Finland’s Technology Innovation System

Introduction to the “Public Procurement for Startups” mechanism I.Backgrounds 　　According to the EU’s statistics, government procurement budget accounted for over 14% of GDP. And, according to the media report, the total amount of government procurement in Taiwan in 2017 accounted for nearly 8%. Therefore, the government’s procurement power has gradually become a policy tool for the government to promote the development of innovative products and services. 　　In 2017, the Executive Yuan of the R.O.C.（Taiwan）announced a government procurement policy named “Government as Good Partners with Startups （政府成為新創好夥伴）”[1] to encourage government agencies and State-owned Enterprises to procure and adopt innovative goods or services provided by startups. This policy was subsequently implemented through an action plan named “Public Procurement for Startups”（新創採購）[2] by the Small and Medium Enterprise Administration（SMEA）.The action plan mainly includes two important parts：One created the procurement process for startups to enter the government contracts market through inter-entities contracts. The other accelerated the collaboration of the government agencies and startups through empirical demonstration. II.Facilitating the procurement process for startups to enter the government market 　　In order to help startups enter the government contracts market in a more efficient way, the SMEA conducts the procurement of inter-entity supply contracts with suppliers, especially startups, for the supply of innovative goods or services. An inter-entity supply contract[3] is a special contractual framework, under which the contracting entity on behalf of two or more other contracting parties signs a contract with suppliers and formulates the specifics and price of products or services provided through the public procurement process. Through the process of calling for tenders, price competition and so on, winning tenderers will be selected and listed on the Government E-Procurement System. This framework allows those contracting entities obtain orders and acquire products or services which they need in a more efficient way so it increases government agencies’ willingness to procure and use innovative products and services. 　　From 2018, the SMEA started to undertake the survey of innovative products and services that government agencies usually needed and conducted the procurement of inter-entity supply contracts for two rounds every year. As a result, the SMEA plays an important role to bridge the demand and supply sides for innovative products or services by means of implementing the forth-mentioned survey and procurement process. Moreover, in order to explore more innovative products and services with high quality and suitable for government agencies and public institutions, the SMEA actively networked with various stakeholders, including incubators, accelerators, startups mentoring programs sponsored by private and public sectors and so on. 　　Initially the items to be procured were categorized into four themes which were named the Smart Innovations, the Smart Eco, the Smart Healthcare, and the Smart Security. Later, in order to show the diversity of the innovation of startups which response well to various social issues, from 2019, the SMEA introduced two new theme solicitations titled the Smart Education and the Smart Agriculture to the inter-entities contracts. 　　Those items included the power management systems, the AI automated recognition and image warning system, the chatbot for public service, unmanned flying vehicles, aerial photography services and so on. Take the popular AI image warning system as an example, the system is used by police officers to make instant evidence searching and image recording. Other government agencies apply the innovative system to the investigation of illegal logging and school safety surveillance. 　　Moreover, the SMEA has also offered subsidy for local governments tobuy those items provided by startups. That is the coordinated supporting measure which allows startups the equal playing field to compete with large companies. The Subsidy scheme is based on the Guideline for Subsidies on Procurement of Innovative Products and Services[3] (approved by the Executive Yuan on March 29, 2018 and revised on Feb. 20, 2021). In the Guideline, “innovative products and services” refer to the products, technologies, labor, service flows or items and services rendered with creative activities through deploying scientific or technical means and a certain degree of innovations by startups with less than five years in operation. Such innovative products and services are displayed for the inter-entity supply contractual framework administered by the SMEA for government procurement. III.Accelerating the collaboration of the government agencies and startups through empirical demonstration 　　To assist startups to prove their concepts or services, and become more familiar with the governemnrt’s needs, the SMEA also created a mechanism called the “Solving Governmental Problems by Star-up Innovation”（政府出題˙新創解題）. It plans to collect government agencies’ needs, and then solicit innovative proposals from startups. After their proposals are accepted, startups will be given a grant up to one million NT dollars to conduct empirical studies on solution with government agencies for about half a year. 　　