Taiwan’s Cybersecurity Regulatory System and the Legislative Purpose

Taiwan faces national-level organised cyber threats due to its special political and economic status. As such, cybersecurity is a key policy focus. In May 2021, the Executive Yuan listed cybersecurity as one of the six core strategic industries meriting special promotion. Accordingly, the primary objective of the Cyber Security Management Act (CSMA) is to “proactively carry out national cyber security policies and accelerate the construction of an environment for national cyber security” to guarantee national security and protect the public interest (Article 1 of the CSMA). In this context, cybersecurity is recognised as a national security priority in Taiwan, and the government is empowered to allocate resources, co-ordinate private sector capabilities and foster the development of professional expertise to achieve these goals.

Recent Amendment of the CSMA and the Relevant Regulations

On 1 December 2025, the Executive Yuan announced the enforcement of amendments to the CSMA. This marks the first revision of the CSMA since its original enactment in 2019, reflecting a response to the growing severity of cyber threats and a commitment to strengthening the industry’s overall cybersecurity posture. Notably, the amendment transfers the authority overseeing the CSMA from the Executive Yuan to the Ministry of Digital Affairs (MODA). It also introduces key provisions, including a clear prohibition on government agencies from downloading, installing or using products that may compromise national cybersecurity. Additionally, the amendment broadens MODA’s audit authority over government agencies, mandates that agencies engaging in outsourcing enter into written contracts and requires their co-operation in cybersecurity drills.

Enactment of the Regulations Governing the Review of Products Endangering National Cybersecurity

As noted in the foregoing, to protect government operations from potential cybersecurity threats, the CSMA expressly prohibits the use of products that could compromise national cybersecurity. Furthermore, pursuant to the authority granted by the amended CSMA, MODA has issued regulations establishing a standardised process for government and specific non-government agencies to report information and communication technology (ICT) products suspected of posing risks to national cybersecurity.

CSMA

The CSMA governs the management of information and communications security by government agencies and certain non-government agencies (ie, critical infrastructure providers, public utilities and government-sponsored foundations). The Enforcement Rules of the CSMA further define and set forth the rules, guidelines and key terms of the CSMA.

The CSMA establishes obligations for two main categories of entities:

• government agencies, which include central and local government bodies as well as public legal entities, excluding military and intelligence agencies; and
• specific non-government agencies, such as critical infrastructure providers, government-owned enterprises, designated foundations and any enterprise, organisation or institution under government control.

At this time, there has been no indication or discussion concerning the application of the CSMA beyond Taiwan’s jurisdiction.

The CSMA establishes the primary legal framework, while concurrently empowering the MODA to promulgate supplemental and technical regulations that delineate the substantive requirements for cybersecurity management. The relevant regulations include but are not limited to the following.

Regulations on Classification of Cybersecurity Responsibility Levels

The Regulations categorise government agencies and specific non-government agencies into levels A–E, primarily based on the sensitivity of the data they handle, such as national secrets; the volume of personal information; and the critical nature of their infrastructure. This includes operations related to foreign affairs, national defence, national security or the management of essential public services and inter-agency shared ICT systems.

Accordingly, the Regulations set forth specific cybersecurity operational standards within the statutory appendices tailored to each classification level. Agencies are required to implement the prescribed administrative, technical and training measures corresponding to their assigned level. These measures are designed to ensure that their information systems meet the stringent control requirements mandated under the CSMA.

Regulations Governing the Review of Products Endangering National Cybersecurity

The Regulations are enacted to establish a clear and consistent framework for government agencies and specific non-government agencies to submit ICT products for review when those products may present risks to national cybersecurity.

Regulations on Audit of Implementation of Cyber Security Maintenance Plan

In accordance with the recent amendment to the CSMA, which grants MODA the authority to audit government agencies, these Regulations set forth the procedures for auditing both government and designated non-government agencies. The Regulations establish clear legal standards for compliance verification and require that competent authorities, either MODA or competent authorities of certain industries, conduct annual, scheduled audits. These audits include on-site inspections to assess the effective implementation of cybersecurity maintenance plans. To ensure impartiality and transparency, audit teams must include representatives from government agencies.

Sectoral Regulations

Although MODA functions as the central competent authority, the direct supervision of the private sector is delegated to the relevant central authorities within specific industries, such as the Financial Supervisory Commission (FSC) and the Ministry of Health and Welfare (MOHW). Under the authorisation of the CSMA, these competent authorities have established their own regulations governing the cybersecurity management practices of the non-governmental entities within their sectors. These regulations address essential requirements, including the development, implementation and auditing of cybersecurity maintenance plans.

