Taiwan: Amendment to Cybersecurity Management Act

07 Oct 2025    2 minute read
Cybersecurity & Data Privacy Taiwan Data Privacy Cybersecurity

In brief

In response to the growing cyberthreats and to strengthen the resilience of the government and society, the amendment (“Amendment”) to the Cybersecurity Management Act (“Act”) was passed by the Legislative Yuan on 29 August 2025, and promulgated by the President on 24 September. The effective date of the Amendment will be decided by the Executive Yuan and is expected to take effect soon.

The Ministry of Digital Affairs (MODA) will serve as the competent authority of the Act, with the Administration for Cyber Security (ACS) of MODA responsible for implementation.

The Amendment broadens the scope of application of the Act to a wider range of specific non-government agencies (特定非公務機關). It requires the appointment of a Chief Information Security Officer (CISO) and full-time cybersecurity personnel, strengthens outsourcing requirements, and grants MODA investigative powers. The use of products endangering national cybersecurity will or can be restricted, and the penalties for failing to report a cybersecurity incident or failing to act in accordance with the Act have been significantly increased.

Contents

Key points of the Amendment

1. Competent authority

MODA will be the competent authority of the Act, while ACS is responsible for implementing cybersecurity affairs (Article 2).

2. Scope of application

The Act applies to government agencies and specific non-government agencies (collectively “Regulated Entities”). Before the Amendment, specific non-government agencies only include critical infrastructure (CI) providers, state-owned enterprises, and government funded foundations. After the Amendment, government-controlled businesses, organizations, or institutions would also be included.

3. CISO and cybersecurity personnel

Regulated Entities are required to appoint a CISO and a full-time cybersecurity personnel (Articles 12, 20, 21, 23).

4. Outsourcing requirements

When Regulated Entities outsource the establishment or maintenance of Information Systems (資通系統), they must ensure contractors have robust cybersecurity management measures or third-party certifications, sign written contracts, and participate in cybersecurity drills as planned by MODA (Article 10).

5. Investigation power

The Amendment granted the competent authority in charge of the industry concerned the power to conduct administrative investigations into specific non-government agency’s material cybersecurity incidents. The procedure may include requesting the specific non-government agency or its contractor to attend a meeting to express opinions, to provide third-party forensic or investigation reports, and conducting on-site inspections. Specific non-government agency or its contractor must not evade, obstruct, or refuse such investigations (Article 25).

6. Restrictions on use of products endangering national cybersecurity

The competent authority in charge of the industry concerned is authorized to restrict or prohibit specific non-government agencies from using products endangering national cybersecurity, which are defined as information systems, services, or products identified by MODA as posing direct or indirect threats to national cybersecurity, and impact government operations or social stability.

If such products are essential and no alternatives exist, their use may be permitted with case-by-case approval and subject to oversight (Article 27).

This not only codified what was previously regulated by administrative orders into law, but also expand the scope of restrictions to CI providers, granting the competent authority in charge of the industry concerned clear legal authority to enforce these restrictions.

7. Increased penalties

The maximum fine for specific non-government agency failing to report cybersecurity incidents is raised from TWD 5 million (approximately USD 166,666) to TWD 10 million (approximately USD 333,333) (Article 29). Additionally, if personnel of such entities fail to comply with regulations and the situation is severe, the entity shall impose disciplinary actions (Article 28).

Impact

The Amendment follows the global trend of enhancing regulations to combat cyberthreats (such as EU’s NIS2 Directive). Given the new regulatory requirements and increased penalties for non-compliance, companies are advised to assess if they are specific non-government agencies, and if yes, immediately review and adjust the current policies and operations for compliance with these requirements. If you have any questions, please feel free to contact us.

Contact Information
Grace Shao
Managing Partner
Taipei
Read my Bio
grace.shao@bakermckenzie.com
Sean J.C. Shih
Partner
Taipei
Read my Bio
sean.shih@bakermckenzie.com

Copyright © 2025 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.