Cybersecurity Requirements for Non-Government Agencies in Taiwan
Implementation of Corrective Measures
In Taiwan, the central government authority in charge of a non-government agency's industry may require that agency to implement corrective measures within a specified period under specific circumstances. These circumstances include:
- Failure to develop or implement a cybersecurity maintenance plan
- Failure to report on the progress of implementing the cybersecurity plan, or violation of the reporting requirements
- Failure to submit an improvement report following audit instructions, or failure to comply with the regulations for submitting such reports
- Failure to set up a notification and response mechanism for cybersecurity incidents, or failure to comply with the matters it must cover
- Failure to submit a report on the investigation of, response to, and improvement following a cybersecurity incident, or failure to comply with the reporting requirements
- Failure to comply with report requirements
Consequences of Non-Compliance
Where a non-government agency fails to take appropriate security measures to protect personal data, or fails to inform the affected data subjects, the competent authority may require the agency to implement corrective measures within a specified period. If the required improvements are not made, the agency may be fined NT$20,000 to NT$200,000 for each offense.
Authorized Measures to Protect IT Systems
Organizations in Taiwan are permitted to use specific measures to protect their IT systems, including:
- Honeypots: digital traps designed to lure cyber threat actors into taking action against a synthetic network rather than production systems
- Sinkholes: measures that redirect malicious traffic away from an organization’s own IP addresses and servers
The use of beacons, however, is neither explicitly permitted nor explicitly restricted by Taiwanese law. If a beacon is used to collect personal data, such as IP addresses, the purpose of the collection will be assessed; if that purpose is deemed unjustifiable, the collection may constitute an offense.