Japan is close to giving a newly defined class of companies a single paperwork problem instead of several. The Cabinet Office, working with seven other ministries, has opened public comment on draft forms that "special critical infrastructure operators" will use to report cyberattacks once the Act on Prevention of Damage Caused by Unauthorized Acts Against Critical Computers takes effect on October 1, 2026.
The law requires these operators to report what it calls "specified compromise events". Rather than leaving each ministry to specify its own reporting paperwork, the draft rule sorts every incident into one of three common templates: a form for DDoS attack cases, a form for ransomware cases, and a catch-all form for any other cyberattack-related incident.
| Form | Covers |
|---|---|
| Form 1 | DDoS attack cases as defined in the interagency memorandum |
| Form 2 | Ransomware cases as defined in the interagency memorandum |
| Form 3 | All other cyberattack-related incidents |
The forms do not replace whichever law or guideline actually triggered the reporting duty. The draft package itself notes that the specific submission destination, method, and any additional required items still follow the individual law or guideline behind the report, with the common forms meant to standardize the reporting layout rather than consolidate every regulator's separate demands into one office.
The push to simplify traces back to two 2024-2025 policy documents cited in the draft package: a November 2024 report from a government expert panel on cyber-security response capability, which argued that unifying report destinations and forms would ease the burden on victim organizations and speed up the government's own response, and a February 2025 meeting of the Cyber Security Strategy Headquarters that flagged the same form-unification task as urgent. The reasoning given is straightforward: DDoS and ransomware incidents are usually obvious as cyberattacks from the moment they are detected, so victim companies end up filing initial reports while still in the middle of incident response, and the sheer number of government contacts has made that burden heavier as attack volumes have risen.
The comment period runs from July 13, 2026 to August 17, 2026, with submissions due in Japanese through the e-Gov online form or by post. The underlying law was enacted in 2025 as Act No. 42 and is scheduled to take effect on October 1, 2026.
What is not yet settled in the public draft: which companies will actually be designated special critical infrastructure operators, and how the new common forms interact with the separate reporting duties companies may already carry under sector rules or Japan's personal information protection law. Those details sit with the individual laws and guidelines the draft package says will continue to govern actual submission, not with the forms themselves.
