The Transportation Committee of the Legislative Yuan passed draft amendments to specific articles of the Cyber Security Management Act on May 22; regarding several media concerns on suspicion of expanding administrative investigation powers by the Administrative Yuan, the Ministry of Digital Affairs hereby provides the following clarification:

Article 25 of the draft amendments is for investigating major cybersecurity incidents involving specific non-government agencies; competent central authorities for the relevant sector are authorized to request the involved parties or related individuals to provide statements in person, submit forensic or investigative reports issued by an independent third-party institution, or permit designated personnel to conduct necessary inspections at the premises of the involved parties. Those who are subject to such investigations are strictly limited to parties and related individuals involved in major cybersecurity incidents and do not include general private enterprises or individuals. Such provisions already exist in other laws, such as the Fair Trade Act, the Commodity Inspection Act, and the Telecommunications Management Act, which authorize administrative agencies to conduct fact-finding procedures; therefore, it is a common administrative practice, not unique to the Cyber Security Management Act. These procedures are entirely distinct from criminal investigations, such as searches or seizures, and should not be confused.

According to the Cyber Security Management Act, there are currently approximately 350 entities that fall under the category of “specific non-government agencies” regulated by the Act. The scope is restricted to critical infrastructure providers, state-owned enterprises, and nationwide foundations that receive government subsidies or grants. When such entities experience major cybersecurity incidents, they can pose significant impacts on governmental functions and societal operations, leading to severe consequences for national security and welfare. The administrative investigation proposed by the draft amendment helps identify the root causes and sources of relevant cyberattacks or intrusions, preventing the spread of cyberattacks and advancing cybersecurity prevention capabilities through public-private partnerships. 

Since the Cyber Security Management Act was enacted on June 6, 2018, and came into force in 2019, some of its provisions are now inadequate to address emerging cybersecurity threats and evolving governance needs. To strengthen the overall cyber security legal framework, fostering cross-governmental cooperation and regional joint defense, the Ministry sincerely calls on all sectors of society to support the passage of these critical legislative amendments.