The BGA Taiwan Team led by Senior Adviser Rupert Hammond-Chambers, wrote an update to clients on the recently proposed amendment to the Cyber Security Management Act.

Context

  • Taiwan’s Ministry of Digital Affairs (MODA) on September 22 unveiled a proposed amendment to the Cyber Security Management Act (資通安全管理法). This amendment mainly involves formalizing existing practices and will result in minimal practical changes. The most significant change is the authority the amendment grants MODA to command and manage all government cybersecurity personnel in the event of a major cybersecurity incident.
  • MODA announced the amendment on September 22; the public consultation period will continue for 60 days, ending on November 20. The proposal will then be discussed at an Executive Yuan conference and later be reviewed in the Legislative Yuan. It will probably not be prioritized for passage this session because the Legislative Yuan is expected to adjourn after December 18, and reviewing 2024 budgets is still the top priority. The incoming government is therefore more likely to decide whether to proceed with the proposed amendment or introduce new revisions.

Significance

  • The key elements of this revisions include the following:
    • Formalizing existing practices, such as the cybersecurity guidance for government procurement of information and communications technology (ICT) products, transferring the competent authority of the cybersecurity act from the Executive Yuan to MODA and legalizing the operation of the National Information and Communication Security Task Force (行政院國家資通安全會報).
    • Government agencies will be forbidden from procuring or using ICT products that jeopardize cybersecurity. This measure elevates the existing cybersecurity guidance for ICT product procurement from the realm of administrative orders to law. It aims to strengthen the effectiveness of the guidance and will therefore not have a significant impact on current operational practices.

Implications

  • The amendment will not significantly impact most private enterprises. MODA officials had previously hoped to place designated private enterprises under the purview of the cybersecurity law; however, this provision was not included in the recent announcement. At the same time, President Tsai Ing-wen’s administration is not willing to expand the current scope of designated critical infrastructure beyond government-affiliated entities, such as Taiwan Power Company, CPC Corporation and Chunghwa Telecom.
  • BGA recommends that companies monitor the amendment, but they should not be overly concerned. The Legislative Yuan has limited time to review bills and budgets for the remainder of the year due to the upcoming presidential and legislative elections on January 13, 2024. In addition, the amendment does not represent a significant change from Taiwan’s current cybersecurity practices. BGA therefore does not expect the amendment to pass by the end of the year, barring a major cybersecurity incident in the next several months that would necessitate immediate reforms by MODA.

We will continue to keep you updated on developments in Thailand as they occur. If you have comments or questions, please contact BGA Taiwan Senior Adviser Rupert Hammond-Chambers at rupertjhc@bowergroupasia.com.

Best regards,

BGA Taiwan Team