Cybersecurity 2026

Last Updated March 17, 2026

Japan

Law and Practice

Authors



Mori Hamada is a full-service law firm that has served clients with a proven track record since its establishment in December 2002. The firm has experienced lawyers with significant expertise in the constantly evolving and increasingly complex areas of information technology, life sciences, and intellectual property, offering a wide range of legal services tailored to the diverse needs of its clients. These services include advising on regulatory requirements, business formation, corporate housekeeping, contract negotiations, and dispute resolution. In the area of data protection, the firm has recognised expertise in leveraging user information while safeguarding clients’ business interests. Mori Hamada’s data protection team comprises approximately 150 lawyers across its offices in Tokyo, Osaka, Nagoya, Fukuoka, Beijing, Singapore, Manila, and New York.

The Basic Act on Cybersecurity is Japan’s fundamental law on cybersecurity, and the Act on the Protection of Personal Information (APPI) is the country’s principal data protection law. On 16 May 2025, the Cyber Response Capabilities Enhancement Act and an Act to Amend the Related Laws (the “Active Cyber Defence Acts”), which enhance active cyberdefence, were approved for the government to proactively respond to the increasing threat posed by cyber-attacks.

Pursuant to the APPI, personal data breaches are subject to mandatory reporting and notification requirements – see 2.3 Incident Response and Notification Obligations.

The Active Cyber Defence Acts establish a framework for public-private collaboration in cybersecurity, permit the use of communications information for cybersecurity, and authorise access to attackers’ servers for the purpose of neutralisation. The Unfair Competition Prevention Act prohibits the infringement of trade secrets, and the Act on Prohibition of Unauthorised Computer Access outlaws unauthorised computer access. The Penal Code also includes penalties for some cybersecurity crimes. The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications.

Japan does not have specific regulations for secure software development.

For more details on the laws cited above and other relevant laws, see 1.2 Cybersecurity Laws.

The Basic Act on Cybersecurity regulates the responsibility of the national and local governments for cybersecurity (Articles 4 and 5). It also stipulates the obligation of critical information infrastructure operators, cyberspace-related business providers, and research institutions such as universities (Articles 6, 7 and 8) to exert efforts to ensure cybersecurity.

The APPI, Japan’s principal data protection law, provides the basic principles for the government’s regulatory policies and authority, as well as requirements for private business operators who handle personal information (“handling operators”).

Another important law is the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (the “My Number Act”), which stipulates special rules for “My Number” – a 12-digit individual number assigned to each resident of Japan.

The Active Cyber Defence Acts aim to enable the government to respond proactively to the growing threat of cyber-attacks. They consist of four pillars:

  • public-private collaboration;
  • the use of communications information by the government;
  • government access to attackers’ servers and the neutralisation of cyberthreats; and
  • the development of organisational and institutional frameworks.

Private-sector entities directly affected by the Active Cyber Defence Acts include critical infrastructure operators (see 2.1 Scope of Critical Infrastructure Cybersecurity Regulation), businesses related to systems used by critical infrastructure operators, telecommunications carriers, and IT vendors.

In addition to the regulatory framework applicable under the Economic Security Promotion Act (see 2.2 Critical Infrastructure Cybersecurity Requirements), critical infrastructure operators are subject to obligations to submit notifications upon the introduction of specified critical computers that could affect core systems in the event of a cybersecurity breach, as well as obligations to report security incidents when they become aware of such incidents. They may also be requested by the government to engage in consultations towards the conclusion of agreements concerning the sharing of communications information, and to co-operate by participating as members of government-established councils.

Telecommunications carriers may be required to take measures to provide specified communications data in response to requests from the government.

IT vendors may be required to implement damage prevention measures and to submit reports or materials concerning vulnerabilities related to hardware designated as specified critical computers by critical infrastructure operators, as well as programmes incorporated therein. In addition, they may be required to co-operate with critical infrastructure operators to enable them to properly fulfil their obligations to report security incidents. The jourei, or ordinances, enacted by local governments contain public-sector obligations.

The Unfair Competition Prevention Act prohibits the infringement of trade secrets and provides for causes of actions in civil cases, such as compensation for damages and injunctive relief, as well as criminal sanctions. Data used in services that are accumulated to a significant extent and managed by electronic or magnetic means and shared with limited specific persons are protected as “limited provision data”. Unauthorised acquisition or utilisation of data for limited provision may be deemed to be unfair competition, which is subject to compensation for damages and injunctive relief but not criminal sanctions.

The Act on the Prohibition on Unauthorised Computer Access outlaws:

  • the use of another person’s identification codes (eg, passwords) to access remote computers via telecommunications networks;
  • inputting information (excluding identification codes) or commands to evade access restrictions on remote computers via telecommunications networks;
  • obtaining, supplying or storing someone else’s identification codes without legitimate reason (Articles 3, 4, 5 and 6); and
  • phishing or creating a false impression of being a network administrator and requesting identification codes (Article 7).

The Penal Code prohibits:

  • the creation of false electromagnetic records that are related to rights, duties or the certification of facts (Article 161-2);
  • fraud by using computers (Article 246-2);
  • the destruction of electromagnetic records in use by a public office or concerning private rights or duties (Articles 258 and 259);
  • the obstruction of business by damaging computers or electromagnetic records or causing them to operate counter to their original purpose (Article 234-2); and
  • the creation, provision, acquisition or storage of computer viruses (Articles 168-2 and 168-3).

