There is currently no specific legislation governing the digital economy. Instead, operators in digital economy sectors must remain mindful of various applicable laws and regulations, including the Consumer Protection Act, the Fair Trade Act, and the Personal Data Protection Act (PDPA).

It is worth noting that as public use of internet services continues to grow, competition issues in this sector have attracted the attention of the regulator, the Taiwan Fair Trade Commission (TFTC). In 2022, the TFTC published its White Paper on Competition Policy in the Digital Economy, which addresses several potential antitrust concerns related to digital platforms. In addition, the competent authority for telecommunications, the National Communications Commission (NCC), is also considering the introduction of specific legislation to address practical issues in the digital services market, drawing on the experience of other jurisdictions ‒ such as the EU’s Digital Services Act. However, there is currently no clear timeline for the promulgation of such draft legislation.

Passage of the Dedicated Food Delivery Legislation

On 6 January 2026, the Legislative Yuan passed the Delivery Workers’ Rights Protection and Delivery Platform Management Act, providing Taiwan’s delivery industry with its first central-level specialised legislation. Among others, the Act requires delivery platforms to set up a complaint system, allowing delivery workers to raise concerns about pay, account suspensions or contract terminations, and disputes with co-operating businesses or customers. It is expected that the market will undergo a period of adjustment, including cost redistribution, revision of order assignment logic, and a restructuring of platform operating models.

Anti-Fraud Obligations of E-Commerce Operators

In response to the rising number of fraud cases, the Taiwan government enacted and implemented the Fraud Crime Hazard Prevention Act (FCHPA) in 2024. The FCHPA imposes various preventive obligations on relevant industries and business operators, including telecommunications enterprises, third-party payment service providers, online advertising platform operators, and e-commerce operators.

With respect to e-commerce operators, the FCHPA provides that when an e-commerce operator is notified by the judicial police or the competent authority responsible for the relevant business that its services are suspected of being involved in fraudulent activities, the e-commerce operator must co-operate with the judicial police or the competent authority in handling the matter. Furthermore, the e-commerce operator is required to suspend the provision of services to users whose accounts are suspected of involvement in fraudulent activities within a reasonable period.

Taiwan imposes a 5% business tax on digital services. For offshore e-commerce operators, in B2C transactions, when the annual sales of digital services to individuals in Taiwan exceed TWD600,000 (the threshold to be raised starting from April 2025), the offshore e-commerce operator is required to apply for tax registration in Taiwan and issue cloud invoices.

For domestic individual sellers/influencers, if their monthly sales of digital services (such as online courses, advertisements, or paid subscriptions) exceed TWD50,000, or if their sales of physical goods exceed TWD100,000, they must complete tax registration.

According to the new regulations for influencers, effective from 1 January 2026, platform operators (such as YouTube and Patreon) that have completed tax registration in Taiwan will be deemed as tax withholding agents when making payments to Taiwanese influencers, and will be required to report and withhold income taxes in accordance with the law. The applicable withholding tax rate will vary depending on the type of services provided by the Taiwanese influencers.

On 10 September 2025, Taiwan’s Ministry of Finance promulgated the Operational Guidelines for the Levy of Business Tax on Individuals Regularly Publishing Creations or Sharing Information Online (the “Guidelines”). These Guidelines provide a unified basis for tax registration and business tax filing for individuals (“Influencers”) who regularly publish creations or share information online (including but not limited to social media, video platforms, and online media, “Platforms”), as well as for Platforms that broadcast advertisements or provide related paid services using the content created by such Influencers.

The Guidelines specify that domestic Influencers who have a physical fixed place of business in Taiwan, possess a business licence, employ personnel to assist with sales matters, or conduct sales via the internet, and whose monthly sales reach the business tax threshold (ie, currently TWD100,000 for goods and TWD50,000 for services), must complete tax registration. According to the Ministry of Finance, as this is a new tax regime for emerging Influencer transactions, and considering that Influencers and Platforms may not be familiar with the relevant regulations at the initial stage of implementation, a counselling period has been set until 30 June 2026. During this period, Influencers and Platforms who fail to comply with tax registration, invoice issuance and delivery, or business tax filing requirements will be exempt from penalties under the relevant regulations.