Take the cooperation between the “Taoyuan Long Term Care Institute for Older People and the Biotech Startup” for example, a care system with sanitary aids was introduced to provide automatic detection, cleanup and dry services for the patients’discharges, thus saving 95% of cleaning time for caregivers. In the past, caregivers usually spent 4 hours on the average in inspecting old patients, cleaning and replacing their bedsheets as their busy daily routines. Inadequate caregivers makes it difficult to maintain the care quality. If the problem was not addressed immediately, it would make the life of old patients more difficult. IV.Achievements to date 　　Since the promotion of the products and services of the startups and the launch of the “Public Procurement for Startups” program in 2018, 68 startups, with the SMEA’s assistance, have entered the government procurement contracts market, and more than 100 government agencies have adopted the innovative resolutions. With the encouragement for them in adopting and utilizing the fruits of the startups, it has generated more than NT$150 million in cooperative business opportunities. V.Conclusions 　　While more and more startups are obtaining business opportunities from the favorable procurement process, constant innovation remains the key to success. As such, the SMEA has regularly visited the government agencies-buyers to obtain feedbacks from startups so as to adjust and optimize the innovative products or services. The SMEA has also regularly renewed the specifics and items of the procurement list every year to keep introducing and supplying high-quality products or services to the government agencies. Reference: [1] Policy for investment environment optimization for Startups（2017）,available athttps://www.ndc.gov.tw/nc_27_28382.（last visited on July 30, 2021 ) [2] https://www.spp.org.tw/spp/（last visited on July 30, 2021 ) [3] Article 93 of Government Procurement Act：I An entity may execute an inter-entity supply contract with a supplier for the supply of property or services that are commonly needed by entities. II The regulations for a procurement of an inter-entity supply contract, the matters specified in the tender documentation and contract, applicable entities, and the related matters shall be prescribed by the responsible entity. [4] https://law.moea.gov.tw/LawContent.aspx?id=GL000555（last visited on July 30, 2021）

Experiences about opening data in private sector Ⅰ. Introduction 　　Open data is the idea that data should be available freely for everyone to use and republish without restrictions from copyright, patents or other mechanisms of control. The concept of open data is not new; but a formalized definition is relatively new, and The Open Definition gives full details on the requirements for open data and content as follows: 　　Availability and access: the data must be available as a whole with no more than a reasonable reproduction cost, preferably by downloading over the internet. The data must also be available in a convenient and modifiable form. 　　Reuse and redistribution: the data must be provided under terms that permit reuse and redistribution including the intermixing with other datasets. The data shall be machine-readable. 　　Universal participation: everyone must be able to use, reuse and redistribute the data— which by means there should be no discrimination against fields of endeavor or against persons or groups. For example, “non-commercial” restrictions that would prevent “commercial” use, or restrictions of use for certain purposes are not allowed. 　　In order to be in tune with international developmental trends, Taiwan passed an executive resolution in favor of promoting Open Government Data in November 2012. Through the release of government data, open data has grown significantly in Taiwan and Taiwan has come out on top among 122 countries and areas in the 2015 and 2016 Global Open Data Index[1]. 　　The result represented a major leap for Taiwan, however, progress is still to be made as most of the data are from the Government, and data from other territories, especially from private sector can rarely be seen. It is a pity that data from private sector has not being properly utilized and true value of such data still need to be revealed. The following research will place emphasis to enhance the value of private data and the strategies of boosting private sector to open their own data. Ⅱ. Why open private data 　　With the trend of Open Government Data recent years, countries are now starting to realize that Open Government Data is improving transparency, creating opportunities for social and commercial innovation, and opening the door to better engagement with citizens. But open data is not limited to Open Government Data. In fact, the private sector not only interacts with government data, but also produces a massive amount of data, much of which in need of utilized. 　　