TRAFEED

Critical Infrastructure Rules and Security Clearance: What Vendors and SIers Must Do

Published2026-07-16濱本 隆太

A beginner-friendly explainer on how Japan's critical infrastructure system (16 sectors, designated operators) reaches down through the supply chain to the vendors, SIers, SaaS providers, subcontractors, and offshore teams that supply the equipment. Covers the introduction plan filing, disclosure of 5% shareholders and officer nationality, the bypass procedure, and the security clearance system, grounded in primary sources.

Critical Infrastructure Rules and Security Clearance: What Vendors and SIers Must Do
シェア

Hello, this is Hamamoto from TIMEWELL.

"We don't operate any infrastructure, so economic security rules have nothing to do with us." When I talk with mid-sized system houses and software vendors, I hear this line a lot. I understand the instinct. If you are not a power company, a railway, or a bank, but a subcontractor a few links down, it feels natural to assume the rules for protecting the nation's critical infrastructure are decided somewhere outside your world.

That assumption is exactly where the trap lies. The critical infrastructure system does not simply regulate the designated infrastructure operators. It reaches down the contract chain to the companies that supply the equipment, build the systems, provide the cloud, and handle the maintenance, and then further still to their subcontractors and offshore development teams. The vendors who believe "this isn't about us" are, in fact, the ones who should read this first. As a first step in getting ready, if you want to check where your own export control and security posture stand, try our export control compliance check.

This article is the final part of a three-part beginner series on Japan's Economic Security Promotion Act. Part one covered the overall picture of the Act itself, and part two dealt with the security requirements around government procurement, ISMAP, and SBOM. This time, as the capstone, I want to untangle the two most misunderstood themes together: why the critical infrastructure system reaches all the way down to end-of-chain vendors, and how the state verifies the trustworthiness of people through a security clearance.

What the critical infrastructure system actually regulates

Let us start with the foundation. The critical infrastructure system sits in Chapter 3 of the Economic Security Promotion Act (Act No. 43 of 2022), which was enacted in 2022.[^4] Its aim is to prevent a situation where the essential services underpinning daily life and economic activity are interfered with from outside and grind to a halt. The scope works in two layers: the law sets the outer boundary by listing covered businesses, and cabinet orders then narrow it down further.[^1]

The list of covered sectors has expanded in stages since the system began. It started with 14 sectors. A 2024 amendment added general port transport to make 15 (that amendment took effect on April 1, 2025, with the filing obligation beginning on November 2, 2025), and a further amendment adding medical services brought the total to 16.[^1][^2] The current lineup is electricity, gas, petroleum, water supply, railways, freight motor transport, oceangoing cargo, port transport, aviation, airports, telecommunications, broadcasting, postal services, medical services (still in preparation for enforcement), finance, and credit cards. Almost every service that quietly holds up our daily lives is on the list.

Within these sectors, operators above a certain scale are designated as "designated critical infrastructure operators." As of July 1, 2026, there are 258 such operators.[^1] The number may seem larger than expected, but once you picture businesses like electricity or telecommunications, where a single company serves a wide region, the scale makes sense. A designated operator has an obligation to file an "introduction plan" with the competent minister before introducing new critical equipment or outsourcing its maintenance and management.[^1] Filing does not mean immediate use. The government reviews the content. The review period is 30 days as a baseline, but it may be extended or, conversely, shortened depending on the circumstances.[^1][^5] Where necessary, the review involves consultation with the Prime Minister and relevant agencies, and if the equipment is judged to pose a serious risk of being used as a means of interference, the operator receives a recommendation or an order.[^1] This flow of "file in advance, pass the government's check, then use it" is the backbone of the system.

Replace siloed classification work with AI.

METI's FY2024 data shows 52% of foreign exchange law violations stem from classification errors. Download the TRAFEED product catalog covering features and rollout.

Why it reaches down to vendors, SIers, and SaaS providers

Here is the part I most want to convey. The ones designated are the infrastructure operators, not their subcontractors. So why do vendors, SIers, and SaaS providers get pulled in? The answer lies in what the introduction plan requires you to disclose.