Under the authorisation of the Consumer Protection Act, the competent authority for digital services, the Ministry of Digital Affairs (MODA), has promulgated the Required and Prohibited Terms for Standardised Online Retail Contracts (“Regulations”). Among others, the online retailers are required to disclose the following information:

• information on the business operator”;
• principle of interpretation of standardised contract clauses (if there is any ambiguity in these contract clauses, the interpretation shall be made in favour of the consumer);
• product information;
• right of return and contract termination; and
• personal data protection, etc.

Therefore, it is advisable for e-commerce operators to align their terms of use with the Regulations. 

The consumer protection mediation mechanism in Taiwan is primarily based on the Consumer Protection Act. If a consumer has a dispute with a business operator, they may file a complaint or apply for mediation directly through the online complaint system of the local government.

Procedure

• Complaint (first step): the consumer raises a dispute, and the business operator must address it within 15 days.
• Mediation (second step): if the complaint is not properly resolved, the consumer may apply for mediation.

If mediation is unsuccessful, the consumer must still pursue compensation from the business operator through civil litigation.

Based on local practice, TMT companies are inclined to first negotiate with the consumers and seek to reach a consensus during the mediation process, unless the consumers’ claim is unreasonable or the amount involved is substantial.

In Taiwan, cryptocurrencies are legal but regulated primarily as highly speculative “virtual commodities”.

Please note that on 25 March 2025, Taiwan’s Financial Supervisory Commission (FSC) introduced the draft Virtual Asset Service Act (the “Draft Act”) to strengthen the operation and development of virtual asset businesses in Taiwan. The Draft Act mandates that Virtual Asset Service Providers (VASPs) must obtain approval from the FSC for their operations, establishing branches (including branches set up in Taiwan by foreign VASPs), opening physical business locations, or providing automated services. VASPs are prohibited from concurrently engaging in any businesses not approved by the FSC. However, financial institutions may, with the FSC approval, concurrently provide virtual asset services.

The Draft Act further requires that VASPs must include virtual asset-related words in their official names, and their responsible persons and personnel must meet the qualification requirements prescribed by the FSC. VASPs are also required to meet the minimum capital requirement, provide an operation bond, and are subject to limits on total liabilities. In terms of internal control and audit, VASPs must implement information security management system, operational data management and confidentiality policies, and business continuity plan. The Draft Act also regulates the outsourcing of operations by VASPs. Given that stablecoins involve receiving funds from the public, the Draft Act requires stablecoin issuers to obtain approval from the FSC before issuance. Issuers must also maintain sufficient reserve assets in domestic financial institutions, including fully funded reserve accounts to back the stablecoin issuance.

There is currently no specific legislation governing edge computing in Taiwan, but different sectors’ use of cloud services may be subject to additional regulations. 

When government agencies establish or utilise cloud services, they should refer to the Reference Guidelines for Information Security in Cloud Services Applications for Government Agencies, which includes common cybersecurity management planning, IaaS, PaaS, SaaS, and cybersecurity control measures for self-built cloud services, among others.

For financial institutions, they are subject to the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operations (“Outsourcing Regulations”). Pursuant to Paragraph 6, Article 19 of the Outsourcing Regulations, if a financial institution has its user data processed by cloud service provider, the following rules shall be observed:

• the financial institution shall retain the right to designate the location for the processing and storage of the data;
• the local data protection regulations at the offshore location shall be no less rigorous than the requirements of Taiwan; and
• as a general principle, the storage location of user data related to significant retail financial business information systems should be within Taiwan ‒ if located abroad, except as approved by the competent authority, important user data should have a back-up retained within Taiwan.

Furthermore, according to Article 18 of the Outsourcing Regulations, when a financial institution outsources material operations related to retail financial business information systems to overseas service providers, it is required to submit certain documents to the competent authority, the FSC for its prior approval.

On 14 January 2026, the Artificial Intelligence Basic Act (the “AI Basic Act”) was officially promulgated and entered into force. The AI Basic Act aims to:

• build a smart nation;
• promote human-centric AI research and development (R&D) and industry development;
• safeguard fundamental rights; and
• ensure digital equality and sustainable social development.