The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications (Article 41.6(iii)) and to report serious breaches to the Ministry of Internal Affairs and Communications (MIC).

The Instalment Sales Act requires businesses handling credit card numbers to take necessary and appropriate measures to prevent the leakage, loss or damage of or to those credit card numbers (Article 35-16).

The Payment Services Act requires prepaid payment instrument issuers, funds transfer service providers, and virtual currency exchange service providers to take necessary and appropriate measures to prevent the leakage, loss or damage of or to information pertaining to their respective businesses (Articles 21, 49 and 63-8).

Sector-specific regulators impose additional information security obligations on some industries including the financial and healthcare sectors. For the financial sector, the Financial Services Agency (FSA) has issued the Comprehensive Guidelines for the Supervision of Major Banks, etc, which provide for cybersecurity obligations of financial institutions. For details on cybersecurity guidelines in finance, see 3. Operational Resilience in the Financial Sector. As for the healthcare industry, an enforcement order on the Medical Care Act requires hospitals, clinics and birthing centres to take appropriate steps to ensure cybersecurity (Article 14.2) and an enforcement order of the Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices also requests pharmacies to do the same (Article 11.2). Further, various ministries have issued other relevant guidelines:

  • the Ministry of Health, Labour and Welfare (MHLW) issued the Guidelines on Safety Management of Medical Information Systems (last amended in May 2023);
  • the Ministry of Economy, Trade and Industry (METI) and MIC jointly issued the Guidelines on Safety Management for Providers of Information Systems and Services Handling Medical Information (last amended in July 2023);
  • MIC published comprehensive measures for the security of the internet of things (IoT) (July 2016); and
  • MIC published guidelines on the application of the Telecommunications Business Act to reports of serious accidents (volume 7, December 2023).

The regulator tasked with enforcing and implementing the APPI is the Personal Information Protection Commission (the “PPC”), which has the following powers under the law:

  • to require handling operators to report or submit materials regarding their handling of personal information (Article 146), which the APPI defines as information about living individuals that can identify specific individuals or contains what is referred to in the law as an “individual identification code” (Article 2.1);
  • to enter a handling operator’s offices or other locations to investigate, make enquiries, or view records or other documents (Article 146);
  • to provide guidance or advice to handling operators (Article 147);
  • to recommend that handling operators cease any acts constituting a violation of the APPI and take other necessary measures to correct the violation (Article 148.1);
  • to order handling operators to take necessary measures to implement the PPC’s recommendations and to rectify certain violations of the APPI (Articles 148.2 and 148.3); and
  • when the PPC issues orders pursuant to Articles 148.2 and 148.3, and handling operators violate the order, the PPC may publicly announce the violation (Article 148.4).

The National Police Agency and the Public Prosecutors Office are responsible for the criminal investigation and prosecution of cybercrimes.

Among the non-regulatory government authorities that are also directly involved with cybersecurity, the Information-technology Promotion Agency of Japan (IPA) and the National Cybersecurity Office (NCO) are particularly notable. The NCO was formerly known as the National Center for Incident Readiness and Strategy for Cybersecurity (NISC) and was established in July 2025 as its enhanced successor. The IPA regularly publishes important guidelines and provides information on cybersecurity. The more important guidelines include the Cybersecurity Management Guidelines for small and mid-sized companies on information security, and guidelines on preventing insider data breaches. The IPA also runs the J-CSIP (Initiative for Cybersecurity Information Sharing Partnership of Japan), which shares cybersecurity information of critical information infrastructure operators (ie, operators of businesses that provide infrastructure that is the foundation of people’s living conditions and economic activities, the functional failure or deterioration of which could have a highly significant impact on society).

The NCO’s responsibilities include:

  • serving as the secretariat of the Cybersecurity Strategic Headquarters;
  • monitoring and analysing unauthorised activities targeting information systems of administrative organs;
  • providing necessary advice, information and other assistance, as well as conducting audits, to ensure cybersecurity; and
  • carrying out comprehensive co-ordination concerning the assurance of cybersecurity.

The NCO was established in light of the enactment of the Active Cyber Defence Acts. For more on other regulators, refer to 1.1 Cybersecurity Regulation Strategy and 1.2 Cybersecurity Laws.

The Cybersecurity Policy for Critical Infrastructure Protection defines the following 15 sectors as critical information infrastructure:

  • airports;
  • aviation;
  • chemical industry;
  • credit cards;
  • electric power supply;
  • financial services;
  • gas supply;
  • information and communication;
  • government and administration;
  • logistics and shipping;
  • medical;
  • petroleum industry;
  • ports and harbours;
  • railways; and
  • water supply.

The aforementioned cybersecurity policy also encourages critical information infrastructure operators to periodically assess their progress in implementing security measures and policies.

Under the APPI, handling operators not limited to critical infrastructure must take necessary and appropriate action for security control over the personal data that they handle, including preventing the leakage, loss or damage of or to personal data (Article 23).