The competent authority for the CSMA is MODA. Within MODA, the Administration for Cyber Security works closely with the National Institute of Cyber Security, a non-departmental public body supervised by MODA, to develop and implement national cybersecurity policies. Together, they promote cybersecurity programmes, designate critical infrastructure providers and co-ordinate efforts among the competent authorities across nine key industries. Their collective goal is to strengthen the national cybersecurity defence system, enhance incident reporting and response mechanisms, support agencies in meeting cybersecurity compliance requirements and foster the development of cybersecurity talent while raising awareness nationwide.

For government agencies, the relevant regulator is generally the supervisory agency at a higher level. This supervisory agency oversees the lower-level agency’s establishment, revision and implementation of its cybersecurity maintenance plan.

Regarding the specific non-governmental agencies, the central authority for the industry acts as the regulator. For instance, the FSC acts as the regulator for insurance companies, securities firms and futures commission merchants. This central authority is empowered by the CSMA to establish rules that require companies within the industry to develop, update and enforce their cybersecurity maintenance plans.

As mentioned in the foregoing, the CSMA imposes obligations on two primary categories of entities:

• government agencies – central and local government bodies and public legal entities (excluding military and intelligence agencies); and
• specific non-government agencies – including critical infrastructure providers, government-owned enterprises and designated foundations or any enterprise, organisation or institution under the control of the government.

Regarding critical infrastructure providers, the definition remains vague and lacks clear criteria for straightforward identification. Pursuant to Article 20 of the CSMA, the central competent authority responsible for the relevant industries must, after consulting with appropriate government agencies, private organisations and experts, designate critical infrastructure providers. This designation is then submitted to MODA for approval by the Executive Yuan. While designated critical infrastructure providers receive written notification of their status, the designation is treated as confidential and is not disclosed to the public.

That being said, in 2024, the Executive Yuan issued the Procedure for the Designation of Critical Infrastructure Providers. This process follows a four-step methodology:

• first, identifying critical domains;
• second, narrowing the focus to critical services;
• third, pinpointing the specific critical information infrastructure; and
• finally, ratifying the designated providers.

The primary critical domains include energy, water resources, communications and broadcasting, transportation, banking and finance, emergency services and healthcare, government agencies, science parks and industrial parks, and food. Following this, the central competent authorities for the relevant industries are tasked with conducting an inventory of ICT assets currently in use. They must then identify those ICT components essential to maintaining the continuous operation of the core functions of the relevant facilities, which are thereafter designated as critical infrastructure. Finally, the service providers responsible for maintaining this critical infrastructure are likely to be designated as the critical infrastructure providers.

Requirements or Prevailing Norms for Corporate Cybersecurity Governance

Entities subject to the CSMA shall comply with the Regulations on Classification of Cyber Security Responsibility Levels. The entities subject to the CSMA are classified into levels A–E under the Regulations on Classification of Cyber Security Responsibility Levels. Each must meet certain cybersecurity responsibilities at different levels with regard to management, technical measures, and awareness and training.

The information security management system of entities of levels A–C shall be verified by certain standards, with Chinese National Standard (CNS) 27001 or the International Organization for Standardization (ISO) 27001 standard given as examples. Other systems or standards with equal or stronger effect, or other standards developed by the government agency itself and approved by the competent authority, are also acceptable.

Entities at levels A–C are also required to assign dedicated cybersecurity personnel. Moreover, both non-government agency and government agency staff can hold the position of chief information security officer (CISO) under Articles 12 and 23 of the CSMA. Also, entities at every level shall conduct cybersecurity education and training regularly. In addition to the CSMA, entities may have different requirements under other regulations.

Requirements for Conducting Risk Assessment or Specific Cyber-Testing, Scanning and Analysis Operations

For entities subject to the CSMA, the Regulations on Classification of Cyber Security Responsibility Levels provide different levels of entities with technical measures for adoption. For example, for level A entities, security detection, cybersecurity health diagnosis, cybersecurity monitoring management mechanisms, vulnerability management and cybersecurity defence are required.

The specific personal data security maintenance plans stipulated by the competent authorities of certain industries may also demand that entities establish an audit mechanism for the security maintenance of personal data, and designate appropriate personnel to inspect the implementation status of the plan and its process.

Required Standards for Recovery and Resiliency of Business Operations and Necessary Data After Cyber-Attacks

The CSMA does not provides a specific standard for recovery and resiliency after cyber-attacks, providing only general obligations to plan for recovery and resiliency.

Government agencies and private entities subject to the CSMA should comply with the Regulations on Classification of Cyber Security Responsibility Levels.

As explained, the entities are required to file and submit a report on the investigation, response and improvement of cybersecurity under the CSMA after cyber-attacks. Article 12 of the Enforcement Rules of the CSMA explicates the items that should be included in the report, but it specifies no standards for the same.

Under the CSMA, a cybersecurity incident refers to any event where the status of a system, service or network is identified as having a potential violation of the cybersecurity policy, or a failure of protective measures, which affects the functionality of the information and communication system.

