
Chapter 3 The notification and response of cyber security incident of the specific non-government agency
Article 11
Upon awareness of the cyber security incident, the specific non-government agency shall conduct the notification of the cyber security incident within one hour in the manner as designated by the central authority in charge of relevant industry.
In case of change to the level of the cyber security incident under the preceding paragraph, the specific non-government agency shall continue the notification as provided for in the preceding paragraph.
If the notification conducted in the manner as specified in Paragraph 1 is prevented for any cause, the specific non-government agency shall conduct the notification in another appropriate manner within the timeframes prescribed under the same paragraph, and note the cause for not being able to report by the prescribed manner.
After the elimination of the cause for preventing the notification from being conducted in the manner as required under Paragraph 1, the specific non-government agency shall supplement the notification in the original manner.
Article 12
After the specific non-government agency has completed the notification of a cyber security incident, the central authority in charge of the relevant industry shall complete verification of the level of such cyber security incident within the following timeframes, and may change its level according to the verification results:
1. Within eight hours after receipt of the notification of a level-1 or level-2 cyber security incident.
2. Within two hours after receipt of notification of a level-3 or level-4 cyber security incident.
After completion of the verification of the cyber security incident as required under the preceding paragraph, the central authority in charge of relevant industry shall proceed with the following requirement:
1. If the verification result indicates a level-1 or level-2 cyber security incident, they shall periodically summarize the verification result, basis, and other necessary information, and then submit them to the competent authority in the manner as specified by the competent authority.
2. If the verification result indicates a level-3 or level-4 cyber security incident, they shall, within one hour of the completion of the verification, submit the verification result, basis, and other necessary information to the competent authority in the manner as specified by the competent authority.
Upon receipt of the documentation under the preceding paragraph, the competent authority may review the level of the cyber security incident, and may change its level.
Article 13
Upon awareness of the cyber security incident, the specific non-government agency shall complete damage control or recovery operation within the following timeframes, and shall conduct the notification in the manner as designated by the central authority in charge of relevant industry:
1. Within seventy-two hours of the awareness of a level-1 or level-2 cyber security incident.
2. Within thirty-six hours of the awareness of a level-3 or level-4 cyber security incident.
After completion of damage control or recovery operation under the preceding paragraph, the specific non-government agency shall continue the investigation and management of the cyber security incident, and shall submit the investigation, management, and improvement report within one month in the manner as designated by the central authority in charge of relevant industry.
The timeframe of submission of the investigation, management, and improvement report under the preceding paragraph may be extended with the consent of the central authority in charge of relevant industry.
If the central authority in charge of relevant industry deems necessary or deems there is any non-compliance with regulatory requirement, improper matter or other matter to be improved in respect of the damage control or recovery operation under Paragraph 1 and the report submitted under Paragraph 2, they may require the specific non-government agency to give the explanation and make adjustment.
Upon review of the investigation, management, and improvement report on a level-3 or level-4 cyber security incident submitted by the specific non-government agency, the central authority in charge of relevant industry shall submit such report to the competent authority; if the competent authority deems necessary, or deems there is any non-compliance with regulatory requirement, improper matter, or other matter to be improved, it may require the specific non-government agency to give explanation and make adjustment.
Article 14
The central authority in charge of the relevant industry shall provide necessary support or assistance in respect of the notification and response of cyber security incidents implemented by the specific non-government agency under its authority, if circumstances so require.
The competent authority may provide necessary support and assistance in respect of the notification and response operation of the cyber security incident implemented by the specific non-government agency, if circumstances so require.
After the specific non-government agency becomes aware of a level-3 or level-4 cyber security incident, it shall convene meetings to discuss relevant matters.
Article 15
The specific non-government agency shall stipulate the operational regulations on the notification of the cyber security incident, the content of which shall include the following matters:
1. The process and the accountabilities of judgment and determination of levels of the incident.
2. Assessment of the impact scope and damage degrees of the incident and the response abilities of the agencies.
3. The process of internal notification on the cyber security incident.
4. The method and time of notification to other agencies impacted by the cyber security incident.
5. The exercises under the preceding four paragraphs.
6. The contact window and methods of notification of the cyber security incident.
7. Other matters relating to the cyber security incident.
Article 16
The specific non-government agency shall stipulate the operational regulations on the response of the cyber security incident, the content of which shall include the following matters:
1. The organization of the response team.
2. The exercise prior to the occurrence of the incident.
3. The mechanism of damage control on the occurrence of the incident and request for technical support or other necessary assistance from the central authority in charge of relevant industry concerned.
4. Recovery, identification, investigation, and improvement mechanisms after the occurrence of the incident.
5. The preservations of records relating to the incident.
6. Other matters relating to the response of the cyber security incident.