The PPC is the regulator primarily responsible for the APPI and the My Number Act; it has published guidelines for the handling of personal information (the “PPC Guidelines”).

The PPC Guidelines provide examples of these handling measures, such as establishing and implementing basic policies, internal rules, and organisational, personal and technical security measures, as well as understanding of the external environment. “Understanding of the external environment” is a security measure, newly introduced by the amendments to the Guidelines, which requires handling operators who process personal data in foreign countries to understand the local legal systems for personal information protection and, taking into consideration those legal systems, to take necessary and appropriate measures to ensure the security of personal data. Effective since April 2024, the PPC Guidelines also require handling operators to take security control over personal information that is collected and expected to be treated as personal data to prevent cyber-attackers from intercepting it on the operators’ behalf.

According to the APPI, when a handling operator allows its employees to handle personal data, it must exercise necessary and appropriate supervision over the employees to ensure security control over the personal data (Article 24). The APPI also requires handling operators to ensure that the entities to whom they have entrusted the handling of personal data (eg, third-party vendors) take appropriate measures to ensure security control over the personal data (Article 25).

Under the Economic Security Promotion Act, important critical infrastructure businesses are individually designated by the competent ministry as Specified Essential Infrastructure Service Providers. They are required to take measures to reduce or eliminate risk factors among parties involved in the supply chain. Some of the requirements include establishing measures to:

  • prevent unauthorised changes to specified critical facilities;
  • prevent service interruptions;
  • confirm any legal or contractual violations by parties involved in the supply chain; and
  • prevent unintended changes by subcontractors.

On 16 May 2025, the Act on the Protection of Economic Security Information took effect, introducing a security clearance system under which information designated by the government as important to national security, including information concerning critical infrastructure and supply chains of critical goods, may be handled only by persons who require access to it and whose reliability has been confirmed.

The Cybersecurity Policy for Critical Infrastructure Protection provides for the reporting obligations of critical information infrastructure operators in the following instances:

  • if there is a legal reporting requirement by law or regulation;
  • if the operator has determined that an incident has had a serious impact on people’s lives or the operator’s services and that information must be shared; and
  • in other cases where the operator has determined that information must be shared.

Definition of Data Security Incident, Breach or Cybersecurity Event

The APPI stipulates mandatory obligations to report data breach incidents to the PPC and to notify affected data subjects in cases where their rights or interests are likely to be infringed (Article 26). The PPC Ordinance defines a data security incident or breach as the actual or possible occurrence of the leakage, loss or damage of or to personal data. The details of the requirements are discussed below.

There is also a special rule for “My Number” under the My Number Act. There is no general regulation to impose a mandatory reporting obligation for cybersecurity events that do not involve a personal data breach. However, there are various regulations generally mandating certain types of service providers to report all incidents affecting their services to the authorities. This reporting obligation also covers cases where service failure results from a cyber-attack.

For example, under the Telecommunications Business Act, if an incident occurs and causes the suspension or deterioration of the quality of services for more than the prescribed number of hours and affects a certain number of users specified by the relevant ordinance, the telecommunications business operator must report the incident to MIC. Furthermore, MIC has the authority to issue orders to improve the business practices of licensed telecommunications service providers. Another example is financial institutions; many laws regulating financial sectors oblige them to report material service failure to the authorities.

Data Elements Covered

Breach of data security is applicable to personal data. The APPI defines personal data as personal information that is contained in a personal information database (Article 16.3), which is a collection of information (including personal information) that is systematically organised to enable a computer or some other means to search for particular personal information. However, this term excludes the collection of information that a cabinet order indicates as having little possibility of harming an individual’s rights or interests considering how that collection uses personal information (Article 16.4). Examples of collections of information that are excluded from this definition include commercially available telephone directories or car navigation systems.

The PPC Ordinance prescribes that a mandatory data breach report is required if a data breach involves personal data (excluding personal data protected by advanced encryption or other measures necessary to safeguard the rights and interests of the individual) that:

  • contains “special care-required personal information”;
  • is likely to cause property damage if used inappropriately;
  • was involved in a breach that is likely to have been committed for an improper purpose (effective since April 2024, personal information that is already or will be collected and expected to be treated as personal data is also included in this requirement); or
  • concerns more than 1,000 individuals.

Special care-required personal information is defined as personal information comprising a data principal’s race, creed, social status, medical history, criminal record, the fact of having been a victim of a crime, or other descriptions that may be prescribed by a cabinet order as requiring special care in handling so as not to cause unfair discrimination, prejudice or other disadvantages to the data subject (Article 2.3).

Governmental authorities that have specific jurisdiction over some of the 15 critical information infrastructure sectors have issued specific guidelines, described below, concerning cybersecurity.

For the healthcare industry, see 6.3 Cybersecurity in the Healthcare Sector. For the financial industry, see 3. Operational Resilience in the Financial Sector.

