2018 BSA Global Cloud Computing Scorecard

Powering a Bright Future

Download the Report
Tweet This!


The 2018 BSA Global Cloud Computing Scorecard — the newest version of the only global report to rank countries’ preparedness for the adoption and growth of cloud computing services — features an updated methodology to better reflect cloud computing’s exponential growth over the past five years, putting additional emphasis on policy areas, including privacy laws, cybersecurity laws, and broadband infrastructure. Most countries continue to make improvements, the study finds, but some markets are falling further behind.

By examining the legal and regulatory framework of 24 countries, the Scorecard aims to provide a platform for discussion between policymakers and cloud service providers. This dialogue can help develop an internationally harmonized regime of laws and regulations that facilitate cloud computing.

Bar graph in descending order of top countries with high scores on the cloud scorecard list

See Full Checklist

Scorecard Themes

- Data Privacy

Cloud users need to trust that their data, which may be stored anywhere in the world, will not be used or disclosed by a cloud provider in unauthorized ways. Countries can provide these assurances with appropriate privacy laws. But it is a delicate balance —unnecessarily burdensome restrictions will hinder the important advantages of cloud computing that users want and need.

This section of the Scorecard examines how countries are managing these competing interests. Overall, the concern for privacy has produced many positive results across jurisdictions, including significant law reform and a greater public awareness of data privacy issues.

Most countries in the Scorecard have data protection frameworks in place and have established independent privacy commissioners. Many of the data protection laws are now being updated to meet new international standards — such as the European Union General Data Protection Regulation (GDPR) and the APEC Cross Border Privacy scheme (CBPRs).

Unfortunately, privacy laws are still absent or insufficient in several countries. Brazil and Thailand have no comprehensive laws in place, while laws in China, India, Indonesia, and Vietnam remain very limited.

A small number of countries have adopted or proposed prescriptive data localization regimes that would require cloud providers to restrict the free flow of data or build costly — and unnecessary — servers in order to provide services in a specific market.

Canada and Mexico score highest in the privacy section, offering comprehensive privacy regimes without onerous registration requirements. Countries with no laws (Brazil and Thailand) and countries with prescriptive data localization requirements (such as Russia and Indonesia) score poorly in this section.


+ Security

Users of cloud computing and other digital services need to be certain that cloud service providers can manage the security risks of storing their data and running their applications on cloud systems. Largescale national and international cybersecurity attacks are now common.

This section examines how countries manage and regulate cybersecurity, security certification, and security testing.

This year’s Scorecard indicates that many countries have implemented national cybersecurity strategies. Many of these national strategies promote a joint public-private approach to the management of cybersecurity. Overall, this is a positive development, although Argentina, Mexico, and Vietnam are yet to develop and implement strategies.

Most cloud computing applications are designed to meet internationally recognized security standards, and this approach is supported by most countries in the Scorecard. This means that a product tested in one country can be recognized in other countries. However, the Scorecard reveals that some overly prescriptive security requirements that duplicate accepted international standards and impose onerous local requirements have been introduced. For example, China, India, and Korea have all introduced some local security testing requirements.

The United Kingdom, Germany, France, Australia, the United States, and Japan score highest in the security section. Mexico, Argentina, and Vietnam record the lowest scores — mainly due to delay in implementing national cybersecurity strategies.


+ Cybercrime

The huge quantities of data that companies and governments store in their computer networks have long attracted the attention of bad actors. In order to protect data holders and deter cyber criminals, governments must use legislative, investigative, and enforcement tools.

This section examines cybercrime laws, as well as rules relating to investigation and enforcement.

Overall, the Scorecard finds that most countries are rising to the challenge of creating legal regimes to protect data from cyberattack and physical security breaches. Most countries studied have legislation to combat the unauthorized access of data stored in the cloud. Most also have implemented cybercrime laws, many of which are compatible with the Convention on Cybercrime. Italy, Japan, Poland, and Spain all score very highly in this section of the Scorecard.

Unfortunately, a few key jurisdictions still have gaps and inconsistencies in their cybercrime laws. China and Vietnam score poorly in this section of the Scorecard.

The Scorecard also asks whether local laws and policies on access to data by law enforcement authorities avoid technology specific mandates (e.g., requirements for specific tools that allow access to encrypted data). These mandates may act as a barrier to the supply of security products and services. There was a wide divergence on this issue and on other issues related to the investigation and prosecution of cybercrime.