As the statutory framework for regulating and promoting AI in Taiwan, the AI Basic Act sets key standards and guiding principles.

According to the Copyright Act, the original video may qualify as an audiovisual work protected under the Copyright Act. In principle, the economic rights to such a work are vested in the individual who filmed the video or the company that produced it. Therefore, if a third party, without the consent or authorisation of the copyright holder, exploits the content of the video by employing deepfake technology to alter facial features and subsequently disseminates the modified video via the internet or social media, such conduct may constitute an infringement of the rights of “reproduction” and “public transmission” under copyright law. The infringer may be subject to criminal liability. The copyright holder is entitled to initiate legal proceedings against individuals who produce or distribute deepfake videos for both civil and criminal liability, thereby safeguarding their copyright.

As for the victim whose facial image has been transplanted in the video, since the replaced element pertains to the individual’s facial features, this raises issues concerning the right of portrait. The victim may raise a claim for infringement of portrait rights pursuant to the provisions on legal personality under the Civil Code.

In Taiwan, there is currently no specific legislation governing the internet of things (IoT). Nevertheless, IoT communications typically require the use of radio frequencies, and users of such frequencies may be subject to regulation under the Telecommunications Management Act (TMA) and related legislation.

With the ongoing advancement of 5G technology, 5G Mobile Broadband Dedicated Telecommunications Networks (“5G Dedicated Networks”) are anticipated to play a pivotal role in enabling applications such as the IoT, big data, and AI.

To facilitate this development, Taiwan has designated the 4.8–4.9 GHz frequency band for use by 5G Dedicated Networks. In June 2023, the MODA promulgated the Regulations Governing the Establishment and Use of 5G Dedicated Telecommunications Networks (“5G Dedicated Networks Regulations”). Pursuant to these regulations, enterprises may apply for the allocation of frequencies to establish and operate their own dedicated 5G networks for internal purposes.

According to MODA’s website, as of July 2025, a total of 124 applications have been approved, with more than 88 networks already built and officially licensed. Most of these networks are being used for smart factory applications.

According to the 5G Dedicated Networks Regulations, where an applicant intends to establish a base station whose radio coverage area is adjacent to or overlaps with the coverage area of an existing network or the interference protection co-ordination zone of an existing station, the applicant must obtain the consent of the existing operator prior to submitting the application. Furthermore, the applicant is required to submit a spectrum harmonisation and sharing agreement or other relevant consent documents at the time of application.

In addition, should the frequencies utilised by the operator’s base station be subject to interference from other pre-existing and lawfully established radio stations, the operator is responsible for co-ordinating directly with the relevant parties to resolve the matter. Conversely, if the operator’s base station causes interference to the frequencies of other pre-existing and lawfully established radio stations, the operator must employ effective technical measures to mitigate such interference. Where necessary, the operator shall suspend the operation of the affected base station until the interference has been rectified.

At present, there are no specific laws that address data sharing in the context of IoT companies. The issue of data sharing would largely depend on whether the data is related to personal data. If it is, then the PDPA would apply.

In view of the rapid development of the media industry and the different regulatory needs of businesses within the industry, Taiwan’s media law adopts a decentralised legislative framework. There is no comprehensive codified source of media law in Taiwan, but several laws and acts regulate the media industry. Taking pay TV for example, currently, Taiwan regulates pay TV through three laws, including the Cable Radio and Television Act, the Radio and Television Act, and the Satellite Broadcasting Act. The Radio and Television Act governs terrestrial broadcasting; the Cable Radio and Television Act governs the cable broadcasting sector; and the Satellite Broadcasting Act governs satellite broadcasting.

With the development of technology and communications, over-the-top (OTT) services that are being provided via the internet have not only gradually impacted the existing industries, but have also brought various challenges for regulatory bodies. It is noted that at present, the NCC does not yet regulate OTT television being provided online. In order to respond to the expanding OTT industry, on 15 July 2020, the NCC passed the draft of Internet Audiovisual Service Management Act (“draft Act”).

