Japan: Ministry of Economy, Trade and Industry and National Cybersecurity Office released guidelines on roles expected of cyber infrastructure providers

Description

On 31 March 2026, the Ministry of Economy, Trade and Industry (METI) and the National Cybersecurity Office (NCO) released guidelines on the roles expected of cyber infrastructure providers. The guidelines were developed by the Study Group on the Roles Required of Cyber Infrastructure Providers. This group operates as a joint working group under the Cross-Sectoral Sub-working Group and the Critical Infrastructure Expert Examination Committee of the Cybersecurity Strategy Headquarters, within the Study Group on Industrial Cybersecurity WG1.

The guidelines set out the division of roles and responsibilities between customers and cyber infrastructure providers. Providers are classified as developers, suppliers, and operators. The aim is to ensure cybersecurity and improve resilience across software development, supply, and operation. While Article 7 of the Basic Act on Cybersecurity obliges suppliers of information systems to support users’ cybersecurity measures, it does not specify roles at each stage of development, supply, and operation. The guidelines address this gap. They apply to software products, software services, embedded software, and software forming part of a broader system or service.

The guidelines outline five responsibilities for cyber infrastructure providers. These include secure design, development, supply, and operation, in line with the principles of “secure by design” and “secure by default”. They also cover software supply chain management, including the use of a software bill of materials (SBOM), prompt response to remaining vulnerabilities, governance arrangements for software, and strengthened information sharing and cooperation. Customers are assigned one responsibility, covering risk management as well as software procurement and operation.

The guidelines define six categories of requirements, comprising 21 itemised measures. These are organised into a minimum requirement package and a standard requirement package. The guidelines serve as a voluntary reference instrument.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: infrastructure provider: internet and telecom services, infrastructure provider: cloud computing, storage and databases, infrastructure provider: network hardware and equipment, infrastructure provider: other
Implementation Level: national
Government Branch: executive
Government Body: central government

Complete timeline of this policy change

2026-03-31
adopted