+ Intellectual Property Rights

As with the creators of other highly innovative and fast-evolving products, providers of cloud computing services rely on a combination of patents, copyrights, trade secrets, and other forms of intellectual property protection. To encourage investment in cloud research and development, intellectual property laws must provide clear protections and effective enforcement of misappropriation and infringement. Online intermediaries should be offered incentives to operate responsibly and should enjoy safe harbor from copyright liability when they do so.

This section examines the intellectual property protections in place in the countries studied, as well as their approaches to implementation and enforcement. The Intellectual Property criteria for this year’s Scorecard was extensively revised to focus on issues that are most relevant to cloud computing, including new questions on trade secrets and patents.

The United Kingdom, Singapore, and the United States all score very highly in the Intellectual Property section, reflecting their combination of modern laws and effective enforcement. Unfortunately, many countries struggled to achieve good results in this section, with Vietnam, Malaysia, Turkey, and India recording the lowest scores. However, numerous proposed and draft laws and regulations exist across the countries in the study, and this may be a section where we see strong improvements in the coming years.


+ Support for Industry-Led Standards and International Harmonization of Rules

Users need data portability and seamless interoperable applications if they are to make full use of cloud-computing services and the digital economy. IT industry organizations are developing international standards that will ensure optimal portability. Government support for these voluntary, industry-led efforts is highly important. Countries must also promote global harmonization of e-commerce rules, tariffs, and relevant trade rules.

This section examines the extent to which governments have encouraged industry-led processes and promoted harmonization of e-commerce rules.

The Scorecard reveals that some countries have moved away from accepting international standards and international certifications, most notably China, India, Indonesia, Korea, and Russia.

Although tariffs and trade barriers for online software and applications continue to be rare, they continue to hinder new technology products used to access cloud services in a few countries. Argentina, Brazil, and Russia all score poorly in this section.


+ Promoting Free Trade

Cloud services operate across national boundaries, and their success depends on access to regional and global markets. Restrictive policies that create actual or potential trade barriers will inhibit or slow the evolution of cloud computing.

This section examines government procurement regimes and the existence or absence of barriers to free trade, including each country’s requirements and preferences for particular products. The section also examines whether countries support international efforts to standardize and liberalize trade and procurement policies, allow cloud providers to operate free from tariffs and other trade barriers, and avoid laws or policies that impose data localization requirements.

The Scorecard indicates that a number of countries still provide preferential treatment for domestic suppliers in government procurement or have introduced other barriers to international trade. Indeed, this section of the Scorecard reveals the widest divergence between countries. A small group of countries scored close to the maximum points — Canada, Germany, the United States, Poland, and Japan — while a number of countries score no points or almost no points, including China, India, Vietnam, and Russia.


+ IT Readiness and Broadband Deployment

Digital economies and cloud computing require extensive, affordable broadband access, which in turn requires incentives for private sector investment in infrastructure and laws and policies that support universal access.

This section of the Scorecard examines and compares the infrastructure available in each country to support the digital economy and cloud computing. It is based on detailed comparative statistics on a range of important IT indicators, including the presence of a national broadband plan, a country’s International Connectivity Score and International Internet Bandwidth. In addition, the Scorecard includes statistics on the number of subscribers for key services, such as mobile broadband subscriptions.

Despite major infrastructure improvements underway in a number of countries, broadband penetration remains very inconsistent. As a result, some countries continue to have low infrastructure scores. Countries that do not yet have sufficient infrastructure continue to be at risk of missing the economic benefits of the digital economy and cloud computing.

Singapore, Japan, and Korea achieve the highest results in this section of the report. As IT Readiness and Broadband Deployment is worth 25 percent of the overall score in this year’s Scorecard, this strong result helps to lift the overall rankings for these countries. For example, Japan jumps from 10th in the Scorecard rankings to 2nd once the infrastructure scores are included. Most of the other countries in the Scorecard receive a similar ranking whether or not infrastructure scores are included.

The poorest performers in this section of the Scorecard are Vietnam, Indonesia, and India.


Country Reports

See the summaries and full report below for detailed information on each country.

