(Jan. 30, 2019) On December 5, 2018, Taiwan’s executive branch of government (Executive Yuan) decided that the Information and Communication Security Management Act (enacted by the President on June 6, 2018) would enter into force on January 1, 2019. (Xingzheng Yuan Ling [Executive Yuan Order], Yuan Tai Hu Zi No. 1070217128 (Dec. 5, 2018), 235 EXECUTIVE YUAN GAZETTES (2018) (in Chinese); Zitong Anquan Guanli Fa [Information and Communication Security Act], Laws and Regulations Database of the Republic of China (in Chinese).)
The Act provides cybersecurity management obligations for government agencies and certain nongovernment entities, in particular the providers of critical infrastructure. “Critical infrastructure” under the Act refers to tangible or intangible assets, systems, or networks whose outage or drop in efficiency will have a substantial impact on national security, social and public interests, or citizens’ lives or economic activities. The central competent authorities, after obtaining approvals from the Executive Yuan, are to designate specific business operators as providers of critical infrastructure. (Id. art. 3; Louis Hsieh & H. Henry Chang, Taiwan Cybersecurity Management Act Passed, LEXOLOGY (June 14, 2018).)
A provider of critical infrastructure must implement a cybersecurity maintenance plan that complies with requirements for the provider’s cybersecurity responsibility level. (Information and Communication Security Act art. 16(2).) Failure to implement the plan, as well as a violation of other obligations under the Act, is punishable by a fine of NT$100,000 to $1 million (about US$3,240 to $32,400). (Id. art. 20.)
In addition, providers of critical infrastructure must notify the competent authorities of any cybersecurity incidents. (Id. art. 18(2).) A violation of this specific obligation is punishable by a fine of NT$300,000 to $5 million (about US$9,700 to $162,000). (Id. art. 21.)
The Act authorizes the Executive Yuan to formulate the requirements for providers at different cybersecurity responsibility levels. (Id. art. 7.) On November 21, 2018, the Executive Yuan issued the Measures of Classification of Cybersecurity Responsibility Levels and five other rules for implementing the Act, all six of which entered into force on January 1, 2019. (Executive Yuan Order, Yuan Tai Hu Zi No. 1070217128.)