Pursuant to the CSMA, government agencies and private entities subject to the CSMA shall report to their supervisory agencies and MODA when they become aware of a cybersecurity incident.

The Regulations for Reporting and Responding Cybersecurity Incidents set forth further details about the reporting of cybersecurity incidents, as required under the CSMA. A specific non-government agency shall report to its regulator at the central government within one hour after it becomes aware of a cybersecurity incident, and the regulator shall respond within two to eight hours depending on the classification of the cybersecurity incident. Meanwhile, the specific non-government agency shall complete damage control or recovery of the system within 36–72 hours.

Responsibilities for Promoting National Cybersecurity Resilience

Pursuant to Article 4 of the CSMA, the government should bolster national cyber resilience by actively integrating private industry capabilities and providing essential resources to safeguard public interests. In this regard, MODA, as the competent authority of the CSMA, is responsible for establishing the National Cyber Security Development Program to advance these objectives. In addition, under Article 6 of the CSMA, MODA is responsible for creating and promoting national cybersecurity policies, advancing cybersecurity technologies, encouraging international co-operation and implementing comprehensive cybersecurity measures. Additionally, MODA must annually publish the National Cyber Security Status Report, and an audit summary report on cybersecurity maintenance plans, to enable all sectors to understand national cybersecurity trends.

Information Exchange

Article 9 of the CSMA dictates that MODA should set up a cybersecurity information sharing mechanism. The Cyber Security Information Sharing Regulations further provide that the competent authorities of the relevant industries should exchange cybersecurity information with the “specific non-government agencies” under their charge (Article 3 of the Regulations).

For individuals, entities and organisations that are not subject to the CSMA, the competent authorities or MODA may also exchange cybersecurity information with them, provided that they have agreed in writing to comply with the requirements under the Regulations (Article 10 of the Regulations).

In implementing the Regulations, and to establish the national-level Information Sharing and Analysis Center, (ISAC), computer emergency response team (CERT) and Information Security Control Center (SOC) in nine critical infrastructure domains, the Administration for Cyber Security under MODA has built a national information security joint defence system, which allows information sharing among governmental agencies and critical infrastructure providers. Additionally, some authorities of the industries, such as the National Communication Commission (NCC), also periodically hold training sessions and seminars to encourage companies to strengthen their information security.

In addition to information sharing, MODA also provides assistance to help agencies cope with cybersecurity incidents and help the competent authority in charge of the relevant industry provide necessary support or assistance to help a “specific non-government agency” report or respond to a cybersecurity incident, according to the Regulations for Reporting and Responding to Cybersecurity Incidents.

Previously, the FSC released the Financial Cyber Security Action Plan 1.0 to ensure the uninterrupted operation of financial systems, and Financial Cyber Security Action Plan 2.0 to enhance the financial institutions’ cybersecurity and secure a safe trading environment.

On 30 December 2025, in alignment with the National Cybersecurity Strategy 2025 and to safeguard the continuous operation of financial systems, the FSC announced the Financial Cyber Resilience Development Blueprint. The Blueprint sets forth 29 targeted measures structured around a four-pillar framework: goal-driven governance, ubiquitous protection, ecosystem collaborative defence and robust resilience. Its primary aim is to establish a financial ecosystem that is predictable, defensible and recoverable.

The ten strategic highlights of the Blueprint follow.

• Elevating governance and accountability: Establishing a “triad of governance” (responsibility, authority and resources) for CISOs, the Blueprint strengthens the accountability chain and ensures independent decision-making. Furthermore, it grants CISOs the flexibility to implement proactive control measures in response to a rapidly shifting threat landscape.
• Cultivating strategic talent: Shifting from a “one-size-fits-all” baseline to a strategic objective model, the FSC will continually update the Financial Cybersecurity Talent Competency Map. Through cross-institutional forums and “theme-based” workshops, the industry will share best practices to move towards a “measurable, growth-oriented, and differentiated” framework.
• Shift-left security and design: To minimise potential risks and remediation costs, the Blueprint advocates for shift-left security to integrate security into the early stages of development, as well as for producing software bills of materials (SBOM) to monitor vulnerabilities and establish the mechanism for version updates.
• Implementing zero trust architecture (ZTA): Following the Reference Guidance for Zero Trust Architecture in the Financial Sector, the FSC will prioritise adoption in high-risk areas. This transition will be measured through periodic surveys, gradually incorporating ZTA principles into fundamental regulatory standards to elevate the overall defence baseline.
• Enhancing security operations centres (SOC) effectiveness: Building on the foundation of SOC, the FSC will continuingly expand monitoring standards to include cloud environments and encourage financial institutions to regularly validate the effectiveness of their cybersecurity monitoring and defensive deployments.
• Proactive response to emerging technology: Recognising the hidden risks in AI, the FSC will develop security and testing guidelines to include both the traditional internet threats and AI-specific attacks. Additionally, to counter the threat posed by quantum computing to traditional encryption, the FSC will develop a migration plan for post-quantum cryptography (PQC)
• Enhancing the supply chain ecosystem: As financial institutions’ reliance on third-party providers grows, the FSC plans to classify vendors based on risk and data sensitivity. It will provide standardised outsourcing contract clauses and encourage risk assessments and joint cyber drills across the supply chain.
• Automated intelligence and global collaboration: The Financial Information Sharing and Analysis Center (F-ISAC) will be upgraded with automated sharing and analysis platforms. Additionally, the FSC plans to establish channels for financial cybersecurity vulnerability disclosure and response and hosting international online exchanges, to enhance cross-border early warning and incident response capabilities.
• Advanced cybersecurity offensive and defensive drills: The Blueprint mandates continuous cybersecurity offensive/defensive simulations. The scope will expand to include complex scenarios to validate the notification, co-ordination and support efficiency of the collaborative defence network.
• Multilayer redundancy for critical services: To ensure the availability of essential services, the FSC is pushing for a multilayer redundancy architecture.