According to the G20 open data policy agenda made in 2014, the potential economic value of open data for Australia is up to AUD 64 billion per annum, and the potential value of open data from private sector is around AUD 34 billion per annum. Figure 1 Value of open data for Australia (AUD billion per annum) Source: McKinsey Global Institute 　　The purpose for opening data held by private entities and corporations is rooted in a broad recognition that private data has the potential to foster much public good. Openness of data for companies can translate into more efficient internal governance frameworks, enhanced feedback from workers and employees, improved traceability of supply chains, accountability to end consumers, and with better service and product delivery. Open Private Data is thus a true win-win for all with benefiting not only the governance but environmental and social gains. 　　At the same time, a variety of constraints, notably privacy and security, but also proprietary interests and data protectionism on the part of some companies—hold back this potential. Ⅲ. The cases of Open Private Data 　　Syngenta AG, a global Swiss agribusiness that produces agrochemicals and seeds, has established a solid foundation for reporting on progress that relies on independent data collection and validation, assurance by 3rd party assurance providers, and endorsement from its implementing partners. Through the website, Syngenta AG has shared their datasets for agricultural with efficiency indicators for 3600 farms for selected agro-ecological zones and market segments in 42 countries in Europe, Africa, Latin America, North America and Asia. Such datasets are precious but Syngenta AG share them for free only with a Non-Commercial license which means users may copy and redistribute the material in any medium or format freely but may not use the material for commercial purposes. Figure 2 Description and License for Open data of Syngenta AG Source: http://www.syngenta.com 　　Tokyo Metro is a rapid transit system in Tokyo, Japan has released information such as train location and delay times for all lines as open data. The company held an Open Data Utilization Competition from 12 September to 17 November, 2014 to promote development of an app using this data and continues to provide the data even after the competition ended. However, many restrictions such as non-commercial use, or app can only be used for Tokyo Metro lines has weakened the efficiency of open data, it is still valued as an initial step of open private data. Figure 3 DM of Tokyo Metro Open data Contest Source: https://developer.tokyometroapp.jp/ Ⅳ. How to enhance Open Private Data 　　Open Private Data is totally different from Open Government Data since “motivation” is vital for private institutions to release their own data. Unlike the government data can be disclosed and free to use via administrative order or legislation, all of the data controlled by private institutions can only be opened under their own will. The initiative for open data therefore shall focus on how to motivate private sectors releasing their own data-by ensuring profit and minimizing risks. 　　Originally, open data shall be available freely for everyone to use without any restrictions, and data owners may profit indirectly as users utilizing their data creating apps, etc. but not profit from open data itself. The income is unsteady and data owners therefore lose their interest to open data. As a countermeasure, it is suggested to make data chargeable though this may contradict to the definition of open data. When data owners can charge by usage or by time, the motivation of open data would arise when open data is directly profitable. 　　Data owners may also worry about many legal issues when releasing their own data. They may not care about whether profitable or not but afraid of being involved into litigation disputes such as intellectual property infringement, unfair competition, etc. It is very important for data owners to have a well protected authorization agreement when releasing data, but not all of them is able to afford the cost of making agreement for each data sharing. Therefore, a standard sample of contract that can be widely adopted plays a very important role for open private data. 　　A data sharing platform would be a solution to help data owners sharing their own data. It can not only provide a convenient way to collect profit from data sharing but help data owners avoiding legal risks with the platform’s standard agreement. All the data owners have to do is just to transfer their own data to the platform without concern since the platform would handle other affairs. Ⅴ. Conclusion 　　Actively engaging the private sector in the open data value-chain is considered an innovation imperative as it is highly related to the development of information economy. Although many works still need to be done such as identifying mechanisms for catalyzing private sector engagement, these works can be done by organizations such as the World Bank and the Centre for Open Data Enterprise. Private-public collaboration is also important when it comes to strengthening the global data infrastructure, and the benefits of open data are diverse and range from improved efficiency of public administrations to economic growth in the private sector. However, open private data is not the goal but merely a start for open data revolution. It is to add variation for other organizations and individuals to analyze to create innovations while individuals, private sectors, or government will benefit from that innovation and being encouraged to release much more data to strengthen this data circulation. [1] Global Open Data Index, https://index.okfn.org/place/（Last visited: May 15, 2017）