The Ministry of Land, Infrastructure, Transport and Tourism (MLIT) has issued:

  • Safety Guidelines for Ensuring Information Security for Air Transport Operators for aviation services;
  • Safety Guidelines for Ensuring Information Security in the Airport Sector for airport services;
  • Safety Guidelines for Ensuring Information Security for Railway Operators for railway services;
  • Safety Guidelines for Ensuring Information Security for the Logistics Sector for logistics services (motor vehicle transportation);
  • Safety Guidelines for Ensuring Information Security for the Logistics Sector for logistics services (warehouse operations);
  • Safety Guidelines for Ensuring Information Security for the Logistics Sector for logistics services (ship operations);
  • Safety Guidelines for Ensuring Information Security for the Logistics Sector for water supply services; and
  • Safety Guidelines for Ensuring Information Security for the Logistics Sector for ports and harbours.

The MLIT also issues information security countermeasure checklists for railway services, bus services, bus terminals, taxis, hotels, ferries, and airports and airport buildings.

The FSA issued the Comprehensive Guidelines for the Supervision of Major Banks, etc (the “SMB Comprehensive Guidelines”), which mention cybersecurity obligations, referring to the Guidelines on Cybersecurity for the Finance Sector (the “CSFS Guidelines”). The SMB Comprehensive Guidelines further include measures regarding operational resilience, which refers to the ability of financial institutions to continue to maintain the minimum level of their critical operations even in the event of a system failure, terrorist attack, cyber-attack, infectious disease, natural disaster, or other event. The SMB Comprehensive Guidelines specify the actions to be taken by boards of directors and the authorities’ regulations to achieve operational resilience.

These Guidelines do not have any extraterritorial scope of applicability.

On 8 December 2025, a draft amendment to the SMB Comprehensive Guidelines was released, and public comments were invited until 13 January 2026. The amendment aims to strengthen measures to address cyber-risks related to online banking services and includes additional details on recommended fraud prevention measures, such as implementation of phishing-resistant multi-factor authentication.

Not limited to the financial sector, when a handling operator entrusts personal data, it must exercise the necessary and appropriate supervision over the entrusted person to ensure security control over the entrusted personal data (Article 25 of the APPI). Handling operators must supervise the entrustees to ensure that the same levels of security control are taken as those imposed on the operators under the APPI.

If a handling operator uses cloud services, this may not be considered as entrustment and therefore the above-mentioned obligation under Article 25 of the APPI may not apply. Instead, businesses that use cloud services must still take appropriate security control over the personal data stored in cloud services as part of their own duties.

The APPI does not provide for data portability rights.

The SMB Comprehensive Guidelines require businesses to report to the authorities when they become aware of a computer system failure or a cybersecurity incident, when they are recovering from such incidents, and when they have identified the cause of an incident. Where the business detects that a cyber-attack will or is highly likely to have an impact on customers or business, a report is required even if a system failure or incident does not occur. For details on the SMB Comprehensive Guidelines, see 3.1 Scope of Financial Sector Operational Resilience Regulation.

The FSA may impose administrative disposition on financial businesses that have violated or may be at risk of violating laws or regulations. Such disposition includes on-site inspections and orders to improve business operations.

For offshoring, please note that there are special restrictions on the transfer of personal data to foreign countries. In principle, the APPI requires the transferor to obtain the prior consent of individuals whose personal data will be transferred to third parties located in foreign countries (Article 28). In other words, overseas transfer restrictions will apply if a foreign company transfers user data to another company outside Japan. Conversely, if it transfers user data to a company in Japan, these overseas transfer restrictions will not apply. The overseas transfer restrictions apply even where outsourcing would otherwise qualify as an exception to local third-party data transfer restrictions.

The data subjects’ consent to overseas data transfers is not necessary if the following apply:

  • the foreign country is designated by the PPC as a country with a data protection regime with a level of protection equivalent to that of Japan (only EEA member countries and the UK have been designated to date);
  • the third-party recipient has an equivalent system of data protection that meets the standards prescribed by the ordinance issued by the PPC (the “PPC Ordinance”) – ie, either of the following:
    1. there is assurance, by appropriate and reasonable methodologies, that the recipient will treat the disclosed personal data in accordance with the spirit of the requirements on handling personal data under the APPI; or
    2. the recipient has been certified under an international arrangement, recognised by the PPC, regarding its system of handling personal data.

The implementation of the PPC Ordinance is set out in the PPC Guidelines, which provide that “appropriate and reasonable methodologies” include agreements between the data importer and exporter, or inter-group privacy rules, which ensure that the data importer will treat the disclosed personal data in accordance with the spirit of the APPI. With respect to PPC-recognised international frameworks, to date, the PPC Guidelines have identified only the APEC Cross Border Privacy Rules (CBPR) as a recognised international framework on the handling of personal data.

The CSFS Guidelines require that threat-led penetration testing be carried out on a regular basis.

There is no uniform legislation on cyber-resilience. Specific aspects of cyber-resilience are stipulated in each of the individual regulations.

The Labelling Scheme based on the Japan Cyber-Security Technical Assessment Requirements (JC-STAR) provides an evaluation index for the security functions of IoT products. This system is provided by the IPA, and its application began in March 2025.

Handling operators must establish appropriate safeguards to protect personal data (Article 23 of the APPI) and report data breaches to the PPC and, in cases where their rights or interests are likely to have been infringed, notify affected data subjects (Article 26 of the APPI).

MIC and METI published the AI Business Guidelines for AI developers, service providers and users in April 2024. These Guidelines urge businesses to invest in and implement robust security management throughout the entire AI lifecycle, including cybersecurity. They also suggest considering appropriate cyber-access controls.