Taiwan’s ICT industry includes the following four sectors:

• CR – Manufacture of electronic parts and components;
• CS – Manufacture of computers, electronic and optical products;
• JB – Telecommunications; and
• JC – Computer-related and information services.

In Taiwan, the term “ICT service providers” primarily refers to enterprises classified under “JC: Computer-related and information services industry” according to the official statistical definitions of the directorate-general of budget, accounting and statistics (DGBAS). This classification encompasses entities engaged in computer programming, system design, consultancy, data processing, information supply and other related information technology services.

Official Classification

The ICT sector in Taiwan is divided into manufacturing and services, with the services segment including:

• computer programming, consultancy and related services; and
• information services, such as data processing, internet service providers and other information technology support services.

This classification is consistent with international standards, such as those of the OECD, and covers non-manufacturing ICT activities, including software development and digital services.

The FSC has established a comprehensive regulatory framework governing the outsourcing of services by financial institutions to third-party service providers, such as data processing and cloud service vendors. For instance, under the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operations (Outsourcing Regulations), the scope of permissible outsourcing is clearly defined and includes services related to:

• the financial institution’s registered business activities, as specified on its business licence; and
• operations involving customer information, whether pertaining to individuals or legal entities.

Permissible outsourced activities are limited to certain functions, including but not limited to:

• data entry, processing and output within information systems;
• the development, monitoring, control and maintenance of such systems; and
• logistical support related to data processing.

Furthermore, outsourcing arrangements must comply with specific regulatory requirements designed to ensure operational integrity and protect customer information.

The key provisions governing these outsourcing activities include the following.

Contractual requirements

According to Article 10 of the Outsourcing Regulations, the financial institutions should implement outsourcing contracts with the service providers, stating, among other things, that:

• the FSC and the central bank may obtain relevant information or reports, conduct financial inspections or order the provision of relevant information or reports within a specified period, with respect to the scope of the outsourcing matters; and
• without the prior written consent of the financial institution, the service providers should not subcontract the outsourced operations – the scope, restrictions and conditions of any subcontracting, if any, should be specified in the outsourcing contract as well.

Cross-border outsourcing

According to Article 17 of the Outsourcing Regulations, financial institutions, when outsourcing services outside of Taiwan, should follow certain requirements, including:

• maintain a clear understanding of the service provider’s data usage, processing and control measures;
• ensure that customer data is distinctly segregated from the service provider’s own data as well as that of other clients;
• guarantee that customer data processed by the service provider remains accessible to both the financial institution and the FSC upon request;
• conduct regular examinations and supervision of the service provider’s operations, either through external audits or internal review processes; and
• in the event of a foreign financial regulator seeking information concerning Taiwanese customers from the service provider, notify the FSC and obtain its prior approval before any disclosure is made.

Critical consumer information system outsourcing

Pursuant to the Outsourcing Regulations, a financial institution must obtain prior approval from the FSC before outsourcing any critical consumer information system to a service provider located outside of Taiwan. This approval is a prerequisite for engaging such service providers to perform outsourcing services. Additionally, the service providers engaged by financial institutions are required to submit all documentation requested by the FSC to facilitate the approval process.

Criteria for critical consumer information system

The FSC has issued explanatory guidance to clarify the application of the Outsourcing Regulations. This guidance outlines key factors that financial institutions should consider when assessing the criticality of an outsourcing arrangement, including but not limited to:

• whether the outsourced function constitutes a core component of the institution’s business operations;
• the potential impact of the outsourcing on the institution’s earnings, solvency, liquidity, funding capacity, capital adequacy and overall risk profile;
• the extent to which service disruptions or data breaches could affect the institution’s reputation, operational objectives, customer rights or counterparties, or the stability of the broader financial market;
• the costs associated with the outsourcing services;
• the costs involved in transitioning to an alternative service provider should the original arrangement fail;
• the aggregate exposure of risk to a single service provider when multiple operations are consolidated under one vendor; and
• the financial institution’s capacity to maintain effective internal controls and comply with regulatory obligations throughout the outsourcing relationship.