+ 1Germany84.0


Germany provides strong protection for cloud services, through a combination of comprehensive cybercrime legislation as well as an up-to-date cybersecurity strategy. Germany also has modern electronic commerce and electronic signature laws.

Germany has comprehensive privacy legislation, but it includes onerous registration requirements that may act as a cost barrier for the use of cloud computing.

Germany has a strong commitment to international standards and interoperability.

In the area of intellectual property, Germany offers good protection but there are some areas in which improvement could be made including further trade secrets protection.

Germany is making good progress on extending broadband access to the population. Its current target is to ensure that all households have access to broadband with speeds of at least 50 Mbps by the end of 2018.

Although Germany’s overall rank has improved since the last Scorecard — from third to first place — this stemmed largely from the rebalancing of the Scorecard methodology. The country’s improved scores in the security section of the report also contributed to the increase.

+ 2Japan82.1


Japan has a comprehensive suite of modern laws that support and facilitate the digital economy and cloud computing.

Japan has comprehensive privacy legislation, with a new central regulator in place and strong enforcement provision.

Japan ratified the Convention on Cybercrime in 2012, setting a positive example for other countries.

Japan’s intellectual property laws cover the full range of protections relevant to cloud computing, but improvements can be made in areas of protection against circumvention of technological protection measures.

Japan is very active in the development of international standards.

Japan is characterized by having one of the most extensive broadband fiber deployments in the world, with the largest number of fiber users in the world. Japan has an actively managed competitive access regime and has had at least six significant information technology (IT) strategies and plans over the past decade. Typically, the targets are met, and there is progression to the next strategy. This puts Japan in a unique position, with one of the most complete broadband infrastructures in the world. The high scores in this section of the scorecard positively impact Japan’s overall ranking position.

Japan’s ranking decreases slightly — from first to second — mostly because of improvements by Germany.

+ 3United States82.0


The United States has comprehensive and up-to-date laws for e-commerce, electronic signatures, and cybercrime.

The United States has signed and implemented the Convention on Cybercrime and plays a leading role in the investigation of global cybercrimes.

Although there are no general privacy laws in place, the United States does have useful sectoral privacy laws and an active regulator. There is an ongoing debate in the US regarding the balance between national security surveillance and privacy protection. There are numerous, but inconsistent, state data breach notification laws in place in the United States.

The United States scores well in the intellectual property section of the report. The country has signed all of the relevant international agreements, and a strong intellectual property enforcement culture is in place.

The United States is an active participant in international standards development processes and an advocate of free trade and harmonization.

The United States has high levels of Internet use, but access to fast broadband remains patchy. The National Broadband Plan has a goal that by 2020 at least 100 million households will have download speeds of 100 Mbps and upload speeds of 50 Mbps. Not all parts of the plan have been adopted or fully funded; however, significant parts of the plan have been implemented.

The United States’ position in the 2018 Scorecard rankings fell slightly — from second to third.

+ 4United Kingdom81.8


The United Kingdom has a comprehensive set of cyberlaws. Data protection laws are particularly strong, with regular enforcement. However, businesses are required to register their data sets with the regulator, which seems to be an unnecessary burden on business and may act as a barrier to some cloud services.

The United Kingdom is updating its laws to reflect the provisions of the EU General Data Protection Regulation (GDPR), which will come into force in May 2018. This update continues despite the BREXIT process.

The United Kingdom is free from Internet censorship and filtering, and up-to-date laws are in place for e-commerce and electronic signatures.

The United Kingdom is a signatory to the Convention on Cybercrime. There is significant debate in the United Kingdom on the regulation of law enforcement access to data, and some proposals could have a potential negative effect on cloud computing.

Advanced intellectual property laws are in place and are regularly enforced, although there is still a gap in relation to trade secrets protection and enforcement. The United Kingdom also scored very well in the information technology (IT) infrastructure section of this year’s report.

The United Kingdom’s ranking improved substantially, and the country went from ninth to fourth place in the 2018 Scorecard rankings. The UK released a national Cyber Security Strategy in late 2016 and outperformed other nations in the Security rankings.

+ 5Australia80.6


Australia promotes cloud computing through a mix of modern laws, regulations, and standards. For example, Australia has a strong commitment to international cooperation, free trade, and interoperability. Key laws are based on international models, and Australia is an active participant in the development of international standards.

