The President announced the amendments to the Cyber Security Management Act
Ken-Ying Tseng / Winona Chen / Roger Kai
On September 24, 2025, the President announced the amendments to the Cyber Security Management Act (“CSMA”), which passed its third reading in the Legislative Yuan on August 29, 2025. The implementation date of the amended articles is yet to be determined by the Executive Yuan. The CSMA has been in effect since January 1, 2019, and has now been implemented for over six years. This amendment represents the first revision of the CSMA since its enactment, aiming to address increasingly severe cyber security threats and to enhance the overall cyber security capabilities of the industry. In addition to changing the competent authority of the CSMA from the Executive Yuan to the Ministry of Digital Affairs (“MODA”), this amendment also introduces and revises several provisions. Please find below the key points of the amendments:
1. Explicit Prohibition for Government Agencies from Downloading, Installing, or Using Products that Pose Risks to National Cyber Security
Under the current regulations, government agencies are generally prohibited from downloading, installing, or using products that pose risks to national cyber security (“Risky Products”) according to the “Principles for Restricting the Use of Risky Products by Government Agencies.” This amendment elevates said principles to the level of law and authorizes the MODA to establish review procedures and related implementation details. Additionally, the amendment empowers central competent authorities of respective industries to restrict or prohibit specific non-government agencies from using Risky Products.
2. Expanding Audit Measures for Agencies
To assist government agencies in reviewing the implementation of their cyber security maintenance plans (“CMP”), the amendment authorizes the MODA to audit government agencies. If any deficiencies or areas requiring improvement are identified after the audit, the audited agencies should submit an improvement report to their superior or supervisory authorities, or, if no such authorities exist, to the designated guidance authorities (collectively, the “Guidance Authorities”). To better enable Guidance Authorities to supervise and guide the audited agencies, the amendment also stipulates that, if deemed necessary, the Guidance Authorities may require the audited agency to provide explanations or make adjustments to properly address deficiencies or areas needing improvement.
3. Signing Written Outsourcing Contracts and Cooperating with Cyber Security Drills
To strengthen agencies’ supervision of outsourced services, the amendment requires that, when agencies outsource cyber security-related tasks, they must enter into written contracts with the contractors specifying rights, obligations, and liabilities for breach of contract. Furthermore, agencies must cooperate with the MODA in the planning and execution of cyber security drills.
4. Strengthening Professionalism and Competency Verification of Cyber Security Personnel
Given that the professional knowledge and skills of cyber security personnel are closely related to the cyber security protection capabilities of government agencies, the amendment enhances the deployment and functional training of dedicated cyber security personnel. It also requires competency verification for those who have passed the relevant employment examinations. Those who refuse or fail verification are prohibited from handling cyber security tasks involving state secrets, military secrets, or national defense secrets.
5. Requirement for Certain Non-Government Agencies to Appoint Dedicated Cyber Security Personnel and Cyber Security Officers
To ensure cyber security protection capabilities and to prevent other business operations from affecting cyber security operations, the amendment requires critical infrastructure providers and certain non-government agencies that meet specific cyber security responsibility levels to appoint dedicated cyber security personnel to handle cyber security affairs. Additionally, in alignment with the original CSMA’s requirements for government agencies, the amendment also requires certain non-government agencies to appoint a Cyber Security Officer responsible for promoting and supervising cyber security-related matters.
6. Supervisory Authority of Central Competent Authorities over Major Cyber Security Incidents in Certain Non-Government Agencies
The amendment grants central competent authorities the power to investigate major cyber security incidents occurring in certain non-government agencies, including notifying the parties involved or related persons to appear and present opinions, requiring them to submit third-party reports, or assigning personnel to conduct necessary inspections. If the parties involved or related persons evade, obstruct, or refuse cooperation, an administrative fine ranging from NT$100,000 to NT$1,000,000 may be imposed.
7. Increased Penalties for Non-Government Agencies Violating Security Maintenance Obligations
For failure to report cyber security incidents in accordance with the CSMA, the maximum administrative fine is increased to NT$10 million. Moreover, for violations of the CMP, reporting, and response mechanism-related provisions, if the central competent authority orders corrections within a time limit and the agency fails to comply, the maximum administrative fine is increased to NT$5 million.
Our firm’s “Digital, TMT, and Data Privacy Practice Group” has extensive experience in assisting companies with the prevention and response to cyber security issues. Should you require any assistance, please do not hesitate to contact our team of experts.