Post Brexit – An Update on the United Kingdom Privacy Regime 2021/9/10 　　After lengthy talks, on 31 January 2020, the United Kingdom (‘UK’) finally exited the European Union (‘EU’). Then, the UK shifted into a transition period. The UK government was bombarded with questions from all stakeholders. In particular, the data and privacy industry yelled out the loudest – what am I going to do with data flowing from the EU to the UK? Privacy professionals queried – would the UK have a new privacy regime that significantly departs from the General Data Protection Regulation (‘GDPR’)? Eventually, the UK made a compromise with all stakeholders – the British, the Europeans and the rest of the world – by bridging its privacy laws with the GDPR. On 28 June 2021, the UK obtained an adequacy decision from the EU.[1] This was widely anticipated but also widely known to be delayed, as it was heavily impacted by the aftermaths of the invalidation of the US- EU Privacy Shield.[2] 　　While the rest of the world seems to silently observe the transition undertaken by the UK, post-Brexit changes to the UK’s privacy regime is not only a domestic or regional matter, it is an international matter. Global supply chains and cross border data flows will be affected, shuffling the global economy into a new order. Therefore, it is crucial as citizens of a digital economy to unpack and understand the current UK privacy regime. This paper intends to give the reader a brief introduction to the current privacy regime of the UK. The author proposes to set out the structure of the UK privacy legislation, and to discuss important privacy topics. This paper only focuses on the general processing regime, which is the regime that is most relevant to general stakeholders. UK Privacy Legislation 　　There are two main privacy legislation in the UK – the Data Protection Act 2018 (‘DPA’) and the United Kingdom General Data Protection Act (‘UK GDPR’). These two acts must be read together in order to form a coherent understanding of the current UK privacy regime. 　　The UK GDPR is the creature of Brexit. The UK government wanted a smooth transition out of the EU and acknowledged that they needed to preserve the GDPR in their domestic privacy regime to an extent that would allow them to secure an adequacy decision. The UK government also wanted to create less impact on private companies. Thus, the UK GDPR was born. Largely it aligns closely with the GDPR, supplemented by the DPA. ICO 　　The Information Commissioner’s Office (‘ICO’) is the independent authority supervising the compliance of privacy laws in the UK. Prior to Brexit, the ICO was the UK’s supervisory authority under the GDPR. A unique feature of the ICO’s powers and functions is that it adopts a notice system. The ICO has power to issue four types of notices: information notices, assessment notices, enforcement notices and penalty notices.[3] The information notice requires controllers or processors to provide information. The ICO must issue an assessment notice before conducting data protection audits. Enforcement is only exercisable by giving an enforcement notice. Administrative fines are only exercisable by giving a penalty notice. Territorial Application 　　Section 207(1A) of the DPA states that the DPA applies to any controller or processor established in the UK, regardless where the processing of personal data takes place. Like the GDPR, the DPA and the UK GDPR have an extraterritorial reach to overseas controllers or processors. The DPA and the UK GDPR apply to overseas controllers or processors who process personal data relating to data subjects in the UK, and the processing activities are related to the offering of goods or services, or the monitoring of data subjects’ behavior.[4] Transfers of Personal Data to Third Countries 　　On 28 June 2021, the UK received an adequacy decision from the EU.[5] This means that until 27 June 2025, data can continue to flow freely between the UK and the European Economic Area (‘EEA’). 　　As for transferring personal data to third countries other than the EU, the UK has similar laws to the GDPR. Both the DPA and the UK GDPR restrict controllers or processors from transferring personal data to third countries. A transfer of personal data to a third country is permitted if it is based on adequacy regulations.[6] An EU adequacy decision is known as ‘adequacy regulations’ under the UK regime. 　　