Assessment prepared in accordance with the methodological specifications of the Digital Sovereignty Index (DSI v2.0), under the academic cooperation framework of the Global South Academic Forum.

Participating institutions:

  • Global South Insights (GSI) — DSI Assessment Team. Methodological coordination, framework specification, and compilation of the global index.
  • National University of General Sarmiento (UNGS) — University Programme on Digital Sovereignty. Implementation of the Argentina assessment, evidence collection from national sources, and drafting of the analysis.
  • Global South Academic Forum (GSAF) — Academic cooperation framework.
  • Prepared with artificial-intelligence assistance — Co-authored-by: Claude (Anthropic).

Chapter 1 — Executive Summary

Argentina exhibits a paradoxical pattern of digital sovereignty: a regulatory scaffolding and a software-engineering capability that are comparatively sophisticated for the region coexist with a deep structural dependence on infrastructure, institutional enforcement capacity and capability autonomy — all of it cross-cut by a trajectory of active deregulation that operates as a ceiling factor during the assessment period (2024–2026, Milei administration). The country knows how to legislate on data, and to export software services, but it does not capture the economic value of its data, it does not enforce with deterrent effect, and, in the cross-border flow, it has ceded sovereignty through the adequacy commitment with the United States. The result is a mid-to-low-grade digital sovereignty, without a single indicator reaching the competence level (Level 4), and with two indicators collapsed to the initial level (Level 1).

On the DSI framework’s 1–5 scale, Argentina obtains a sovereignty score of 2.00 / 5.0 (a total of 32 out of 80). The score is computed as the arithmetic mean of the sixteen indicator ratings; no indicator exceeds Level 3. The distribution by dimension reveals that the weakness is concentrated in data ownership.

Table 1.1. Indicator ratings (UNGS_2026 corpus).

Ind. Title Level Confidence
1.1 Data ownership legislation 3 — Developing High
1.2 Domestic data storage 2 — Aware Medium
1.3 Protection of cross-border flows 1 — Initial High
1.4 Data value for public benefit 1 — Initial High
2.1 Basic hardware autonomy 2 — Aware Medium
2.2 System software autonomy 2 — Aware High
2.3 Application software autonomy 2 — Aware Medium
2.4 Information security autonomy 2 — Aware Low
3.1 Legislative capacity in digital matters 2 — Aware High
3.2 Enforcement capacity 2 — Aware High
3.3 Leadership in international technical rules 2 — Aware Low
3.4 Leadership in international conduct rules 2 — Aware Low
4.1 Frontier-technology research 2 — Aware Medium
4.2 University talent development 2 — Aware Low
4.3 Industrial engineering capacity 3 — Developing High
4.4 Alignment with national strategy 2 — Aware Medium

Table 1.2. Averages by dimension.

Dimension Designation Average Qualitative reading
1 Data ownership 1.75 The weakest dimension; dragged down by the collapse of 1.3 and 1.4
2 Digital infrastructure 2.00 Uniform awareness without substantive capacity; cross-cutting dependence
3 Digital governance 2.00 Operational institutions but without deterrent effect or international leadership
4 Digital capacity 2.25 The highest dimension, sustained by the software industry (4.3)

Three principal strengths. First, a mature and long-standing data-protection framework: Law No. 25326 (Personal Data Protection Act), enacted in 2000, has been in continuous force, operated by a functional enforcement authority, and Argentina has retained the European Union’s adequacy status since 2003 1 — indicator 1.1 is the only one in the entire matrix that reaches Level 3 on its own legislative merit. Second, a software industry of international scale: revenue of USD 22,221 million and more than 158,000 registered jobs in 2024, with a domestic fintech subsector that commands 88% of digital banking 2 — indicator 4.3 is the second and last Level 3. Third, an installed base of policy recognition and bounded technical capacity in Dimension 2: a state GNU/Linux distribution, a national public cloud on open-source code, and citizen platforms authored by the State 3.

Three principal weaknesses. First, the collapse of cross-border flows: the commitment to recognise the United States as an adequate jurisdiction, formalised in November 2025 and February 2026, brings indicator 1.3 down to Level 1 through the mechanism of Principle #7 4. Second, the total absence of data value capture: Argentina gives its public data away for transparency but possesses no fiscal instrument, no B2G mandate, and no recognition of data as an economic asset, which places indicator 1.4 at Level 1 5. Third, a cross-cutting structural dependence in Dimensions 2 and 4: the country does not manufacture hardware, does not control its system-software stack, and exports its most capable talent abroad 6.

The cross-cutting finding that orders the entire assessment is the Milei administration’s deregulation trajectory as a ceiling factor. This is not a context that explains low ratings, but an active policy that subtracts capacity: 543 measures that modify or eliminate 2,519 norms across 15,144 articles 7, a cumulative real cut of 50.6% in the science-and-technology budget function 8, and the cession of sovereignty over data flows. Where other countries build, Argentina dismantles — and the DSI framework, through its trajectory clause and its Principle #7, registers that direction as a ceiling, not as a mitigating circumstance.

