20250331 STLI
LATEST LEGAL NEWS
Taiwan Amends Tax Deduction Rules for SMEs’ Salary Expenses

I. Preface

In December 2024, the Ministry of Economic Affairs and the Ministry of Finance amended and promulgated the Regulations Governing Tax Preferences for Small and Medium-Sized Enterprises on Additional Wage Payments (hereinafter referred to as the Regulations on Additional Wage Payments) and the Regulations Governing Tax Preferences for Small and Medium-Sized Enterprises on Wage Increases (hereinafter referred to as the Regulations on Wage Increases).

These amendments allow small and medium-sized enterprises (SMEs) to claim enhanced tax deductions for salary expenses applicable to the 2024 tax year. The amendments eliminate the economic cycle requirements, increase the tax deduction rates, and expand eligibility to include employees aged 65 or older and part-time employees.

II. SME Tax Deduction for Salary Expenses

SMEs in Taiwan account for more than 98% of all enterprises and employ over 9.167 million people, representing nearly 80% of the workforce. These figures highlight the critical role that SMEs play in maintaining wage stability and providing employment opportunities. The recently amended Regulations allow SMEs to apply an uplift to eligible payroll expenses as a tax deduction and aim to provide targeted tax relief.

According to the Standards for Identifying Small and Medium-sized Enterprises, the term “small and medium-sized enterprise (SME)” as referred to under the Standards shall mean an enterprise which has completed company registration, limited partnership registration, or business registration in accordance with relevant laws, and whose paid-in capital or capital contribution is no more than NT$100 million, or which hires fewer than 200 regular employees.

Newly established companies in Taiwan that meet these criteria are eligible to apply for the salary expense tax deduction.

III. Qualification Based on Employee Age and Salary Level of Junior Employees

When applying for the salary expense tax incentives, employers must consider whether the employee’s status meets the legal requirements:

1. If, in the current year, the employer hires a new employee who is under the age of 24 or over the age of 65, the employer may apply for a tax deduction based on the aggregate gross salary payments made to that employee. (Article 3 of the Regulations on Additional Wage Payments)

2. If the employer increases the salary of an existing employee, the employer may apply for a tax deduction based on the incremental salary payments made to that employee, but the statutory minimum wage must be deducted. (Paragraph 1 of Article 3 of the Regulations on Wage Increases)

Most importantly, the employee must qualify as a junior employee, as defined by the Small and Medium Enterprise Administration, Ministry of Economic Affairs: (The Executive Yuan Gazette Vol. 030 No. 246)

For full-time employees: the employee must receive a monthly regular wage of no more than NT$63,000 on average.

For part-time employees:

● Part-time employees paid on a monthly basis: the employee must receive a monthly regular wage of no more than NT$63,000 on average, and the result of dividing such wage by the agreed monthly working hours must not exceed NT$394.

● Part-time employees paid on an hourly basis: the total hourly wage paid in the month must not exceed NT$63,000, and the hourly wage must not exceed NT$394.

● Part-time employees paid on a daily basis: the total daily wage paid in the month must not exceed NT$63,000, and the daily wage must not exceed NT$3,152.

IV. Increase of Salaries and Wages Expense

For the purpose of calculating the tax incentives, the additional tax benefit available to the employer is based on the salary expense accounting item, which may be multiplied by a specified percentage to be claimed as a tax deduction.

