where deficiencies are found, submit an improvement report; and (iv) report any cybersecurity incident, together with the response measures taken, to the competent authority. The competent authority will promulgate regulations under the Act setting out the relevant details.
Pursuant to Article 20 of the Act, if a Certain Non-government Agency violates the Act, the central authority in charge of regulating its business may order it to rectify the non-compliance by a deadline and, if no rectification is made by that deadline, impose an administrative fine of NTD 100,000 to NTD 1,000,000. Under Article 21 of the Act, if a Certain Non-government Agency fails to report a cybersecurity incident as required by the Act, the central authority in charge of regulating its business may impose an administrative fine of NTD 300,000 to NTD 5,000,000, order it to rectify the non-compliance by a deadline, and impose the fine repeatedly until the non-compliance is rectified.
Follow-up Actions – Promulgation of Rules and Regulations
According to the Department of Cybersecurity, Executive Yuan, once the Act is enacted, further rules and regulations implementing the Act will be promulgated, including the “Enforcement Rules of the Cybersecurity Management Act”, “Guidelines on Cybersecurity Obligation Levels and Classifications”, “Cybersecurity Intelligence Sharing Measures”, “Guidelines on Cybersecurity Incident Reports and Responsive Measures”, “Cybersecurity Plan for Certain Non-government Agencies”, and “Reward and Punishment Guidelines on Cybersecurity Matters of Public Agency Personnel”. Companies likely to fall within the scope of the Act should monitor these developments, as the concrete obligations, reporting formats and deadlines will be defined in these subordinate rules rather than in the Act itself.