10/30/2025 | Press release | Archived content
October 30, 2025
Joint news release with National Cybersecurity Office
The Ministry of Economy, Trade and Industry (METI) and National Cybersecurity Office (NCO) have compiled the Guidelines on the Roles Expected of Cyber Infrastructure Providers (draft). These guidelines categorize and describe the roles and responsibilities expected of cyber infrastructure providers that develop, supply, and operate software, and present a framework for reference to help such providers and their customers ensure the effectiveness of cybersecurity measures. METI and NCO have begun a 60-day public comment period for both the Japanese and English versions of the draft guidelines.
Moving forward, METI and NCO plan to finalize the guidelines by the end of this year and intend to expand checklists as annexed documents to promote the wider use of the guidelines.
Software has become the cornerstone of social activities in modern society, and its importance is consistently growing. As cyberattacks exploiting software vulnerabilities could potentially cause significant damage to social infrastructure, businesses involved in software development, supply, and operation are expected to take greater responsibility for implementing cybersecurity measures across software supply chains.
Customers using software, including government agencies and critical infrastructure operators, can manage cybersecurity risks by selecting appropriate cyber infrastructure providers as their software suppliers.
Internationally, concepts such as secure by design (ensuring software is secure during the design stage) and secure by default (enabling customers to use software securely immediately after purchase without incurring additional costs or effort) are gaining broad endorsement, resulting in the publication of international documents related to these approaches.
Against this backdrop, METI and NCO jointly established a working group comprising experts from industry and academia in September 2024. This group has been discussing the responsibilities required of businesses engaged in the development, supply, and operation of software, with the aim of protecting customers who use it.
In Japan, the Basic Act on Cybersecurity prescribes that cyberspace-related business entities and other business entities are to endeavor independently and actively to ensure cybersecurity in the course of their business activities (Article 7.1: Responsibility of Cyberspace-Related Business Entities and Other Business Entities). In July 2025, the Act was revised to include a new provision that information system providers are obliged to make reasonable efforts to provide necessary support for users' endeavors to ensure cybersecurity (Article 7.2).
The Guidelines on the Roles Expected of Cyber Infrastructure Providers (draft) have been compiled as the domestic guidelines pursuant to Article 7, Paragraphs 1 and 2 of the Basic Act on Cybersecurity. These guidelines define business entities that develop, supply, and operate software* (suppliers of information systems) as "cyber infrastructure providers," and describe their specific roles and responsibilities.
*In addition to software provided to customers as a product, this also includes software services such as cloud services, embedded software and firmware provided as part of hardware products such as IT/OT/IoT devices, and software provided as components of systems and services.
With the aim of gathering broad feedback from stakeholders both domestically and internationally, we will initiate a 60-day public comment period for both the Japanese and English versions of the draft guidelines starting today.
These draft guidelines outline the responsibilities expected of cyber infrastructure providers and customers to improve cybersecurity resilience across software supply chains, as well as requirements (specific measures) for fulfilling these responsibilities, arranged into six categories.
Cyber infrastructure providers can make use of the guidelines as a tool to enhance the maturity level of their cybersecurity measures for software supply chains by checking the adequacy of their own organizations' efforts and those of contractors in their supply chains against the requirements checklists of the draft guidelines.
Meanwhile, customers can effectively manage their cybersecurity risks by using the guidelines' requirements checklists to assess prospective cyber infrastructure providers and to select appropriate software suppliers.
Note: The English version does not contain the following:
The materials are available at the following locations.
Submissions must be made between Thursday, October 30, 2025, and Tuesday, December 30, 2025 (Japan Standard Time, UTC+0900).
Please proceed to the comment submission form* available via the e-Gov portal and submit your comments in either Japanese or English.
*Instructions are provided in Japanese only.
If accessing the e-Gov portal is difficult, you may complete the comment submission form found on Page 4 of the "Call for Public Comments" listed in Related Materials below in either Japanese or English and send it via email to the address below.
EMAIL: [email protected]
(Please type "Comments on the Guidelines on the Roles Expected of Cyber Infrastructure Providers (draft)" in the subject line and attach your comment submission form.)
Please note that we cannot accept comments submitted via telephone.
The comments received will be used as a reference for making final decisions. However, please note that individual responses to submitted comments will not be provided. We appreciate your understanding in advance.
Please note that the submitted comments may be made publicly available, excluding personal information such as names, phone numbers and email addresses. However, if the submitted comments include personal information that could identify specific individuals or contain descriptions that may harm the property rights or other rights of individuals, corporations, or other entities, those portions will be redacted before publication.
Any personal information provided with your comments, such as names and contact details, will be managed appropriately and used solely to contact submitters or to clarify unclear points in the submitted comments as part of this public consultation process.
Moving forward, METI and NCO plan to finalize the guidelines by the end of this year and intend to expand the checklists as annexed documents to promote the wider use of the guidelines.
Cybersecurity Division, Commerce and Information Policy Bureau, The Ministry of Economy, Trade and Industry
Policy Planning and Supervisory Unit, National Cybersecurity Office