Australia has up-to-date cybercrime laws and ratified the Convention on Cybercrime in 2012. Australia also has comprehensive electronic signature and electronic commerce laws. Australia’s data protection legislation is current and is broadly compatible with global frameworks.

Intellectual property laws in Australia provide good protection for cloud computing services and the digital economy. However, Australia provides limited “safe harbor” protections in the Copyright Act 1968, and the level of protection for cloud service providers remains uncertain.

Australian information technology (IT) infrastructure is reasonably well developed. Australia revised its model for the National Broadband Network in 2014. It is forecast to provide 8 million connections at speeds of 25–50 Mbps through fiber to the node (FttN) and hybrid fiber-coaxial (HFC) connections by 2020.

Overall, Australia’s Scorecard results were similar to the results reported in 2016. The country’s slight improvement in the ranking — from sixth to fifth — is mostly a result of other countries’ weaker performance in the areas relevant to cloud computing that are reflected in the Scorecard.

+ 6Singapore80.2


Singapore has modern digital economy laws in most areas. For example, the Electronic Transactions Act 2010 implements the United Nations Convention on Electronic Contracting, which Singapore has ratified. Singapore also has up-to-date cybercrime laws and intellectual property laws.

Singapore privacy law provides a balanced approach between protecting personal information and facilitating innovation in cloud computing and the digital economy. However, there have been some recent trends suggesting Singapore may be looking to establish unique national standards for the IT sector. For example, Singapore adopted the Singapore-specific Multi-Tier Cloud Security (MTCS) Singapore Standard, which arbitrarily assigns levels to cloud computing services imposing distinct requirements on particular levels.

Singapore has some minor Internet censorship in place but generally promotes innovative business practices that are free from tariffs and government intervention. Singapore is generally committed to adopting international standards throughout the IT and security sectors.

Singapore has excellent information (IT) infrastructure and is developing a national network to bring high-speed fiber to the home.

There were very few changes in Singapore’s results from the previous Scorecard. The minor jump in the rankings — from seventh to sixth — is a result of the rebalancing of the Scorecard methodology.

+ 7Canada80.0


Canada’s data protection regulations are compatible with globally recognized frameworks that facilitate international data transfers. In 2015, Canada also ratified the Council of Europe Cybercrime Convention and implemented computer crime legislation that apply to most cybercrimes, although there are some limitations. Canada’s Cyber Security Strategy, however, is not considered to be current and is undergoing review.

In 2014, Canada ratified the WIPO Copyright Treaty, sealing a recent period of improved copyright regulation and enforcement in areas relevant to cloud computing. However, Canada’s results in this section are somewhat affected by the limited protection offered to trade secrets.

Canada also achieves strong results in the sections covering international standards and the promotion of free trade.

Finally, Canada scores well in the information technology (IT) infrastructure section of the scorecard. In December 2016, the Canadian Radio-television and Telecommunications Commission issued a policy declaring high-speed broadband as an essential service. According to the policy, by 2021 90 percent of premises are to have access speeds of at least 50 Mbps download and 10 Mbps upload and unlimited data allowance. The remaining 10 percent of premises are to achieve this target by 2026–2031. This universal goal has been supplemented by a fund to pay for relevant projects.

There were very few changes in Canada’s results from the previous Scorecard. The minor difference in Canada’s position in the rankings — a slide from fourth to seventh — was caused not by policy changes in Canada but by the rebalancing of the Scorecard methodology.

+ 8France79.6


A combination of comprehensive cybercrime legislation and up-to-date intellectual property protection benefits cloud services in France. France also has up-to-date electronic signature and electronic commerce laws in place.

Comprehensive privacy legislation exists in France, although it includes onerous and cumbersome registration requirements that appear unnecessary.

There is no clear or comprehensive government policy or strategy on cloud computing in France, although France has invested heavily (through the French sovereign wealth fund) in supporting several local cloud service providers.

France’s national broadband plan, France Très Haut Débit, is a 10-year-funded initiative launched in 2013 and updated in 2015. It covers a range of infrastructure and constructions programs, which use a range of technologies. The overall broadband target for the France Très Haut Débit plan is 100 percent coverage of France with speeds in excess of 30 Mbps by 2022.

There were very few changes in France’s results from the previous Scorecard. The minor difference in France’s position in the ranking — a slide from fifth place to eighth — is based on the rebalancing of the Scorecard methodology.