Chapter 2 — Methodological Framework

2.1 The DSI 4×4 framework

The Digital Sovereignty Index evaluates the degree to which a country has attained independence in the digital domain: the extent to which its data, its infrastructure, its governance and its capabilities are determined by the country itself and not by foreign actors, jurisdictions, or platforms. The operational definition, set out in the DSI methodological specifications, rests on the word ‘independence’: the index does not measure whether a country aspires to be sovereign, but whether, in fact, it is. The framework organises the assessment into a matrix of four dimensions by four indicators — sixteen indicators in total — defined in the Digital Sovereignty Index specifications coordinated by Global South Insights through the DSI Assessment Team, under the Global South Academic Forum. This Argentina assessment was prepared by UNGS as an associate university, applying those methodological specifications to the national situation: evidence collection from Argentine sources, the local implementation of the assessment pipeline, and the drafting of the analysis in academic Spanish constitute UNGS’s contribution to the global index compiled by GSI.

The four dimensions are: Dimension 1 — Independence in data ownership (1.1 Data-ownership legislation; 1.2 Domestic storage; 1.3 Protection of cross-border flows; 1.4 Data value for public benefit); Dimension 2 — Digital infrastructure independence (2.1 Basic hardware; 2.2 System software; 2.3 Application software; 2.4 Information security); Dimension 3 — Digital governance independence (3.1 Legislative capacity; 3.2 Enforcement capacity; 3.3 Leadership in international technical rules; 3.4 Leadership in international conduct rules); and Dimension 4 — Digital capacity independence (4.1 Frontier research; 4.2 University talent; 4.3 Industrial engineering; 4.4 National strategic alignment).

2.2 The 1–5 scale

Each indicator is rated on a scale of five progressive levels of independence: 1 Initial (the issue has not been addressed; potentially complete dependence), 2 Aware (the importance of independence is recognised and discussions or actions have been initiated, typically at the planning stage), 3 Developing (work is actively underway towards independence, with policies implemented but still with strong external dependence), 4 Competent (international competitiveness and full potential autonomy) and 5 Independent (basic self-sufficiency, with minimal external constraints). The scale is applied per indicator and prohibits decimal ratings: each level must be tied to a defensible path through a four-node decision tree (existence of critical evidence → effective implementation → meaningful enforcement → international competitiveness vs. self-sufficiency).

2.3 Principles, pitfalls, and the decision tree

Rating is governed by seven immutable principles that prevail over the decision tree when they come into tension with it: Facts over Law (effective implementation prevails over legal text), Effectiveness Supreme (laws that cannot be enforced receive lower ratings), Pragmatism (real status, not declared goals), Dependency Penalty (dependence on foreign platforms caps the ceiling), Corporate-Capture Degradation (legislative blocking by Big Tech lowers the rating), Context Explains but Does Not Excuse (geopolitical pressure explains but does not modify consequences), and the Digital Hegemony Reality Check — Principle #7 (designating the United States as an ‘adequate jurisdiction’ significantly lowers ratings). To the principles are added eight pitfalls, or rating traps — among them confusing activity with outcomes, underestimating weaknesses, and geographic presence without control — that must be cleared before finalising a rating, together with a horizontal-consistency check against the anchors of China, Russia, and Brazil.

2.4 The UNGS 2026 corpus

The assessment is grounded in the UNGS_2026 corpus, built by the UNGS agent pipeline. The collector gathered 373 raw pieces of evidence across the three search rounds; the verifier removed 91 for verification failures (invalid URL, lack of content match, or suspected hallucination); the integrator consolidated the remainder by removing 41 duplicates through exact URL match, leaving 241 integrated pieces of evidence (AR-EV-001 to AR-EV-241) plus 31 documented gaps. The composition by type covers regulation, case studies, quantitative data, reports, analysis, policy, and gaps; confidence is distributed across 125 high-confidence items, 80 medium, and 36 low. The share of Tier-1 sources (official domains *.gob.ar, InfoLEG, Boletín Oficial (Official Gazette)) reaches 48.5%, above the 40% minimum but below the 60% target. Each [AR-EV-NNN] citation in this report is traceable to a verified URL in evidence_base_UNGS_2026.json.

2.5 The Principle #7 override mechanism

One methodological element deserves anticipating because it proves decisive for indicator 1.3. Principle #7 does not function as a gradual downward adjustment but as a categorical-collapse mechanism: the active designation of the United States as an adequate jurisdiction for personal-data transfers relocates indicator 1.3’s rating to Level 1, overriding the result that the decision tree would have yielded on its own merits. The reasoning is that ceding adequacy to a jurisdiction without comprehensive federal privacy legislation and with statutory extraterritorial-access regimes (CLOUD Act) hollows out the protective purpose of the indicator, regardless of how sophisticated the rest of the framework may be.

2.6 Limitations

The assessment acknowledges four limitations. First, 31 candidate items were discarded as URL_BLOCKED owing to anti-bot barriers, TLS, or 403 responses (ITU documentary databases, 3GPP partner listings, W3C sources); human re-retrieval is recommended for future runs, since these are transport limits, not veracity limits. Second, indicators 3.3 and 3.4 fell below the sufficiency threshold of 15 pieces of evidence (11 and 12 respectively) after the verifier’s removals, which limits their confidence to Low. Third, several de facto quantitative metrics rest on single Tier-3 sources or on inference (hyperscaler market shares, the brain-drain rate specific to computer science), which reduces confidence without invalidating the direction of the rating. Fourth, two items suspected of hallucination were removed by the verifier and do not appear in the library; this report does not reproduce their claims, in keeping with the anti-hallucination discipline that governs the pipeline.

