Weekday Japan business intelligence for finance professionals.

Join the list
Tokyo Brief東 京 ブ リ ー フ

Japan's day, wrapped and delivered by morning.

Policy Watch

Japan drafts single reporting form to speed cyberattack disclosures to companies' many regulators

Japan's privacy regulator wants to end the practice of cyberattack victims filing separate reports to every ministry with a claim on the incident, proposing one common form for ransomware, DDoS and other attacks that would route straight to the national cyber centre from October 1, 2026, pending an August 14 comment deadline.

Jul 16, 20261 min read
Illustration of multiple separate incident-report forms converging into one unified reporting form, symbolizing Japan's proposed single cyberattack reporting format.

Companies hit by a cyberattack in Japan currently face a second headache once the immediate crisis passes: filing near-duplicate incident reports to whichever ministries oversee their industry, under whichever rules apply, on whatever timeline each regulator sets. Japan's Personal Information Protection Commission (PPC) wants to fix that. It opened a public comment period on July 16 for a draft amendment that would let victimized organizations file one common report instead of several.

The draft targets a specific pain point flagged by an expert panel on cyber-security capability in November 2025: DDoS attacks and ransomware incidents are usually obvious as cyberattacks from the moment they hit, and victims must report them during initial incident response, when staff are already stretched thin. The PPC's proposal would let companies use one of three common templates, covering DDoS incidents, ransomware incidents, and other cyberattacks such as unauthorized access or data theft, rather than assembling separate filings keyed to each agency's specific format.

Under the draft, reports filed on these common forms would be shared with the Cabinet Secretariat's National Cyber Security Center for analysis, with the aim of speeding up threat containment across government. The amendment covers reporting obligations tied to Japan's Act on the Protection of Personal Information and its rules on leaks involving the