+ 9Italy79.0


Italy’s data protection laws are comprehensive but include certain registration requirements that are onerous and appear unnecessary, as well as some limitations to data flows like other European Union countries.

Italy provides adequate intellectual property protection for cloud computing services, including appropriate “safe harbor” protection from liability for third-party infringement.

Italy has strong cybercrime laws and a comprehensive cybersecurity strategy in place, which works in conjunction with the Italian Digital Agenda — a government-led initiative to invest in digital development.

In addition, Italy has modern electronic signature laws and electronic commerce laws, and it is committed to international standards and interoperability.

Italy’s overall ranking fell slightly — to ninth from eighth in the 2016 report. This was the result of better performance by other countries, particularly in IT Readiness and Broadband Deployment, as well as the rebalancing of the Scorecard methodology.

+ 10Spain78.4


Spain has comprehensive privacy legislation, although it relies heavily on registration requirements that could act as a barrier for cloud computing services.

Spain has up-to-date cybercrime legislation and has ratified the Convention on Cybercrime. Spain also has comprehensive electronic commerce and electronic signature legislation, and Internet service providers (ISPs) are free from any Internet filtering or censorship.

Some minor gaps exist in intellectual property protection, and enforcement is poor particularly in relation to circumvention of technological protection measures.

Spain is a very active participant in international forums and supports international standards development and interoperability.

Spain recorded significant gains in information technology (IT) infrastructure in recent years. In the Digital Agenda for Spain, released in 2013, Spain reaffirmed its commitment to achieve the European Commission set targets for all households to have download speeds of at least 30 Mbps by 2020, and 50 percent of households at 100 Mbps by 2025.

Spain’s overall scores remained fairly steady. The country’s position in the Scorecard rankings improved slightly — to 10th in 2018 from 11th in 2016.

+ 11Poland77.0


Poland has up-to-date electronic signatures, electronic commerce, and cybercrime laws. These laws provide a good platform for promoting confidence in cloud computing and the digital economy.

Although Poland has a comprehensive data protection law in place, data controllers are bound by registration requirements. In addition, data breach notification requirements are limited.

Poland has a good regime for the protection of intellectual property, including specific rules for Internet service provider liability. However, some gaps still exist in copyright enforcement and protection against the circumvention of technological protection measures.

Poland promotes innovation and interoperability and has nondiscriminatory policies for government procurement.

Poland’s National Broadband Plan 2014–2020 was adopted in January 2014 and remains valid until 2020. The plan sets the targets that, by 2020, 100 percent of households and companies should have access to Internet connectivity of at least 30 Mbps and 50 percent of households and companies have access to Internet connectivity of 100 Mbps.

Poland’s place in the Scorecard rankings fell one place in 2018, from 10th to 11th.

+ 12Korea72.2


Korea has a strong commitment to the promotion of the digital economy, and its laws and standards are generally based on international models. Korea scored well in the IT readiness and broadband deployment section of the scorecard.

Although Korea has a personal data protection law in place, it imposes complex and inflexible notice and consent requirements, which effect data flows that are paramount for cloud computing.

Korea’s strong intellectual property laws facilitate the development and use of cloud computing services. However, the implementation and enforcement of these laws could be improved in some instances. Korea’s cybercrime law does not cover the full range of relevant issues.

Korea is an active proponent of free trade and interoperability and is a member of the World Trade Organization (WTO) Agreement on Government Procurement. However, one current area of concern is that Korea imposes a national encryption standard for the procurement of information technology (IT) security devices and related equipment, when a suitable international encryption standard is available.

In addition, some IT products that have already passed international Common Criteria for Information Technology Security Evaluation are required to undergo additional local testing in Korea.

Overall, Korea’s position in the Scorecard rankings remains unchanged from 2016.

+ 13Mexico60.6


Mexico has implemented many relevant cyberlaws, including privacy legislation, rules on data breach notification, and up-to-date cybercrime legislation.

Improvement is required in intellectual property protection and enforcement in Mexico. Significant gaps in legal coverage and enforcement remain. Intellectual property safe harbor has not been implemented for cloud service providers in Mexico and the bar for prosecution of intellectual property crimes is high.

Mexico also scores poorly in the section on promoting free trade.

