Cybersecurity

Japan’s Critical-Supply-Chain Rules: Compliance Guide 2025

Japanese Attorney at Law - Bengoshi L.L.

10 min read
Slide summary: Japan critical-supply-chain rules—risk reports, localisation, foreign-ownership vetting, 2025–26 enforcement
TL;DR: Japan’s Economic-Security laws now require companies handling “Specified Critical Supply Chains and Infrastructure” to file risk reports, localise key processes, and obtain ministerial vetting for upgrades or foreign ownership changes. Early mapping of tier-1 and tier-2 suppliers is essential as enforcement widens in 2025-26.

Table of Contents

  1. Introduction
  2. Defining “Specified Critical Supply Chains” in Japan
  3. Mandatory Risk-Assessment and Reporting Requirements
  4. Prior-Notification Rules for Infrastructure Upgrades
  5. Foreign-Ownership Screening and Mitigation Measures
  6. Enforcement, Penalties and Coordination with Allies
  7. Practical Steps for Global Companies
  8. Conclusion

Introduction: Japan Reinforces its Economic Foundations

Japan's Economic Security Promotion Act (ESPA), enacted in May 2022, represents a significant shift in the nation's approach to safeguarding its economic stability and national security. Driven by increasing global uncertainties, technological rivalries, and the lessons learned from pandemic-related disruptions, the ESPA establishes frameworks to proactively address vulnerabilities in critical sectors. Two central pillars of this legislation directly impact businesses operating in or supplying to Japan: measures to ensure the stable supply of specific critical materials and regulations to guarantee the stable provision of core infrastructure services.

These initiatives reflect Japan's recognition that economic resilience is intrinsically linked to national security. For international companies, understanding these regulations is crucial, as they introduce new compliance obligations, affect investment decisions, shape supply chain strategies, and create both challenges and potential opportunities within the Japanese market. This article provides an overview of these two key frameworks under the ESPA.

Pillar 1: Securing Stable Supply of Specific Critical Materials (特定重要物資)

This framework aims to reduce Japan's vulnerability to disruptions in the supply of goods deemed essential for citizens' survival or broad economic activity, particularly where there is excessive reliance on foreign sources.

Objectives and Designation

The core objective is to build resilient supply chains for designated "Specific Critical Materials" (特定重要物資, tokutei jūyō busshi). The designation, made via Cabinet Order based on Article 7 of the ESPA, considers four key criteria:

  1. Importance: The material must be indispensable for citizens' survival or form the foundation of widespread public life or economic activity.
  2. External Dependency: Japan must be overly dependent, or risk becoming overly dependent, on external sources for the material.
  3. Risk of Disruption: There must be a recognized risk that external actions could disrupt the supply, jeopardizing national security.
  4. Necessity for Action: Specific measures under the ESPA must be deemed particularly necessary to ensure a stable supply (considering if other existing policies are insufficient).

Initially designated in December 2022, the list currently includes items such as certain antibiotics, fertilizers, permanent magnets, machine tools and industrial robots, aircraft parts, semiconductors, storage batteries, cloud programs, natural gas, critical minerals, and ship parts. The list is dynamic; for instance, advanced electronic components (capacitors, filters) were added, and uranium was included under critical minerals in February 2024.

The Support System for Businesses

Instead of purely restrictive measures, the ESPA focuses on providing support to private sector entities that contribute to strengthening the supply chains for these critical materials. This involves a system where businesses submit plans for approval to receive government assistance.

  1. Supply Assurance Plans (供給確保計画, kyōkyū kakuho keikaku): Businesses seeking support must create and submit a "Supply Assurance Plan" to the competent minister (Article 9). These plans outline the company's proposed initiatives to contribute to the stable supply of a specific critical material. Required elements typically include:
    • Objectives, content, and duration of the initiative.
    • Implementation structure (personnel, management systems).
    • Required funding and procurement methods.
    • Measures to ensure smooth and reliable execution.
    • Information management systems, including safeguards against technology leakage (a crucial point for companies dealing with sensitive IP).
    • Current status of the company's procurement, supply, or use of the critical material.
  2. Certification and Support: If the minister certifies the plan as meeting the requirements outlined in specific guidelines (取組方針, torikumi hōshin) established for each material, the business becomes eligible for support measures (Article 8, Article 26). These can include:
    • Subsidies: Direct financial assistance provided through designated public-private support corporations (安定供給確保支援法人, antei kyōkyū kakuho shien hōjin) or independent administrative agencies.
    • Financial Aid: Low-interest loans facilitated through entities like the Japan Finance Corporation (JFC) or other designated financial institutions, and interest subsidies for loans obtained from private banks.
    • Support for SMEs: Special provisions under laws governing investment promotion and credit insurance for small and medium-sized enterprises (SMEs) to facilitate fundraising (Articles 27, 28).
  3. Government Measures: For materials where securing a stable supply through private sector support alone is deemed difficult, the competent minister can designate them for special measures, such as government stockpiling (Article 44). The government also has the authority to request reports or data from businesses regarding the production, import, sale, procurement, or storage of critical materials or their raw materials, although cooperation with such investigations is currently framed as a best-effort obligation (Article 48). Strict penalties apply for leaking confidential information obtained during such investigations (Article 93).

