Hello, this is Hamamoto from TIMEWELL.
The phrase "security clearance" turns up in the news far more often than it used to. In Japan, a law with a long name, the Important Economic Security Information Protection and Utilization Act, took effect on May 16, 2025[^2], and a mechanism for the state to confirm that the people handling economic-security information can be trusted is now in motion. It may sound like a matter confined to the worlds of defense and diplomacy, but for private companies involved in critical infrastructure or semiconductor supply chains, it is by no means a distant concern.
In my day-to-day work, I build TRAFEED, an AI agent for export controls, and through that I touch the practical side of economic security. From that vantage point, this system looks like economic-security management centered on people, and it connects in a single line with export controls, which target goods and technologies. In this article I will lay out the framework of the system and the substance of the aptitude assessment, how it differs from the Act on the Protection of Specially Designated Secrets, and what companies should have in place, all grounded in primary government sources.
What a security clearance is, and why Japan needed one
A security clearance, put simply, is a qualification by which the government, after an investigation, confirms that a person may be exposed to sensitive information. Think of a server room that is off-limits: to enter, you need an access pass issued after your identity has been checked in advance. This system applies a similar idea to information tied to national security, requiring a proof of trust before access is granted[^10]. The clearance is not the information itself, nor permission to do a particular job; it is, more precisely, a certification of the person, attached to the individual and confirmed in advance. That distinction matters, because it explains why so much of the system revolves around examining people rather than cataloguing documents.
Japan already had a system for protecting defense and diplomatic secrets, the Act on the Protection of Specially Designated Secrets. What was missing was a clearance covering the field of economic security. The G7 countries, led by the United States and the United Kingdom, all have clearance systems that reach economic-security information. Without one, Japanese companies could not present the qualification that serves as the precondition of trust at the table of joint international research and development with allies, and they risked being shut out of participation. The need to fill this gap was pointed out repeatedly in the government's expert panels[^11][^12].
The law that emerged from this is formally titled the Act on the Protection and Utilization of Important Economic Security Information (law number: Act No. 27 of 2024). It was enacted on May 10, 2024, promulgated on May 17[^3], and took effect on May 16, 2025[^2]. The operational standards, which set out the details needed to actually run the system, were approved by the Cabinet on January 31, 2025, following the Advisory Council on the Protection and Utilization of Important Economic Security Information held on January 22, 2025[^8][^4]. On top of that, the first editions of the operational guidelines, one for administrative organs and one for eligible business operators, were published by the Cabinet Office as of May 2, 2025[^6][^7], so the supporting documents are now largely in place. The act is abbreviated as the Important Economic Security Information Protection and Utilization Act, and in news coverage it is also called the "Security Clearance Act." I find it telling that the name of the law contains not only "protection" but also "utilization." This is a system aimed at both wheels at once: not merely guarding information, but building a foundation of trust and stepping out onto the stage of joint international development.
Replace siloed classification work with AI.
METI's FY2024 data shows 52% of foreign exchange law violations stem from classification errors. TRAFEED cuts determination time by ~70% and stores structured rationale for every decision.
What it protects: the substance of "Important Economic Security Information"
So what kind of information is the "Important Economic Security Information" that this system sets out to protect? It is designated by the head of an administrative organ, and according to the operational standards and the Cabinet Office's commentary, information falls within scope only when it satisfies all three of the following conditions[^4][^5][^13]. First, it must be information held in order to protect the "critical economic base," described below. Second, it must be non-public information that is not yet known to the world. Third, its leak must risk causing harm to Japan's security, so that it needs to be kept confidential. Anything already handled as a specially designated secret or as a special defense secret is excluded from this system.
The key is the concept of the "critical economic base." It can be organized into two main pillars. One is critical infrastructure that supports daily life and the economy, such as electricity, gas, finance, telecommunications, aviation, railways, water supply, and medical care. The other is the supply chains of critical materials such as semiconductors, storage batteries, advanced electronic components, antimicrobial agents, fertilizer, machine tools, and aircraft parts[^13]. For example, information about what cyberattack weaknesses a piece of critical-infrastructure equipment has could, in the hands of an attacker, bring society as a whole to a halt. The system's role is to protect information of that kind, where a leak would cause damage on a national scale.
Here I want to add one caution. When words like semiconductors and machine tools are lined up, it is tempting to brace yourself, assuming that the very products your company handles will be designated as secret. But what falls within scope is strictly information that the government holds and designates. Products and services themselves are not regulated, and the act of manufacturing or trading them is not, by itself, what this law touches. The trigger is whether a specific piece of government-held information, relating to that field, has been designated; the catalog of what your company makes is a separate matter entirely. The status of designations and de-designations is reported to the Diet once a year[^1]. That said, as of June 2026, the concrete figures on operational performance, such as the number of designations, the number of certified eligible business operators, and the number of aptitude assessments carried out, have not been published as far as I have been able to confirm. I expect these to become clearer in the future through the first annual report to the Diet and similar channels. Because I want to avoid speaking definitively about figures I cannot verify, I will simply note here that, at present, they are unpublished.