Documents to be submitted to the FSC for approval and financial institutions’ additional obligations

Key documents include, but are not limited to:

• internal policies for engaging an outsourcing arrangement;
• board meeting resolution document;
• the necessity and legal compliance analysis;
• outsourcing arrangement proposals, including risk analysis and management, customer data protection mechanisms, cybersecurity and contingency plans;
• outsourcing agreements; and
• a statement from the service provider certifying no major fraud, security or operational incidents over the past three years.

Additionally, the financial institution must adhere to further obligations, including performing security examinations of its information systems at prescribed intervals. It should also conduct, or engage qualified third parties to conduct, both general and special examinations annually. Furthermore, outsourcing agreements must clearly outline the responsibilities related to the transition of outsourced services, as well as the penalties applicable in the event of service failures.

In addition to what has been established under the CSMA and its relevant regulations, the FSC, along with the associations of various financial institutions (eg, the Bank Association, the Insurance Association and the Securities Association), has announced several self-regulatory rules and guidelines to maintain the cybersecurity resilience of the financial institutions’ ICT systems. For instance, the Banking Association has stipulated the Resilience Standards for Information Operations of Financial Institutions (Resilience Standards), which have been submitted to the FSC for its reference.

According to the Resilience Standards, financial institutions must establish specific practices. Key provisions include the following.

• Governance: (i) establish a business continuity management unit, with appropriate manpower and budget, to promote, co-ordinate and review business continuity management matters; and (for subsidiaries or branches of foreign financial institutions) (ii) compare the provisions of the resilience regulations of the parent company’s jurisdiction with Taiwan’s regulations, and adopt the stricter provisions.
• Risk management: (i) identify critical business, critical ICT and important supporting information systems on an annual basis – additionally, the business should execute a business impact analysis (BIA) and produce the specific results (eg, the recovery time objective (RTO) and the recovery point objective (RPO)); and (ii) based on the analysis result, establish a backup and redundancy mechanism.
• Incident management obligations: (i) establish a business continuity plan (BCP), identifying the risk scenarios that could interrupt the critical business and critical ICT systems, and enactment of the response plan; and (ii) perform annual drills to verify the implementation of the BCP and determine if the recovery mechanism successfully met expectations (such as the RTO and RPO).

For incident reporting, the FSC has also stipulated corresponding regulations. For instance, the Reporting Procedures and Other Compliance Matters for Financial Institutions on Material Incidental Events (Reporting Procedures) stipulate that when a bank encounters a material cybersecurity incident (material cybersecurity incident), the bank should, within 30 minutes after confirmation of the incident, notify the FSC through the designated channel. Within seven days upon reporting the incident, the bank should provide detailed information (eg, investigation result, handling and improvement mechanism) to the FSC.

Public information concerning enforcement actions involving critical ICT service providers remains limited. Nonetheless, certain cases addressing operational resilience obligations merit consideration.

Taishin International Bank Fined TWD6 Million for Internal Control Deficiencies in Debt Collection and Credit Card Billing

On 8 May 2025, the FSC fined Taishin International Bank TWD6 million for violations of paragraphs 1 and 3, Article 45-1 of the Banking Act. The penalty was issued following a regulatory investigation into systemic errors that led to incorrect mailing addresses for debt collection letters and the misplacement of credit card billing data.

The FSC stated in its disposition that Taishin Bank had failed to establish an adequate internal control system and had not effectively implemented its operational procedures. The investigation revealed that the bank lacked robust testing and verification mechanisms for information system changes and failed to provide effective oversight of its outsourced service providers. Specifically, in November 2024, an equipment malfunction at an outsourced vendor caused the transaction details of 358 customers to be printed on the wrong billing statements. The FSC found that Taishin Bank had not ensured that the vendor maintained an effective error-verification mechanism prior to mailing.

The FSC imposed the fine and demanded that the bank rectify its internal control and audit systems.

Investigation of the First Commercial Bank Security Breach

In July 2016, the ATM network of First Commercial Bank in Taiwan was hacked, which made selected ATMs spew cash out to 12 waiting “bagmen”. More than USD2.63 million was stolen through the 41 ATMs. While the police department worked on finding the bagmen, the Investigation Bureau, under the Ministry of Justice, which is responsible for investigating computer crimes, handled the digital forensics of the breached ATMs and located the installed malware. After the investigation wrapped up, about USD2.44 million was recovered by the police. Though 22 suspects from nine countries involved, only three were apprehended and indicted for fraud, in September 2016.

