Hello, this is Hamamoto from TIMEWELL.
In April 2026, the Takaichi administration announced a new policy to limit local-government procurement of IT equipment to products certified by the government[^1][^2]. A Ministry of Internal Affairs and Communications (MIC) ordinance is set to be revised in June 2026, with the rules going live in summer 2027.
On the surface, this looks like dry administrative housekeeping. In reality, it is a move that substantially redraws Japan's economic security map. The targets are the PCs, servers and cloud services used day-to-day by roughly 1,700 local governments. And because of how the certification schemes are built, Chinese products such as Huawei and ZTE effectively disappear from the procurement network.
On 22 April, an order to stop the acquisition of Makino Milling Machine was issued, and on 23 April the National Security Information Council bill passed the Lower House. This IT policy for local governments was announced in the same week. Lined up together, the three moves make clear that economic security policy under the Takaichi administration is sharply accelerating.
In this article I work through what has actually been decided, why local governments are the target, the intent behind it, and how it will filter through to private companies.
What has actually been decided
First, the key points[^1][^3][^4].
| Item | Content |
|---|---|
| Scope | All local governments in Japan |
| Target equipment | PCs, tablets, communications equipment, servers, cloud services |
| Mechanism | Procurement limited to government-certified products (JC-STAR / ISMAP) |
| Ordinance revision | June 2026 (planned) |
| Operation start | Summer 2027 |
| Existing equipment | Switched to certified products at renewal |
Two certification schemes are involved. One is JC-STAR (Japan Cybersecurity Star), run by METI and designed to assess the security conformity of IoT and similar devices. The other is ISMAP (Information System Security Management and Assessment Program), run by the Cybersecurity Strategic Headquarters and focused on the security assessment of cloud services.
Neither scheme has certified Chinese vendors. The design is therefore not "we ban Chinese products by name," but rather "you can only buy certified products — and Chinese products are not on the list." Legally it is regulation through certification; operationally it is a broad exclusion of Chinese IT equipment.
Why local governments rather than central ministries?
Central ministries have already operated under similar guidance since 2018[^1]. This latest move is closer to finally extending a working mechanism to local governments.
Why were local governments left as the gap? Simply because there are so many of them, and IT procurement decisions are fragmented across each one. With roughly 1,700 local governments running their own tenders, enforcing a consistent security baseline is hard. As a result, Chinese equipment that had been pushed out of central ministries often remained in local-government environments.
This is precisely where extremely sensitive data — resident information, My Number records, local tax data, medical and long-term care data — accumulates. The cybersecurity community has long argued that "Japan's biggest security gap sits at the local-government level." This policy is the government stepping in, top-down, to close that gap.
Three layers of intent
Looking at why the Takaichi administration moved now, I see at least three layers of intent.
1) A response to Chinese economic statecraft
In February 2026, China published an export-control list covering 40 Japanese entities including Mitsubishi Heavy Industries, SUBARU, TDK and JAXA. This is a textbook case of economic statecraft — using economic tools to force policy change in another country. I covered the details in "China's Export Controls on Japan: The New Reality Facing Japanese Companies."
From Tokyo's perspective, both reciprocity and security dictate that dependence on Chinese IT can no longer be left unaddressed. This local-government policy is that message encoded into a concrete regulation.
2) Paired with the National Security Information Council
The National Security Information Council bill that cleared the Lower House on 23 April creates an intelligence policy apex body chaired by the Prime Minister. Creating a top-level decision-making body is meaningless unless the security baseline of the government and local-government IT environment is lifted at the same time.
"Policy layer (the Council), execution layer (a national intelligence bureau), and field layer (IT equipment certification)." Moving all three layers roughly in parallel is the real story of this cluster of announcements.
3) Nurturing a domestic market for secure equipment
There is also an industrial policy angle. Certification implicitly guarantees a market, which makes it easier for domestic manufacturers, data centre operators and cloud providers to grow share.
"Protecting domestic industry in the name of security" is an idea that has been used elsewhere — the US Buy American Act being the obvious example. In Japan, it is a tailwind for players such as NEC, Fujitsu, Sakura Internet and NTT Communications.
Seen as a continuous arc
Read as a standalone story, this policy is easy to dismiss as "another round of China-bashing." Lined up next to the past few years of moves, however, a consistent arc appears.
| Year | Event |
|---|---|
| 2018 | Central-ministry IT procurement effectively excludes Chinese products (government guidance) |
| 2020 | Government drone procurement effectively excludes Chinese makers such as DJI |
| 2022 | Economic Security Promotion Act enacted |
| 2023 | 14 critical infrastructure sectors designated |
| 2024 | Pre-notification and review regime for critical infrastructure becomes fully operational |
| Feb 2026 | China's export-control list targeting 40 Japanese entities |
| 22 Apr 2026 | Makino Milling acquisition blocked (first use of FEFTA block power) |
| 23 Apr 2026 | National Security Information Council bill clears Lower House |
| Apr 2026 | Local-government IT certification policy ← we are here |
Read chronologically, this is not a string of isolated incidents but a long-running scenario: the government wraps the regulatory net around one domain after another — central ministries → drones → critical infrastructure → individual acquisitions → intelligence architecture → local governments.