The draft Act immediately sparked controversy upon its announcement. Given the diverse views on the draft Act, the OTT TV-related regulations have not been formally implemented since the draft Act was proposed in 2020. It is important to highlight that the term “Internet audiovisual service” defined in the draft Act refers to the service where the edited and filtered video content is provided by a service operator in its name to local viewers through the internet for the operator’s profits. That is, User Generated Content (UGC) and shared information on social media platforms, such as Facebook, YouTube, or Instagram, are not subject to the supervision, since the aforesaid content is mainly edited and uploaded by the users themselves, rather than by the service operator.

The telecommunications industry in Taiwan is governed by the TMA. Under the TMA, businesses are not required to obtain a telecommunications licence prior to providing telecommunications services. Furthermore, unless certain conditions stipulated under Article 5 of the TMA are met, an operator providing telecommunications services may elect whether or not to register as a telecommunications operator with the government agency, NCC. It should be noted that, under Taiwan law, purely IT-based services that utilise existing network connectivity are generally not considered telecommunications services, and thus are not subject to any telecommunications operator registration requirements.

In particular, Paragraph 1, Article 5 of the TMA provides that “Any entity that provides telecoms services and engages in any of the following activities shall register itself as a telecommunications operator with the NCC:

• negotiate interconnection with other telecommunications enterprises or apply for a ruling in connection therewith;
• apply for the assignment of a radio frequency outside Article 56;
• apply for the assignment of identification code or signal point code for establishing a PSTN; or
• apply for the assignment of subscriber numbers.”

Furthermore, according to newly added Paragraph 2, Article 5 of the TMA Amendments, (i) service providers engaging in wholesale, by leasing or purchasing telecommunications services bundled with subscriber numbers from other telecoms operators (who have been allocated subscriber numbers), and reselling such services to subscribers in their own names (the “Resellers”), and (ii) service providers offering internet access services (IASPs), are required to complete telecoms operator registrations.

The current TMA does not explicitly establish specific provisions under the heading of “net neutrality.” Nevertheless, the TMA and the NCC’s policies still encompass regulations that reflect the spirit of net neutrality.

• Principle of Fair Service Provision: the TMA requires telecommunications enterprises to provide services fairly and prohibits any improper discriminatory conduct.
• Protection of Consumer Rights: through mechanisms such as the telecoms service quality indicators or tariff management regulations, telecoms operators are not permitted to arbitrarily block or significantly throttle the internet speed of specific lawful services without proper disclosure.
• Universal Service and Access Rights: Article 12 of the TMA stipulates that telecommunications enterprises shall share the responsibility for universal service, aiming to ensure that all citizens have fair opportunities to access information. 

In the era of 5G networks, in addition to public telecommunications networks for the general public, many enterprises are also seeking to establish their dedicated telecommunications networks (DTN). According to the Regulations Governing the Establishment and Use of Dedicated Telecommunications Networks, a DTN is a telecommunications network that consists of radio station(s) and established with radio frequencies allocated by the MODA for private use, which means the establishment in one’s own name for its internal purposes only. DTNs come in various forms, such as experimental networks, public service networks, or private networks. As a general rule, a DTN applicant must clearly explain the purpose and necessity of their application. The frequency intended for use must be reviewed and approved by MODA to ensure there is no potential interference before it can be allocated.

Compliance with the EU GDPR can sometimes present significant challenges. Foreign regulations such as the EU GDPR do not have direct applicability in Taiwan. Although the PDPA shares certain features with the privacy frameworks of the EU and other foreign jurisdictions, it is not identical to the GDPR. Parties entering into technology contracts in Taiwan are generally not required to comply with foreign data protection regimes. However, they may elect to do so if either party falls within the jurisdiction of foreign data protection laws, or if the parties have adopted higher internal corporate governance standards.

As a general principle, parties to technology contracts in Taiwan enjoy contractual freedom and may independently negotiate and agree upon the relevant specifications and standards. Restrictions are more commonly encountered in the context of public procurement or government contracts. For example, public authorities may impose limitations on the nationality of developers or require that servers be located within Taiwan when procuring IT services.

At present, aside from specific statutory requirements applicable to certain regulated sectors (such as financial services or telecommunications), there are no general legal requirements governing technology outsourcing arrangements for non-governmental entities in Taiwan.