If there is no adequacy regulations, then a transfer of personal data to a third country will only be permitted if it is covered by appropriate safeguards, including standard data protection clauses, binding corporate rules, codes of conduct, and certifications.[7] The ICO intends to publish UK standard data protection clauses in 2021.[8] In the meantime, the EU has published a new set of standard data protection clauses (‘SCCs’).[9] However, it must be noted that the EU SCCs are not accepted to be valid in the UK, and may only be used for reference purposes. It is also worth noting that the UK has approved three certification schemes to assist organizations in demonstrating compliance to data protection laws.[10] Lawful Bases for Processing 　　Basically, the lawful bases for processing in the UK regime are the same as the GDPR. Six lawful bases are set out in article 6 of the UK GDPR. To process personal data, at least one of the following lawful bases must be satisfied:[11] The data subject has given consent to the processing; The processing is necessary for the performance of a contract; The processing is necessary for compliance with a legal obligation; The processing is necessary to protect vital interests of an individual – that is, protecting an individual’s life; The processing is necessary for the performance of a public task; The processing is necessary for the purpose of legitimate interests, unless other interests or fundamental rights and freedoms override those legitimate interests. Rights & Exemptions 　　The UK privacy regime, like the GDPR, gives data subjects certain rights. Most of the rights granted under the UK privacy regime is akin to the GDPR and can be found under the UK GDPR. Individual rights under the UK privacy regime is closely linked with its exemptions, this may be said to be a unique feature of the UK privacy regime which sets it apart from the GDPR. Under the DPA and the UK GDPR, there are certain exemptions, meaning organizations are exempted from certain obligations, most of them are associated with individual rights. For example, if data is processed for scientific or historical research purposes, or statistical purposes, organizations are exempted from provisions on the right of access, the right to rectification, the right to restrict processing and the right to object in certain circumstances.[12] Penalties 　　The penalty for infringement of the UK GDPR is the amount specified in article 83 of the UK GDPR.[13] If an amount is not specified, the penalty is the standard maximum amount.[14] The standard maximum amount, at the time of writing, is £8,700,000 (around 10 million Euros) or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year.[15] In any other case, the standard maximum amount is £8,700,000 (around 10 million Euros).[16] Conclusion 　　The UK privacy regime closely aligns with the GDPR. However it would be too simple of a statement to say that the UK privacy regime is almost identical to the GDPR. The ICO’s unique enforcement powers exercised through a notice system is a distinct feature of the UK privacy regime. Recent legal trends show that the UK while trying to preserve its ties with the EU is gradually developing an independent privacy persona. The best example is that in regards to transfers to third countries, the UK has developed its first certification scheme and is attempting to develop its own standard data protection clauses. The UK’s transition out of the EU has certainly been interesting; however, the UK’s transformation from the EU is certainly awaited with awe. [1] Commission Implementing Decision of 28.6.2021, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, C(2021) 4800 final,https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf.. [2] Judgment of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems, C-311/18, EU:C:2020:559, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62018CJ0311. [3] Data Protection Act 2018, §115. [4] Data Protection Act 2018, §207(1A); REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 3. [5] supra note 1. [6] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 44-50. [7] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 46-47. [8]International transfers after the UK exit from the EU Implementation Period, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/ (last visited Sep. 10, 2021). [9] Standard contractual clauses for international transfers, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en (last visited Sep. 10, 2021). [10] ICO, New certification schemes will “raise the bar” of data protection in children’s privacy, age assurance and asset disposal, ICO, Aug. 19, 2021, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/08/ico-approves-the-first-uk-gdpr-certification-scheme-criteria/ (last visited Sep. 10, 2021). [11] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 6(1)-(2); Lawful basis for processing, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ (last visited Sep. 10, 2021). [12] Data Protection Act 2018, sch 2, part 6, para 27. [13] id. at §157. [14] id. [15] id. [16] id.