Chapter 3 — Indicator-by-Indicator Analysis

Dimension 1 — Independence in Data Ownership

Dimension 1 asks who owns, controls, and benefits from the data generated by Argentine residents, firms and institutions. It is the dimension where Argentina displays its sharpest internal contrast: it has the oldest and most recognised data-protection legislative framework in Latin America — the first regional adequacy status before the European Union, in 2003 9 — but that historical asset coexists with a flow protection collapsed by US adequacy and with a categorical absence of value-capture mechanisms. The relevant institutional landscape includes the AAIP (Agency for Access to Public Information) as the enforcement authority and the Law No. 25326 regime as the central piece. The dimension finding is unequivocal: with an average of 1.75, data ownership is Argentina’s weakest dimension, dragged down by the simultaneous collapse of two of its four indicators to Level 1.

3.1.1 Indicator 1.1 — Data ownership legislation

Rating: 3 — Developing. Confidence: High.

Argentina has a general data-protection statute in continuous force since the year 2000 — Law No. 25326 10 — operationalised by Decree 1558/2001, verified as in force, and amended on thirty-two occasions 11, and administered by the AAIP, an autonomous statutory body with a permanent National Directorate for the Protection of Personal Data 12. The authority is not nominal: it issues resolutions of operational substance — security measures, model contractual clauses for transfers, and the tiering of sanctions 13 — and exhibits a multi-year activity trace (491 case files and 52 sanctions in 2022) 14. The framework retains current external recognition: the European Union’s adequacy status was reaffirmed in January 2024 15 and Convention 108+ was ratified by Law No. 27699 in 2022 16. This conjunction of an operative statute, a functional regulator, and international recognition defines the Level 3 profile.

What prevents an ascent to Level 4 is the conjunction of two independent failures. First: the modernised text is not in force. The reform bill (Message 87/2023), which incorporated breach notification, impact assessments, portability, and the data-protection officer, lost parliamentary status at the end of 2024 after more than thirty months without consideration 17; the post-GDPR-era provisions remain absent from the text in force 18. By Principle #1 (Facts over Law), a bill cannot anchor a higher rating. Second: enforcement is not deterrent. The fine cap was never updated by law and stands at around USD 70–100; AAIP Resolution 126/2024 graduated infractions but could not raise the legal ceiling, because an administrative resolution does not amend a law 19; the total of 2022 fines was some USD 30,621 20 and the mass leaks of 2024–2025 (Renaper, ARCA, ANSES) were not sanctioned 21. By Principle #2 (Effectiveness Supreme), enforcement without deterrent magnitude is capped at Level 3. It does not descend to Level 2 because the statute is in force — it is not a draft — the regulator operates and there is an enforcement trace: Argentina comfortably clears the band of ‘preliminary discussions or planning’. In the comparative frame, 1.1 sits well below the Chinese anchor (Level 5) and groups with Brazil (Level 3): both regimes are transplanted from external standards and their enforcement scaling has lagged, although the Argentine weakness is specific — an obsolete text from 2000 whose modernisation stalled. An ascent to Level 4 would require the modernised text to enter into force and the fine cap to reach deterrent magnitudes on the order of 2–4% of revenue; erosion towards Level 2 would only follow the dismantling of the AAIP or the repeal of the regime in force.

3.1.2 Indicator 1.2 — Domestic data storage

Rating: 2 — Aware. Confidence: Medium.

Argentina lacks a general data-localisation mandate. The personal-data regime (Law No. 25326, art. 12) governs cross-border flows through adequacy and contractual clauses, not through territorial storage, and the AAIP’s own security resolution imposes no geographic restriction whatsoever 22. The only operative sectoral rule is the Central Bank’s prudential regime on third-party control and delegated technology (BCRA (Central Bank of the Argentine Republic) Communication A 7724, updated by A 8401) 23, which structures the supervision of outsourced services but does not require storage in national territory. Two reform bills explicitly preserve the transfer-based model and decline to introduce a localisation mandate 24. A residual sovereign capacity exists — ARSAT’s Tier III data centre and the national public cloud on open-source code 25 — but it is niche, oriented to the public sector, and undergoing partial privatisation (49%) 26. This configuration — a sectoral-only rule, residual domestic infrastructure, non-localising bills — corresponds precisely to Level 2.