Linkage with Foreign Investment Controls (FEFTA)

The designation of specific critical materials under the ESPA has direct implications for Japan's foreign investment screening regime under the Foreign Exchange and Foreign Trade Act (FEFTA, 外為法). In April 2023, following the initial designation of critical materials, Japan amended its FEFTA regulations to designate several related business sectors as "core industries" (コア業種).

This means that foreign investors seeking to acquire stakes (typically 1% or more for listed companies, or any stake in non-listed companies) or exert influence in Japanese companies operating in these newly designated core sectors—such as fertilizer importing, manufacturing of machine tools/robots, storage batteries/materials, metal smelting, metal 3D printers/powders, permanent magnets/materials, semiconductor manufacturing equipment, natural gas wholesaling, and manufacturing of key ship components (e.g., engines)—are now subject to mandatory pre-transaction notification and government review. This significantly tightens scrutiny over foreign investment in these sensitive supply chain areas, limiting the availability of exemptions that might otherwise apply to portfolio investments.

Implications for Foreign Businesses

  • Supply Chain Strategy: Companies relying on materials designated as critical need to assess potential risks and consider diversification or participation in Japan-based initiatives.
  • Investment Opportunities & Obligations: Investing in sectors related to critical materials in Japan might open doors to government support under the ESPA, but it also triggers heightened FEFTA scrutiny. Certified plans require robust implementation structures and technology protection measures.
  • Compliance: Understanding both ESPA support requirements and FEFTA investment restrictions is crucial for compliance and strategic planning.
  • Information Requests: Businesses in relevant sectors should be prepared for potential government requests for information on their supply chain activities.

Pillar 2: Ensuring Stable Provision of Core Infrastructure Services (基幹インフラ)

This framework addresses the security and resilience of Japan's most critical infrastructure services against disruption, particularly from external threats like cyberattacks or compromised equipment introduced through the supply chain.

Objectives and Designation

The system focuses on ensuring the stable provision of "Core Infrastructure Services" (特定社会基盤役務, tokutei shakai kiban ekimu). These are essential services whose disruption could significantly harm public life, economic activity, or national security.

  1. Designated Sectors: Fourteen sectors are currently designated by Cabinet Order (Article 50(1), ESPA Enforcement Order Art. 9) as core infrastructure businesses (特定社会基盤事業, tokutei shakai kiban jigyō):
    • Electricity, Gas, Petroleum, Water Supply
    • Railways, General Motor Trucking, Ocean Freight Shipping
    • Aviation, Airports
    • Telecommunications, Broadcasting, Postal Services
    • Finance, Credit Cards
    • A fifteenth sector, Port Transportation (港湾運送), was added by a May 2024 ESPA amendment following a major cyberattack at a Japanese port in 2023. The specifics for this sector are pending implementation (within 1.5 years of May 17, 2024).
  2. Designated Providers: Within these sectors, specific providers are designated by the competent ministers as "Specified Core Infrastructure Providers" (特定社会基盤事業者, tokutei shakai kiban jigyōsha) based on criteria like business scale and the difficulty of finding alternatives (Article 50(1)). As of late July 2024, 212 providers had been designated. Foreign-owned entities operating in these sectors in Japan can be, and some are, designated.

The Prior Review System for Critical Equipment

The core of this framework is a mandatory prior review system (Article 52). Designated providers must submit detailed plans to the competent minister for review and approval before undertaking certain actions related to "Specified Critical Equipment" (特定重要設備, tokutei jūyō setsubi). This equipment includes systems, devices, or programs essential for providing the core service, whose failure could cause significant disruption (e.g., control systems, core communication equipment).

The review is triggered by two main scenarios:

  1. Introduction of Specified Critical Equipment: Procuring and installing new critical equipment from another business operator.
  2. Outsourcing of Important Maintenance, etc.: Commissioning another business operator to perform "Important Maintenance Management, etc." (重要維持管理等, jūyō iji kanri tō) or operation of critical equipment. This includes tasks like regular maintenance, repairs, monitoring, software updates, and system operation.

This system became fully operational on May 17, 2024, following a six-month transitional period after the initial designation of providers in November 2023. Importantly, the review requirement applies not only to new contracts but also potentially to software updates that add or change functionality in existing equipment, and to renewals (including automatic renewals) of existing maintenance contracts entered into before the system started.