Strengthening Taiwan’s Pharmaceutical Resilience: Legal Reflections from the European Union’s Critical Medicines Act 2025/11/15 Introduction: From Vulnerability to Vision For Taiwan, an island state positioned at the crossroads of geopolitical tension and globalized medical trade, the question of pharmaceutical resilience is no longer a technical concern but a constitutional one. A nation’s ability to secure the continuous availability of essential medicines defines not only its public health capacity but the very credibility of its governance. In this light, the European Union’s (hereunder, the “EU”) proposed Critical Medicines Act (hereunder, “EU CMA”) offers Taiwan an illuminating case of how law can move beyond crisis management toward systemic foresight[1]. Resilience in the pharmaceutical sector is not merely about supply stability; it embodies a triple constitutional function—protecting life and health as fundamental rights, safeguarding national security through stable access to critical goods, and reinforcing trust in regulatory governance. Law thus becomes the medium through which uncertainty is rendered governable. The global pandemic revealed that the absence of legal foresight can paralyze even the most advanced health systems, exposing the structural fragility behind administrative efficiency. While Taiwan’s current pharmaceutical regulatory framework remains largely event-driven, reactive, and post-facto, the EU CMA exemplifies an industry-oriented, anticipatory, and pre-emptive model. The contrast underscores a jurisprudential lesson: resilience cannot be legislated through emergency decrees alone; it must be architected through a continuous, legally structured process that anticipates vulnerabilities before they materialize. This article identifies three foundational principles embedded in the EU CMA—visibility, diversification, and agility—and explores how these principles could guide Taiwan in constructing a forward-looking pharmaceutical resilience regime. The goal is not imitation, but inspiration—extracting from the EU experience a conceptual framework for a resilient Taiwanese pharmaceutical order. The EU CMA as a Law of Foresight The EU CMA represents a paradigm shift in pharmaceutical governance. Instead of fragmented national reactions to shortages, the Act establishes a Union-wide framework “to strengthen the availability and security of supply of critical medicinal products” through coordinated information systems, joint vulnerability assessments, and strategic industrial actions[2]. Its architecture reflects a policy-cycle logic: identification of critical medicines (Union list), assessment of vulnerabilities (harmonized monitoring), and action to strengthen capacity (strategic projects, coordinated procurement). Each stage is legally codified and procedurally transparent. The EU CMA thus transforms resilience from a policy aspiration into a governance architecture mandated by law. This approach reveals a fundamental evolution in regulatory philosophy: from law as reaction to law as anticipation. The EU does not merely respond to pharmaceutical disruptions; it legislates the ability to foresee them. This transformation elevates resilience from a managerial tool to a juridical principle that guides administrative behavior and industrial coordination. In this sense, the EU CMA operates as a constitutional statute of preparedness—one that embeds strategic vigilance within the ordinary operations of the market. Moreover, the Act’s systemic design demonstrates a rare synthesis of industrial, health, and competition policies under a unified legal grammar. By integrating economic instruments (such as incentives for local production) with public health imperatives (such as the availability of essential drugs), the EU CMA transforms siloed policy domains into a coherent resilience regime. It institutionalizes coordination not as an afterthought but as a binding legal discipline. Crucially, the EU’s approach embodies what might be called the legality of anticipation: law as an instrument that compels foresight. Resilience here is treated as a public good, transcending national borders but rooted in legal coordination. For Taiwan—whose pharmaceutical imports are geographically concentrated and whose market size limits domestic leverage—the lesson is profound: foresight must be institutional, not intuitive. Visibility: Law as an Instrument of Anticipation At the heart of the EU CMA lies the principle of visibility—the legalization of information as a tool of preparedness. The Act mandates the creation of a Union list of critical medicines[3] and a continuous monitoring system for supply