There is no specific national broadband plan in Mexico and no speed or connectivity targets have been published. The country continues to face challenges in delivering a modern information technology (IT) infrastructure that can facilitate cloud computing.

Overall, Mexico’s Scorecard ranking improved slightly, from 15th place in 2016 to 13th in 2018.

+ 14Malaysia59.3


Malaysia has modern electronic signature laws, and electronic commerce laws in place. These measures provide good level of protection for computing in Malaysia.

Malaysia has data protection regulation in place that is generally compatible with globally recognized frameworks. However, the law does not include data breach notification provisions and data controllers are required to register with the Personal Data Protection Department.

Malaysia has specific provisions in place for law enforcement access to encrypted data that, in some instances, may act as de facto mandate for the use of specific security technology.

Malaysia’s copyright laws are aligned with international standards, although enforcement remains patchy.

Malaysia has a moderate level of broadband penetration. In 2015, the government committed to new broadband targets: by 2020, 100 percent of households in capital cities and high-impact growth area to have access to speeds of 100 Mbps and 50 percent of households in suburban and rural areas to have access to speeds of 20 Mbps.

Malaysia fell slightly in the Scorecard rankings — from 13th place in 2016 to 14th place in 2018.

+ 15South Africa57.3


South Africa’s comprehensive privacy law is gradually being implemented. The country also has some useful cybercrime and electronic commerce laws in place.

However, some limited Internet filtering and censorship still occurs, which may inhibit development of the digital economy, and South Africa has only very basic copyright laws, which are not aligned with current international best practice. In Mid-2015, the Government of South Africa started a process to amend the copyright law, but the process has faced considerable delays. South Africa has not yet signed the WIPO Copyright Treaty.

Another potential barrier in South Africa is the existence of a complex system of domestic preferences in government procurement opportunities.

South Africa has low levels of broadband penetration, but they have been improving in recent years. The government released ambitious targets in December 2013 for the South Africa Connect plan.

South Africa’s ranking in the 2018 Scorecard fell slightly — from 14th to 15th — based largely on the rebalancing of the Scorecard methodology.

+ 16Turkey54.3


Turkey’s Law on the Protection of Personal Data came into force in April 2016. Turkey has also signed the Convention on Cybercrime, which came into force in the country in 2015. These developments help create a positive environment for building trust in cloud services.

However, Turkey continues to have some gaps in other areas that affect cloud computing. For example, rules on Internet content regulation may act as a barrier to cloud services.

Intellectual property protection in Turkey is reasonably up-to-date, but enforcement is patchy.

Turkey’s progress toward integration with the European and international communities has stalled, and some domestic preferences are still in place for government procurement opportunities.

The government has an ambitious target of providing fast broadband to 95 percent of households by 2020.

Turkey’s overall ranking rose from 19th in 2016 to 16th in 2018 mostly because of its new privacy law, which came into force in 2016, and the rebalancing of the Scorecard methodology.

+ 17Argentina51.8


Argentina has data protection laws in place and is updating some aspects of the law. There are effective laws in place on cybercrime and electronic signatures in the country. Although Argentina’s scores for IT infrastructure (and broadband access in particular) improved since the Scorecard was first launched in 2012, progresses in this area is still necessary.

The country has a poor track record of protecting and enforcing intellectual property rights relevant to cloud computing. For example, Argentina does not provide specific “safe harbor” protection for intermediaries. Some gaps also exist in the important areas of standards development and technology neutral and nondiscriminatory government procurement of information technology (IT).

Argentina also scored poorly on promotion of free trade because it imposes numerous tariffs and other trade barriers that negatively affect the digital economy.

There were very few changes in Argentina’s results from the previous Scorecard. Argentina fell slightly in the 2018 report rankings mostly because of progress made by other countries.

+ 18Brazil50.3


Brazil recognizes the importance of information technology (IT) and the digital economy, but has struggled to implement a policy framework to foster the development of cloud computing. Some trade barriers to IT innovation remain in Brazil. Gaps also exist in the technology neutral and nondiscriminatory government procurement of IT.

Brazil still does not have specific privacy legislation in place, and is falling behind its peers in this area. Brazil has some gaps in intellectual property protection and enforcement in areas relevant cloud computing. Although positive trends are present, there is room for improvement. Brazil has implemented an effective intellectual property “safe harbor” process for cloud service providers. On the other hand, the Brazilian Patent and Trademark Office has a large backlog of pending applications, which prevents patents from being issued in a timely manner. Similarly, Brazilian courts also have a large backlog of cases.