The FSC pointed out that First Bank did not provide sufficient cybersecurity protection to its ATMs and network, and thus imposed a TWD10 million fine on the bank and suspended its cardless withdrawal services until it improved its system.

Cathay United Bank Fined TWD12 Million for Repeated Electronic System Breakdowns

On 29 December 2022, Taiwan’s FSC fined Cathay United Bank TWD12 million for breakdowns of its ATM and internet banking electronic systems. The FSC further reduced the salary for the bank’s president Lee Wei-cheng by 30% for a period of three months and is requiring the bank to increase operational risk capital.

The FSC stated in its disposition that Cathay United Bank had not properly prepared an emergency response mechanism in the event of an incident like a breakdown of electronic systems and had not properly established or implemented an internal control system.

Cathay United Bank has previously been fined TWD2 million for four ATM system failures that occurred between 2020 and 2021. The FSC increased the fine to TWD12 million for the current case, which represents the highest penalty ever issued in Taiwan’s history for the breakdown of a bank’s electronic system.

According to Article 17 of the Outsourcing Regulations, financial institutions, when outsourcing services outside of Taiwan, should meet certain requirements. Key provisions include:

• maintaining a clear understanding of the service provider’s data usage, processing and control measures;
• ensuring that customer data is distinctly segregated from the service provider’s own data as well as that of other clients;
• guaranteeing that customer data processed by the service provider remains accessible to both the financial institution and the FSC upon request;
• conducting regular examinations and supervision of the service provider’s operations, either through external audits or internal review processes; and
• in the event of a foreign financial regulator seeking information concerning Taiwanese customers from the service provider, notifying the FSC and obtaining its prior approval before any disclosure is made.

At present, there are no legislative frameworks explicitly dedicated to penetration testing. However, publicly available information indicates that the FSC has previously implemented a penetration testing plan as part of its cybersecurity assessment operations for banks’ computer systems. It appears that these penetration testing requirements are grounded in the FSC’s supervisory authority.

The CSMA does not impose the same level of security-by-design obligations for specific ICT products and services as the Cyber Resilience Act (CRA) in the EU. That being said, the competent authorities of specific sectors have issues with product-focused guidelines. Specifically, the FSC has, mostly through co-operating with the financial industry association, announced various cybersecurity rules governing financial institutions’ use of certain products and services.

For instance, the Banking Association has stipulated several product/service-specific regulations, such as e-bank services, electronic signatures, mobile debit cards, internet of things (IoT) products and AI, in the Regulations Governing the Security Control of IoT Equipment Used by Financial Institutions. The Insurance Association and the Security Association have established similar guidelines for various products/services for their members to adopt.

Additionally, pursuant to the authority granted by Article 42 of the Telecommunications Management Act, the NCC has issued the Technical Specifications for Cybersecurity Testing of Critical Telecommunications Infrastructure ICT Equipment, which were subsequently amended by MODA (Cybersecurity Testing of Critical Telecommunications Infrastructure – CTCTI) to outline the technical standards for firewalls, switches and routers with ethernet interfaces installed at critical connection points (ie, those linking various core functions within critical telecommunications infrastructure, and those connecting critical telecommunications infrastructure with other operators’ public telecom networks) within facilities (critical telecommunications infrastructure equipment).

Exhibit 10 of Regulations on Classification of Cyber Security Responsibility Levels provides some requirements for entities subject to the CSMA to ensure the integrity and the availability of their information systems. For example, entities with a defence standard classified as “high” are required to implement at least the following control measures:

• the cyber system should adopt automatic tools to monitor the access of communication flows and, if unusual or unauthorised activities are found, conduct an analysis of such activities;
• conduct an inspection of the integrity of software and information;
• use integrity verification tools to detect any unauthorised change of specific software and information;
• examine the legitimacy of input data of users on the server terminal of the application system; and
• if any violation of integrity is found, implement the security protection measures designated by the agencies.

Financial Sector

For the financial sector, the regulations issued by the FSC and relevant financial industry associations vary significantly across products and services. This variation reflects the distinct needs of the industry as well as the differing levels of complexity inherent to each product or service. That being said, to ensure that financial institutions maintain a consistent baseline of system security, the Banking Association has promulgated the Measures for Financial Institutions to Conduct Information Security Assessments of Computer Systems (the “Security Assessment Measures”) and the Information Security Standards for Financial Institution Systems (the “Security Standards”). Some of the relevant key requirements are as follows.

Vulnerability management

The Security Assessment Measures establish a three-tiered framework for assessing computer systems based on their criticality – specifically, whether the system provides automatic customer access, requires human intervention or offers no access at all. Systems classified as Level 1 must undergo an annual assessment, Level 2 systems require assessment every two years and Level 3 systems are assessed every five years. Furthermore, the Security Assessment Measures impose specific obligations regarding vulnerability management. Additionally, financial institutions are required to conduct vulnerability scans and remediation for network equipment, servers and terminals, as well as targeted penetration testing for websites.

