Weekday Japan business intelligence for finance professionals.

Join the list
Tokyo Brief東 京 ブ リ ー フ

Japan's day, wrapped and delivered by morning.

Policy Watch

Japan Opens Comment Window on New Cyber Incident Reporting Duties for Critical Infrastructure Operators

Comments close August 19 on draft rules requiring designated infrastructure operators to notify Tokyo about sensitive computer systems and report qualifying cyber incidents under Japan's cyber-response law.

Jul 15, 20262 min read
Rows of server racks in a data center with a technician adjusting network cables, representing the computer systems now subject to Japan's draft cyber-incident reporting rules.

Japan's Cabinet Office and seven ministries opened a public comment period on July 15, 2026, seeking feedback on draft guidance that spells out two new obligations for a category of firms the government calls "special critical infrastructure operators". The guidance sits under the Act on Strengthening Cyber Coping Capabilities, and comments must reach the government by midnight on August 19, 2026.

The joint effort brings together the Cabinet Office, the Ministry of Internal Affairs and Communications, the Ministry of Justice, the Ministry of Finance, the Ministry of Health, Labour and Welfare, the Ministry of Agriculture, Forestry and Fisheries, the Ministry of Economy, Trade and Industry, and the Ministry of Land, Infrastructure, Transport and Tourism.

Two duties, one law

The draft guidance addresses notification of "specified critical computers" and reporting of "specific compromise events," the law's term for qualifying cyber incidents. Both duties fall on operators the law designates as special critical infrastructure operators. The notification requirement tracks the scope set out in Article 2, Paragraph 2, Item 2 of the Act; the draft's table of contents, included in the comment package, breaks that scope into computers used directly by designated operators and programs embedded within them.

Submitting a comment, and what's still missing

Anyone submitting comments must do so in Japanese, either through the e-Gov online form or by post to the Cabinet Office's cyber security policy division at its Akasaka, Tokyo address. The notice says submitted comments will serve as a reference for the government's final decision, without detailing what happens once the window closes.

The material available for review runs through the notice itself, a procedural cover document, and the opening section of the draft explanatory guidance, which covers definitions up to the scope of embedded programs. The guidance's later sections, covering incident-reporting timelines, thresholds, and any consequences for missed reports, are not part of what has been reviewed for this article.

For now, the concrete facts are the deadline and the two duties: notify on specified critical computers, report on specific compromise events, with August 19 as the date to have a view on record.