The TMA imposes a series of consumer protection obligations on telecommunications service providers, such as the following.

• Transparent disclosure: providers must clearly and publicly disclose key consumer information, including service terms, network quality, and data traffic management practices and conditions, in a manner that is easily accessible to consumers.
• Separation of charges: charges for telecommunications services must be clearly separated from those for non-telecommunications services. Providers are prohibited from suspending telecommunications services on the grounds of non-payment of non-telecommunications service fees.
• Dispute resolution mechanisms: providers are required to offer accessible channels for users to file and resolve consumer disputes.

Telecommunications enterprises that reach a certain scale or user base are required to submit their standard form contracts to the NCC for approval. These standard form contracts must, at a minimum, address the following:

• the business area and scope of services provided;
• service tariffs and applicable conditions;
• performance guarantee obligations for prepaid services;
• procedures and tariff deductions in the event of network failures, disruptions, errors, delays, or interruptions that result in user losses;
• tariff deduction mechanisms for users in cases where the provider’s registration is revoked or terminated, or where business operations are suspended or ceased, resulting in user detriment;
• information on dispute resolution, complaint procedures, and the competent court for jurisdiction;
• restrictions and conditions on the collection, processing, and use of users’ personal data;
• mechanisms for confirming or cancelling trial or complimentary telecommunications services; and
• preservation of users' negotiation rights.

Despite the statutory obligations outlined above, both individual users and enterprise customers retain the right to negotiate more favourable terms with telecommunications service providers.

Taiwan’s electronic signatures and digital identity schemes are primarily governed by the Electronic Signatures Act (ESA) and overseen by the MODA.

The ESA was significantly amended (“Amendments”) in 2024 to modernise digital transactions. Key amendments include the following.

• The Amendments clarify that electronic documents and signatures are legally equivalent to their paper and handwritten counterparts. If a physical document or signature is legally valid, its electronic version should be as well.
• To promote the broader use of electronic documents and signatures, the Amendments eliminate the need to obtain prior consent from the other party before using electronic forms. However, when electronic documents or signatures are used in legal transactions with another party, that party must be given reasonable notice and a way to object in advance.
• Due to previous uncertainty about whether commonly used international electronic signature platforms met the requirements under the ESA, the Amendments now authorise the MODA to issue official guidance on which types of electronic signature technologies are acceptable, and to update this guidance as needed.
• The Amendments remove the provisions that allowed administrative authorities to issue public announcements exempting certain matters from the ESA. Any existing administrative announcements exempting matters from the ESA will expire one year after the Amendments take effect, although this transition period can be extended for up to three years with approval from the MODA.

Furthermore, in March 2025, the MODA launched the “Digital Certificate Wallet” policy. The source code has been gradually released, and multiple regulatory adaptation meetings and seminars had been held to encourage nationwide participation in testing and discussion. The Digital Certificate Wallet launched by the MODA is neither a payment tool nor a digital ID card. Instead, it allows individuals to autonomously and securely store their digital certificates, such as Citizen Digital Certificates, National Health Insurance cards, and driver’s licences. In the future, people will only need to carry their mobile phones when going out, enabling them to quickly verify various certificates via their phones, thereby streamlining procedures such as ticket collection, prescription collection, or applying for a telecoms number.

Game operators are required to comply with the five-category game rating system established under the Protection of Children and Youths Welfare and Rights Act (“Children Protection Act”) and the Regulations of Game Software Rating Management (“Game Software Regulations”). In particular, all online games should be age rated, and the game publishers/developers or distributors/operators should register the age rating of their game on the database designated by the competent authority before publishing the game software.

PRC-developed or PRC-funded games are subject to additional registration requirements. If a PRC game will be operated in Taiwan, a local distributor or so-called agent operator should be appointed first. The agent operator should register the PRC game (eg, the age rating) on the game-rating platform by submitting the required documents.

Under this regulatory scheme for PRC games, the principal challenge lies in the fact that developers of PRC games are not permitted to operate or publish such games directly in Taiwan. Instead, they are required to authorise a local agent to act as the exclusive operator and to handle all related matters within Taiwan.