The indicator does not reach Level 3 because that would require effectively enforced localisation in multiple substantive sectors plus a domestic cloud industry with measurable share: Argentina meets neither. The installed national capacity (~32 MW) is orders of magnitude smaller than a single hyperscale facility 27, while the growth of the cloud market is captured by foreign providers — AWS’s Local Zone in Buenos Aires and the OpenAI/Sur Energy 500 MW project under the RIGI 28 — a configuration that the framework rates as geographic presence under foreign jurisdiction (CLOUD Act), not as sovereignty (Pitfall #8). State policy actively incentivises foreign-controlled infrastructure without a localisation counterpart 29. It does not descend to Level 1 because there coexist a sectoral mandate in force, an operative state alternative and documented legislative discussion — the presence of the three elements the criterion requires to clear the initial floor. Argentina groups with Brazil (Level 2): both lack a general mandate and see their markets dominated by hyperscalers, while Russia (Level 4, Law 242-FZ with documented enforcement) marks exactly the regime that the Argentine bills decline to adopt. An ascent to Level 3 would require a sectoral localisation mandate effectively audited in finance and health or government, together with a domestic cloud industry of non-residual share.

3.1.3 Indicator 1.3 — Protection of cross-border flows

Rating: 1 — Initial. Confidence: High.

On paper, Argentina possesses a comprehensive and operationally exercised cross-border transfer regime: article 12 of Law No. 25326 prohibits transfers to jurisdictions without adequate protection 30, Decree 1558/2001 empowers the regulator to assess adequacy 31, Disposition 60-E/2016 publishes model contractual clauses 32, AAIP Resolution 34/2019 maintains a granular adequacy list from which the United States was explicitly absent 33, and the country retains European adequacy status since 2003, revalidated in January 2024 34. This conjunction of an operative statute, a functional regulator and international recognition defines the Level 3 profile.

However, the Joint Statement of 13 November 2025 and the USTR Fact Sheet 36, formalised by the signing of the Agreement on Reciprocal Trade and Investment on 5 February 2026 37, commit Argentina to recognising the United States as an adequate jurisdiction for personal-data transfers. By Principle #7 (Digital Hegemony Reality Check) and the indicator’s ‘collapse through extreme permissiveness’ mechanism, an active US adequacy designation caps the rating at Level 1, overriding the narrowing of the decision tree. Sophistication on paper does not anchor the rating; the operational reality of structural deference to a hegemonic jurisdiction does (Principle #1). This is a Level 1 by way of collapse, not by regulatory void: the regime exists and is exercised, but the adequacy designation to the dominant jurisdiction of data platforms removes the only protective barrier — historically, US Big Tech operated via contractual clauses, not by adequacy 38. In the comparative frame, the decisive separator with respect to China (≈5) and Russia (≈4) is exactly the variable that Principle #7 isolates: neither anchor grants adequacy to the United States, while Argentina now does. The result coincides with the BRICS 2025 baseline (also Level 1) by identical collapse reasoning. The only possible upward move would be the non-entry-into-force or the reversal of the US adequacy commitment; without it, no level above 1 is attainable.

3.1.4 Indicator 1.4 — Data value for public benefit

Rating: 1 — Initial. Confidence: High.

Argentina sustains a mature and long-standing open-data programme — Decree 117/2016, Law No. 27275 on access to information, and the datos.gob.ar portal with 1,235 datasets from 42 agencies 39 — together with an active civic-tech ecosystem that reuses public data 40. But that programme operates entirely on a logic of transparency and reuse, not of economic value capture from the data. The conceptual distinction is decisive: a robust open-data programme ‘gives data away to enable innovation’, while the indicator measures ‘capturing the value of data for public benefit’. All of Argentina’s substantive positive evidence belongs to the first category.

The indicator’s critical enablers are absent and documented as gaps with Tier-1 search: there is no state recognition of data as a factor of production or economic asset 41, there is no operative B2G mandate requiring platforms to share datasets of public interest 42, there is no fiscal value-capture instrument — the PAIS tax was a consumption tax, excluded by criterion, and was moreover repealed in December 2024 43, and the OECD’s Pillar One and Pillar Two were not implemented 44 — antitrust is not applied to data monopolies — the CNDC (National Commission for the Defence of Competition) maintains a study group without sanctioning power, and none of the eleven concentrated markets under investigation is a digital-native platform 45 — and there are no institutional data trusts 46. Decree 780/2024, moreover, restricted the scope of active transparency: a regression, not an advance 47. By Principle #3 (Pragmatism), aspirational bills do not anchor higher levels; the categorical absence of the critical piece ends the decision tree at Level 1. The indicator does not ascend to Level 2 because there does not even exist governmental recognition of data as an asset — not merely civil-society discourse — in a strategy or bill. The sophistication of the open-data programme places Argentina at the high end of Level 1, above a country with no policy at all, but transparency is not value capture. Against China (Level 4–5: data as the fifth factor of production since 2019), Argentina exhibits a lag of several levels; even against Russia and Brazil it remains a step below, lacking the limited B2G mechanisms and the digital-services taxation that those countries possess. An ascent to Level 2 would require the BCRA’s Open Finance System to enter into force or a bill to recognise data as an economic asset.

Intra-dimensional analysis. Dimension 1 reveals the Argentine paradox in its pure state: indicator 1.1, the strongest of the entire matrix on its own merit (the only framework with 2003 European adequacy), coexists with the collapse of 1.3 to Level 1 through the 2026 US adequacy, and with the total void of 1.4. The common bottleneck is that Argentina built capacity for protection without capacity for exploitation: it legislates the data point, but neither retains it territorially, nor protects it on its way out to the hegemonic jurisdiction, nor captures its economic value. The regulatory sophistication of 1.1 does not compensate for, and in fact contrasts with, the cession of sovereignty of 1.3 and the absence of economic vision of 1.4.