Reading the Cabinet Office briefing materials, the filing is not only about the equipment itself. It also calls for fairly detailed information about the equipment's supplier, the contractor handling maintenance and the like, and even the subcontractor further down the chain.[^1] For a shareholder who directly holds 5% or more of the supplier's voting rights, for instance, you record the name, the country whose law governs the entity, the nationality, and the share of voting rights held. That share is calculated as a proportion of the voting rights within two months before the filing date, rounded to three decimal places, which gives you a sense of the granularity.[^1] For officers, you file names, dates of birth, and nationality, with attachments such as a certificate of registered matters and a copy of a passport.[^1]

What draws the eye further is the mechanism for measuring ties to foreign governments. If, over the past three years, the supplier's sales from transactions with foreign governments, government agencies, local public bodies, central banks, political parties, and the like accounted for 25% or more of its total sales, you must record the fiscal year, the counterpart, and the share.[^1] You also state the country and region where the factory or facility that manufactures the critical equipment is located.[^1] In short, the government is trying to judge interference risk by looking not only at the infrastructure operator itself but at the capital structure, officer nationality, and dependence on foreign governments of the companies that supply it with parts and software.

Now put yourself in the subcontractor's shoes. Even if you do not see yourself as a party to economic security, once your client, the infrastructure operator, files its plan, you may be asked for information about your shareholder structure, your officers' nationality, and your share of transactions with foreign governments. If you have not put transparency around your ownership or the security posture I will describe next in order, you could simply fall off the shortlist. This is the structure I call indirect regulation. You are not the addressee of the law, yet through contracts you are effectively held to the same standard. Whether you hold this perspective, in my view, will change your order opportunities a few years from now.

The risk management measures actually expected on the ground

So beyond ownership transparency, what does the expected security posture actually consist of? The Cabinet Office materials lay out risk management measures they want suppliers and contractors to secure.[^1] They look technical, but the substance is all workable in day-to-day operations.

First is acceptance inspection and vulnerability testing to confirm that delivered equipment and software do not contain malicious code.[^1] Alongside that, they expect you to apply the latest patches and keep anti-malware software up to date. For the environment where manufacturing and maintenance take place, they expect both physical restriction, such as entry and exit control, and logical restriction, such as access control, so that no one outside the designated personnel can gain access.[^1] Prevent and monitor unauthorized access, and retain and periodically review operation logs and work histories that record who did what and when. Provide cybersecurity training to contractor personnel at least once a year. Each of these is cited as a risk management measure.[^1]

What has grown especially weighty in recent years is readiness for ransomware. The materials cite a structure that can keep services running even if you are hit by ransomware, meaning a business continuity plan with backups, isolation, and recovery procedures in place.[^1] The same goes for deciding, in advance, your policy and structure for responding to an incident, and for running drills. One caveat here: these measures are not a demand to do all of them perfectly at all times. The materials themselves make clear that measures are to be taken in proportion to the nature and degree of the risk, and that you do not have to implement every item uniformly.[^1] It is a realistic design: prepare to the extent that fits your role and the weight of the information you handle.

A word on subcontracting as well. The system makes prior approval by the designated critical infrastructure operator a requirement when you subcontract, and the same applies to further subcontracting.[^1] The condition for approval is that the subcontractor secures cybersecurity measures on par with the contractor. On top of that, where the foreign legal environment or instructions from an external actor could give rise to conduct that breaches the contract, you are expected to build in a contractual safeguard to report that to the operator.[^1] It is an attempt to govern offshore development and foreign government influence through the language of contracts. If you send development offshore, this passage is worth rereading against your own contract wording.

The "bypass procedure" as a relief route

Reading this far, subcontractors may feel one worry take hold. Do you really have to hand over sensitive information such as shareholder and officer details, your share of transactions with foreign governments, and passport copies to your client, the infrastructure operator, every time? Exposing your hand to a prime contractor who could be a competitor is, understandably, uncomfortable.

The system provides a proper escape route for this concern. It is the "bypass procedure."[^1][^6] The supplier, the contractor, and the subcontractor can submit some of the introduction plan's filing items and attachments, such as an officer's name, date of birth, and nationality, a copy of a passport, the share of transactions with foreign governments, and documents confirming part of the risk management measures, directly to the competent minister without going through the designated critical infrastructure operator.[^1] They can, quite literally, bypass the client and file with the state.

Why was such a mechanism needed? A little imagination makes it clear. If sensitive information could only ever be submitted through the prime contractor, suppliers would be reluctant to have their trade secrets held by a client, and would become hesitant to do business at all. That would push precisely the reputable vendors with solid credentials out of the infrastructure supply chain, producing the opposite of the security the system seeks. The bypass procedure is the bridge that reconciles a subcontractor's legitimate confidentiality with the transparency the state requires. There is also consideration built in, such as allowing companies registered in Japan to omit attaching a certificate of registered matters.[^1]

I want subcontractors in particular to know this procedure exists. Before jumping to the conclusion that "if we have to show everything to the client, we're out," simply knowing there is a route to file directly with the state widens your options considerably. The system is a regulation, but it is also designed to keep well-prepared companies in the supply chain. The bypass procedure is a part where that philosophy shows through clearly.