In the case of new hires, the aggregate gross salary payments made to the eligible employee may serve as the base amount, which is multiplied by 200% and deducted from the profit-seeking enterprise income of the current year. In other words, the cost of hiring a qualified new employee is effectively reduced to 50% (i.e., 0.5 times the original cost). (Article 3 of the Regulations on Additional Wage Payments)

In the case of salary increases, the base amount is calculated by subtracting the employee’s original salary and the statutory minimum wage from the total salary paid to the employee after the raise. This adjusted amount is then multiplied by 175% and deducted from the profit-seeking enterprise income of the current year. In other words, the cost of increasing the salary of a qualified employee is effectively reduced by approximately 43% (i.e., to 0.57 times the original cost). (Article 3 of the Regulations on Wage Increases)

Only regular wages—including base salary, fixed monthly allowances, and recurring bonuses—can be counted toward the eligible deductible salary expenses. For compensation provided in kind, employers must convert the value based on fair market rates before including it in the calculation. (Article 2 of the Regulations on Wage Increases)

V. Comparable Total Salaries and Wages

An employer shall be eligible to apply the Regulations on Increased Deduction for New Hires only if it can be confirmed that the total salaries and wages are higher than those of the preceding fiscal year. (Paragraph 1 of Article 4 of the Regulations on Additional Wage Payments)

The calculation steps are as follows:

1. Calculate the total regular wage payments made to junior employees in the previous year (a);

2. Calculate the total regular wage payments made to junior employees in the current year (b);

3. Calculate the total regular wage payments made to junior employees in the current year that are eligible for the tax deduction (c);

4. Confirm that (b - c) > a.

VI. Comparable Level of Average Salaries and Wages

An employer shall be eligible to apply the Regulations of Salary Raises Increased Deduction only if it can be confirmed that the level of total salaries and wages is higher than that of the preceding fiscal year. (Paragraph 1 of Article 4 of the Regulations on Wage Increases)

The calculation steps are as follows:

1. Calculate the total regular wage payments made to junior employees in the preceding year, divided by the total number of junior employees per month throughout the year (a);

2. Calculate the total regular wage payments made to junior employees in the current year, divided by the total number of junior employees per month throughout the year (b);

3. Confirm that b > a.

VII. Documents Required to Be Submitted

Relevant tax certification documents shall be submitted by the employer at the time of application: (Article 6 of Regulations on Additional Wage Payments & the Regulations on Wage Increases)

1. Labor Insurance enrollment lists for both the current year and the preceding year.

2. Detailed salary slips for newly hired employees in the current year.

3. Detailed salary slips for employees who received salary increases in both the current and preceding years.

4. A collective filing of employment income for employees who received salary increases.

An SME shall submit a declaration certifying that it is not involved in any of the following circumstances: (Article 5 of Regulations on Additional Wage Payments & the Regulations on Wage Increases)

1. Engagement in businesses such as dance halls, ballrooms, hostess clubs, bars, or special coffee and tea shops.

2. Being blacklisted from negotiable instrument transactions due to dishonored checks and not yet reinstated, or having confirmed and unpaid tax liabilities within the past three years.

3. Being found by the competent central authority for each industry to have violated environmental protection, labor, or food safety and sanitation laws within the past three years.

4. Engaging in disguised salary reductions or failing to provide actual salary increases in the current or preceding year.

VIII. Conclusion

Due to their relatively small capital scale, small and medium-sized enterprises (SMEs) are more vulnerable to market fluctuations. Given the substantial role SMEs play in Taiwan’s overall economy, improving wage levels and addressing employment supply and demand in the SME sector form a crucial part of the government’s legal and policy strategies for economic development.

The amended provisions take retroactive effect from January 1, 2024. With the removal of the activation threshold based on specific economic climate indicators, tax incentives for salary expenses are now subject to corporate decision-making. SMEs are expected to assess their actual operational circumstances in determining whether to increase hiring or raise employee wages.

 
Opportunities for Public-Private Partnership (PPP) in Taiwan’s Digital Infrastructure Development

On Dec. 2, 2022, Taiwan’s Legislative Yuan passed the third reading of the amendments to the Act for Promotion of Private Participation in Infrastructure Projects (“PPIP Act”). The amendments were officially promulgated on December 22 in the same year and focus on three major directions:

The amendments add new categories of infrastructure projects. New categories such as green energy facilities, digital infrastructure, audiovisual and music facilities, and resource recycling and reuse facilities were added to broaden the scope of projects eligible for private participation.