However, Brazil does achieve better scores in relation to security and infrastructure, with significant improvements recorded in relation to Internet freedom in the past years.

Although Brazil’s overall rank changed substantially since the last Scorecard — from 22nd to 18th — this improvement did not stem from major improvements in Brazil’s policy or IT infrastructure development. Rather, this change was caused mostly from the rebalancing of the Scorecard methodology to reflect the developments that have occurred since the Scorecard was first launched and by other countries’ poorer performance in the areas relevant to cloud computing that are reflected in the Scorecard.

+ 19Thailand48.4


Thailand’s laws and policies in relation to cloud computing and the digital economy are patchy, with strengths in some areas and significant gaps and weaknesses in others.

Thailand has implemented comprehensive cybercrime legislation, which helps to enhance confidence in information technology (IT). Thailand also has good laws for electronic commerce and electronic signatures. However, Thailand has no privacy laws, and this is a major weakness.

In January 2015, two Copyright Amendment laws were approved: the Copyright Act (No. 2) B.E. 2558 (A.D. 2015), and Copyright Act (No. 3) B.E. 2558 (A.D. 2015). These two new laws implement many of the key provisions of the WIPO Copyright Treaty. They also introduced an Internet service provider (ISP) liability scheme for copyright infringements that applies in broad circumstances.

Additional risks in Thailand include mandatory Internet censorship (some of which is clearly political in nature) and filtering, and procurement preference policies.

Overall, Thailand’s position in the Scorecard rankings has risen slightly since 2016 — from 21st to 19th — mostly because of incremental improvements in the Cybercrime and Intellectual Property Rights sections. Improvements in the IT Readiness and Broadband Developments based on the Thailand Digital Economy and Social Development Plan 2016 are also ongoing.

+ 20India48.4


Laws and regulations in India have not entirely kept pace with developments in cloud computing, and some gaps exist in key areas of protection; notably, India has not yet implemented effective privacy legislation, although work is underway to address this issue.

India has a comprehensive national cybersecurity strategy in place and strong cybercrime legislation. Some laws and standards in India are not technology neutral (e.g., electronic signatures), and these may be a barrier to interoperability.

This year’s report notes that India imposes some local security testing requirements in addition to international testing requirements. These local testing arrangements have been the subject of criticism by India’s trading partners, including the European Union.

There is a gap in trade secrets protection in India. In addition, guidance for examiners on how to evaluate patent applications for software-enabled inventions is lacking, although the revocation of guidelines that would have prevented most computer related inventions from being subject to patent protection if novel hardware was not present is a step in the right direction. Furthermore, India still has not ratified the WIPO Copyright Treaty.

Overall, India’s ranking in 2018 is 20th. India fell two places because of its poor results in the Data Privacy and IT Readiness and Broadband Deployment.

+ 21Russia45.0


Russia has a patchwork of laws that apply to the digital economy and cloud computing, and these laws contain significant gaps and limitations.

For example, its laws on both privacy and cybercrime do not follow recognized international standards. Russia requires personal data of Russian citizens to be stored on servers based in Russia. This requirement has a significant negative effect on the digital economy.

In addition, any personal data information system (even a simple database) must be certified by the Federal Service for Technical and Export Control (FSTEC). Furthermore, only hardware and software that has been approved by the FSTEC and the Federal Security Service (FSB) can be used for personal data processing in Russia. Russian allows certain flexibility regarding whether local or international standards should be used but no preference is given to international standards.

Russia also has cumbersome Internet filtering and censorship regulations that act as a barrier to cloud computing. Russia mandates the use of certain products and software in government procurement opportunities.

Russian law addresses copyright infringement liability, as well as “safe harbors” from such liability for intermediaries, including cloud service providers, that comply with relevant requirements. However, Russia has a poor record of intellectual property enforcement in general, and laws protecting against circumvention of technological protection measures are limited and poorly enforced.

Overall, Russia’s place in the Scorecard rankings fell sharply in 2018. The negative effect of the data localization regulations and lack of promotion of free trade contributed to the country’s ranking falling by four spots — from 17th to 21st.