Why "we're not affected" does not hold up
The direct target is local governments, but private companies are not in the clear.
Under the critical infrastructure regime in the Economic Security Promotion Act, the following 14 sectors are designated as "specified social infrastructure" businesses[^5]:
- Electricity, gas, oil
- Water
- Railways, trucking, international shipping, aviation, airports
- Telecommunications, broadcasting
- Finance, credit cards
Operators in these sectors must notify and obtain government review before introducing or outsourcing the maintenance of "specified critical equipment." In practice, this also makes Chinese specified critical equipment difficult to adopt.
Ordinary private companies (BtoB, manufacturing, trading companies, and so on) are not directly within scope today. But three routes create real exposure:
- If you supply local governments or critical infrastructure operators, you are part of their supply chain and must be able to meet the same level of security explanation
- Overseas counterparties — particularly in the US — increasingly ask for a record of any Chinese IT equipment or components you have used
- "Deemed export" situations (for example, disclosing technology to foreign-national engineers) also now test how rigorously you manage information
"We don't do business with local governments, so this doesn't matter" is a posture that can break overnight when an overseas counterparty sends a due-diligence questionnaire you cannot answer.
Concerns and open questions
Even if the direction is sensible, several issues remain on the operational side.
Cost and speed: Replacing existing systems in local governments is financially and operationally heavy. Smaller municipalities in particular may struggle to complete the transition to certified equipment by summer 2027.
Transparency of the certification regime: JC-STAR and ISMAP do not spell out which countries or which vendors they effectively exclude. It is the same structural issue Nikkei flagged in its editorial on the Makino Milling case — making review criteria transparent is an open task.
Impact on competition: If the line between exclusion and protection is blurry, domestic vendors could start treating certification as a guaranteed win — "get certified, and we don't have to compete." Governance-side oversight is needed.
Chinese countermeasures: China is likely to respond with additional regulation or retaliatory export controls aimed at Japanese companies. The 40-entity list in February is best read as an opening move.
How companies should prepare
What your company needs to do depends on where it sits.
If you do business with local governments or critical infrastructure operators: You need to quickly map the country-of-origin of every IT product, component and software package used across your supply chain. Plans for switching to certified equipment, alternative vendor selection, and shifting to a data-in-Japan operating model can no longer wait.
If you have significant overseas operations (especially in the US and Europe): Organise, in line with each counterparty's supply-chain security requirements, a clear record of any Chinese IT equipment, components or cloud services in use. Cross-checking against the Entity List, Foreign User List and sanctions lists is no longer realistic as a manual process.
If you are starting from scratch: At a minimum, systematise counterparty screening, controlled-goods determinations, deemed-export management and access control for technical information. These four are the starting point.
Our AI export control agent "TRAFEED" was built to address exactly these requirements. Counterparty risk is scored in about five seconds against multiple lists, and product specifications drive an AI-based first-pass controlled-goods determination. Workflow and audit trails follow METI's expectations, so the output plugs directly into audit response.
Export compliance teams that have been running on Excel and tacit know-how are, honestly, no longer fit for the 2026 environment. Using this moment to operationalise the process is, in my view, the most cost-effective move.
Summary
At first glance, excluding Chinese IT equipment from local governments looks like an unremarkable MIC ordinance revision. Set alongside the moves of the past several years, it is clearly the piece that completes Japan's economic security regulatory net.
- Target: local-government PCs, communications equipment, servers and cloud services, live from summer 2027
- Mechanism: procurement limited to government-certified products under JC-STAR and ISMAP → Chinese products effectively excluded
- Rationale: the sensitivity of resident and My Number data, and the response to Chinese economic coercion
- Arc: central ministries (2018) → drones (2020) → critical infrastructure (2023) → local governments (2026)
- Takaichi administration: announced in the same week as the National Security Information Council and the Makino Milling block — the economic-security triple play
- Private-sector ripple: into local-government and critical infrastructure business, US-facing business, and the supply chain as a whole
Even if you think "this has nothing to do with us," once you trace your customers' customers a few steps out, the odds you touch this net are high. It is worth taking a beat to audit your own exposure to Chinese IT and the transparency of your supply chain.
For details on TRAFEED, materials, or a demo, see the product page.
References
[^1]: Local governments to exclude Chinese products in IT procurement — Nikkei (2026-04-17)
[^2]: Government to limit local IT procurement to certified products — Business+IT
[^3]: MIC to revise ordinance to exclude Chinese IT in local procurement — Fukushima Minpo
[^4]: MIC to limit local IT procurement to certified products — Epoch Times Japan
[^5]: Critical infrastructure regime under the Economic Security Promotion Act — Cabinet Office
![Japan to Effectively Exclude Huawei and ZTE from Local Government IT [Starting 2027] | Takaichi Administration's Certified Products Rule and Corporate Ripple Effects](/images/columns/japan-local-government-chinese-it-ban-2026/cover.png)