The amendments also introduce the internationally common mechanism of government-paid public services to mitigate private investment risks. The authority in charge of the project may acquire all or part of the public services of the infrastructure with compensation during the private institution’s participation in the operations of the infrastructure.

To resolve performance disputes effectively, the Ministry of Finance established a dedicated mechanism for resolving contractual performance related disputes.

In parallel, to further attract private capital for national infrastructure and industrial development, enhance fiscal sustainability, and optimize the use of public resources, the National Development Council (NDC) introduced the “Trillion-Dollar Investment Initiative for National Development”, which aims to effectively guide funds into national construction and industrial development through innovative mechanisms. An important part of this initiative is the “Innovative PPP Promotion Mechanism”, designed to leverage innovative approaches to guide private investment into national infrastructure and strategic industries.

Supporting measures include the Financial Supervisory Commission’s upcoming revisions to five interpretive rulings under the “Regulations Governing Use of Insurer's funds in Special Projects, Public Utilities and Social Welfare Enterprises” (hereinafter the “Special Project Regulations”). These revisions aim to expand the scope of insurance capital investments to include PPP infrastructure projects and domestic private equity funds targeting public infrastructure and strategic industries.

The Ministry of Digital Affairs (MODA) is designated as the competent authority for digital infrastructure. In coordination with the Ministry of Finance’s implementation of the amended PPIP Act, MODA is actively preparing relevant planning measures. The digital infrastructure specified in the Act refers to digital software, hardware and affiliated facilities needed for promoting advanced networks, completing digital inclusion, shortening the digital gap, accelerating digital transformation of industries, and promoting cross-domain innovative applications. Drawing on international policy trends, specific categories of digital public infrastructure (DPI) may include: DPI for security and trust, such as foundational systems for digital identity and digital payments; DPI for data and information sharing, including interoperable registries and data exchange platforms; DPI for communications and public service interaction, such as digital postal services, notification systems, and unified digital gateways; emerging forms of DPI evolving with sectoral needs and technological advancements, such as software infrastructure supporting artificial intelligence development.

Currently, MODA is promoting digital projects with potential for PPP structuring, such as AI computing power platforms, digital wallets, and Public Code Platforms. The potential for these projects to be implemented through PPP models remains under active evaluation.

 
Observing Trends in IT Service Procurement Regulations from the Government Cloud Service Procurement Contract Template

I. Introduction

The Public Construction Commission of the Executive Yuan (hereinafter referred to as the "PCC") has established various standard government procurement contract templates based on the authorization of Article 63, Paragraph 1 of the Government Procurement Act. Among these, the PCC has also issued the Standard Contract for Information Service Procurement (latest version released on December 26, 2024, hereinafter referred to as the "Information Service Procurement Standard Contract"), which is periodically updated to provide reference for government agencies based on their procurement needs.

Although the Information Service Procurement Standard Contract is already in place, with the increasing trend of cloud-based information and communication systems as well as digital data, government agencies adopting cloud services to enhance operational efficiency and improve public services has become the norm. Meanwhile, the cloud service industry has matured in both technology and service models, with established basic information security requirements and regulatory standards. To streamline the process for agencies to adjust contract terms in response to cloud service usage scenarios and needs, and to clearly define the rights and obligations of both parties, it is necessary to establish a separate contract for government procurement of cloud services. This will help mitigate risks related to information security incidents or contractual disputes, enhance procurement efficiency, and ensure procurement quality.

After discussions with the Ministry of Digital Affairs (hereinafter referred to as the "MODA"), representatives of cloud service providers (hereinafter referred to as “CSP”), and industry associations, the PCC issued the Standard Contract for Cloud Service Procurement (hereinafter referred to as the "Cloud Procurement Standard Contract") on May 17, 2024. The Cloud Procurement Standard Contract applies to “Software as a Service” (SaaS, such as instant messaging, email, and various online application services) and cloud platforms (PaaS/IaaS) for both public and private cloud online services (such as hosting, data storage management, and computing services). However, it does not apply to cases where ownership is transferred after leasing cloud services.

