Japan is proposing to rewrite the transition rules that govern how quickly newly designated special critical infrastructure operators must register specified critical computer systems and report certain cyber incidents, in a joint draft order now out for comment. Public comments run until Aug. 2.
The rule sits inside a broad ministerial coalition, the Cabinet Office plus ministries handling internal affairs, justice, finance, health, agriculture, industry and transport, which is bureaucratic shorthand for a cross-sector obligation rather than a niche cyber notice.
The draft does not rebuild the reporting regime from scratch. It goes after the grace period, which is where compliance teams find out whether a rule is merely annoying or genuinely calendar-changing. Under the current order, notification of a specified critical computer system is normally due within four months of introduction. If that system is introduced within two months of an operator's designation, the deadline can instead run to six months from designation. A separate transitional rule currently waives incident reporting for events that occur within six months of designation. The new draft revises those carve-outs so they line up with the amended Economic Security Promotion Act.
| Area | Current rule described in overview | What the draft does |
|---|---|---|
| Register specified critical computer systems | Normally within 4 months of introduction. If introduced within 2 months of designation, within 6 months of designation. | Revises the transitional rule to align with the amended Economic Security Promotion Act. |
| Report specified cyber incidents | Incidents occurring within 6 months of designation are currently exempt from reporting. | Revises the transitional rule to align with the amended Economic Security Promotion Act. |
That matters because the first months after designation are when operators are still inventorying systems, testing escalation lines and working out who signs what. Change the transition window and you change filing dates, internal controls, and potentially whether an early incident falls inside or outside a formal reporting duty. The draft says the revision follows partial implementation of a 2026 amending law tied to Japan's economic-security framework.
There is an important caveat. The packet excerpt shows the current carve-outs clearly and makes clear they are being revised, but it does not fully surface the replacement wording. Readers can therefore see where the pressure point sits, the initial designation period, without being able to say from this packet alone whether the final rule will be tighter, looser or simply cleaner in legal drafting.
Still, the signal is useful. Tokyo's economic-security push is now reaching the plumbing of cyber compliance, not just the statutory headline. Transition rules sound bureaucratic until day 120, or day one.