Dimension 2 — Digital Infrastructure Independence

Dimension 2 evaluates whether the country can operate its digital infrastructure without dependence on, or interruption by, foreign providers, across four layers: hardware, system software, application software and security. The relevant institutional landscape includes ARSAT and the national public cloud, the Tierra del Fuego regime, INTI, and INVAP on the technical plane, and CERT.ar in security. The dimension finding is notably uniform: all four indicators sit at Level 2 (average 2.00), a pattern of ‘awareness without substantive capacity’ in which Principle #4 (Dependency Penalty) — which the framework declares dominant for this dimension — operates across the board. Argentina recognises its dependencies and possesses real traces of capacity, but in each layer the structural dependence on the foreign stack caps the rating.

3.2.1 Indicator 2.1 — Basic hardware autonomy

Rating: 2 — Aware. Confidence: Medium.

There is explicit recognition of hardware dependence in national-level instruments — the Compre Argentino (Buy Argentine) regime (Law No. 27437) and the Knowledge Economy promotion regime (Law No. 27506) 48 — and an at-scale capacity for assembling imported components under the Tierra del Fuego regime (Law No. 19640), where close to 93% of telephones, air conditioners, and televisions sold are assembled domestically 49. But assembly is not manufacturing: by the principle ‘assembly is not autonomy’, assembling imported boards is value-added activity, not the substitution of foreign capacity. There exists no funded foundational hardware programme reaching the hinge threshold of ~USD 1,000 million over five years oriented to chip design or wafer fabrication: the RIGI attracts foreign investment in an enclave model without a technology-transfer obligation 50, the Knowledge Economy benefits target software and services, not manufacturing 51, and the national science-and-technology strategy (CTI Guidelines 2025–2027) explicitly omits microelectronics and semiconductors 52. Semiconductor capacity is design-only: the INTI provides integrated-circuit design services that are synthesised in foreign foundries, and Argentina operates no wafer plant 53.

The trajectory, moreover, is downward within the band: Decree 333/2025 reduces the import tariff on mobile phones from 8% to 0% by January 2026 54, Decree 111/2025 dilutes the Fuegian promotion fund, and the Mirgor Group suspended around 360 workers in response 55. The indicator does not reach Level 3 because that requires a funded foundational programme in design or fabrication, or a domestic-supplier share of 10–30% in some hardware category designed in the country: Argentina meets neither. It does not descend to Level 1 because both policy recognition and an operative assembly capacity persist. In the comparative frame, Argentina sits alongside Brazil (Level 1–2, with its failed CEITEC plant) and on a par with the Russian anchor (Level 2); Level 3 in this region requires extraordinary evidence — a sustained fabrication programme with output measured in wafers. An ascent to Level 3 would require a funded foundational programme; erosion towards Level 1 would follow the complete collapse of the Fuegian assembly base.

3.2.2 Indicator 2.2 — System software autonomy

Rating: 2 — Aware. Confidence: High.

Argentina presents the canonical Level 2 pattern: policy recognition and demonstrated engineering capacity, without a funded national programme or measurable domestic share. There is explicit recognition of software sovereignty — the ONTI Public Software initiative, ONTI Disposition 2/2019 requiring code to be shared under open licences across the entire National Public Sector, and Santa Fe’s provincial law on the preferential use of free software 56 — and a bounded implementation footprint: a state GNU/Linux distribution (Huayra, developed at EDUCAR) 57, a national public cloud on open-source code 58 and an ecosystem of official repositories (argob, 43 repositories) 59. This satisfies the existence and implementation nodes, but no piece crosses the Level 3 thresholds.

Foreign dominance is overwhelming and quantified: the domestic desktop operating system is marginal (Windows 81.64%, total Linux 2.21%) 60, the mobile market is more than 99.97% foreign 61 and the database market is dominated by Oracle, SAP, Microsoft, and IBM, with effectively zero domestic share 62. Decisively, ARSAT’s own state cloud runs its network operations centre on Red Hat OpenShift — control software from a US provider 63 — so the control plane is not domestic: the physical location of the data centre does not equate to autonomy (Principle #7). The only domestic operating-system footprint (Huayra) was confined to the education sector and was suspended and intervened in the Milei era: the Conectar Igualdad and Educ.ar platforms were left in ‘construction mode’ and Decree 963/2024 appointed an intervenor for EDUC.AR S.E. 64, downgrading that single case to symbolic status. Linux adoption is necessary but not sufficient, because its upstream is controlled from outside the country. It does not descend to Level 1 because a documented state distribution and a nationally scoped public-software regulation persist. Argentina is directly comparable to Brazil (Level 2) and remains a step below Russia (Level 3–4, with certified Astra Linux and sanctions-accelerated substitution). An ascent to Level 3 would require critical-infrastructure systems running on a domestic operating system with audited patching independence, or more than 5% domestic share in cloud, databases, or server operating systems.

