What is AI regulation in Taiwan?

As of 5 June 2026, AI regulation in Taiwan is a layered system. Taiwan's Artificial Intelligence Basic Act took effect on 14 January 2026 and sets national principles, roles and a timetable for sector regulators, but it does not yet work like a single EU-style rulebook for all AI providers. In practice, organisations still face Taiwan's Personal Data Protection Act, sector rules such as FSC finance guidance and TFDA medical device controls, plus separate public sector AI guidance.

What this means

Taiwan now has an AI framework law, but not a single all-purpose compliance code for every AI product and service. The AI Basic Act gives the country a statutory backbone for AI governance. It sets core principles, assigns responsibilities across government and tells ministries to build more detailed risk-based rules.

That does not mean the older legal picture has disappeared. For most organisations, the rules that bite first are still the Personal Data Protection Act, sector supervision, product regulation, cybersecurity duties and procurement controls. In Taiwan, AI regulation therefore means understanding both the new framework act and the other laws that already apply to your use case.

A practical way to read Taiwan's position is this: the country has moved beyond pure soft law, but much of the binding detail still arrives sector by sector.

Why it matters

This matters because organisations do not need to wait for a future "big AI law" before legal and governance risk appears. If your system uses personal data, supports lending or insurance decisions, assists diagnosis, is sold into government, or could materially affect people's rights or safety, Taiwan already has rules and supervisory expectations that can apply. The new act also signals where scrutiny will intensify next: high-risk uses, warnings and disclosures, human oversight, privacy by design, cybersecurity, impact on children and rights, and internal control systems that can be checked and explained.

How it works

The 2024 draft has become enacted law

Many summaries still talk about Taiwan's "draft AI Basic Act". That is no longer the current position. The National Science and Technology Council opened a draft for consultation in July 2024, but Taiwan now has an enacted Artificial Intelligence Basic Act. It was promulgated on 14 January 2026 and took effect the same day.

That change matters because older commentary often describes a proposal, not the law now in force. If you are checking Taiwan's AI position today, the starting point is no longer the consultation draft. It is the enacted Basic Act, read together with the sector rules and the Personal Data Protection Act.

The act is a framework statute rather than a full product code

The AI Basic Act is designed to set direction, principles and institutional responsibilities. It defines AI broadly as a system capable of autonomous operation that, through input or sensing and by means of machine learning and algorithms, can generate predictions, content, recommendations or decisions that affect physical or virtual environments.

Its core logic is constitutional and administrative rather than product-by-product. The act says AI policy should be human-centred and follow principles including sustainable development and well-being, human autonomy, privacy protection and data governance, cybersecurity and safety, transparency and explainability, fairness and non-discrimination, and accountability.

That makes it important, but it also shows its limits. The act does not read like a single licence or conformity framework for every AI deployer. It expressly says that matters not stipulated in the act are governed by other laws. In practice, this means the basic act frames the system, while older laws and sector regulators do much of the concrete work.

Roles are split across NSTC, MODA, the Executive Yuan and sector regulators

Taiwan has chosen a coordinated model instead of putting all AI powers in one specialist regulator. Under the act, the National Science and Technology Council is the central competent authority, while local governments are the local competent authorities. But where a matter falls within a specialist field, the relevant central sector authority handles it.

The Executive Yuan must establish a National AI Strategic Committee, chaired by the Premier, to coordinate, promote and supervise national AI affairs and to formulate National AI Development Guidelines. On 21 May 2026, the Executive Yuan announced that it would formally establish this committee and that NSTC would lead the drafting of Taiwan's first National AI Development Guidelines.

MODA has a distinct operational role. The act assigns it responsibility to promote an AI risk taxonomy and assessment framework aligned with international norms and to help sector authorities build risk-based management rules. The same structure also gives MODA and other relevant agencies a role in assessment and verification tools for high-risk AI.

For businesses, the practical message is simple: there is no single answer to "Who regulates my AI use in Taiwan?" The answer depends on whether your issue is system-wide governance, public sector use, data protection, finance, health, telecoms, procurement or another regulated field.

The act sets deadlines and immediate public sector duties

The AI Basic Act contains principles, but it also creates a timetable. It says government agencies must review laws, regulations and administrative measures under their jurisdiction and, within two years of the act taking effect, complete the needed enactment, amendment, repeal or administrative improvement work. Because the act took effect on 14 January 2026, that implementation window runs to January 2028.

The act also includes two practical ideas that operators should watch closely. First, where a sector authority, after consulting MODA, identifies an AI product or system as high-risk, the product or system must carry advisory notices or warnings. Second, when government uses AI to perform duties or provide services, it must conduct risk assessments and plan risk responses, then establish usage guidelines, regulations or internal control mechanisms suited to the task.

The Executive Yuan then made this more concrete in May 2026. It directed government agencies at all levels to complete risk assessments for official AI use by July 2026 and to finish internal control rules within one year. It also told sector regulators to issue management rules, industry guidance, or legal adjustments for AI applications in their own domains by January 2028.

