Japan's Cabinet Office and seven ministries opened a public comment period on July 15, 2026, seeking feedback on draft guidance that spells out two new obligations for a category of firms the government calls "special critical infrastructure operators". The guidance sits under the Act on Strengthening Cyber Coping Capabilities, and comments must reach the government by midnight on August 19, 2026.
The joint effort brings together the Cabinet Office, the Ministry of Internal Affairs and Communications, the Ministry of Justice, the Ministry of Finance, the Ministry of Health, Labour and Welfare, the Ministry of Agriculture, Forestry and Fisheries, the Ministry of Economy, Trade and Industry, and the Ministry of Land, Infrastructure, Transport and Tourism.
Two duties, one law
The draft guidance addresses notification of "specified critical computers" and reporting of "specific compromise events," the law's term for qualifying cyber incidents. Both duties fall on operators the law designates as special critical infrastructure operators. The notification requirement tracks the scope set out in Article 2, Paragraph 2, Item 2 of the Act; the draft's table of contents, included in the comment package, breaks that scope into computers used directly by designated operators and programs embedded within them.
Submitting a comment, and what's still missing
Anyone submitting comments must do so in Japanese, either through the e-Gov online form or by post to the Cabinet Office's cyber security policy division at its Akasaka, Tokyo address. The notice says submitted comments will serve as a reference for the government's final decision, without detailing what happens once the window closes.
The material available for review runs through the notice itself, a procedural cover document, and the opening section of the draft explanatory guidance, which covers definitions up to the scope of embedded programs. The guidance's later sections, covering incident-reporting timelines, thresholds, and any consequences for missed reports, are not part of what has been reviewed for this article.
For now, the concrete facts are the deadline and the two duties: notify on specified critical computers, report on specific compromise events, with August 19 as the date to have a view on record.