The substance of the "aptitude assessment," a background check
Another core of this system is the investigation called the aptitude assessment. It is a procedure by which the state confirms in advance that a person who handles Important Economic Security Information poses no risk of leaking it, in other words, a background check. As a precondition, the person's own consent is required, and the investigation is conducted by the head of an administrative organ[^4][^6]. The point worth holding onto is that no one's background is probed arbitrarily without consent.
What does it examine? According to the operational standards and guidelines, and the commentaries that read them closely, the items follow the framework of the Act on the Protection of Specially Designated Secrets[^6][^13]. In addition to the person's basic particulars, the assessment looks at family and cohabitants, ties to foreign countries, criminal and disciplinary history, whether there has been any past rule-breaking in handling information, substance abuse, mental illness, drinking habits, and even financial standing such as debt. It goes quite far. The reason it looks this deeply is that the risk of leaking information arises not only from a person's own malice but also from "openings to be exploited," such as economic hardship, approaches from foreign actors, and physical or mental condition. It makes sense if you think of placing an expensive safe in your home: you would want to confirm the character of the person to whom you entrust the key.
On the number of items examined, some commentaries describe "about ten items" and others "seven categories," so it differs depending on how you count. If this concerns you, the surest course is to check the text of the law and the operational standards themselves. The result of an assessment has a validity period, set at ten years from the time notification is received[^13]. However, if suspicious circumstances arise during that period, the person is assessed anew. It is not a matter of clearing the bar once and being done; trust is confirmed on an ongoing basis. Seen from the side of the working individual, this is also a system that carries the weighty question of how much of one's own privacy to hand over. Even with consent as a precondition, there will be situations in which whether or not one undergoes the assessment could affect promotion or job assignment, and I believe careful explanation to employees will be indispensable for companies.
How private companies are involved: the two-layer structure of eligible operators and employees
Having read this far, some readers may feel that, in the end, this is a matter that plays out inside government offices. In fact, the system is designed to clearly draw in private companies. Simplified, the mechanism splits into two layers.
The first layer is the certification of companies as "eligible business operators." The head of an administrative organ certifies, as an eligible business operator, a company recognized as capable of appropriately protecting Important Economic Security Information, and information can then be provided to that company[^7][^9][^13]. To obtain certification, the facilities and equipment for protecting information and the internal management structure must meet certain standards. The second layer is the aptitude assessment of the individual "employees" who actually handle the information within that company. In other words, only when both are in place, the company being recognized as a vessel (certification) and the person being confirmed as trustworthy (the aptitude assessment), can sensitive information be handled. Picture locking both the vessel and its contents.
So in what settings does a company come into contact with this system? Government materials and commentaries envision settings such as support for cyber-defense of critical infrastructure, efforts to remove supply-chain vulnerabilities for critical materials, joint international development of advanced technology, and government commissions or procurement[^9][^13]. Companies that handle semiconductors, storage batteries, or defense-related components, and IT vendors that support the systems behind critical infrastructure, may be asked for this qualification at the entrance to a transaction or a joint development, even if they do not think of themselves as a "company that handles secrets." In practice, that means the request may arrive not as a regulatory order but as a commercial condition: a prime contractor, a government client, or an overseas partner sets clearance as the price of admission, and a company that cannot show it is quietly left out of the room. The pressure, in other words, can come from the market well before it comes from the law.
What I feel strongly as we develop TRAFEED, our AI agent for export controls, is that this kind of "human and organizational management of economic security" and the management that targets goods and technologies are beginning to be asked about at the same site, at the same time. Building the structure of an eligible business operator, and the item classification and counterparty screening of export controls that I touch on below, share the same root: getting to a state where you can explain what your company may handle, with whom, and to what extent. We have reached a point that calls for managing these crosswise, rather than having separate staff for each system run them as a sideline.
Its relationship to the Specially Designated Secrets Act and the US system, and the penalties
When a new system is created, the question "How is this different from the Act on the Protection of Specially Designated Secrets?" always comes up. To organize it: first, the fields covered differ. The Act on the Protection of Specially Designated Secrets protects four areas, defense, diplomacy, prevention of specified harmful activities, and counterterrorism. By contrast, the Important Economic Security Information Protection and Utilization Act extends scope to the critical economic base described earlier, that is, the field of economic security[^13].
Another difference is the threshold of sensitivity. A specially designated secret targeted information whose leak would risk causing "serious harm" to security. This law designs that point one step more broadly, as a risk of causing "harm"[^13]. With the qualifier "serious" removed, the structure can capture a wider range of information. Even so, this does not replace the Act on the Protection of Specially Designated Secrets. Information of higher sensitivity continues to be handled on the specially designated secret side, and this law is explained as adding a new layer beneath it, in a complementary relationship. This arrangement has become more concrete in recent developments. According to news coverage and government materials, the operational standards of the Act on the Protection of Specially Designated Secrets were revised in December 2025, paving the way to designate, as specially designated secrets, the more highly sensitive among the economic-security-related advanced technologies and critical-infrastructure information[^14]. More confidential information goes to the heavily penalized specially designated secrets, and the next tier goes to Important Economic Security Information. It is easiest to grasp this as a two-stage framework for protecting the state's sensitive information that has come into sharper focus.
