Regulations governing ratings for cybersecurity responsibility levels

by Michael Fahey

Article 7(1) of the Cybersecurity Management Act authorizes the Executive Yuan to define standards for rating cyber security responsibility levels. These standards are set out in the Regulations Governing Ratings for Cybersecurity Responsibility Levels (the “Rating Regulations”). The Rating Regulations took force on January 1 2019.

While the Rating Regulations consist of just 12 articles, there are ten tables appended to the Rating Regulations that contain detailed requirements for cyber security management.

The Regulations define five ratings from A to E. A is the strictest rating with the highest requirements while E is the lowest. Rating Regulations §2.

Critical Infrastructure operators (“CI Operators”) are rated A or B depending on an evaluation by the CI Operator’s regulator. Factors considered in the evaluation include the number of users, market share, region, replicability, and the impact of a failure of the CI operator’s information system. Rating Regulations §4(6) and §5(5).  For example, critical infrastructure includes industries such as energy, transport, telecoms, the banking system and certain medical facilities.

The specific requirements for each rating level are set out in tables attached to the Rating Regulations. Each table covers three aspects of cyber security: management, technology, and awareness/training.


All CI Operators are required to rate their information systems within one year of designation. Systems must be evaluated for secrecy, integrity, usability, and legal compliance.  The standards for high, medium, and low ratings are defined in the attached Table 9.  CI Operators are also required to implement the security measures set out in the attached Table 10 within one year. These security measures are grouped in the following categories: access control, auditing/accountability, operational continuity plan, identity, system and service obtainability, system and communication protection, and system/information integrity.  Rating Regulations, Table 10.

Management requirements for a CI Operator with an A rating include implementing the CNS 27001 information security standard within two years and having at least four dedicated information security specialists. CI Operators with a B rating must also implement CNS27001 within two years but are required to have just two information security specialists. Rating Regulations, Tables 2 and 4.


Technology requirements include security testing, security checkups, threat detection management mechanisms, and security protections. For example, an A rated CI Operator is required to do system penetration testing once each year. In contrast, a B rated CI Operator is required to do system penetration testing once every other year. Rating Regulations, Tables 2 and 4.

Awareness and Training

Awareness/training requirements include required training for security personnel and ordinary users as well as certification requirements for security specialists. For example, CI Operators with  A or B Ratings are required to train ordinary users for three hours per year. Rating Regulations, Tables 2 and 4.