Weekday Japan business intelligence for finance professionals.

Join the list
Tokyo Brief東 京 ブ リ ー フ

Japan's day, wrapped and delivered by morning.

Policy Watch

Japan moves to rewrite the first six months of cyber reporting for designated infrastructure operators

The draft order would revisit the grace periods around system registration and incident reporting for designated critical-infrastructure operators, where current rules let some filings wait six months from designation and waive reports on early incidents.

Jul 3, 20262 min read
Editorial illustration of a secure operations center with server racks and compliance checkpoints.

Japan is proposing to rewrite the transition rules that govern how quickly newly designated special critical infrastructure operators must register specified critical computer systems and report certain cyber incidents, in a joint draft order now out for comment. Public comments run until Aug. 2.

The rule sits inside a broad ministerial coalition, the Cabinet Office plus ministries handling internal affairs, justice, finance, health, agriculture, industry and transport, which is bureaucratic shorthand for a cross-sector obligation rather than a niche cyber notice.

The draft does not rebuild the reporting regime from scratch. It goes after the grace period, which is where compliance teams find out whether a rule is merely annoying or genuinely calendar-changing. Under the current order, notification of a specified critical computer system is normally due within four months of introduction. If that system is introduced within two months of an operator's designation, the deadline can instead run to six months from designation. A separate transitional rule currently waives incident reporting for events that occur within six months of designation. The new draft revises those carve-outs so they line up with the amended Economic Security Promotion Act.

Transition rules under review
Summary from the draft overview in the packet. The excerpt does not show the full replacement wording.
AreaCurrent rule described in overviewWhat the draft does
Register specified critical computer systemsNormally within 4 months of introduction. If introduced within 2 months of designation, within 6 months of designation.Revises the transitional rule to align with the amended Economic Security Promotion Act.
Report specified cyber incidentsIncidents occurring within 6 months of designation are currently exempt from reporting.Revises the transitional rule to align with the amended Economic Security Promotion Act.

That matters because the first months after designation are when operators are still inventorying systems, testing escalation lines and working out who signs what. Change the transition window and you change filing dates, internal controls, and potentially whether an early incident falls inside or outside a formal reporting duty. The draft says the revision follows partial implementation of a 2026 amending law tied to Japan's economic-security framework.

There is an important caveat. The packet excerpt shows the current carve-outs clearly and makes clear they are being revised, but it does not fully surface the replacement wording. Readers can therefore see where the pressure point sits, the initial designation period, without being able to say from this packet alone whether the final rule will be tighter, looser or simply cleaner in legal drafting.

Still, the signal is useful. Tokyo's economic-security push is now reaching the plumbing of cyber compliance, not just the statutory headline. Transition rules sound bureaucratic until day 120, or day one.