Plan Submission and Content ("Introduction Etc. Plan")

The designated provider must submit an "Introduction Etc. Plan" (導入等計画書, dōnyū tō keikakusho) containing extensive details (Article 52(2), related Ministerial Ordinances):

  • Transaction Details: Overview of the equipment being introduced or the maintenance being outsourced, timing, duration, etc.
  • Supplier/Contractor Information: Extensive details about the immediate supplier or maintenance contractor, including:
    • Name, representative, address, country of incorporation.
    • Shareholders holding 5% or more (name, nationality/jurisdiction, ownership percentage).
    • Officers (name, date of birth, nationality).
    • Significant dealings with foreign governments over the past three years.
  • Deep Supply Chain Scrutiny: Similar detailed information must generally be provided for:
    • Suppliers of "constituent equipment" (構成設備, kōsei setsubi) – key components within the critical equipment (e.g., servers, OS, core applications).
    • Subcontractors involved in maintenance, down to the final tier performing relevant tasks.
  • Risk Management Measures: A description of measures taken by the designated provider to prevent "specified interference activities" (特定妨害行為, tokutei bōgai kōi). This refers to actions, often originating from outside Japan (like cyberattacks or introduction of malicious functions), aimed at disrupting the stable provision of the core service. The plan format includes checklist items across categories like:
    • Verification of equipment integrity (e.g., vulnerability testing, checking for malicious code).
    • Measures against unauthorized modification during manufacturing/development (e.g., access controls in development environments).
    • Incident response capabilities (manuals, drills).
    • Business continuity measures (backups, redundancy).
    • Access control and monitoring mechanisms.
    • Ensuring suppliers/contractors comply with relevant laws and standards.
    • Cybersecurity training for maintenance personnel.

The provider must indicate which measures are implemented and often provide supporting documentation. While not all listed measures may be required in every case (depending on assessed risk), a thorough approach is expected.

Challenges in Information Gathering

Gathering the required depth of information, especially regarding multi-tiered international supply chains (including subcontractors and component suppliers), presents significant practical challenges. Suppliers and contractors must cooperate in providing sensitive corporate and personal data (like officer DOBs and nationalities).

  • Privacy Compliance: Collecting and submitting personal data requires compliance with Japan's Act on the Protection of Personal Information (APPI), likely necessitating consent unless a specific legal basis applies. Transferring data from foreign suppliers also requires adherence to their local data protection laws (e.g., GDPR, Chinese regulations).
  • Confidentiality: Suppliers may be reluctant to disclose sensitive ownership, financial, or technical information, especially to their direct customers (the designated provider).
  • Practicalities: Tracing information down multiple tiers can be complex and time-consuming.

The regulations offer some flexibility: information for lower-tier subcontractors can sometimes be simplified if certain conditions are met (e.g., regarding the nature of their work), and suppliers can, in certain cases, submit particularly sensitive information directly to the reviewing ministry rather than through the designated provider. However, robust contractual clauses obligating suppliers/contractors to provide necessary information and cooperate with security measures are essential for the designated provider to meet its submission requirements. The government has published model contract clauses as a reference.

The Review Process and Potential Outcomes

Once a plan is submitted, a 30-day waiting period generally applies before the provider can implement the introduction or outsourcing (Article 52(3)). During this period, the competent minister reviews the plan, assessing the risk of the equipment or maintenance arrangement being exploited for specified interference activities. This risk assessment considers factors related to the equipment itself, the suppliers/contractors involved (including their ownership, foreign ties, and security practices), and the proposed risk management measures.

  • Possible Outcomes:
    • Implicit Approval: If no action is taken within the review period (which can be shortened or extended up to 4 months if necessary), the plan is implicitly approved.
    • Recommendations/Orders: If significant risks are identified, the minister can issue a recommendation (勧告, kankoku) to modify the plan (e.g., implement additional security measures, change suppliers) or cancel the planned activity (Article 52(6)). Failure to comply with a recommendation without justifiable reason can lead to a legally binding order (命令, meirei) (Article 52(10)).
    • Post-Implementation Review: Even after implementation, the minister can issue recommendations or orders if circumstances change or new risks emerge (Article 55).

Implications for Foreign Businesses

  • Direct Regulation: Foreign companies operating designated core infrastructure businesses in Japan are directly subject to the review system.
  • Supplier/Service Provider Impact: Companies (Japanese or foreign) supplying critical equipment or providing maintenance/operational services to designated providers in Japan are indirectly but significantly affected. They will face intense scrutiny regarding their ownership, operations, security practices, and supply chain, and will need to provide extensive information. Failure to meet perceived security standards could lead to exclusion from procurement opportunities.
  • Cybersecurity and Supply Chain Risk Management: The system heavily emphasizes cybersecurity and supply chain integrity. All businesses involved in these sectors need robust risk management programs aligned with the types of measures assessed under the ESPA review.
  • Contractual Obligations: Expect designated providers to impose stringent contractual requirements regarding information sharing, security compliance, and cooperation related to the ESPA review process.

Conclusion: Integrating Supply Chain and Infrastructure Security

The ESPA's frameworks for critical materials and core infrastructure represent a comprehensive effort by Japan to bolster its economic resilience and national security. They move beyond traditional border controls to address vulnerabilities embedded within global supply chains and domestic essential services.

For foreign businesses, these regulations create a more complex operating environment in Japan. Compliance requires a deep understanding of the designation criteria, support mechanisms, prior review processes, and the extensive information disclosure and risk management standards involved. Proactive assessment of how these rules impact specific business activities, investments, supply chains, and contractual relationships is essential. While presenting challenges, these frameworks may also offer opportunities for companies demonstrating robust security practices and contributing to Japan's economic security objectives. Staying informed about the detailed guidelines and evolving enforcement practices will be critical for navigating this new landscape successfully.