So the act is not merely symbolic. It creates a real implementation programme. The point, however, is that much of the heavy compliance detail is still being built and will arrive through sector-specific instruments rather than through one giant follow-on AI statute.

Data protection remains the main hard-law control for many AI deployments

For many real-world deployments, the most immediate legal risk in Taiwan is still personal data law. Taiwan's Personal Data Protection Act is not AI-specific, but it governs many of the activities that make AI deployment legally sensitive: collecting training data, using customer records, enriching profiles, prompt inputs containing personal data, model monitoring, incident response, and cross-border data transfers.

The PDPA requires a lawful basis for collection and processing, and it imposes notice duties when personal data is collected directly or indirectly. It gives data subjects rights to inquire, review, obtain copies, supplement or correct data, demand cessation of collection, processing or use, and demand erasure. It also requires security and maintenance measures to prevent theft, alteration, damage, loss or leakage of personal data.

The breach side matters too. Where an organisation becomes aware that personal data has been stolen, altered, damaged, lost or leaked, it must notify the data subject, and some cases must also be reported to the competent authority. The law also allows restrictions on cross-border transfers in specified circumstances.

Enforcement powers are substantial. The competent authority may inspect organisations, require documents and explanations, order rectification, prohibit collection, processing or use, order deletion or destruction of unlawfully handled data, and publicise violations. Depending on the breach, fines can escalate materially, especially for failures in security and maintenance. In serious misuse cases, criminal penalties can also apply.

Two further points are easy to miss. First, the amended PDPA names the Personal Data Protection Commission as the competent authority, but it also allows a transition in which some announced sectors may remain supervised by their industry regulators for part of the enforcement architecture. Second, the PDPA can apply outside Taiwan, because it also covers government and non-government agencies outside the territory of the Republic of China when they collect, process or use the personal data of ROC nationals.

That means foreign AI vendors, group entities and cross-border service providers should not treat Taiwan as relevant only when they have a local subsidiary.

Sector rules and public sector controls already shape practice

Taiwan's sector regulators are already using guidance and product law to govern AI in practice. In finance, the Financial Supervisory Commission issued Guidelines for Artificial Intelligence Applications in the Financial Industry in June 2024. They are administrative guidance rather than a standalone AI statute, but they set supervisory expectations across the AI life cycle. The guidelines tell financial institutions to apply core principles in a risk-based way, manage third-party operators contractually, consider independent review where needed, minimise personal data, preserve explainability, and keep human judgement in the loop where a third-party generative model cannot be fully controlled for fairness or reliability.

In healthcare, AI is already being pulled into existing medical device law. The Ministry of Health and Welfare states that the Medical Device Act is the anchor statute and that TFDA has issued digital health guidance covering AI and ML, software as a medical device, cybersecurity and registration. That means an AI diagnostic or decision-support tool is not treated as a free-floating software feature if it falls within regulated medical-device territory. It is dealt with through medical-device approval and post-market controls.

Taiwan's public sector posture is also unusually important because the government is using itself as the first large controlled deployment environment. In August 2023, the Executive Yuan released reference guidance for the use of generative AI by the Executive Yuan and affiliated agencies. The stated purpose was to let agencies use generative AI while preserving confidentiality and professionalism in official work, on principles including responsible and trustworthy use, safety, privacy and data governance, accountability, and control over the technology.

MODA then built this into operational machinery. Its Government AI Application Sandbox, called TryAI, gives agencies a dedicated testing environment so they can trial models and tools before procurement. By late 2025 it was already being used by more than 30 agencies. This matters not only for ministries. It matters for vendors selling into government, because the state is signalling the kind of controlled testing, procurement discipline and documentation it expects.

Taken together, these features show Taiwan's broader governance posture. It is not waiting for one exhaustive AI code before acting. It is using a framework law, data protection, sector oversight, public sector guidance and controlled experimentation to move from principle to practice.

Examples

A government department wants to use generative AI for routine office work. Under the May 2026 implementation plan, public agencies are expected to complete AI risk assessments in 2026 and then put internal control rules in place. In practice, agencies can test tools through MODA's TryAI environment before buying them. MODA says the Ministry of Health and Welfare used the platform to cut meeting-minute preparation from between 30 and 40 hours to about 6 hours, while other agencies used it for report review, document research and procurement-law questions.

A bank wants to use a third-party generative model in customer service or internal operations. In Taiwan, that is not governed only by the new AI Basic Act. The bank is already expected to work to the FSC's 2024 AI guidelines, which push institutions to assess risk by use case, define vendor responsibility, protect customer data, maintain explainability where possible and ensure people manage risks from unreliable or unfair model content.