On 25 December 2025, MIC published draft guidelines outlining technical measures to ensure AI security and prevent information leakage, as well as unintended changes to or shutdowns of AI systems caused by unauthorised operations. These guidelines apply to AI developers and service providers as defined in the AI Business Guidelines.

The MHLW issued the Guidelines on Safety Management of Medical Information Systems (last amended in May 2023). While the MHLW guidelines and an announcement issued by the Ministry in October 2018 indicate that medical service providers should report cybersecurity incidents to the authorities, no special rules have been issued for statutory data breach reporting or notification in this regard.

MIC and METI jointly issued the Guidelines on Safety Management for Providers of Information Systems and Services Handling Medical Information (last amended in July 2023).

Mori Hamada & Matsumoto

16th Floor, Marunouchi Park Building
2-6-1 Marunouchi
Chiyoda-ku
Tokyo
Japan
100-8222

+81 3 6212 8330

info@morihamada.com www.morihamada.com

Trends and Developments


Authors



Nagashima Ohno & Tsunematsu is based in Tokyo, Japan, and is widely recognised as a leading law firm and one of the foremost providers of international and commercial legal services. The firm’s overseas network includes locations in New York, Shanghai, Singapore, Bangkok, Ho Chi Minh City, Hanoi, Jakarta (associate office) and London. The firm also maintains collaborative relationships with prominent local law firms. In representing its leading domestic and international clients, it has successfully structured and negotiated many of the largest and most significant corporate, finance and real estate transactions related to Japan. In addition to capabilities spanning key commercial areas, the firm is known for path-breaking domestic and cross-border risk management/corporate governance cases and large-scale corporate reorganisations. The firm’s over 600 lawyers work together in customised teams to provide clients with the expertise and experience specifically required for each client matter.

Cybersecurity Trends and Regulatory Enforcement in Japan (2025)

In 2025, a series of cyber-incidents occurred in Japan, including Distributed Denial-of-Service attacks targeting critical infrastructure, such as telecommunications and finance, as well as ransomware attacks against a major beverage manufacturer and a leading e-commerce company. These incidents resulted in large-scale personal data breaches and partial suspension of business transactions. As supply chains become increasingly complex, the risk that damage from cyber-incidents will affect not only a company’s own corporate group but also its entire supply chain ‒ including contractors and business partners ‒ has become more pronounced.

Based on these circumstances in Japan, this article examines recent actions taken by the relevant authorities to address cyberthreats to personal data, enhance cybersecurity resilience, and mitigate cybersecurity supply chain risks.

Recent Enforcement and Administrative Guidance by the PPC

Since 2024, the Personal Information Protection Commission (PPC) has published quarterly summaries of its enforcement activities and the processing status of data breach reports. The PPC’s active enforcement trend continued through the first half of fiscal year 2025.

During this period, 62.1% of reported breaches involved sensitive personal data, followed by “breaches caused by unjust purposes, such as unauthorised access” at 21.2%.

The following reflects the volume of regulatory actions processed by the PPC.

  • Breach report processing: 7,733 cases in FY2024 H1, 11,323 cases in FY2024 H2, and 8,933 cases in FY2025 H1.
  • Guidance and advice: 203 cases in FY2024 H1, peaking at 395 in FY2024 H2, with 236 cases in FY2025 H1.
  • Recommendations: while no recommendations or orders were issued in FY2024 H1, the PPC issued one recommendation in FY2024 H2. By FY2025 H1, this increased to two recommendations and one formal administrative order.
  • Monitoring activities: in FY2025 H1, the PPC conducted 11 collections of information and two on-site inspections.

Case studies of administrative guidance and implications for businesses

The PPC has frequently issued guidance regarding deficiencies in measures for managing the security of personal data under the Act on the Protection of Personal Information (APPI), particularly in cases involving unauthorised access. For instance, in a case where a ransomware attack led to a public finding of inadequate security, the following failures were highlighted, among others.

  • Technical: failure to update VPN devices and insufficient password strength.
  • Organisational: lack of formalised rules for data storage, no password policy regarding length/character complexity, and a failure to conduct regular audits or inspections.
  • Human: employees were unable to access storage rules at all times, and appropriate security training was not provided.

Businesses in Japan, especially those handling substantial volumes of personal information, should regularly review these PPC reports, continuously update their technical, organisational, and human security measures, and implement measures to supervise their contractors.

Furthermore, the Ministry of Internal Affairs and Communications (MIC) issued administrative guidance to a mobile carrier regarding a breach of the secrecy of communications. In this instance, although a third party obtained user IDs and passwords ‒ making private communications accessible ‒ the carrier failed to verify the breach promptly, delaying the initial report by more than three months.

Discussion on the “Three-Year Review” of the APPI

When the APPI was amended in 2020, a supplementary provision was included requiring the regulatory regime to be reviewed every three years to keep pace with technological changes. Pursuant to this mandate, the PPC is currently conducting its latest review, which includes significant proposals such as the introduction of an administrative surcharge system.

