
Title: Cyber Security Management Act
Category: Ministry of Digital Affairs (數位發展部)
Chapter I. General Provision
Article 1
This Cyber Security Management Act (hereinafter referred to as the Act) is duly stipulated in an effort to positively carry out the national cyber security policy, accelerate the construction of environment for national cyber security to safeguard national security, and protect public interests of the entire society.
Article 2
The competent authority over the Act is the Executive Yuan.
Article 3
The terms under the Act are defined as follows:
1. Information and communication system: That refers to the system to be used to collect, control, transmit, store, circulate, delete information or to make other processing, using and sharing of such information.
2. Information and communication service: That refers to the service to be used to collect, control, transmit, store, circulate, delete information or to make other processing, use and sharing of such information.
3. Cyber security: That refers to such effort to prevent information and communication system or information from unauthorized access, use, control, disclosure, damage, alteration, destruction or other infringement to assure the confidentiality, integrity and availability of information and system.
4. Cyber security incident: That refers to an event where the state of the system, service or network, through identification, likely shows violation of the cyber security policy, or failure of the security protective measures, thus adversely affecting performance of information and communication system function, and constituting a threat against the cyber security policy.
5. Government agency: That refers to central, local government agency (institution) or public juristic person that exercises public power according to law, excluding military and intelligence agency.
6. Specific non-government agency: That refers to critical infrastructure provider, government-owned enterprises and government-endowed foundation.
7. Critical infrastructure: That refers to asset, system or network, either physical or virtual, once discontinued from operation or becoming less effective, would lead to significant negative impact upon the national security, public interests, living standard of citizen and economic activities, which shall be re-examined and promulgated by the competent authority regularly.
8. Critical infrastructure provider: That refers to the ones who maintain or provide critical infrastructure either in whole or in part, as designated by the central authority in charge of relevant industry, which shall be submitted to the competent authority for ratification.
9. Government-endowed foundation: That refers to a foundation of which the operation and capital employment plan of its funds shall be submitted to the Legislative Yuan in accordance with Paragraph 3 of Article 41 of the Budget Act and its annual budget statement shall be submitted to the Legislative Yuan for deliberation in accordance with Paragraph 4 of the same Article.
Article 4
In an effort to promote cyber security, the government shall provide resources, and integrate the momentum of both civilian groups and private sectors, and boost cyber security awareness of all people, and implement the following issues:
1. Cultivation of cyber security professionals.
2. Cyber security technology research and development, integration, application, and industry-academia cooperation, as well as interchange and cooperation with international community.
3. Development of cyber security industry.
4. Development of cyber security related software and hardware specifications, relevant services and verification mechanism.
Promotion of the issues in the preceding Paragraph shall be stipulated by the competent authority under the national cyber security program.
Article 5
The competent authority shall plan and promote the cyber security policy, and the cyber security technology development, and interchange and cooperation with international community, and the comprehensive cyber security protection relevant undertakings, as well as announce the report of national cyber security status, the summary auditing report on the implementation of the cyber security maintenance plan for the government agency, and the national cyber security program.
The status report, summary auditing report and the national cyber security programs of the preceding Paragraph shall be submitted to the Legislative Yuan for review.
Article 6
The competent authority may commission or entrust other government agency, juristic person or organization to implement integrated protection of cyber security, interchange and cooperation with international community, and other cyber security related issues.
The government agency, juristic person or organization, or second-tier subcontractor of the preceding Paragraph shall not divulge the secret of critical infrastructure provider which becomes known in the process of enforcement or implementation of relevant issues.
Article 7
The competent authority shall stipulate the cyber security responsibility levels by considering the criteria on the importance, confidentiality and sensitivity of the business, the hierarchy of the agency, and the category, quantity and attribute of the information reserved or processed, as well as the scale and attribute of the information and communication system of the government agency and specific non-government agency. The relevant regulations regarding the baseline for responsibility levels, application for a change in the level, content of obligation, staffing of dedicated personnel and other regulations and issues concerned shall be stipulated by the competent authority.
The competent authority may audit a specific non-government agency in its implementation of cyber security maintenance plan, of which the frequency, content, method and other issues concerned shall be stipulated by the competent authority.
Where a specific non-government agency is audited as per the preceding Paragraph and found defective or needing improvement in the cyber security maintenance program, it shall submit the improvement report to the competent authority and to the central authority in charge of relevant industry.
Article 8
The competent authority shall set up the cyber security information sharing mechanism.
Regulation regarding analysis, integration, and the sharing of content, procedure and method, and other matters of the cyber security information in the preceding Paragraph shall be stipulated by the competent authority.
Article 9
Where a government agency or specific non-government agency outsources the setup or maintenance of the cyber security system, or the provision of cyber security services, such government agency or specific non-government agency shall, within the realm of this Act, take into account the outsourced party's professional capability and hands-on experience, as well as the attribute of the outsourced item and the requirement of cyber security, select the appropriate party for outsourcing and oversee its cyber security maintenance service.