A medtech company wants to market an AI-enabled diagnostic tool. In Taiwan, that use case goes through the medical-device route, not a generic AI registration regime. MOHW says the Medical Device Act is the governing statute and that TFDA has issued AI and ML software-as-medical-device guidance, plus related registration and cybersecurity guidance. In other words, changes that affect safety, performance or intended use are handled as regulated medical-device matters, not as ordinary software updates.

Common misunderstandings

Misunderstanding: Taiwan now has one single AI code that fully regulates every business use of AI. Correction: Taiwan has a framework AI statute, but much of the binding detail still comes from data law, sector supervision and product regulation.

Misunderstanding: The AI Basic Act already contains a full statutory list of prohibited and high-risk AI uses. Correction: The act points toward risk-based control, but the detailed classification and sector rules are still being built.

Misunderstanding: If a company is outside Taiwan, Taiwan's privacy law does not matter. Correction: Taiwan's PDPA can also apply to organisations outside the ROC when they handle the personal data of ROC nationals.

Misunderstanding: The FSC's AI guidance is irrelevant because it is not a dedicated AI statute. Correction: It is still a clear supervisory signal for financial institutions and can shape examinations, self-regulation and risk management practice.

Misunderstanding: Public sector generative AI guidance is the same thing as private-sector AI law. Correction: It directly governs government use, not the whole private market, but it still shows where Taiwan is heading on baseline control expectations and procurement practice.

Risks and boundaries

The biggest boundary is that Taiwan's AI Basic Act is not yet a complete private-sector compliance code. It sets principles, allocates roles and creates deadlines, but it leaves much of the operative detail to sector authorities and other laws. That means organisations can make two opposite mistakes: assuming there is no AI regulation at all, or assuming the Basic Act already answers every detailed compliance question. Neither is right.

As of 5 June 2026, several important pieces are still in build-out. The country is moving towards a more explicit risk-based model, and the Executive Yuan has given ministries until January 2028 to finish the required sector rules or legal adjustments. Until that work is complete, "high-risk AI" is not yet a single uniform category across the whole economy.

There is also a practical boundary between public sector governance and market-wide law. Government entities now face earlier deadlines on risk assessment and internal controls, and they operate inside controlled trial and procurement settings. Private organisations should learn from that direction of travel, but they should not assume every public-sector control is directly binding on them today.

Finally, a large share of legal exposure in Taiwan still comes from adjacent law, especially personal data, finance, medical devices, advertising, procurement and cybersecurity. If a team looks only for AI-specific obligations, it may miss the rules that are most immediately enforceable.

What to do next

Start with a use-case map, not a model map. List where AI is used, what decisions it supports, what data it touches, whether people are materially affected, and which sector regulator would care.

Treat personal data as the first legal checkpoint. Check lawful basis, notices, data-subject rights handling, vendor access, cross-border transfers, breach reporting and security controls before debating abstract AI ethics.

Separate public sector, regulated sector and general enterprise use. A tool sold into government, finance or healthcare will usually face tighter expectations than a low-risk internal productivity tool.

Build a basic evidence pack now. Keep a use-case inventory, risk rating, human-review design, vendor responsibilities, testing records, incident paths, change controls and explanations of where the model is used and where it is not.

Track the implementation timetable. Taiwan's framework law is already in force, the public sector is already under implementation deadlines, and sector-specific AI management rules are due to deepen before January 2028.

FAQs

Does Taiwan have an AI Act like the EU AI Act?

Not in the same sense. Taiwan now has an AI Basic Act, but it is a framework law and coordination statute, not a single all-economy product code with the same level of detailed operational control.

When did Taiwan's AI Basic Act take effect?

It was promulgated and took effect on 14 January 2026.

Does the AI Basic Act already impose direct penalties on every AI provider?

Not in the way a full compliance code would. The act is principle-setting and implementation-focused. In many real cases, enforcement risk still comes from the PDPA, financial supervision, medical-device regulation and other sector laws.

Which institutions matter most for AI regulation in Taiwan?

NSTC is the central competent authority under the Basic Act. The Executive Yuan coordinates national strategy through the planned National AI Strategic Committee. MODA builds the risk taxonomy and related tools. Sector regulators handle domain-specific rules.

What is the main privacy law affecting AI in Taiwan?

The Personal Data Protection Act. It governs lawful collection and use, notice duties, data-subject rights, breach handling, security measures, cross-border transfer restrictions, inspections and fines.

Is "high-risk AI" already fully defined across Taiwan's economy?

No. The Basic Act refers to high-risk AI, but the detailed risk-based classification and management rules are still being developed by MODA and the relevant sector authorities.

Are public sector generative AI rules binding on private companies?

Not directly as general private-sector law. They apply to government use, but they are still important because they signal the state's baseline expectations for controlled use, procurement and documentation.

When should organisations expect more detailed Taiwanese AI rules?

The key date to watch is January 2028. The Executive Yuan has told sector authorities to complete AI risk management rules, industry guidance, or legal adjustments in their own domains by then.