The MODA is the authority responsible for game software ratings and has the power to regulate the digital industry. Local competent authorities (eg, the Taipei City Office of Commerce) have the power to investigate the non-compliance with the rating requirements.

If the age rating does not comply with the Game Software Regulations, the game rating obligors should correct, take down or remove the content upon being notified by the central or local competent authorities. In addition, if Taiwan users may access or download a game software operated/provided overseas and the game rating obligors fail to comply with the requirements under the game software regulations, the competent authorities may (i) order the internet platform providers to restrict the access to or display of or remove such game; or (ii) order the local service providers/operators to cease providing such game.

In practice, MODA typically notifies major app platforms about games that have not properly completed content rating procedures. These platforms then independently inform the game developers and request that the necessary improvements be made.

The propriety rights in software are mainly provided under the Copyright Act and the Patent Act. The Copyright Act follows the principle of “protection upon creation,” which means that a work is protected as long as it possesses originality, without the need for registration or recordation. Protection under the Copyright Act arises automatically upon the completion of the work. “Computer program works” are among the categories of works protected under the Copyright Act of Taiwan. According to the Patent Act and the Examination Guidelines for Invention Patents Related to Computer Software, computer software is essentially regarded as one form of implementing an algorithm. Where computer software is an essential element of an invention for which a patent is sought, such invention is considered a computer software-related invention patent.

In the digital environment, both trade marks and copyrights remain protected under Taiwanese law. Pursuant to Article 5 of the Trade Mark Act, the definition of trade mark “use” expressly encompasses acts conducted via digital audio-visual means, electronic media, the internet, or other similar mediums. Furthermore, Article 95 of the Trade Mark Act stipulates that unauthorised use of a trade mark through electronic media or online platforms incurs the same criminal liability as traditional forms of infringement. Copyright protection similarly extends to works exploited in digital formats, with the scope of protection adapting to various modes of use. For instance, infringing acts in the digital context may include unauthorised public transmission or reproduction of copyrighted works, both of which are punishable under the relevant copyright provisions.

The Copyright Act provides a series of safe harbour provisions under Article 90-4 and subsequent articles, offering legal protection to network service providers for IP infringement of user-generated content (UGC), including access providers, caching service providers, information storage service providers, and search service providers. Under these provisions, network service providers who implement IP protection measures, whether through contractual arrangements, electronic transmission, automated detection systems, or other means, and who duly notify and suspend or terminate the accounts of infringing users, may be exempt from liability for damages arising from their users’ copyright infringements, provided that certain statutory conditions are met.

There are currently no laws that apply exclusively to social media. However, online platform providers must comply with various content moderation laws that govern internet content.

The general regulations governing content accessible to children (defined as individuals under 12 years old) and youth (defined as individuals under 18 years old) via the internet are stipulated in Article 46-1 of the Children Protection Act. According to this provision, it is prohibited for any person to: (i) distribute or transmit any material that may be detrimental to the physical or mental health of children or youth (“Harmful Content”); or (ii) permit children or youth to access or view any Harmful Content without implementing appropriate protective measures.

Furthermore, pursuant to Article 46 of the Children Protection Act, online platform providers are obligated to adopt protective measures (such as implementing an age rating system) to prevent children and youth from accessing or viewing Harmful Content. Upon notification by regulators, online platform providers are required to remove or restrict access to harmful content.

The digital industry, including social media platforms, is generally governed by the MODA. However, with respect to different regulations, the respective competent authorities have regulatory powers within their respective jurisdictions. For instance:

• the protection of children and youth falls under the authority of the Ministry of Health and Welfare (MOHW);
• the prohibition of tobacco advertising is within the purview of the Health Promotion Administration, MOHW;
• the regulation of food and drug advertisements is the responsibility of the Taiwan Food and Drug Administration, MOHW; and
• the regulation of advertisements for illegal meat products falls under the authority of the Ministry of Agriculture.

