Upon awareness of the cyber security incident, the government agency shall conduct the notification of the cyber security incident within one hour in the manner and to the objects as designated by the competent authority.
In case of the change to the level of the cyber security incident under the preceding paragraph, the government agency shall continue the notification as provided for in the preceding paragraph.
When the notification conducted in the manner as specified in Paragraph 1 is unavailable for some reason, the government agency shall conduct the notification in another appropriate manner within the timeframes prescribed under the same paragraph, and note the cause of unable notification from being conducted in the required manner.
After eliminating of the cause of unable notification from being conducted in the manner as required under Paragraph 1, the government agency shall supplement the notification in the same manner.

After the completion of the notification of the cyber security incident, the competent authority shall complete the review of the level of such cyber security incident within the following timeframes, and may change its level according to the review results:
1. Within eight hours after receipt of the notification of a level-1 or level-2 cyber security incident.
2. Within two hours after receipt of the notification of a level-3 or level-4 cyber security incident.
The Presidential Office, the agencies directly subordinate to the central first-level agencies, and special municipalities and county (city) governments shall, after the notification of the cyber security incident, conducted by themselves, their subordinate or supervisory government agencies, their governed villages (townships/cities), mountain indigenous district offices of special municipalities, and the subordinate or supervisory government agencies of such governed villages (townships/cities) and mountain indigenous district offices of special municipalities, and the representative councils of the above said villages (townships/cities) and Mountain Indigenous Districts of Special Municipalities councils, complete the review of level of such cyber security incident within the timeframes as required under the preceding paragraph, and may change its level according to the review results.
After completion of the required review of the level of the cyber security incident, the agencies under the preceding paragraph shall notify the competent authority of the review results within one hour, and shall provide information relating to the basis of the reviews.
The Presidential Office, the National Security Council, the Legislative Yuan, the Judicial Yuan, the Examination Yuan, the Control Yuan, and special municipalities and county (city) councils shall, after completion of their own notification of cyber security incident, conduct the review of the level of such cyber security incident within the timeframes as specified under Paragraph 1, and shall notify and provide the competent authority with relevant information as required under the preceding paragraph.
Upon receipt of the notifications under the preceding two paragraphs, the competent authority shall further review the level of the cyber security incident according to the relevant information, and may change its level according to the review result. However, if it is deemed necessary, or if the agencies under Paragraph 2 and the preceding paragraph fail to notify of the required review results, the competent authority may directly review such cyber security incident and may change its level.

Upon awareness of the cyber security incident, the government agency shall complete the damage control or recovery operation within the following timeframes, and shall conduct the notification in the manner and to the objects as designated by the competent authority:
1. Within seventy-two hours of the awareness of a level-1 or level-2 cyber security incident;
2. Within thirty-six hours of the awareness of a level-3 or level-4 cyber security incident.
After completion of the damage control or recovery operation under the preceding paragraph, the government agency shall continue the investigation and management of the cyber security incident, and shall submit the investigation, management and improvement report within one month in the manner designated by the competent authority.
The timeframe of submission of the investigation, management, and improvement reports under the preceding paragraph may be extended with the consent of the superior or supervisory authority and the competent authority.
If the superior or supervisory authority or the competent authority deem necessary or deem there is any non-compliance with the regulatory requirement, improper matters or other matters to be improved in respect of the damage control or recovery operation under Paragraph 1 and the report submitted under Paragraph 2, they may require the government agency to give explanations and make adjustments.

The Presidential Office, the agencies directly subordinate to central first-level agencies, and the special municipalities and county (city) governments shall provide necessary assistance or support in respect of the notification and response operation of the cyber security incident implemented by the government agency which is subordinate to, or supervised or regulated by, or whose businesses are related to them, if circumstances so require.
The competent authority may provide necessary support and assistance in respect of the response operation of the cyber security incident implemented by the government agency, if circumstances so require.
After the government agency becomes aware of a level-3 or level-4 cyber security incident, its Cyber Security Officer shall convene the meetings to discuss relevant matters, and may request relevant agencies to provide assistances.

The Presidential Office, the agencies directly subordinate to central first-level agencies, and the special municipalities and county (city) governments shall plan and conduct cyber security exercise for themselves, their subordinate or supervisory government agencies, their governed villages (townships/cities), mountain indigenous district offices of special municipalities, and the subordinate or supervisory government agencies of such governed villages (townships/cities) and mountain indigenous district offices of special municipalities, and the representative councils of the above said villages (townships/cities) and Mountain Indigenous Districts of Special Municipalities councils, and shall submit the implementation status thereof and the result reports thereon to the competent authority within one month after the completion thereof.
Content of the exercise operation under the preceding paragraph shall include the following items at least:
1. Social engineering exercise shall be conducted once every six months.
2. The notification and response exercise of the cyber security incident shall be conducted once a year.
The Presidential Office and the central first-level agencies and special municipalities and county/city councils shall plan and conduct the cyber security exercise operation required under the preceding paragraph.

The government agency shall stipulate the operational regulations on the notification of the cyber security incident, the content of which shall include the following matters:
1. The process and the accountabilities of judgment and determination of levels of the incident.
2. Assessment of the impact scope and damage degrees of the incident and the response abilities of the agencies.
3. The process of internal notification on the cyber security incident.
4. The method and time of notification to other agencies impacted by the cyber security incident.
5. The exercises under the preceding four paragraphs.
6. The contact window and methods of notification of the cyber security incident.
7. Other matters relating to the cyber security incident.

The government agency shall stipulate the operational regulations on the response of the cyber security incident, the content of which shall include the following matters:
1. The organization of the response team.
2. The exercise prior to the occurrence of the incident.
3. The mechanism of damage control on the occurrence of the incident and request for technical support or other necessary assistance from the central authority in charge of relevant industry concerned.
4. Recovery, identification, investigation, and improvement mechanisms after the occurrence of the incident.
5. The preservations of records relating to the incident.
6. Other matters relating to the response of the cyber security incident.