Taiwan Sets the Rules on Semiconductor Cybersecurity with SEMI E187
Taiwan has taken an unusually assertive step in the global semiconductor industry: it is no longer merely being a follower complying with international standards—it is helping establish rules.
At the center of this shift is SEMI E187, a cybersecurity standard for semiconductor manufacturing equipment jointly promoted by TSMC, SEMI, and the Ministry of Digital Affairs (MODA). Designed to counter growing supply-chain cyber threats, SEMI E187 is the first international semiconductor equipment cybersecurity standard initiated by Taiwan, and it is now beginning to reshape how trust is enforced across the global chip supply chain.
“It not only helps protect TSMC and safeguard the democratic supply chain, but also creates substantial business opportunities for Taiwan’s cybersecurity industry,” wrote Minister of Digital Affairs, Lin Yi-jing.
Following the release in January 2022 of SEMI E187—the first semiconductor wafer equipment cybersecurity standard initiated by Taiwan—the standard has received broad attention and recognition from the global semiconductor industry and its supply chain. In addition to supporting the development of the SEMI E187 Reference Practice, ADI has organized promotional activities and expert-led sessions to facilitate understanding of the standard and its practical application. ADI has also showcased domestically developed cybersecurity solutions that support compliance at venues including the Shalun Cybersecurity Service Base in Tainan, CYBERSEC, and SEMICON Taiwan, enabling industry stakeholders to better understand the importance of supply chain cybersecurity and accelerate the adoption of standards.
“This initiative gives rise to three layers of business: certification services, consulting and compliance guidance, and the provision of cybersecurity software and services. Together, these form a new industrial ecosystem anchored in trust and standards, rather than manufacturing scale alone,” said Lin.
Addressing the Loopholes in Supply Chains
TSMC, the world’s largest contract chipmaker, is widely regarded as a pillar of what policymakers call the “democratic supply chain.” A successful cyberattack on TSMC would not only disrupt global electronics production but also pose serious risks to the economic security and defense capabilities of Taiwan, the United States, Europe, and Japan.
Yet directly hacking TSMC is extremely difficult; hence, hackers moved toward launching supply chain attacks, with cases reported in 2023 and 2025, respectively.
Rather than targeting TSMC head-on, attackers aim for weaker links—upstream and downstream suppliers whose systems may not be as well protected. In a typical scenario, a hacker compromises a semiconductor equipment vendor, embeds malware or a backdoor into the equipment itself, and waits. Once that equipment is delivered and installed at TSMC, the malicious code gains a trusted foothold inside the fab—what the minister describes as a modern-day “Trojan Horse.”
SEMI E187 was created precisely to address this risk. Under the standard, semiconductor equipment vendors seeking to supply TSMC are required to meet defined cybersecurity requirements and obtain third-party verification. The goal is to raise the baseline level of cybersecurity across the entire equipment supply chain, reducing the risk that trusted machines become vectors for attack.
MODA’s Administration of Digital Industries (ADI) has played a key role in turning the standard from policy into practice. The agency has supported Taiwanese cybersecurity firms in building compliance guidance capabilities, helped develop the SEMI E187 Reference Practice and Basic Implementation Checklist, and organized workshops with SEMI, TSMC, ASE, and the Taiwan Electrical and Electronic Manufacturers’ Association (TEEIA) to accelerate adoption.
For the first time, Taiwan is in a position to define the rules—and others must adapt.
The strategic significance is global. James Tu, Head of Global Security Management at TSMC, pointed out that E187 is SEMI’s first cybersecurity standard specifically developed for semiconductor equipment, embodying Taiwan’s expertise and contributions. Initiated in 2019 and officially released in 2022, the standard has since accumulated practical implementation experience through Verification of Conformity (VoC). With the support of the government and SEMI authorization, a formal cybersecurity certification and validation framework has now been launched. The framework has attracted significant international attention, and with continued collaboration among government, industry, academia, and research institutions, it is expected to be further promoted and applied across a wider range of manufacturing sectors—creating new business opportunities while comprehensively enhancing the cybersecurity resilience of the global supply chain.
As TSMC continues to expand overseas, Taiwan intends to require that local suppliers in host countries also comply with SEMI E187. In effect, the standard travels with TSMC, embedding Taiwan-led cybersecurity requirements into fabs and supply chains worldwide.
At SEMICON Taiwan in September 2025, MODA underscored this vision by hosting a SECPAAS Cybersecurity Pavilion themed “Strengthening Cyber Resilience of Industrial Supply Chains,” showcasing Taiwanese solutions designed to support SEMI E187 compliance. The message was clear: cybersecurity is no longer a peripheral concern—it is infrastructure.
In an era when geopolitical tensions increasingly intersect with technology, SEMI E187 represents more than a technical specification. It is a statement of intent: Taiwan is positioning itself not only as the world’s most critical semiconductor manufacturer, but also as a rule-setter for how that industry defends itself in the digital age.