Patching and updates

According to the Security Assessment Measures, security assessments must include a review of security configurations, which entails verifying the update settings and current patch status of operating systems, antivirus software, office applications and related components. The frequency of these assessments aligns with the tiered schedule described in the foregoing. Notably, if a system experiences a material information security incident, a re-assessment must be completed within three months to address any potential vulnerabilities.

Post-market surveillance of products

The Security Standards mandate that financial institutions implement surveillance systems capable of early detection of anomalies. Additionally, system log data must be retained for a sufficient period to support audit trails and investigations.

Conformity assessment requirements

The Security Assessment Measures require that security assessments verify compliance not only with the Security Standards but also with the Standards for Safety Control of Electronic Banking Business.

Telecommunications

For the telecoms sector, the CTCTI outlines the general technical standards for testing CTI equipment in various respects, such as access control, audit and system vulnerability, as well as specific standards for each category of critical telecommunications infrastructure equipment (CTE) based on the nature of their operation. Key provisions include the following.

Vulnerability management

The CTCTI specifically references the vulnerabilities database provided by the National Institute of Standards and Technology (NIST) and the European Network and Information Security Agency (ENISA) for testing institutions to adopt when conducting vulnerability scanning. Additionally, the CTCTI utilises the common vulnerabilities and exposures (CVE) and common vulnerability scoring system (CVSS) for vulnerability management. For instance, CTE is prohibited from containing known vulnerabilities with a CVSS score of 7.0 or higher.

Patching and updates

For certified equipment, if a new vulnerability with a CVSS score of 7.0 or higher is later discovered, the manufacturer, importer, reseller or agent should submit a patch test report within 90 days of the disclosure of the said vulnerability.

Conformity assessment requirements

The CTCTI requires the external assessment to be conducted and tested by the accredited laboratories. The scope of testing covers a range of technical standards, including, but not limited to, the level of access control, the required components of security logs, encryption standards such as TLS 1.2 and AES-128 or above, as well as performance stability during an eight-hour anomalous traffic stress test (for firewall and router systems).

For government agencies and specific non-government agencies that are subject to the CSMA, the Regulations on Classification of Cyber Security Responsibility Levels classify their responsibilities into five levels (A–E) and prescribe the security requirements for each level in terms of management, technical measures, and awareness and training.

For government agencies and “specific non-government agencies”, each of the competent authorities for those agencies has issued guidelines in which ISO27001 is referred to and recommended. However, there is no reference to specific cybersecurity obligations that shall be imposed on government agencies or specific non-government agencies.

The specific cybersecurity obligations vary among industries. For instance, operators in the telecommunications industry are required to obtain ISO/IEC 27001 and ISO/IEC 27011 certifications, while financial institutions are required to meet the security standards stipulated by the relevant competent authorities.

According to Article 11 of the CSMA, the information security responsibility levels are classified into Level A, Level B and Level C agencies, which should respectively allocate at least four, two and one dedicated information security personnel. Each personnel must hold at least one professional information security certification. The Administration for Cyber Security has continuously updated a list of recognised information security certification on their website.

Data Breach Notification

According to the Personal Data Protection Act (PDPA), if personal data is involved in a data breach incident, either a public agency or a non-public agency shall inform the affected data subjects of the incident as soon as it investigates the same. In the notice to the data subjects, the relevant facts concerning the incident, such as what data was stolen, when the incident happened, the potential suspects with regard to the breach and the remedial actions that have been taken, shall be described. The PDPA does not set forth any threshold for the notification to the affected data subjects.

Technical and Organisational Measures (Including Data Breach Report)

The Taiwanese government has implemented a decentralised approach to supervise compliance with the PDPA. Under this approach, central government authorities in various industries, as well as local governments, are granted supervisory power to enforce specific provisions outlined in the PDPA, such as stipulating rules with regard to technical and organisational matters for the industry sectors under their purview, as well as requiring data controllers to report data security incidents to them via a designated form (normally within 72 hours).

Under the designated form, the report should normally include the following information:

• basic details of the reporting entities (such as the entity’s name, the notifier’s name and contact information);
• the time the incident occurred;
• the type of incident (including the volume of personal data affected);
• the cause of the incident, damage status and potential consequences;
• the response measures planned or implemented; and
• the anticipated timeframe and method for notifying affected data subjects.

Currently, the threshold for reporting a data breach varies across different industry sectors. Depending on the rules imposed by the competent authorities, some sectors do not have any threshold, while others may base reporting requirements on the incident’s severity or the number of affected data subjects.

