Taiwan’s New Cybersecurity Requirements: A Paradigm Shift in Market Access
Background: Cybersecurity as a Market Access Imperative
Taiwan’s Bureau of Standards, Metrology and Inspection (BSMI) is introducing mandatory cybersecurity requirements for selected information technology and audiovisual products. This initiative marks a significant shift, making cybersecurity an integral part of product market access in Taiwan .
The new framework incorporates several key cybersecurity standards:
- CNS 16190 (harmonized with ETSI EN 303 645)
- CNS 18031-1 / CNS 18031-2 (harmonized with EN 18031)
- CNS 16120 / CNS 16132 (Cybersecurity requirements and test methods for video surveillance products)
More importantly, this regulatory update represents a fundamental change in Taiwan’s conformity assessment framework, moving beyond simply introducing additional cybersecurity testing to a new market access model .
Implementation Timeline: Preparing for the Transition
BSMI has established a clear transition period before full implementation, urging manufacturers to prepare early:
Taiwan BSMI Cybersecurity Transition Timeline
- From the announcement date: Manufacturers may apply under the revised certification scheme.
- 31 December 2027: Final deadline for transition.
- 1 January 2028: The revised requirements become fully mandatory, and the Declaration of Conformity (DoC) route will no longer be applicable for the affected product categories .
Insight 1: The Biggest Change Is Not Just About Cybersecurity Testing
While many manufacturers initially focus on the introduction of CNS 16190 or CNS 18031 testing requirements, the most significant change lies in the transformation of Taiwan’s market access framework. Products previously allowed to enter the Taiwan market through a manufacturer-issued Declaration of Conformity (DoC) will gradually transition to third-party certification schemes. These new schemes will require a comprehensive cybersecurity assessment alongside conformity evaluation, representing a fundamental shift from product testing alone to an integrated conformity assessment process .
Insight 2: Conformity Assessment Has Been Upgraded
The revised framework introduces substantial changes to the certification process. The table below highlights the key differences between the current and revised schemes:
Taiwan BSMI: Certification Scheme Upgrade
Consequently, manufacturers must prepare not only for cybersecurity testing but also for quality management documentation and factory assessment requirements .
Insight 3: Existing Products Must Also Be Transitioned
Products Currently under Declaration of Conformity (DoC)
Existing DoC declarations will cease to be valid from 1 January 2028. Manufacturers wishing to continue importing or marketing these products in Taiwan must obtain a Registration of Product Certification (RPC) or Type Approval (TA) certificate before 31 December 2027 .
Products Already Holding RPC or Type Approval Certificates
Existing RPC or TA certificates remain valid until their original expiry date. However, if a renewal is processed before 31 December 2027, the renewed certificate will only remain valid until 31 December 2027. Products intended to remain on the Taiwan market after 1 January 2028 must complete the revised conformity assessment procedure before that date, including submission of a Standard Quality Management System Certificate or Factory Inspection Report where required .
Recommendations for Manufacturers
Manufacturers are strongly encouraged to begin preparations early by:
- Reviewing affected product portfolios.
- Identifying applicable cybersecurity standards.
- Evaluating the applicable certification route.
- Preparing quality management documentation.
- Scheduling cybersecurity testing and certificate transition in advance.
Early preparation will help minimize certification bottlenecks and reduce potential delays in market access during the transition period .