This standard contract is based on the Standard Contract for Information Service Procurement and has been modified to account for government agencies' information security needs, cloud service trends, and practical operational considerations. Since government procurement is guided by principles of fairness, transparency, and efficiency, procurement requirements often reflect government policy directions and values, influencing private-sector vendors.

This document aims to analyze the key differences between the Cloud Procurement Standard Contract and the Information Service Procurement Standard Contract, providing a reference for stakeholders in the cloud service industry. It serves as a preliminary assessment tool for those interested in participating in the government procurement market.

II. Key Regulations in the Cloud Service Procurement Contract Template (Version 20240517)

The following section will focus on the cyber security requirements for cloud services under the Cloud Procurement Standard Contract, as well as special provisions that are not included in the existing Information Service Procurement Standard Contract.

(1) Basic Information Security Requirements for Contract Performance

According to Article 2, Subparagraph 4 of the Cloud Procurement Standard Contract:

"The information and communication systems involved in contract performance... must meet the basic information security requirements specified in the attached ‘Reference Table of Common Information Security Basic Requirements for Various Types of Information (Service) Procurement’."

This Reference Table for Information Security Requirements (hereinafter referred to as the "Security Reference Table") was jointly issued by the PCC and the MODA on September 25, 2023. Its purpose is to help government agencies enhance information security protection in information service procurement in a timely and effective manner.

The Security Reference Table categorizes information service procurement into nine types, including four types of cloud services. According to the contract provisions, the procuring agency must determine the required level of security protection for the information and communication systems involved in the procurement (classified as common, medium, or high) and ensure that the security requirements listed in the Security Reference Table are included as part of the contract performance obligations.

Although the Security Reference Table itself is for reference and is not legally binding, its inclusion in the Cloud Procurement Standard Contract makes compliance with its security requirements mandatory for vendors. Therefore, vendors must carefully review and adhere to the corresponding security requirements specified in the Security Reference Table.

The Security Reference Table includes several “recommended” security measures that apply to all three levels (common, medium, and high). Examples include:

A. Cloud information systems or stored data must not be moved outside the country without prior review and approval by the procuring agency.

This falls under the "data security" category for cloud services and is directly related to the physical location of cloud service data centers. In practice, different CSPs may use data centers located outside the country, meaning government agencies must carefully evaluate the storage location when selecting cloud services.

If a procuring agency specifies that data must be stored within the country, the CSP is not allowed to relocate the storage location outside the country without prior approval from the agency.

B. Restrictions on the Physical Location and Transmission Path of Cloud Service Data

Another recommended data security measure states:

"The physical location for accessing, backing up, and providing redundancy for cloud service data must not be in Mainland Area (including Hong Kong and Macau), nor should related data be transmitted through these regions."

This means that even if a government agency selects a cloud service with data centers located outside the country, those data centers must not be in Mainland Area (including Hong Kong and Macau). Additionally, data transmission routes must not directly or indirectly pass through these regions. This data security requirement is explicitly stated in Article 17, Subparagraph 1, Item 16 of the Cloud Procurement Standard Contract and is considered a ground for contract termination or rescission.

(2) Vendor Performance Management Requirements

Article 8 of the Cloud Procurement Standard Contract covers performance management. Overall, it is based on the performance management provisions in the Information Service Procurement Standard Contract, but includes additional rules tailored to the characteristics of cloud services. The key differences are summarized below:

A. Team Members Providing Services Must Not Be People of the Mainland Area

Article 8, Subparagraph 3 of the Cloud Procurement Standard Contract specifies requirements for the vendor’s service team. Item 1 clearly states that the vendor must establish a professional and complete service team within 10 working days after the contract takes effect. It also mandates that:

"Team members involved in executing this contract (including subcontractors) must not be Chinese (referring to personnel who have access to procurement-related data)."