What underpins the system are the penalties. For leaking Important Economic Security Information and similar offenses, a person faces imprisonment of up to five years or a fine of up to five million yen, and both may be imposed together[^13]. This can extend not only to the individual who leaked the information but also to the business operator. In terms of international relations, putting this system in place is expected to function as a proof of trust when receiving disclosure of classified information in allied countries, broadening opportunities to participate in joint international projects and in the government procurement of allies[^11]. Looking ahead, building a framework of mutual recognition, in which Japan's clearance and a foreign country's clearance are accepted by each other, has also become a point of discussion. That said, it should be noted that this is spoken of only as a future direction; there is no agreement already concluded. In news coverage and commentaries as well, this mutual recognition is treated as an "issue still to be worked out."
What companies should prepare, as the "human management" of economic security
Finally, let me consider how to connect this system to your own company's practice. In my reading, a security clearance is a mechanism that manages economic security from the side of "people" and "organizations," in an inseparable relationship with export controls, which manage it from the side of goods and technologies.
For example, picture a setting where you take part in the joint international development of advanced technology. While the clearance confirms that "this person, this company can be trusted," you are simultaneously asked whether the technical information exchanged in that joint development falls under the regulation of the Foreign Exchange and Foreign Trade Act (item classification), whether providing technology to overseas researchers or seconded staff amounts to a "deemed export," and whether the counterparty is a transaction partner of concern (counterparty screening). The confirmation of human trust and the management of technology outflow happen on the same table. It is wise to assume that the more a company builds a clearance structure, the more its export-control structure will be scrutinized. The basics of item classification, deemed exports, and counterparty screening referred to here are explained in detail in a separate article, Export Compliance in Practice for Companies, so I recommend taking stock of your own operations alongside it.
That said, running this kind of management on manpower alone is getting harder year by year. Each country's regulations are revised frequently, and the lists to be checked only keep growing. TRAFEED, the export-control AI agent we develop, conforms to the standards of the Ministry of Economy, Trade and Industry and automates heavy-load tasks such as item classification, the determination of dual-use (civilian and military) applicability, and cross-checking against lists of customers of concern, with multilingual support as well. The moment when you review your internal management structure in responding to the clearance system is also a good opportunity to shore up the footing of your export controls. Keep your company in a state where it can explain, at any time, what it may handle, with whom, and to what extent. We accept consultations on that preparation through our individual consultation page. Rather than scrambling to respond after the system is already in motion, getting the issues in hand first ends up taking shape faster. If you run a business involved in semiconductors or critical infrastructure, I recommend viewing clearance and export controls as one continuous challenge.
References
[^1]: Important Economic Security Information Protection and Utilization Act (Portal) | Cabinet Office, Economic Security Promotion Office — continuously updated [^2]: Act on the Protection and Utilization of Important Economic Security Information (Act No. 27 of 2024) | e-Gov Law Search (Digital Agency) — version effective May 16, 2025 [^3]: Act on the Protection and Utilization of Important Economic Security Information (Promulgation Information) | House of Representatives — promulgated May 17, 2024 [^4]: Operational Standards for the Important Economic Security Information Protection and Utilization Act (Full Text) | Cabinet Office, Director-General for Policy Planning (Economic Security) — Cabinet decision of January 31, 2025 [^5]: Operational Standards: Overview | Cabinet Office — published 2025 [^6]: Operational Guidelines (Administrative Organs Edition), 1st Edition | Cabinet Office, Director-General for Policy Planning (Economic Security) — May 2, 2025 [^7]: Operational Guidelines (Eligible Business Operators Edition), 1st Edition | Cabinet Office, Director-General for Policy Planning (Economic Security) — May 2, 2025 [^8]: Advisory Council on the Protection and Utilization of Important Economic Security Information (The Prime Minister's Day) | Prime Minister's Office — January 22, 2025 [^9]: Provision of Important Economic Security Information to Eligible Business Operators (Advisory Council, Document 2) | Cabinet Office — August 29, 2024 [^10]: Overview of the So-Called "Security Clearance" System | Cabinet Secretariat, Expert Panel on the Economic Security Clearance System (10th Meeting, Reference Materials) — 2024 [^11]: Final Report Draft of the Expert Panel on a Security Clearance System in the Field of Economic Security | Cabinet Secretariat — 2024 [^12]: Directions and Key Issues for Introducing a Security Clearance System | Research Offices of the Standing and Special Committees, House of Councillors (Economic Prism) — FY2023 [^13]: An Explanation of the Security Clearance System Based on the Important Economic Security Information Protection and Utilization Act | BUSINESS LAWYERS — 2025 [^14]: Act on the Protection of Specially Designated Secrets: Related Laws and Operational Standards | Cabinet Secretariat — continuously updated (including the December 2025 revision of operational standards)