In addition to the power of each competent authority to impose fines on platforms pursuant to applicable regulations, Taiwan has incorporated the DNS RPZ (Response Policy Zone) mechanism into various statutes. This mechanism enables the restriction of access to specific unlawful content. For instance, with respect to child sexual exploitation material, fraudulent websites, or other illegal content requiring immediate enforcement, the competent authority may utilise the DNS RPZ mechanism to direct ISPs or IASPs to block the resolution of designated web content. Several competent authorities are also considering the inclusion of the DNS RPZ mechanism in individual statutes to further strengthen the regulation of online content.

In December 2025, the Ministry of the Interior determined that the PRC-developed Xiaohongshu app had an excessive number of fraud cases and posed cybersecurity concerns. Accordingly, pursuant to the Fraud Crime Hazard Prevention Act, the competent authority implemented measures to suspend internet resolution and restrict access to such social media services. As the relevant legal interpretations remain unclear, the implementation of such measures in certain cases warrants close observation of subsequent judicial review and court opinions.

In addition to the requirements set out under the PDPA, telecoms operators in Taiwan are also subject to the Regulations Governing the Security and Maintenance of Personal Data Files for Non-Governmental Agencies, as designated by the NCC. Under these regulations, telecoms operators must take into account the scale and nature of their business operations, and allocate appropriate management personnel and resources to plan and implement a personal data file security maintenance programme. This includes establishing procedures for the handling of personal data upon business termination. Furthermore, telecoms operators are required to formulate internal procedures for the management of personal data. Notably, where the collection, processing, or use of personal data is outsourced, operators must exercise appropriate supervision over the contractor, and the scope of such supervision must be clearly stipulated in the relevant outsourcing agreements or related documents.

In the event of a significant personal data breach, telecoms operators are obligated to notify the NCC within one hour of becoming aware of the incident, and to submit a formal report to the NCC within 72 hours.

Additionally, pursuant to the authority granted under the PDPA, the NCC has, since 2012, prohibited telecoms and communications service providers in Taiwan from transferring user personal data to Mainland China, citing the lack of comprehensive personal data protection legislation in China.

To promote consistency across relevant regulations and to ensure that the protection and management of personal data meet a certain standard, the competent authority under the PDPA, the Personal Data Protection Commission (PDPC), announced the draft Regulations for the Security Maintenance and Management of Personal Data Files (“Draft”) on 22 January 2026. The Draft provides both public and non-public agencies with a framework for developing internal management systems and security control measures, serving as fundamental guidelines for implementing personal data protection practices, as well as establishing the minimum requirements for the security maintenance of personal data files.

Notably, prior to the PDPC’s announcement of the Draft, several competent authorities ‒ including the MODA, which is the competent authority for digital media providers, had already promulgated their own regulations regarding the security maintenance and management of personal data files applicable to the industries under their supervision. As a result, compliance with these regulations can help address legal challenges related to user data protection, consent management, and data security, making such challenges more manageable.

With regard to cybersecurity, please note that the Cyber Security Management Act (CSMA) only applies to government agencies and Specific Non-Government Agencies, which refers to a critical infrastructure provider, a government-owned enterprise, a designated foundation, or any enterprise, organisation, or institution under control of the government. Therefore, digital media platforms are not likely to be subject to the CSMA.

That said, on 24 September 2025, the President announced amendments to the CSMA. This represents the first revision of the CSMA since its enactment, aiming to address increasingly severe cybersecurity threats and to enhance the overall cybersecurity capabilities of the industry. Among other changes, to strengthen agencies’ (including those private sectors subject to the CSMA) supervision of outsourced services, the amendment requires that, when agencies outsource cybersecurity-related tasks, they must enter into written contracts with the contractors specifying rights, obligations, and liabilities for breach of contract. Furthermore, agencies must co-operate with the MODA in the planning and execution of cybersecurity drills. In addition, to ensure cybersecurity protection capabilities and to prevent other business operations from affecting cybersecurity operations, the amendment requires critical infrastructure providers and certain non-government agencies that meet specific cybersecurity responsibility levels to appoint dedicated cybersecurity personnel to handle cybersecurity affairs. Additionally, in alignment with the original CSMA’s requirements for government agencies, the amendment also requires certain non-government agencies to appoint a Cybersecurity Officer responsible for promoting and supervising cybersecurity-related matters.