As part of this process, the PPC released its “Future Directions for Consideration” in January 2025, published the “Conceptual Approach to Institutional Challenges” in March, and held a public comment period in April. In January 2026, the PPC released the “Policy for Institutional Reform” (the “Reform Policy”), expressing its intent to submit an amendment bill to the Diet as early as possible this year.

Key discussions on the “Three-Year Review” relevant to cybersecurity

The Reform Policy generally aligns with previous discussions. Key points regarding cybersecurity include the following.

  • Introduction of a surcharge system: to deter malicious violations involving large-scale data, a surcharge system will be introduced. However, deficiencies in measures for managing the security of personal data are not currently listed as targets for surcharges, unless the incident also involves the designated illegal acts.
  • Relaxation of notification requirements: the obligation to notify affected individuals may be relaxed in cases where there is a low risk of harming the rights and interests of those individuals.
  • Streamlining breach reporting: the PPC is considering exempting businesses from “prompt preliminary reports” if they have their systems verified by a third party. Additionally, for minor errors, businesses may be allowed to submit consolidated reports at fixed intervals.
  • Integration with the Cyber-Resilience Enhancement Act: to reduce the administrative burden on businesses, the PPC will co-ordinate with the “Act on Prevention of Damage caused by Unjust Acts against Important Computers” to unify reporting formats and contact points. Reporting thresholds will also be adjusted to align with the risk-based approach of the new cybersecurity laws.
  • Postponement of collective redress: the proposal to grant qualified consumer organisations the right to seek injunctions and damages has been postponed in this amendment cycle due to the need for further co-ordination with existing consumer litigation systems.

Impact on business operators

The 2026 APPI review is expected to alleviate the administrative burden of incident response while mitigating the most severe legal risks originally anticipated by the industry. While a surcharge system will be introduced to deter designated malicious violations, the current policy does not list deficiencies in security management measures as a direct target for surcharges. This clarifies that breaches resulting solely from security vulnerabilities, without accompanying designated illegal acts, are not currently expected to trigger these substantial financial penalties. As the PPC aims for the early submission of the amendment bill to the Diet in 2026, businesses should view this period as an opportunity to refine their internal governance.

Cybersecurity Response Capability Enhancement Act

The Cybersecurity Response Capability Enhancement Act (official title: Act on Prevention of Damage Caused by Unauthorized Acts Against Important Computers; the “Act” in this section), promulgated on 23 May 2025, aims to prevent harm caused by specified unlawful acts (“Specified Unlawful Acts”) defined under the Act, such as unauthorised access, against important computers (“Important Computers”) as defined under the Act. These computers are used by the national government, critical infrastructure, and business operators that hold important information (ie, information classified under Japanese national security related laws, including special defence secrets, designated secrets, defence equipment secrets, and critical economic security information). It establishes a comprehensive framework for the government’s acquisition and analysis of telecommunications information defined under the Act, reporting systems for special social infrastructure operators (“Special-SIO”) defined under the Act, agreement-based public–private information sharing, requests for co-operation to telecommunications carriers, and supervisory and inspection mechanisms. Implementation will be phased, and the Act’s core provisions, including the notification and reporting obligations described below, are scheduled to come into force on 1 October 2026 (not yet formally determined).

The Act is one of the key components of Japan’s Active Cyber Defence policy and establishes the principle that the exercise of powers must be strictly limited to the minimum necessary, with due regard for the constitutionally guaranteed secrecy of telecommunications.

In imposing incident reporting obligations on critical infrastructure operators, structuring public–private information sharing, and providing for governmental supervision and enforcement to improve cybersecurity, the Act shares common elements with the European Union’s NIS 2 Directive.

Affected companies

Under the Act, the obligations fall on Special-SIOs. An entity is a Special-SIO if it (i) falls under the definition of a specified social infrastructure operator (“Specified-SIO”) (ie, a social infrastructure operator designated across 15 sectors, including electricity, telecommunications, finance, and railway, under the Economic Security Promotion Act), and (ii) uses specified important computers (SIC) defined under the Act.

Although, by their nature, Special-SIOs are unlikely to be foreign companies, computer vendors that supply Special-SIOs may be affected in practice. Accordingly, companies that are not themselves Special-SIOs should nevertheless take note of the Act.

Reporting upon the occurrence of specified compromise events

Where an entity qualifies as a Special-SIO and uses SICs, it must submit notifications upon initial deployment and upon configuration changes, and it is obliged to promptly report upon becoming aware of a specified compromise event defined under the Act (ie, a situation where the cybersecurity of important computers is compromised due to specified unlawful acts).

The statute does not impose a legal duty of co-operation on vendors of computers and related equipment. However, vendors that supply such equipment to Special-SIOs may be required, under their contracts with those operators, to provide necessary co-operation for such reporting.

Reporting obligation for vulnerabilities

Under the Act, a framework will be established for providing, requesting, and collecting vulnerability information from vendors of computers and related equipment. Accordingly, foreign vendors may be required by the Prime Minister or by the minister with jurisdiction over the supply of computers and related equipment to submit reports or materials concerning the products they have supplied. Special-SIOs may also require contractual provisions calling for ongoing remediation of vulnerabilities in delivered equipment; this aligns with existing practice.