In contrast, the Information Service Procurement Standard Contract includes a similar restriction as an optional clause, allowing the procuring agency to decide whether to apply it based on individual cases. However, in the Cloud Procurement Standard Contract, this requirement is mandatory by default for CSPs. This aligns with the Administration of Cyber Security under the MODA and its FAQ on the Cyber Security Management Act, Section 8.7.

However, considering that the cloud service industry often operates across borders or through agents and distributors, it is common for vendors to work with subcontractors. The requirement that all subcontractor team members must not be people of the Mainland Area may create challenges in practical cloud service operations.

Since the main purpose of this rule is to protect the confidentiality of government data, and CSPs typically have highly specialized internal divisions of labor, not all team members involved in a project will have access to government data. Therefore, this rule applies specifically to personnel who have access to procurement-related data, regardless of whether they are based inside or outside the country. This makes the regulation more practical and feasible in real-world cloud service operations.

B. Submission of Carbon Emission Reports for Cloud Services

According to Clause 22, Article 8 of the Cloud Service Procurement Contract Template, “vendors must provide a carbon emission report or other documents containing carbon emission data related to the energy used in fulfilling the contract.” This requirement applies to both the vendor itself and any public cloud providers they work with.

This regulation aligns with the global ESG (Environmental, Social, and Governance) movement. In addition, Taiwan’s Financial Supervisory Commission (FSC) has recently introduced sustainability reporting requirements for publicly listed companies.

However, during discussions, industry representatives and associations raised concerns about the practical challenges of this requirement. The cloud service industry operates with a highly specialized division of labor. For example, SaaS providers often host their applications on third-party cloud infrastructure, making it difficult for them to directly track or report the carbon emissions of the underlying cloud infrastructure.

To address these concerns, after discussions with stakeholders, the PCC revised the rule to allow vendors to submit reports from their partnered public cloud providers. Additionally, the required documents were broadened to include other types of reports containing carbon emission data, without imposing strict formatting or third-party certification requirements.

During the initial implementation phase, this flexible approach aims to encourage and guide CSPs toward ESG compliance gradually. The practical impact of this regulation on procurement operations will require ongoing observation.

(3) Vendor Obligations for Log Retention and Cybersecurity Incident Response

One of the most discussed topics during the drafting process of the Cloud Service Procurement Contract Template was the vendor’s obligation to retain logs and the required follow-up actions in the event of a cybersecurity incident involving either the procuring agency or the vendor.

A. Obligation to Retain Cloud Service Logs

According to Article 15, Section 14, Item 2 of the Cloud Service Procurement Contract Template, vendors providing cloud services must retain logs related to the procured service, including:

1. Application logs (AP log)

2. Logon logs

3. Website logs (If the vendor cannot provide these logs, they must submit proof and obtain agency approval for exemption.)

4. Operating system event logs (OS event log) (This is an optional requirement that the procuring agency can select based on its needs.)

All required logs must be retained for at least six months from the time they are generated. Vendors must also provide these logs upon the agency's request, including after contract termination, expiration, or cancellation. This means that once a log is generated, the vendor must keep it for at least six months, regardless of whether the cloud service contract is still in effect. During this retention period, vendors must supply logs as requested by the agency.

This requirement aligns with Taiwan’s Cyber Security Management Act (CSMA), which mandates that regulated agencies promptly report and respond to cybersecurity incidents. The retention of logs ensures that sufficient evidence is available for incident investigation and root cause analysis. In accordance with Article 4, Section 3 of the Procedures for Reporting and Handling Cybersecurity Incidents of Agencies, agencies must specify log retention requirements in outsourcing contracts for information and communication systems or services.