Verifying people's trustworthiness: the security clearance

The discussion so far has centered on equipment and companies, but the other pillar of economic security is people. This is where the security clearance enters, resting in Japan on the Important Economic Security Information Protection and Utilization Act (Act No. 27 of 2024).[^7][^8] The law was enacted on May 10, 2024, promulgated on May 17 of the same year, and took effect on May 16, 2025.[^7] It falls under the jurisdiction of the Cabinet Office.

From a company's viewpoint, the point to grasp is that it comes in two tiers. First the company obtains certification as an "eligible business," and then the individual actually handling the information within that company passes a screening called an "aptitude assessment"; only then can they handle important economic security information.[^9] Neither the company's credentials alone nor the individual's alone is enough. The door opens only when both are in place. For companies involved in critical infrastructure or the joint development of advanced technology, this management of people is becoming a new condition for admission. For a gentle introduction to the overall picture and significance, see the beginner's explainer on security clearance, and for a deeper look at what companies must actually do, see the latest on the system and corporate response.

What everyone wants to know is what the aptitude assessment examines. According to explanations from law firms and others, the matters the law prescribes for investigation are conducted by the head of the administrative agency on the premise of the person's consent.[^9][^10] The content said to be examined ranges widely, from basic items such as name, date of birth, nationality, naturalization history, and work and educational background, to family and cohabitants, ties to activities that damage important economic foundations such as espionage and relationships with foreign governments, criminal and disciplinary history, any history of improper handling of information, drug abuse, mental illness, moderation in drinking, credit status such as borrowing, arrears, and personal bankruptcy, and even the history of past aptitude assessments.[^9] Hearing that debt, drinking, and family nationality can be examined may feel like it goes too far, but understood as screening to choose whom you entrust with secrets, it broadly aligns with comparable systems in other countries. Because these investigation items and the exact article numbers rest on secondary explanations, please always confirm against the primary sources when you actually respond.

The penalties are designed to be correspondingly heavy. According to several explanations, leaking important economic security information can be punishable by imprisonment of up to five years or a fine of up to five million yen, with the two potentially imposed together, with attempts and negligence also subject to punishment, and with a dual liability provision extending fines to the corporation as well.[^9][^10] On the information management side, expected measures include setting up restricted-entry zones, limiting the bringing in of recording media, and using standalone terminals not connected to external networks.[^10] A mechanism to verify people and a mechanism to physically protect information move together as a set.

Let me touch on one adjacent point. The Act on Enhancing Cyber Response Capabilities (Act No. 42 of 2025), enacted in May 2025 and promulgated on May 23 of that month, is proceeding in a direction that, alongside introducing active cyber defense, imposes incident reporting and the like on critical infrastructure operators.[^11] Equipment, people, and cyber response: the demands surrounding economic security are thickening in a way where the three complement one another. For the intersection of critical infrastructure and AI governance, see critical infrastructure and AI governance as well.

What small and mid-sized vendors can prepare now

Let me restate the whole thread from a subcontractor's standpoint. The critical infrastructure system is not a matter for the designated infrastructure operators alone. Through the filing, the capital structure, officer nationality, dependence on foreign governments, and even the security posture of suppliers, contractors, and subcontractors come into question. That is precisely why, even if you are not the addressee, you may be held to the same standard at the entrance to a deal. This is the true nature of indirect regulation.

So where do you start? What I recommend on the ground is, before any large investment, to take stock. Organize the information on your main shareholders and officers, and grasp how large a share your transactions with foreign governments or foreign companies represent. Make a list of how far your current operations meet the risk management measures, such as access control, operation logs, annual security training, and backups and recovery procedures for ransomware. If you send development offshore, check whether your contracts contain a clause requiring foreign influence to be reported. And share internally that the bypass procedure exists as an option when you do not want to hand sensitive information to a client. Do this much, and you will not scramble when a client asks.