Amendments to the PDPA and the Establishment of the PDPC

On 11 November 2025, the PDPA underwent another round of amendments, with the effective date to be set by the Executive Yuan. The amended PDPA mainly addresses the responsibilities of the soon-to-be-established Personal Data Protection Commission (PDPC) and its succession of power from other government authorities, becoming the only competent authority under the PDPA. According to the amended PDPA, the PDPC, after its establishment, will introduce a new rule regarding technical and organisational matters, including certain cybersecurity requirements relevant to personal data protection, which generally applies to all entities subject to the PDPA.

On 14 January 2026, the Artificial Intelligence Basic Act (the “AI Basic Act”) was formally promulgated and took effect. While the AI Basic Act is primarily principle-based and does not impose specific mandatory requirements, it establishes a foundational legal framework empowering government authorities to develop further regulations. For instance, under the AI Basic Act, government authorities should enhance data governance by minimising unnecessary collection, processing or use of personal data, while integrating data protection principles into the design of AI systems. Moreover, throughout the research, development and deployment of AI, appropriate cybersecurity measures must be implemented to guard against security threats and attacks, thereby ensuring the integrity and safety of AI systems. Furthermore, MODA is tasked with adopting international standards to create an AI risk classification framework and supporting competent authorities of various industries in establishing risk-based management rules.

In addition to the AI Basic Act, certain sectors have guidelines for implementing AI technology. Key guidelines are as follows.

The FSC and relevant financial industry associations have issued guidelines governing the use of AI in the financial sector. Notably, the Operational Guidelines for Financial Institutions Using Artificial Intelligence Technology (the “FSC AI Guidelines”), published by the Banking Association, require financial institutions to uphold the principle of fair treatment throughout all stages of AI algorithm development and deployment in financial services. Furthermore, during the AI model training phase, institutions must safeguard the integrity and security of AI models and algorithms by implementing robust measures such as data quality control, model validation and ongoing monitoring. The FSC AI Guidelines align with existing cybersecurity and data protection requirements, while also introducing specific obligations tailored to the responsible use of AI technology in the financial industry.

The Executive Yuan has promulgated the Guidelines for the Application of Artificial Intelligence in National Critical Infrastructure (the “CI AI Guidelines”), which are designed specifically for the competent authorities overseeing industry sectors and the critical infrastructure providers under their supervision.

The CI AI Guidelines establish recommended risk categories for the deployment of AI technologies and require the adoption of appropriate mitigation measures. In cases where no effective measures exist, the use of AI may be prohibited. Additionally, the CI AI Guidelines enhance the obligations set forth by the CSMA and the relevant regulations regarding the implementation of AI. For instance, regulated entities should incorporate safety design principles during the design phase of the product development life cycle. For incident reporting, the CI AI Guidelines adhere to the Regulations on the Notification and Response of Cyber Security Incident, mandating that incidents be reported within one hour of discovery. Similar to the FSC AI Guidelines, the CI AI Guidelines align with existing cybersecurity and data protection requirements.

The MOHW, under the authorisation of the CSMA, has issued the Regulations for Information Security Management of Specific Non-Government Agencies under the MOHW (the “MOHW Regulations”). The MOHW Regulations set forth clear and detailed requirements that designated non-government agencies must follow when developing and executing their cybersecurity maintenance plans.

In addition, on 19 December 2025, the Regulation on Management of National Health Insurance Data (the “NHI Data Regulation”) was formally promulgated, with its effective date to be determined by the Executive Yuan. The Regulation establishes comprehensive standards governing the collection, processing and use of National Health Insurance (NHI) data. From a cybersecurity standpoint, the NHI Data Regulation mandates that applicants seeking access to NHI data implement specific cybersecurity measures and comply with the directives issued by the MOHW and the National Health Insurance Administration (NHIA). Additional requirements are expected to be issued by the MOHW in due course.

For hospitals, the MOHW has promulgated the Guideline for Cybersecurity Protection in Primary Healthcare Facilities. This guideline outlines various recommendations for healthcare institutions, specifically primary care clinics and regional hospitals with limited budgets and awareness of cybersecurity, with respect to the implementation of certain measures for protecting patient data and operations. Key recommendations include immediate incident reporting for threats, requiring a security clause in procurement contracts and proof of vendor cybersecurity certification or training.

For medical devices, the MOHW has published two guidelines concerning security requirements.

• The Guideline on Medical Device Inventory Management and Risk Assessment: This guideline is merely advisory, and is aimed at helping information security staff and medical device managers in hospitals identify and assess the risks of medical devices so that they can take appropriate protective measures and lower security risks at hospitals.
• The Guideline on Cybersecurity of Medical Devices Applicable to the Medical Device Manufacturer: This guideline covers cybersecurity issues that manufacturers of medical devices should consider during product design, product development and application for market approval – and after the product is launched on the market. This guideline is also purely advisory, and is published to help manufacturers ensure the cybersecurity of their medical devices. However, it also notes that the MOHW examiner might ask a manufacturer to provide other documents that are not required in the guideline.

Both guidelines will be updated from time to time to adapt to technological advances.