Hello, this is Hamamoto from TIMEWELL. Over the past year, I have heard the line "we're SaaS, so export control doesn't apply to us" more times than I can count. I understand the instinct. You don't ship physical goods, you have no warehouse, and there is no customs entry. In reality, though, SaaS and software sit deeper inside the export control net than almost any other field.
Working through this series on industry-specific export control has reminded me how unusual SaaS is. The goods don't move, but the technology does. An API with an embedded cryptographic algorithm crosses a border the moment its client sits overseas. Hire a remote engineer overseas, and the deemed export issue is triggered at the instant of onboarding. On top of that, Japan has its own government procurement gate — ISMAP — whose standards were substantially revised at the end of 2025. This article organizes what SaaS and software companies need to get right as of April 2026, in five practical topics.
SaaS is a party to export control even when it thinks it isn't
The first thing SaaS companies trip on is the definition of "export." Both Japan's Foreign Exchange and Foreign Trade Act and the U.S. EAR cover not only goods, but also technology and services. SaaS doesn't move goods, but delivering technology is its entire business, so it sits at the center of the control perimeter rather than outside it.
The U.S. EAR (Export Administration Regulations) sweeps a lot of encryption software into Category 5 Part 2, and if your product implements TLS, VPN, file-based encryption, or end-to-end messaging, it may qualify as 5D002 or 5A002. Integrate a U.S.-origin library or OSS, and the de minimis rule (25% U.S.-origin content — 10% for certain countries) extends U.S. re-export control to your Japanese entity. "We're fully domestic" is a harder claim than most SaaS companies realize.
Under domestic law, METI issued a notice in 2013 on cloud services and service transactions. The key point there was: "if data merely passes through or is stored in an encrypted state on overseas servers, it does not qualify as a service transaction." But that concerns data transit. If you provide the encryption technology itself to an overseas base, or if decryption keys are handled outside Japan, it is a different analysis.
SaaS often blurs the line between "provision of services" and "provision of a program." Monthly subscription API access tends toward a service transaction; distributing an on-premises installer or virtual appliance tilts toward a program. Companies that offer both models need to run classification per service. In practice, many teams try to manage this in a single spreadsheet and end up with inconsistent granularity. Japanese SaaS companies have not yet matured their export control operations to the level of manufacturing, and viewed through METI's security trade control lens, SaaS feels about a decade behind manufacturing.
ISMAP's 2026 revision reshapes government procurement and cloud provider response
For domestic SaaS operators, ISMAP (Information System Security Management and Assessment Program) is just as unavoidable as export control. The program is meant to assure the security level of cloud services in government procurement, and since its launch in 2020, the major CSPs — AWS, Microsoft Azure, Google Cloud, IIJ, Sakura Internet — have registered.
Without a listing on the ISMAP Cloud Service List, you cannot even enter the bidding round for government platform systems, and some local government procurements are also locked. That has been a meaningful barrier to entry for Japanese SaaS companies, especially mid-sized ones. The cost of acquisition and maintenance has long been called excessive, and on December 25, 2025, the government finally published a proposal for a broad revision of the control baseline[^1].
The revision has two main points. First, to align with the ISO/IEC 27002:2022 update, the controls are reorganized into four categories, plus a fifth for cloud-specific controls. Second, the detailed control items are compressed from 1,081 to 253 — roughly a quarter. This reduction is less a lightening of the checklist and more a consolidation and redefinition of redundant controls. The correct reading is that quality was not cut — duplication was removed.
In January 2026, IIJ announced the additional registration of its cloud-based authentication service (IIJ ID Service / Identity Management Option) and its cloud-based web security service[^2]. Full operation under the revised baseline is expected to ramp up in the second half of FY2026, making it a good re-entry window for mid-sized SaaS providers that had passed on ISMAP. Honestly, 253 items is still not a low bar. Rather than tackling it solo, a realistic path for SaaS built on AWS is to rely on AWS's ISMAP registration and focus on the controls you actually own.
On a side note, I get occasional questions that conflate ISMAP with JC-STAR (IPA's IoT security labeling scheme). JC-STAR targets IoT products; ISMAP targets cloud services — they cover different things. JC-STAR began accepting Level 1 applications in March 2025, and is scheduled to start Level 2 and above for communication equipment and network cameras in January 2026[^3]. Pure SaaS is outside JC-STAR's scope, but B2B SaaS vendors whose products pair with hardware should watch both.
The deemed export trap: hiring overseas engineers pulls the trigger
SaaS lives or dies by its engineers. Almost no company can staff entirely from domestic talent anymore, and fully remote hiring from India, Vietnam, or Ukraine is now routine. This is where deemed export steps in.
Article 25(1) of the Foreign Exchange and Foreign Trade Act treats the provision of technology by a resident in Japan to a non-resident as an "export" of controlled technology, and the May 1, 2022 amendment clarified operations[^4]. The key point of the amendment: even a person who is formally a resident, if judged to be under the strong influence of a foreign government or foreign company, is treated in substance the same as a non-resident for technology transfer. Typical indicators include strong ties to foreign governments or militaries, being under the direction of a foreign company, and receiving non-refundable scholarships from foreign governments (under certain conditions).
Here is what SaaS HR actually encounters. You want to hire a strong backend engineer who holds Chinese nationality. The individual has lived in Japan for a long time and is treated as a resident. But if they earned a doctorate on their home country's scholarship and continue to receive conditional support from that fund, after the 2022 amendment they may fall within deemed export control. Hiring is not prohibited. What you need is a design that controls access to relevant technology (encryption, AI, defense-related functionality) and a mechanism to assess whether prior METI licensing is required.
On January 31, 2025, METI published a draft amendment to the ministerial ordinance, and the revised supplementary export controls took effect on October 9, 2025[^5]. The catch-all controls were tightened there, which also affects deemed export decisions. What SaaS companies should do now is add "relationship with foreign governments, militaries, and foreign companies," "source of funding," and "current residence and travel history" to the hiring checklist, and formalize consents and declarations. Beyond paperwork, you need a design that scopes access by attribute — GitHub branch permissions, Snowflake roles, Kubernetes namespaces — so that scope can be narrowed by candidate profile.
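The attribute-scoped access design sketched above, as an added example (not TIMEWELL's code and not any product's logic): the three checklist indicators named in the text open a deemed-export review, and until legal records a decision the onboarding scope excludes every resource tagged as controlled technology. The resource inventory, the `controlled` tag, and the status values are assumptions constructed for this example.

```python
"""Attribute-scoped onboarding for a new engineering hire.

Added example, not TIMEWELL's or any vendor's code. Any checklist indicator
(ties to a foreign government or military, direction by a foreign company, a
conditional foreign-government scholarship) puts the hire into deemed-export
review; until legal records a decision the provisioned scope excludes every
resource tagged as controlled technology. Resource names, tags and status
values are assumptions made up for this example.
"""
from dataclasses import dataclass
from enum import Enum


class ReviewStatus(Enum):
    NOT_REQUIRED = "not_required"  # no indicator on the checklist
    PENDING = "pending"            # indicator present, legal review still open
    CLEARED = "cleared"            # review closed: license obtained or not needed
    DENIED = "denied"              # review closed: controlled technology withheld


@dataclass(frozen=True)
class CandidateProfile:
    name: str
    foreign_government_or_military_ties: bool = False
    directed_by_foreign_company: bool = False
    conditional_foreign_scholarship: bool = False


@dataclass(frozen=True)
class Resource:
    kind: str         # e.g. "github_repo", "snowflake_role", "k8s_namespace"
    name: str
    controlled: bool  # tagged as controlled technology (encryption, AI, defense)


# Constructed inventory: what a backend engineer would normally be granted.
INVENTORY = [
    Resource("github_repo", "billing-api", controlled=False),
    Resource("github_repo", "crypto-sdk", controlled=True),
    Resource("github_repo", "llm-gateway", controlled=True),
    Resource("snowflake_role", "ANALYST_RO", controlled=False),
    Resource("k8s_namespace", "staging-web", controlled=False),
    Resource("k8s_namespace", "model-serving", controlled=True),
]


def review_indicators(profile):
    """Names of the checklist indicators present for this candidate."""
    flags = {
        "foreign_government_or_military_ties": profile.foreign_government_or_military_ties,
        "directed_by_foreign_company": profile.directed_by_foreign_company,
        "conditional_foreign_scholarship": profile.conditional_foreign_scholarship,
    }
    return [name for name, present in flags.items() if present]


def initial_status(profile):
    """Any indicator opens a review; otherwise no deemed-export review is needed."""
    return ReviewStatus.PENDING if review_indicators(profile) else ReviewStatus.NOT_REQUIRED


def provision_scope(status, inventory=INVENTORY):
    """Resources to grant for a given review status.

    Controlled resources are granted only when no review is needed or the review
    has cleared; PENDING and DENIED both get the uncontrolled subset, so nothing
    controlled is reachable while legal is still deciding.
    """
    if status in (ReviewStatus.NOT_REQUIRED, ReviewStatus.CLEARED):
        return list(inventory)
    return [r for r in inventory if not r.controlled]


def onboard(profile, decision=None, inventory=INVENTORY):
    """Return (status, resources to provision) for a hire at onboarding time.

    `decision` is the outcome legal recorded (CLEARED or DENIED), or None while
    the review is still open. A decision only applies when a review was actually
    opened, so it is ignored for candidates with no indicators.
    """
    status = initial_status(profile)
    if status is ReviewStatus.PENDING and decision is not None:
        status = decision
    return status, provision_scope(status, inventory)


def granted_names(granted):
    """Stable, human-readable list of what was provisioned (for the audit trail)."""
    return sorted(f"{r.kind}:{r.name}" for r in granted)


if __name__ == "__main__":
    hire = CandidateProfile("candidate A", conditional_foreign_scholarship=True)
    status, granted = onboard(hire)
    print(status.value, granted_names(granted))
```

The point of keeping `PENDING` and `DENIED` on the same branch is that the default is the narrow scope; widening only ever happens through a recorded decision, which is the audit trail the text says you need before the person touches the source repository.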
I wrote more detail in A Practical Guide to Deemed Export Risk, but the scariest deemed export pattern is the one you notice after the hire. By the time you realize, the person has already touched the source repository, the audit trail is there, and you cannot walk it back. Whether HR, engineering, and legal can sit at the same table and discuss cases together is the real firewall.
The data residency, encryption, and API-delivery trio
When you talk about SaaS export control, data residency, encryption, and API delivery are inseparable. Each gets discussed on its own, but in operation they must be designed as a set — otherwise you will leave gaps.
On data residency, Japan has no storage-location restriction under the Act on the Protection of Personal Information. But when personal data is stored overseas, you must check the destination country's data protection regime and implement safety management measures (Article 28). For government information systems, Digital Society Promotion Standard Guideline DS-310 (September 2023) applies, and the government cloud assumes closed domestic use[^6]. Interestingly, even for information requiring protection, the guideline allows non-domestic data centers if the data is encrypted with an algorithm on the CRYPTREC cipher list (e-Government recommended ciphers) and the keys are managed by the user side or a tamper-resistant device. In other words, if you do encryption and key management properly, AWS's overseas regions can be on the table.
Next, encryption. EAR Category 5 Part 2 covers encryption software that meets criteria such as symmetric keys over 128 bits or asymmetric keys over 2048 bits. Modern algorithms like AES-256, RSA-4096, and ECC almost all cross that line. Japanese SaaS companies rarely implement these themselves; in practice they use AWS KMS, Azure Key Vault, or Google Cloud KMS. In that case, the division of responsibility for export control matters. The CSP has handled classification and filings at the infrastructure layer, but if you implement additional cryptographic features at the application layer, that layer is yours to classify.
Third, API delivery. Letting overseas users hit your SaaS endpoints is not the same thing as "passage of encrypted data" under METI's notice — the provision of the function itself may qualify as a service transaction. Concretely: providing API specifications and technical manuals to overseas customers, providing implementation support as a customer success function to overseas engineers, and contributing technical know-how in joint development are all service transaction questions. Under the catch-all controls covering conventional weapons and WMD, screening whether your customer falls into a restricted country or a suspect end user is a must.
Running this trio on manual spreadsheets is honestly at its limit. Our product TRAFEED (formerly ZEROCK ExCHECK) is an AI agent that handles customer screening, classification support, and technical information management end to end — billed as the world's first AI-based export control tool, operated in line with METI standards. A SaaS company using SaaS to protect its SaaS is a bit nested, but the reduction in manual effort is dramatic.
AI SaaS cannot relax, even "post-AI-Diffusion rescission"
In January 2025, the Biden administration published the "Framework for Artificial Intelligence Diffusion." It was an ambitious package that controlled the flow of AI model weights and advanced compute chips, reaching even into access controls via IaaS (Infrastructure as a Service). Many AI SaaS companies braced for impact — I remember it well.
But in May 2025, just before it took effect, BIS under the Trump administration rescinded it. The rescission went through proper procedure, and on December 8, 2025, President Trump announced approval for selected chip sales to approved customers in China; then on January 13, 2026, BIS issued a new final rule moving chip exports to mainland China, Hong Kong, and Macau from a general denial to case-by-case review[^7]. Read in isolation, that looks like loosening.
However, the parts that concern AI SaaS have not really loosened. Even after the rescission of the January 2025 rule, the existing Part 744 controls and the October 2024 expansion remain in place, and providing remote access to "IaaS remote end users" whose location or ultimate parent is in Belarus, China, Cuba, Iran, Macau, North Korea, Russia, or Venezuela is still restricted. A Japanese AI SaaS offering a large language model via API that issues API keys to a mainland Chinese startup is already in the scope of that question. User-onboarding KYC (Know Your Customer), IP-based geoblocking, token usage limits, and audit log retention need to be designed together.
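Designing the four controls "together", as an added example rather than anything from the original post or from any CSP: one decision function runs the KYC attributes (declared country of location and of the ultimate parent), IP-based geolocation, the per-key token quota and the audit record as a single step when an API key is requested. The restricted destinations are the eight the text names; the CIDR-to-country table, customer records and quota figures are constructed for this example and stand in for a real GeoIP feed and price plan.

```python
"""API-key issuance gate for a remote end user of a hosted model.

Added example, not TIMEWELL's or any vendor's code. Runs the four controls the
text says must be designed together as one decision: KYC attributes (declared
country of location and of the ultimate parent), IP-based geolocation, a
per-key token quota, and an audit record. RESTRICTED holds the destinations
named in the text; GEO_TABLE, TOKEN_QUOTA and the customer records are
constructed for this example.
"""
import ipaddress
from datetime import datetime, timezone

# ISO 3166-1 alpha-2 codes for the destinations listed in the text.
RESTRICTED = {"BY", "CN", "CU", "IR", "MO", "KP", "RU", "VE"}

# Constructed geolocation table standing in for a GeoIP database.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "JP"),
    (ipaddress.ip_network("198.51.100.0/24"), "CN"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]

# Constructed monthly token quotas per plan.
TOKEN_QUOTA = {"trial": 1_000_000, "business": 50_000_000}


def geolocate(ip):
    """Country for an IP address, or None when the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return None


def evaluate_key_request(customer, source_ip, audit_log, now=None):
    """Decide 'deny', 'review' or 'allow' for an API-key request and log it.

    deny   : the customer, its ultimate parent, or the request origin is in a
             restricted destination.
    review : the origin could not be geolocated, or it contradicts the declared
             location (a signal that the KYC data may be wrong); a human decides.
    allow  : every check passed; a key with the plan's token quota may be issued.
    Returns (decision, token_quota, reasons).
    """
    reasons = []
    declared = customer["location_country"]
    if declared in RESTRICTED:
        reasons.append(f"location_country={declared}")
    parent = customer["ultimate_parent_country"]
    if parent in RESTRICTED:
        reasons.append(f"ultimate_parent_country={parent}")

    origin = geolocate(source_ip)
    if origin in RESTRICTED:
        reasons.append(f"source_ip_country={origin}")

    if reasons:
        decision = "deny"
    elif origin is None:
        # Unknown origin is held for review, never allowed by default.
        decision, reasons = "review", ["source_ip_not_geolocated"]
    elif origin != declared:
        decision, reasons = "review", [f"source_ip_country={origin}!=declared={declared}"]
    else:
        decision = "allow"

    quota = TOKEN_QUOTA.get(customer["plan"]) if decision == "allow" else None

    # Append-only audit record: what was checked, what was decided, and why.
    audit_log.append({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "customer_id": customer["id"],
        "source_ip": source_ip,
        "source_ip_country": origin,
        "decision": decision,
        "reasons": reasons,
        "token_quota": quota,
    })
    return decision, quota, reasons


if __name__ == "__main__":
    log = []
    customer = {"id": "c1", "location_country": "JP",
                "ultimate_parent_country": "JP", "plan": "business"}
    print(evaluate_key_request(customer, "203.0.113.10", log))
    print(log[-1])
```

Two design choices matter here. The ultimate-parent check runs regardless of where the operating entity sits, which is the part a location-only geoblock misses. And a geolocation miss or a mismatch with the declared country is routed to review rather than allowed, so the audit log records why a key was not issued automatically.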
My personal read is that the AI Diffusion Rule rescission is best interpreted as "the framework is rescinded, but the individual rules continue and intensify." Let the surface-level easing news push you into "our AI SaaS is fine" and you may eat heavy penalties later. An EAR violation can cost up to twice the transaction amount or 350,000 dollars, plus exclusion from the U.S. market and SDN listing — management risks that hit the top line directly.
Domestically, METI is likewise moving to explicitly cover AI and cloud APIs, as I laid out in The 2026 Amendments to AI, Semiconductor, and Cloud Export Controls. Combined with the trend toward excluding Chinese IT from government and local government procurement, which I covered in Exclusion of Chinese IT from Japanese Local Governments in 2026, export control infrastructure is becoming an upfront investment for Japanese AI SaaS to survive domestic government and municipal markets. The shift is from "do it to differentiate" to "do it or be cut in the first round."
If you start on SaaS export control today in 2026
Running through these five topics, the common thread is that SaaS tends to become a party to export control before it notices. Unlike manufacturing, there is no physical customs event, so the trigger is hard to see. That invisibility is the biggest risk, and once an issue surfaces, customer churn and brand damage can be worse than the equivalent in physical goods smuggling.
Here is a realistic starting sequence. First, refresh classification for your SaaS at the product level. EAR applicability, Foreign Exchange Act applicability, encryption classification — just holding these three in a single table moves the internal discussion forward. Second, embed an overseas-hire deemed export check into the hiring process. Don't leave it to HR alone; pull in legal and engineering, and close the loop all the way to post-hire access control. Third, re-evaluate ISMAP. The new baseline starts in FY2026, so companies that had given up are worth a second look.
Fourth, systematize customer screening. Manual effort cannot keep up with the pace of sanctions list updates and will miss entries. Offload it to an AI agent like TRAFEED and let people focus on review and judgment. SaaS as a business now moves too fast for manual export control operations to keep up, which means export control operations need to run at the same cadence.
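What "systematized customer screening" has to do before any list lookup is meaningful, as an added example that is not TRAFEED's logic or any other product's code: normalize both sides (case, punctuation, corporate suffixes), compare the customer name against every listed name and alias, and return a three-way outcome so that near-misses reach a reviewer instead of being silently cleared. The denied-party entries, the suffix list and the thresholds are constructed for this example; a real deployment screens against the current official lists.

```python
"""Denied-party name screening with normalization and fuzzy matching.

Added example, not TRAFEED or any other product's logic. Normalizes names
(case, punctuation, corporate-form tokens), compares against every listed name
and alias with difflib, and maps the best score to match / review / clear.
DENIED_PARTIES, SUFFIX_TOKENS and the thresholds are constructed for this
example; the listed names are fictitious.
"""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

# Corporate-form tokens that carry no identity and differ across data sources.
SUFFIX_TOKENS = {
    "co", "company", "ltd", "limited", "inc", "incorporated", "corp",
    "corporation", "llc", "plc", "gmbh", "kk", "kabushiki", "kaisha",
}

MATCH_THRESHOLD = 0.90   # treat as a hit
REVIEW_THRESHOLD = 0.75  # route to a human; below this, clear


@dataclass(frozen=True)
class ListEntry:
    entry_id: str
    name: str
    aliases: tuple = ()


# Constructed denied-party list; these names are fictitious.
DENIED_PARTIES = [
    ListEntry("EX-001", "Example Trading Company Limited",
              aliases=("Example Boeki Corporation",)),
    ListEntry("EX-002", "Sample Precision Instruments Inc"),
]


def normalize(name):
    """Lowercase, drop punctuation, strip corporate suffix tokens, collapse spaces."""
    tokens = re.sub(r"[^0-9a-z]+", " ", name.lower()).split()
    kept = [t for t in tokens if t not in SUFFIX_TOKENS]
    return " ".join(kept or tokens)  # never reduce a name to nothing


def similarity(a, b):
    """Ratio in [0, 1] between the normalized forms of two names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


@dataclass(frozen=True)
class ScreeningResult:
    decision: str               # "match", "review" or "clear"
    score: float
    entry_id: Optional[str]
    matched_name: Optional[str]


def screen(customer_name, entries=DENIED_PARTIES):
    """Best hit across all names and aliases, mapped to a three-way decision."""
    best_score, best_entry, best_name = 0.0, None, None
    for entry in entries:
        for candidate in (entry.name, *entry.aliases):
            score = similarity(customer_name, candidate)
            if score > best_score:
                best_score, best_entry, best_name = score, entry, candidate
    if best_score >= MATCH_THRESHOLD:
        decision = "match"
    elif best_score >= REVIEW_THRESHOLD:
        decision = "review"
    else:
        return ScreeningResult("clear", best_score, None, None)
    return ScreeningResult(decision, best_score, best_entry.entry_id, best_name)


if __name__ == "__main__":
    for name in ("EXAMPLE TRADING CO., LTD.", "Example Trade", "Sakura Bakery"):
        print(name, "->", screen(name))
```

The suffix stripping is what makes "EXAMPLE TRADING CO., LTD." and "Example Trading Company Limited" compare as the same string; without it, list updates that change only the corporate form would be missed, which is exactly the failure mode manual spreadsheet screening tends to have.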
Export control is often seen as being at odds with "offensive" management, but watching the past three years — U.S.-China confrontation, the economic security trend, the EU AI Act, Japan's tightening of catch-all controls — I would say that companies that have built out their export control are precisely the ones who can accelerate overseas expansion. Reframe it not as defensive spend but as the ground floor for taking your product overseas. For SaaS companies, 2026 is the year that turning point lands.
References
[^1]: PwC Japan, "New developments in ISMAP: the broad revision of the ISMAP control baseline and the outlook for ISMAP going forward" https://www.pwc.com/jp/ja/knowledge/column/awareness-cyber-security/explanation-of-ismap2.html
[^2]: IIJ, "Cloud-based authentication service and cloud-based web security service registered with ISMAP" January 13, 2026 https://www.iij.ad.jp/news/pressrelease/2026/0113.html
[^3]: IPA, "Security Requirements Compliance Assessment and Labeling Scheme (JC-STAR)" https://www.ipa.go.jp/security/jc-star/index.html
[^4]: METI Trade Control Department, "Clarification of deemed export control operations" https://www.meti.go.jp/policy/anpo/law_document/minashi/meikakukanitsuite2.pdf
[^5]: EY Japan, "METI publishes draft amendments — strengthening security trade control including catch-all controls" https://www.ey.com/ja_jp/technical/ey-japan-tax-library/tax-alerts/2025/tax-alerts-02-06-03
[^6]: Digital Agency, "Digital Society Promotion Standard Guideline DS-310: Basic policy on appropriate use of cloud services in government information systems" https://www.digital.go.jp/assets/contents/node/basic_page/field_ref_resources/e2a06143-ed29-4f1d-9c31-0f06fca67afc/5167e265/20230929_resources_standard_guidelines_guideline_01.pdf
[^7]: US Studies Centre, "The US AI Diffusion Rule: What is it, why did the United States rescind it, and implications for Australia" https://www.ussc.edu.au/the-us-ai-diffusion-rule
![Export Control for SaaS and Software Companies: Deemed Export, ISMAP, and Cloud Regulations in Practice [2026 Edition]](/images/columns/saas-software-industry-export-control/cover.png)