Participant agreements

A participant agreement (PA) defined under the Act is a bilateral arrangement under which a business provides telecommunications information defined under the Act to the government (the Prime Minister) and, in return, receives individualised analytic outputs generated from analyses that use inbound and outbound telecommunications information. Businesses other than Special-SIOs may also enter into a PA if they qualify as users of business telecommunications services; foreign-affiliated companies can also be counterparties to such agreements.

Timeline and enforcement

Businesses that have already deployed SICs are not required to file notifications immediately on the Act’s effective date. There is a six-month grace period from that date, meaning that, in practice, many businesses will be able to file by 31 March 2027. Where a Special-SIO commits a violation, the competent minister may issue orders, require reports, and provide guidance or advice. Given the above, Special-SIOs may aim for strict compliance, and vendors should therefore also prepare for the Act’s entry into force.

Trends in Addressing Cybersecurity Supply Chain Risks

Impact of the enforcement of the Proper Transactions Act

In May 2025, amendments to the Subcontract Act were enacted. The amended legislation, under its new title “Act Against Delay in Payment of Fees, etc. to Small and Medium-sized Entrusted Business Operators in Manufacturing and Other Specified Fields” (the “Proper Transactions Act”), took effect on 1 January 2026. These amendments broaden the scope of applicable transaction parties and introduce additional prohibited acts for contractors.

Specifically, regarding the expansion of the scope of applicable transaction parties, the amended law introduces a new employee standard. This employee standard includes the following two cases.

  • First case: the Proper Transactions Act applies when a business operator that is a corporation with more than 300 regular employees contracts with a business operator that is a corporation or individual with 300 or fewer regular employees for manufacturing outsourcing, repair outsourcing, outsourcing for the creation of information deliverables (limited to program creation), outsourcing for service provision (limited to transportation, storage of goods in warehouses, and information processing), or transportation outsourcing meeting certain conditions.
  • Second case: the Proper Transactions Act applies when a business operator that is a corporation with more than 100 regular employees outsources the creation of information deliverables (excluding those mentioned above) or the provision of services (excluding those mentioned above) to a business operator that is a corporation or individual with 100 or fewer regular employees.

With the addition of these requirements, large enterprises that demand certain security standards from SMEs acting as suppliers or contractors in their supply chains, thereby imposing certain transaction costs on those SMEs, must re-examine whether their transactions fall under the scope of the Proper Transactions Act.

Furthermore, the amended law introduces a new prohibition against determining payment amounts without proper consultation. While the previous Subcontract Act already prohibited large enterprises subject to its application from unilaterally reducing subcontractor payments or forcing down prices on SMEs also subject to the law, this provision was introduced due to concerns about large enterprises passing on price increases to SMEs during periods of rising transaction costs. Historically, the Japanese Fair Trade Commission (JFTC) interpreted and classified the following actions as prohibited acts under the Subcontract Act: (i) large enterprises subject to the Subcontract Act failing to explicitly consult with SMEs regarding the necessity of passing on price increases during periods of rising transaction costs, and (ii) large enterprises maintaining prices unchanged without providing reasons in response to price increase requests from SMEs. These were deemed to constitute unfair price suppression. In this sense, it could be argued that determining payment amounts without appropriate consultation was already subject to regulation. However, it is important to note that the amendment explicitly lists this practice as a prohibited act. Consequently, it cannot be ruled out that the JFTC will strictly enforce the law against such practices going forward.

METI/JFTC: building partnerships with business partners to enhance cybersecurity across the supply chain (Unfair Competition Prevention Act/Subcontract Act)

To clarify the applicability of the Antimonopoly Act and the Proper Transactions Act (formerly known as the Subcontract Act prior to the amendment noted above) in situations where large corporations, as ordering parties, request SMEs and other business partners to implement cybersecurity measures as a condition of the transaction, the Ministry of Economy, Trade and Industry (METI) and the JFTC published a document in October 2022 titled “Toward Building Partnerships with Business Partners to Enhance Cybersecurity Across the Entire Supply Chain.”

In December 2025, METI and the JFTC published an explanatory document supplementing their earlier guidance titled “Toward Building Partnerships with Business Partners to Enhance Cybersecurity Across the Entire Supply Chain”. This document further clarifies the relationship with the Antimonopoly Act and the Proper Transactions Act, presenting hypothetical cases deemed “not problematic” along with explanations detailing the scenarios.

Specifically, it envisions a scenario where a large enterprise, as the ordering party, requests its SME business partners to implement security measures based on a security evaluation system aimed at strengthening the supply chain. Within this scenario, the document explains how the large enterprise (ordering party) and its SME business partners can establish an appropriate partnership, conduct price negotiations regarding security measures, and reach a mutually satisfactory agreement.

The creation of this document stems from two major challenges: the increasing cybersecurity risks across the entire supply chain and the uncertainty surrounding the cost burden of countermeasures. In recent years, cyber-attacks targeting not only large corporations but also their SME suppliers have become increasingly sophisticated. A vulnerability at a single point can lead to business disruption or information leaks across the entire supply chain, making co-ordinated countermeasures essential rather than isolated efforts by individual companies. On the other hand, surveys by relevant authorities indicate that many SMEs do not perceive the necessity of such measures. Therefore, it is necessary for ordering companies to take the lead in promoting countermeasures. However, the document published by METI and the JFTC in October 2022 outlined basic principles but did not clearly define specific “price negotiation or cost-sharing models.” Consequently, large companies, as the ordering parties, sought clarification on how to pass on the costs of organisational security measures to their SME suppliers, particularly in relation to the Antimonopoly Act and the Proper Transactions Act.