+ 22China43.7


The continued promotion of indigenous development policies that discriminate against foreign technology companies continue to hinder China’s cloud computing readiness progress.

China does not follow international models in key areas that are relevant to cloud computing. For example, the privacy and security provisions in the 2015 National Security Law and 2016 Cybersecurity Law are controversial and have been the subject of extensive international debate. Key concerns include data localization mandates, extensive and duplicative tests, audits, and certifications. These concerns are exacerbated by pending and/or unclear implementing guidelines.

China achieved the lowest results from all countries in the areas of international standards and it also scored very poorly in the section on free trade promotion. China imposes a range of onerous local certification and accreditation requirements that are in addition to (and often inconsistent with) international cybersecurity standards and general IT standards. China also imposes local testing requirements for cybersecurity products.

Extensive regulation of Internet content, including mandatory Internet filtering and censorship, remains a key issue in China.

China’s poor results in relation to laws and regulation were partly offset by strong progress in IT infrastructure, which explains the slight improving in its ranking — from 23rd place to 22nd place.

+ 23Indonesia40.7


Indonesia continues to update and reform laws and regulations in the information technology (IT) sector, and the result is not always positive for cloud computing.

Regulations impose significant barriers for cloud service providers, including requirements for providers to register their services with a central authority and rules that force some providers to establish local data centers and hire local staff.

Copyright law in Indonesia is now mostly aligned with international models. However, several key aspects of the new law await more-detailed regulations before they can be implemented. In addition, improvements could be made in the areas of enforcement and safe harbor protection for intermediaries.

A gap in Indonesian regulatory environment exists in the areas of interoperability, free trade, and government procurement, negatively affecting cloud computing.

The Indonesian Broadband Plan was finalized in December 2013 and implementation began in 2014 with the objective to increase “meaningful” broadband penetration. However, information on implementation of the plan is limited.

Overall, Indonesia fell three places in the Scorecard rankings (from 20th to 23rd), as the country’s rank was overtaken by others.

+ 24Vietnam36.4


Vietnam continues to work on the development relevant cyberlaws that could enhance confidence in the digital economy and facilitate cloud computing. However, gaps still exist in key areas.

Vietnam has laws and regulations in place for electronic commerce and electronic signatures. However, only very limited laws are in place for cybercrime and Vietnam has not developed a national cybersecurity strategy yet.

Vietnam’s privacy laws are not comprehensive, but a patchwork of sectoral provisions provide some protection.

Vietnam continues to impose severe censorship and restrictions on Internet content. An additional risk is that Vietnam has not yet developed appropriate laws and policies on interoperability and government procurement. Also, some trade barriers may hamper the development of cloud computing and the digital economy.

There is also a gap in intellectual property protection and enforcement in Vietnam. Broadband penetration in Vietnam remains low, although there has been strong growth in a number of key infrastructure indicators in recent years.

Due to the many legal and policy gaps existing in Vietnam, as well as the poor performance in IT readiness and broadband development, the country has remained entrenched in last place — 24th — since the Scorecard was first launched.

Issue Briefs


The BSA Global Cloud Computing Scorecard examines the legal and regulatory framework of 24 countries around the world, identifying 72 questions that are relevant to determining readiness for cloud computing. The questions are categorized under the aforementioned policy categories, and are generally framed so as to be answerable by “yes” or “no.” The answers are also color coded:

YesIndicates a positive assessment, which is generally considered to be an encouraging step toward the establishment of a favorable legal and regulatory environment for cloud computing.

NoIndicates a negative assessment and the presence of a potential barrier to the establishment of a favorable legal and regulatory environment for cloud computing.

PartialIndicates that the assessment is positive in part, although some gaps or inconsistencies may exist that require further remedial work.

Not ApplicableIndicates a fact-finding question on relevant issues.

The Scorecard aims to provide a platform for discussion between policymakers and providers of cloud offerings, with a view toward developing an internationally harmonized regime of laws and regulations relevant to cloud computing. It is a tool that can help policymakers conduct a constructive self-evaluation, and determine the next steps that need to be taken to help advance the growth of global cloud computing.

Responses for the infrastructure portion of the Scorecard are color coded based on the scale below. That is, the “highest” answer to a particular question (e.g., the largest population or highest number of Internet users) is indicated in bright green, and the color for other responses graduates down to the lowest response in red.