From a CSP’s perspective, not all service models generate the four types of logs mentioned above, and some logs (especially website logs and OS event logs) may not be within the vendor’s direct control. Therefore, before signing a contract, vendors and procuring agencies should carefully assess whether these logs can be retained and provided as required.

To ensure vendors fulfill their log retention obligations even after contract expiration, termination, or cancellation, the Cloud Service Procurement Contract Template includes mechanisms such as gradual refund of performance guarantees under Article 15, Section 15 and Article 10, Section 1. If a vendor fails to provide the required cloud service logs for the past six months, the agency may withhold a portion of the performance guarantee. Additionally, Article 14, Section 4 stipulates penalties for vendors who fail to retain or provide logs due to reasons attributable to them.

B. Vendor’s Obligations in Responding to Cybersecurity Incidents

In addition to log retention requirements, the Cloud Service Procurement Contract Template establishes specific obligations for vendors regarding their response to cybersecurity incidents. These obligations differ from those in the IT Service Procurement Contract Template. According to Article 15, Section 14, Item 3 on Cybersecurity Responsibilities, vendors must:

1. Report cybersecurity incidents within 1 hour: If a vendor becomes aware of a cybersecurity incident involving either the procuring agency or the vendor itself, they must notify the agency within one hour of discovery.

2. Implement emergency response measures: Vendors must take immediate action to mitigate the impact of the incident.

3. Cooperate with the agency on follow-up actions: This includes: Disaster assessment, Risk analysis, Digital evidence preservation, Damage control, Security assessment, System recovery, Improvement tracking.

4. Provide necessary records and logs: Vendors must supply relevant data, including logs specified in previous sections, as required by the agency.

These requirements aim to ensure a rapid and coordinated response to cybersecurity incidents, minimizing risks and protecting sensitive government data. Compared to the IT Service Procurement Contract Template, which does not explicitly specify requirements 3 and 4 (although it could be interpreted that the provision requiring vendors to "cooperate with the agency on follow-up actions" allows agencies to request such cooperation), it is clear that government agencies have stricter and more detailed cybersecurity requirements for cloud services and cloud service providers. These requirements also reflect higher expectations for concrete actions in response to cybersecurity incidents.

III. Conclusion

The latest version of the IT Service Procurement Contract Template, published by the PCC on December 26, 2024, was released more than six months after the Cloud Service Procurement Contract Template, which was published on May 17, 2024. However, there are still significant differences in the regulations related to contract performance management and cybersecurity responsibilities. For example, the Cloud Service Procurement Contract Template explicitly requires that team members providing cloud services (including subcontractors) must not be people of the Mainland Area, mandates that vendors provide cloud service carbon emission documents for agency review, and specifies obligations for log retention and cybersecurity incident response. In contrast, the IT Service Procurement Contract Template does not have explicit requirements on these matters. This indicates that Taiwan's cybersecurity regulations and policies impose more advanced and detailed requirements on CSPs participating in government procurement.

Regarding the log retention obligations for vendors, these requirements stem from the Regulations on Cybersecurity Incident Reporting and Response Procedures for Agencies, which mandate evidence preservation for regulated agencies (including government agencies and specific non-governmental agencies). According to Article 4, Paragraph 3 of these regulations, agencies must explicitly specify log retention requirements in procurement contracts when outsourcing information and communication systems or services. Therefore, log retention obligations are not exclusive to cloud service procurement—agencies also have similar evidence preservation needs for other types of IT service procurement. This suggests that log retention requirements for vendors may become a common issue across various IT service procurements in the future.

The Cloud Service Procurement Contract Template has yet to reach its first anniversary since its initial release. Given that the government procurement market often serves as a priority area for implementing government policies, it will be important to monitor how well the Cloud Service Procurement Contract Template is enforced in practice. Additionally, tracking future updates to both the Cloud Service Procurement Contract Template and the IT Service Procurement Contract Template could provide valuable insights into the future direction of cybersecurity regulations and policies in Taiwan's IT service industry.