Against this backdrop, in December 2025, METI and the JFTC published this document to clarify the following key points:

  • promoting a positive co-operative relationship between large corporations (the ordering parties) and SMEs (their suppliers) to enhance the resilience of the entire supply chain;
  • presenting specific negotiation approaches to ensure that passing on security measure costs does not raise issues under the Antimonopoly Act or the Proper Transactions Act; and
  • utilising the “Security Measures Evaluation System for Supply Chain Strengthening” under consideration by METI to visualise the security measures status of suppliers, thereby stabilising and facilitating transactions.

Based on the foregoing, when large corporations negotiate cost-sharing arrangements for necessary security measures with SME suppliers or contractors, it is imperative for large corporations to provide a sufficient notification period, offer thorough explanations and facilitate discussions, and properly document these explanation and discussion processes (eg, by retaining meeting minutes and explanatory materials).

METI’s moves towards establishing a security measures evaluation system for supply chain strengthening

METI is advancing the establishment of a security measures evaluation system to strengthen supply chains. This initiative aims to address the frequent security incidents occurring within supply chains in recent years and to enhance the overall security level across the supply chain.

Background and purpose of system development

A significant challenge exists where ordering companies find it difficult to visualise the security measures status of their suppliers, while these suppliers (especially SMEs) experience an excessive burden due to the diverse requirements of multiple ordering companies. To address this issue, the security evaluation system aims to promote effective countermeasures against supply chain risks, such as information leaks, business interruptions, and unauthorised intrusions, and to enhance visibility of the response status. This is achieved through the acquisition of the “Mark (★)”, assigned based on compliance with the system’s standards.

This visualisation clarifies the necessary countermeasures for contractors while enabling ordering companies to easily and appropriately assess the security status of their partners.

Scope and positioning of the system

This system targets companies’ IT infrastructure, including both on-premises and cloud environments. It does not extend to manufacturing environment control systems (OT) or the products themselves. The system identifies three primary risks: (i) disruption of the company’s own business or service provision, (ii) leakage or tampering of confidential information, and (iii) unauthorised intrusion using business partners as a stepping stone.

Overview of the tiered assessment system (★3 to ★5)

Three levels are established based on a company’s position and risk profile.

  • ★3 (Basic): this level outlines fundamental organisational and system defences against common cyberthreats. It requires an annual self-assessment with expert verification.
  • ★4 (Standard): this level outlines comprehensive and standard countermeasures to prevent damage escalation and strengthen supply chain resilience. It requires third-party evaluations, including on-site audits and technical verification, every three years.
  • ★5 (Advanced): this level addresses advanced cyber-attacks, including unknown threats, through a risk-based improvement process. Details regarding third-party assessments for this level will be specified in the future.

Security requirements and evaluation criteria

Requirements are structured based on classifications aligned with the NIST CSF (Cybersecurity Framework), with the addition of “Vendor Management.” Key items include governance establishment, vendor management, risk identification, defence, detection, response, and recovery measures.

Implementation promotion measures

To promote the adoption of this system, multifaceted support measures are planned, including the following.

For SMEs, support measures include developing new types of “Cybersecurity Assistance Team Services” and establishing mechanisms for matching SMEs with experts. Furthermore, to ensure appropriate cost pass-through, the framework clarifies concepts under the Antimonopoly Act and the Proper Transactions Act to prevent security measure costs from being treated as “unreasonable costs.” This promotes the establishment of appropriate partnerships between large enterprises and SMEs. Additionally, there are plans to encourage adoption of these measures in government procurement and by critical infrastructure operators.

Future schedule

In 2025, METI finalised the above institutional framework policy, conducted demonstration projects, and solicited public comments. In 2026, METI aims to advance the preparation of the operational infrastructure and commence operations in the latter half of the year.

Nagashima Ohno & Tsunematsu

JP Tower, 2-7-2 Marunouchi
Chiyoda-ku
Tokyo 100-7036
Japan

+81 3 6889 7396

+81 3 6889 8396

yasushi.kudo@nagashima.com www.nagashima.com/lawyers/yasushi_kudo/

Trends and Developments

Authors



Nagashima Ohno & Tsunematsu is based in Tokyo, Japan, and is widely recognised as a leading law firm and one of the foremost providers of international and commercial legal services. The firm’s overseas network includes locations in New York, Shanghai, Singapore, Bangkok, Ho Chi Minh City, Hanoi, Jakarta (associate office) and London. The firm also maintains collaborative relationships with prominent local law firms. In representing its leading domestic and international clients, it has successfully structured and negotiated many of the largest and most significant corporate, finance and real estate transactions related to Japan. In addition to capabilities spanning key commercial areas, the firm is known for path-breaking domestic and cross-border risk management/corporate governance cases and large-scale corporate reorganisations. The firm’s over 600 lawyers work together in customised teams to provide clients with the expertise and experience specifically required for each client matter.
