Japan is consulting on a narrow but meaningful rewrite of the cyber-security transition rules that apply when a business is brought under its special critical infrastructure framework. The draft would revise two early-stage carve-outs, one on when designated special critical infrastructure operators must file notifications on critical computer systems and another on when they may omit reports on specified cyber incidents, so the order matches this year's amendments to the Economic Security Promotion Act.
Under the current order, notifications for critical computer systems are generally due within four months of installation. There is, however, a transition rule for systems introduced soon after an operator is designated under the Economic Security Promotion Act: if the system is brought in within two months of designation, the filing deadline is extended to within six months from the designation date. A separate transition rule says incidents that occur within six months of designation do not need to be reported under Article 5.
| Obligation | Current order | Draft direction |
|---|---|---|
| File notifications on critical computer systems | Normally within 4 months of installation. If introduced within 2 months after designation, the deadline is within 6 months from designation. | Transitional measure to be aligned with amended Economic Security Promotion Act Article 53(1) proviso. |
| Report specified cyber incidents | Incidents occurring within 6 months after designation do not need to be reported under the current transitional measure. | Transitional measure to be aligned with amended Economic Security Promotion Act Article 53(1) proviso. |
The consultation summary says both carve-outs will be rewritten to line up with the amended Act's Article 53(1) proviso. For operators, that is more than legal housekeeping. These rules determine how much breathing room a newly designated business gets before it must map critical systems into the regime and start reporting qualifying cyber incidents. The consultation summary states the alignment objective clearly, but the excerpt available in the published materials reviewed here does not reproduce the full replacement wording, so the exact operational effect on the dates will turn on the final text.
Comments are open from July 3 to August 2. The proposal is being handled jointly by the Cabinet Office and seven ministries, a sign of how firmly cyber reporting now sits inside Japan's broader economic-security toolkit. For compliance teams, the immediate task is less grand strategy than calendar control: identify systems introduced around the designation date, and test whether early-stage incident workflows would need to change if the draft is adopted.