Running the technical side of management by hand alone is, frankly, getting harder year by year. Rules in each country are revised frequently, and the lists you must check against keep growing. Our export control AI agent, TRAFEED, automates the heavy work in line with Japan's Ministry of Economy, Trade and Industry standards, from classification of whether an item may be exported, to judging dual-use technology (technology usable for both civilian and military purposes), to screening against lists of counterparts of concern, and reflects each country's rules on the same day. In a joint demonstration with Okayama University, we confirmed an AI classification accuracy of 95% or higher based on past review data (in-house study), we hold Patent No. 7862062, and more than 20 organizations already use it. Of course, the principle that the final classification decision is made by your own export control officer does not change. The tool is only a foundation for making human judgment faster and more accurate.

Both the critical infrastructure system and the security clearance rest, at their root, on a simple idea: entrust important things only to counterparts you can trust. There is no need to brace yourself for something forbidding. But whether you can demonstrate that trust is decided by your preparation in peacetime. A company that thought "this isn't about us" is confronted with the rules for the first time on the day of an inquiry, and stands frozen. Not wanting to see more of those scenes is, honestly, why I wrote this three-part series. As an entry point for getting ready, please also use our individual consultation on economic security and export control. Now that you have finished reading, open your list of shareholders and officers first. Starting there is enough.

References

[^1]: System for Ensuring the Stable Provision of Specified Critical Infrastructure Services under the Economic Security Promotion Act (Briefing Materials) — Cabinet Office, Economic Security Promotion Office — July 7, 2026 (accessed July 16, 2026) [^2]: System for Ensuring the Stable Provision of Critical Infrastructure Services — Cabinet Office, Economic Security Promotion Office (accessed July 16, 2026) [^3]: On the System for Ensuring the Stable Provision of Specified Critical Infrastructure Services under the Economic Security Promotion Act — Cabinet Office, Economic Security Promotion Office — June 17, 2026 (accessed July 16, 2026) [^4]: Act on the Promotion of Ensuring Security by Taking Integrated Economic Measures (Economic Security Promotion Act, Act No. 43 of 2022) — e-Gov Law Search (Digital Agency) (accessed July 16, 2026) [^5]: Recent Developments in the Critical Infrastructure System under the Economic Security Promotion Act — House of Councillors, Legislation and Investigation No. 483 — 2026 (accessed July 16, 2026) [^6]: Critical Infrastructure System — Ministry of Internal Affairs and Communications (accessed July 16, 2026) [^7]: About the Important Economic Security Information Protection and Utilization Act — Cabinet Office, Economic Security Promotion Office (accessed July 16, 2026) [^8]: Act on the Protection and Utilization of Important Economic Security Information (Act No. 27 of 2024, version in force from May 16, 2025) — e-Gov Law Search (Digital Agency) [^9]: Overview of the Security Clearance System Based on the Important Economic Security Information Protection and Utilization Act — BUSINESS LAWYERS — 2025 (accessed July 16, 2026) [^10]: What Is the Security Clearance System — KPMG Japan — April 2024 (accessed July 16, 2026) [^11]: Response Toward the Enforcement of the Act on Enhancing Cyber Response Capabilities (Document 2) — Ministry of Health, Labour and Welfare — 2025 (accessed July 16, 2026)

52% of FY2024 export-control violations stem from classification errors. Is your team covered?

METI FY2024 data shows over half of violations stem from classification. Start with a free 5-question light check (~2 min, no email), then continue to the full 10-question report.

Share this article if you found it useful

シェア

Newsletter

Get the latest AI and DX insights delivered weekly

Your email will only be used for newsletter delivery.

無料診断ツール

輸出管理のリスク、見えていますか?

まず5問(約2分・メール不要)のライト診断。必要なら10問本編で詳細レポートまで。

Talk with us about export-control operations

Share your screening, classification, or compliance workflow. We will map where TRAFEED can help—via our contact form (no cold booking).

Related Articles

Japan's Catch-All Export Control Amendments, Explained: The October 9, 2025 Overhaul and Its Impact on the Use, End-User, and Inform Requirements [2026 Update]

A chronological roundup of the amendments to Japan's catch-all export controls (formally "complementary export controls"). We cover the overhaul promulgated on April 9, 2025 and effective October 9, 2025, including the new "specified items" category defined by HS codes, the extension of the objective requirements to the conventional-weapons stream, and the new inform requirement for Group A destinations, plus the separate Export Trade Control Order amendment promulgated November 14, 2025 and effective February 14, 2026. Based on primary sources from METI and e-Gov, with practical notes on updating your internal compliance program (CP).

2026-07-15