vulnerabilities, coordinated through the Critical Medicines Coordination Group[4]. By institutionalizing information flows, the EU transforms data into a public good and transparency into an act of resilience. Visibility performs a dual function. On one hand, it is technocratic, enabling states to detect early signals of supply risk. On the other, it is constitutional, embedding accountability within knowledge. Uncertainty, when unregulated, leads to discretion; when structured, it becomes a risk, which law can govern. The EU CMA thus converts chaos into cognition—an epistemic transformation at the heart of modern administrative law. For Taiwan, this implies a shift from episodic crisis reporting toward permanent, cross-sectoral data governance. Information duties should not be seen as bureaucratic burdens but as civic infrastructures that permit collective foresight. Visibility, therefore, is not simply about surveillance but about legally enabling knowledge—the first step toward prevention rather than post-hoc management. Diversification: Embedding Resilience into Market Rationality The second principle, diversification, redefines efficiency itself. The EU CMA promotes manufacturing capacity within Europe under the doctrine of “open strategic autonomy”[5]. It supports Strategic Projects that enhance production, encourages cooperation with like-minded countries, and authorizes procurement methods that reward resilience factors alongside price—what EU law calls “MEAT” (Most Economically Advantageous Tender)[6]. This reframes the very idea of market rationality: security and competition are not opposites but complements. Law functions here as a corrective to market myopia, ensuring that the invisible hand does not ignore visible fragility. By quantifying resilience as a measurable value, the EU transforms precaution into an economic variable. For Taiwan—whose procurement and reimbursement systems have historically emphasized price containment—this perspective opens conceptual space. Resilience should not be perceived as inefficiency, but as intertemporal justice: a society’s investment in its future continuity. A diversified system—of suppliers, regions, and regulatory instruments—creates not redundancy but adaptability. In this sense, diversification is law’s expression of prudence in an interconnected economy. Agility: From Administrative Response to Legal Readiness The third principle, agility, captures the law’s capacity to act swiftly yet lawfully. The EU CMA institutionalizes flexibility through accelerated procedures for strategic projects, coordinated procurement frameworks, and crisis response mechanisms[7]. These powers are accompanied by procedural safeguards and sunset clauses, ensuring proportionality and reversibility. Agility thus represents legality in motion: action without arbitrariness. It reconciles speed with scrutiny by embedding emergency measures within predefined legal channels. The lesson for Taiwan is both institutional and philosophical—true readiness is not improvisation, but preparation that preserves legitimacy. In Taiwan’s current system, regulatory energy peaks during emergencies and dissipates thereafter. A mature resilience framework would instead cultivate continuous readiness—administrative structures that learn, anticipate, and adapt. Agility, understood legally, means codifying responsiveness as a standing competence of governance. It is the hinge connecting foresight and execution, legality and flexibility. Taiwan’s Legal Trajectory: From Event-Driven to Industry-Oriented Regulation Comparatively, Taiwan’s Pharmaceutical Affairs Act—even with its proposed amendments—remains largely event-driven and post-crisis in design[8]. Regulatory intervention often follows episodes of shortage or disruption. While recently introduced draft revisions strengthening supply chain obligations[9], these proposed revisions still operate primarily within a reactive paradigm. By contrast, the EU CMA envisions an industry-oriented, anticipatory, and system-based model. It embeds resilience into the legal DNA of pharmaceutical policy—linking regulation, industrial strategy, and public health. For Taiwan, this means evolving from regulatory firefighting to regulatory design: from curing failures to cultivating foresight. To achieve this, Taiwan’s legal development must transcend compliance formalism and embrace a culture of legal learning—where rules are not static commands but adaptive instruments of governance. The transition from event-driven to foresight-driven lawmaking will not only strengthen national health security but also elevate Taiwan’s position in the network of like-minded economies pursuing