3.2.3 Indicator 2.3 — Application software autonomy

Rating: 2 — Aware. Confidence: Medium.

Argentina presents the textbook Level 2 profile for this indicator: a capable software industry and genuine domestic dominance in several vertical categories, against complete foreign control of every horizontal category. On the vertical plane the evidence is strong and verified: Mercado Libre led national app downloads in 2024 (11.7 million) 65, Mercado Pago surpassed 50 million monthly active users in Latin America with USD 8,600 million in revenue 66, three domestic neobanks retain 88% of digital banking 67 and the State deploys self-authored citizen platforms at scale — Mi Argentina, with 21 million registered users 68. On the horizontal plane, dependence is almost total and quantified: WhatsApp with 93% penetration in messaging, Instagram with 86.7% 69, Google with 94.01% of searches 70, and productivity, ERP, and CRM dominated by Microsoft, SAP, Oracle, and Salesforce with no domestic provider of measurable share 71.

The decisive test of the indicator is horizontal share: an ascent to Level 3 requires ≥30% domestic share in at least one major horizontal category (office software, ERP, or industrial software). The Argentine shares above 30% are all in vertical categories — e-commerce, payments, digital banking — which the criterion explicitly excludes from the horizontal denominator. Policy is one of promotion, not substitution: Law No. 27506 sustains a service-export industry (USD 2,674 million in 2024, 46.9% to the United States) 72 rather than the substitution of horizontal products, and a domestic champion in a horizontal-adjacent category (Auth0, authentication) was acquired by the US firm Okta, reversing the sovereignty relationship (Principle #5) 73. It does not descend to Level 1 because there are measurable domestic products, policy recognition, and a substantive software industry. Argentina groups with the lower band of Brazil but below it, because Brazil has, in TOTVS, a domestic ERP provider with measurable horizontal share — exactly what Argentina lacks — and remains a level below Russia (Level 3, with 1C in ERP and MyOffice in office software). An ascent to Level 3 would require a domestic provider to reach 30% share in a horizontal category or the public-procurement preference for nationally originated software to be applied with auditing.

3.2.4 Indicator 2.4 — Information security autonomy

Rating: 2 — Aware. Confidence: Low.

Argentina possesses a comparatively rich cybersecurity institutional architecture but fails the three substantive tests that separate Level 2 from Level 3. There is a national CERT in regulation (CERT.ar, Disposition 1/2021) 74, operative on paper — it registered 438 incidents in 2024, 15% above 2023, with 61% in the state sector 75 — and internationally recognised through FIRST membership. The scope of that figure must be made explicit: CERT.ar’s mandate is confined to the National Public Sector, within a deliberately federated incident-response architecture. Alongside it operate a second national-level team at the Ministry of Security and a network of sub-national centres — among them the BA-CSIRT of the Autonomous City of Buenos Aires, the CSIRT of the Province of Buenos Aires, and that of the Province of Córdoba, several of them integrated into the OAS CSIRT Americas Network — each with its own jurisdiction and sectors. These teams do not aggregate into the national score of this indicator, which measures federal-level capacity; their existence, however, means that CERT.ar’s register must not be read as an exhaustive count of the country’s incident activity, but as the activity of the federal-level team. A layered regulatory regime governs the public sector: the PNICIC critical-infrastructure programme, minimum security requirements with a duty to notify the CERT within 48 hours (Administrative Decision 641/2021) 76, a second National Cybersecurity Strategy and the reorganisation of Decree 941/2025 that creates the National Cybersecurity Centre, and the Federal Cyberintelligence Agency 77. But, by Principles #1 and #2, strategies, and constitutive instruments are activity, not measured effectiveness.

The triple test fails simultaneously: the CERT’s capacity (438 total incidents — not ‘major’ — reported without standardised FIRST-type operational metrics — mean time to respond, severity classification, or a trace of advisories adopted; the count is a raw aggregate that, moreover, reflects only the National Public Sector perimeter, and does not evidence the handling of major incidents with disclosed timelines) 78; the market test (no measurable domestic share and no documented sovereign cryptographic research) 79; and the product test (no verifiable domestic security product in critical infrastructure) 80. Three major breaches of the period are reverse evidence that the regime does not protect: the leak of the national driver’s-licence database (~5.7–6 million records, 1.25 TB, April 2024) 81, the December 2024 defacement of Mi Argentina and SUBE — where the attackers reported the absence of two-factor authentication on central-government sites 82 — and the recurring RENAPER incidents 83. Confidence is capped at Low because the evidence subset (14 items) falls below the sufficiency threshold and the corpus entirely lacks market-share data. It does not descend to Level 1 because CERT.ar exists in a constitutive instrument and registers incidents, and a substantive strategy is published and under active reform. Argentina sits at the lower edge of the Brazilian band (Level 2–3) and well below Russia (Level 4, with Kaspersky and the sovereign GOST cryptography). An ascent to Level 3 would require a public trace of major incidents with response times, a domestic security-product industry of measurable share, and a sovereign cryptographic regime applied in critical infrastructure.

Intra-dimensional analysis. The four indicators of Dimension 2 share a single bottleneck: the Dependency Penalty. Argentina recognises every dependence — it has Compre Argentino, Public Software, a thriving software industry, and a CERT — but in each layer the real capacity is assembly (2.1), foreign upstream (2.2), vertical strength without horizontal substitution (2.3) or architecture without effectiveness (2.4). The symptomatic tension is that the dimension’s most visible asset — the software industry — feeds service exports to foreign clients and champions that are acquired by US firms, so that engineering capacity does not translate into infrastructure autonomy. The uniformity of Level 2 is no coincidence: it is the hallmark of an economy that is a net integrator of every layer of the digital stack.

Dimension 3 — Digital Governance Independence

Dimension 3 asks whether the country governs its digital space or is governed within others’ rules, through legislative capacity, enforcement, and leadership in international rules. The institutional landscape includes the Congreso de la Nación (National Congress), the AAIP, and the competition authority (CNDC, succeeded by the National Competition Authority), IRAM in technical standards and the Cancillería (Ministry of Foreign Affairs) in multilateral fora. The dimension finding (average 2.00) combines two high-confidence profiles — legislative capacity and enforcement, both capped at Level 2 by a subtractive trajectory and symbolic enforcement — with two low-confidence profiles owing to insufficient evidence (3.3 and 3.4), both also at Level 2: international participation without leadership.

3.3.1 Indicator 3.1 — Legislative capacity in digital matters

Rating: 2 — Aware. Confidence: High.

Argentina possesses a foundational but dated digital legal corpus: a cybercrime law (Law No. 26388, 2008), electronic signature (Law No. 25506, 2001), grooming (Law No. 26904, 2013), a statute on internet-provider content (Law No. 25690, 2002) and the telecommunications framework (Law No. 27078, 2014) 84, alongside a data-protection statute (Law No. 25326, 2000) never substantively modernised. On a static reading, this corpus sits at the high end of Level 2: the foundational statutes are pre-2015 in substance, the frontier domains (artificial intelligence, platforms, statutory cybersecurity) are governed by executive instruments or non-binding guidance 85, and the modernisation bills remain pending without enactment 86.

Decisively, the trajectory is subtractive. The Ministry of Deregulation accumulates 543 measures that modify or eliminate 2,519 norms across 15,144 articles — verified textually against the official source 87 — article 15 of Law No. 27078 was repealed by decree in April 2024 88 and the national artificial-intelligence strategy was institutionally discontinued 89. By the indicator’s trajectory clause, a corpus under active dismantling cannot exceed Level 2 regardless of its historical base: this is the binding constraint, and it confirms Level 2 regardless of the static result of the decision tree. The indicator does not reach Level 3 because that would require at least one enacted — not proposed — frontier statute plus a trace of legislative modernisation in the last five years, conditions that the deliberate deregulatory trajectory (Argentina articulated as a ‘low-regulation hub’ for AI) 90 renders unattainable. It does not descend to Level 1 because a genuine digital corpus is in force and the Budapest Convention and Convention 108+ have been incorporated. Against Brazil (Level 3, with the operative LGPD and an AI bill advancing), Argentina remains a level below precisely because its frontier bills do not advance to enactment and its existing corpus is being dismantled. The convergence with the BRICS 2025 rating (also Level 2) validates the reading. An ascent to Level 3 would require the enactment of a frontier statute (AI or platforms) and the cessation of the subtractive trajectory.

3.3.2 Indicator 3.2 — Enforcement capacity

Rating: 2 — Aware. Confidence: High.

Argentina has operative digital regulators with statutory sanctioning powers — the AAIP in data protection, the CNDC (replaced by the National Competition Authority on 17 November 2025) in competition, and the BCRA in financial cybersecurity — but enforcement is symbolic rather than consequential. The AAIP’s statutory fine scale runs from ARS 1,000 to ARS 100,000 (~USD 88–100 at its maximum) 91, orders of magnitude below the GDPR’s 4%-of-revenue standard; the largest sanction against a Big Tech firm ever imposed is the one against Google, for ARS 280,000 aggregated (~USD 215, 2020), equivalent to around 0.0001% of the offender’s revenue 92. The competition authority issued 89 merger-control decisions and a single procedural fine for late notification in 2024, with zero anticompetitive-conduct sanctions 93.

The binding fact is the closure of the flagship case: the CNDC shelved the abuse-of-dominant-position investigation against WhatsApp and Meta on 2 July 2025 without a final sanction, after four years and two rounds of precautionary measures confirmed judicially 94. A regulator that opened, litigated, and then abandoned its emblematic case against a foreign Big Tech firm without extracting any concession exemplifies the Level 2 ceiling. The indicator does not reach Level 3 because that requires at least one concluded enforcement action that produces documented behaviour change among the regulated, together with non-testimonial sanctions proportional to the infraction: the behaviour-change test is mandatory and fails resoundingly. It does not descend to Level 1 because the AAIP has concluded real monetary sanctions — even against a Big Tech firm — and the competition authority processes merger control at volume with professional staff. Argentina remains below Brazil (Level 2–3), whose CADE demonstrated the capacity to extract compliance even from foreign platforms (the X/Twitter episode), and well below China (Level 5, with the structural decisions against Alibaba and Didi). An ascent to Level 3 would require a concluded sanction with verifiable behaviour change and the updating of the fine cap to deterrent magnitudes.