resilient supply systems. Conclusion: Toward a Resilient Legal Modernity The EU Critical Medicines Act demonstrates that law can be an architecture of anticipation. Its three pillars—visibility, diversification, and agility—form a grammar of resilience that integrates market mechanisms, administrative capacity, and democratic legitimacy. For Taiwan, the value of this model lies not in replication but in reflection. Visibility teaches that knowledge must be institutionalized. Diversification reminds us that resilience can coexist with efficiency. Agility shows that speed and legality are not mutually exclusive. Together, they suggest a new philosophy of governance: one that replaces reaction with design, and uncertainty with structured foresight. Yet the deeper lesson of the EU CMA is that resilience is not simply a functional attribute of a regulatory system—it is a constitutional virtue of modern states. To build resilience is to affirm the social contract anew: to promise citizens not that crises will never occur, but that when they do, institutions will stand ready, transparent, and just. This transforms law from a mirror of disorder into an instrument of collective composure. For Taiwan, embracing resilience as a constitutional principle means reimagining the relationship between law, science, and sovereignty. In a world where disruption is perpetual—whether by pandemics, trade shocks, or technological change—resilience becomes the language through which legality and modernity converge. It marks the transition from governing by reaction to governing by imagination. While the EU CMA relies on the Union’s vast market power to incentivize and coordinate pharmaceutical resilience, Taiwan faces a distinct structural challenge: its market size, though dynamic, cannot generate comparable leverage on a global scale. This asymmetry compels Taiwan to craft a dual strategy—anchoring its domestic resilience through legal foresight, while simultaneously aligning with international frameworks that promote secure and diversified supply chains. How Taiwan can reconcile these two imperatives—maintaining openness and integration with global partners, yet safeguarding autonomous resilience at home—will define the next frontier of its pharmaceutical governance. It is within this strategic and normative intersection that the Institute for Information Industry’s Science and Technology Law Institute (STLI) will continue its research efforts, exploring legal architectures capable of linking Taiwan’s national resilience with the broader ecosystem of global health security. Ultimately, resilience is not merely a regulatory principle but a moral commitment to time—a covenant between generations that law will foresee, prepare, and preserve. As Taiwan refines its pharmaceutical governance, the lesson from the EU CMA is both institutional and existential: to govern resilience is to govern the future itself, and to govern the future is to affirm the dignity of foresight as the highest form of rule of law. [1] EUROPEAN COMMISSION, Proposal for a Regulation of the European Parliament and of the Council laying down a framework for strengthening the availability and security of supply of critical medicinal products as well as for improving the availability of, and access to, medicinal products of common interest (Critical Medicines Act), COM(2025) 102 final (Mar. 11, 2025), https://health.ec.europa.eu/document/download/2abe4fc8-059e-47d9-a20a-d9e3bfc5dc2c_en?filename=mp_com2025_102_act_en.pdf (last visited Nov. 2, 2025). [2] id. at Page 17. [3] id. at Page 27. [4] id. at Page 35. [5] CRITICAL MEDICINES ALLIANCE, STRATEGIC REPORT OF THE CRITICAL MEDICINES ALLIANCE (Feb. 28, 2025), https://health.ec.europa.eu/document/download/3da9dfc0-c5e0-4583-a0f1-1652c7c18c3c_en?filename=hera_cma_strat-report_en.pdf (last visited Nov. 2, 2025). [6] EUROPEAN COMMISSION, Proposal for a Regulation of the European Parliament and of the Council laying down a framework for strengthening the availability and security of supply of critical medicinal products as well as for improving the availability of, and access to, medicinal products of common interest (Critical Medicines Act), COM(2025) 102 final (Mar. 11, 2025), https://health.ec.europa.eu/document/download/2abe4fc8-059e-47d9-a20a-d9e3bfc5dc2c_en?filename=mp_com2025_102_act_en.pdf (last visited Nov. 2, 2025). [7] id. at Page 7. [8] Pharmaceutical Affairs Act (Taiwan), Ministry of Justice, https://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?pcode=L0030001 (last visited Nov. 2, 2025). [9] 〈衛生福利部公告「藥事法」部分條文修正草案〉，法源法律網，https://www.lawbank.com.tw/news/NewsContent.aspx?NID=206187.00（最後瀏覽日：2025/11/03）。