3.3.3 Indicator 3.3 — Leadership in international technical rules

Rating: 2 — Aware. Confidence: Low.

Argentina is an active participant in international technical-standards bodies, with a genuine contribution but without leadership. It maintains its level of access through the general standards ecosystem — IRAM is the sole national representative before ISO and, together with CEA/AEA, before IEC, as well as a representative in the regional bodies COPANT and AMN 95 — and the country rejoined IEC in 2001. The strongest and verified contribution is that of Verónica Marinelli, of IRAM’s SC 27 mirror committee, as one of three editors of the adopted international standard ISO/IEC 27002:2022 96; alongside her, editors from a single institution (UTN’s Santa Fe Regional Faculty) act as editors of at least five Y-series Recommendation projects of the ITU-T’s Study Group 20 97.

But the concentration in a single institution and a single body is exactly what the criterion caps at Level 2: an isolated editor/rapporteur contribution — the lowest leadership level — does not cross the frontier to Level 3, which requires multi-body adoptions and a handful of leadership roles. The chair leadership level is verifiably absent: there is no Argentine vice-chair in the 2025–2028 leadership roster of the ITU-T’s Study Group 20 98, nor any Argentine organisation among the 329 members of the W3C 99 — Argentina is a rule-taker in web protocols. The regional engagement (chair of CITEL’s Steering Committee in 2018) is real but, by Pitfall #5, regional harmonisation is categorically distinct from global rule-making and does not raise the global rating 100. Confidence is capped at Low because the corpus lost around ten candidate items to verification failures and ended up at 11 items, below the sufficiency threshold. Argentina groups with the Brazilian anchor (Level 2): both are regional leaders with limited global presence. An ascent to Level 3 would require contributions adopted in multiple bodies by multiple institutions, plus leadership roles above the editor level.

3.3.4 Indicator 3.4 — Leadership in international conduct rules

Rating: 2 — Aware. Confidence: Low.

Argentina is a recurrent and substantive participant in the main arenas of international digital governance — the UN Open-Ended Working Group on ICT security, the Ad Hoc Committee that produced the Convention on Cybercrime, the Council of Europe’s Convention 108 system and regional internet-governance fora — but the evidence shows participation without independent agenda-setting. The strongest signal, the election of Beatriz Anchorena to chair the Council of Europe’s Convention 108 Committee 101, is a genuine credential of treaty engagement, but it is a rotating institutional chairmanship over an instrument anchored in the European Union that advances the Council of Europe’s own work programme, not a doctrine of Argentine origin adopted by other States. The interventions in the Working Group were carried out explicitly ‘without co-sponsoring substantive thematic resolutions’ 102.

Decisively, a domestic–international coherence failure undermines any claim to independent normative leadership: a data-protection bill with extraterritorial scope and anti-CLOUD Act provisions (1948-D-2025) runs contemporaneously with the Framework Agreement that grants the United States data-adequacy status 103 — Argentina advocates data sovereignty while conceding it. The indicator does not reach Level 3 because that requires co-sponsorship of a substantive instrument with documented impact on the final text, visible independent positioning, and domestic–international coherence, and the surviving evidence satisfies none of these. As to the Argentine withdrawal from the Pact for the Future and the Global Digital Compact, it is treated qualitatively as dissent-without-alternative — Level 2 positioning, not Level 3 leadership — without reproducing the specific date or cohort, whose evidentiary carrier was removed by the verifier. It does not descend to Level 1 because Argentina is an active participant of substance, with recurrent delegations and a treaty-committee chairmanship. Against Brazil (Level 3, with NETmundial 2014 and sustained leadership in the IGF), Argentina remains just below, at the upper edge of Level 2, for lacking a flagship convened process and for exhibiting the incoherence that Brazil does not show. An ascent to Level 3 would require a co-sponsored instrument with documented influence and the resolution of the domestic–international incoherence.

Intra-dimensional analysis. Dimension 3 exposes a coherent internal hierarchy: legislative capacity (3.1) exceeds enforcement (3.2) in its historical base, but both are capped at Level 2 for distinct reasons — a subtractive trajectory in 3.1, the absence of deterrent effect in 3.2 — satisfying the cross-cutting consistency rule that requires enforcement ≤ legislation. International leadership (3.3 and 3.4) remains at participation without influence, consistent with the rule that requires influence in international rules ≤ domestic R&D capacity. The common bottleneck is that Argentina possesses real institutions that operate within others’ rules: it legislates but dismantles, it enforces but does not deter, it participates but does not lead. The domestic–international incoherence of 3.4 — advocating data sovereignty while conceding US adequacy — is the dimension’s sharpest cross-cutting symptom.

Dimension 4 — Digital Capacity Independence

Dimension 4 analyses whether the country has the human, scientific, and industrial capacity to sustain digital sovereignty across generations, along four indicators: frontier research, university talent, industrial engineering, and strategic alignment. The institutional landscape includes CONICET, the free public university system, the MinCyT/Secretariat of Sci