The Japanese government is planning to introduce a new regulation that will require local governments to only procure IT (information technology) equipment that has passed cybersecurity certification to avoid the risks of information leakage and cyber attacks. This policy is expected to be implemented in the summer of 2027, demonstrating Japan’s further expansion of its cybersecurity defenses.
According to a report by the Nikkei Asian Review, the new regulation covers personal computers, communication devices, servers, and cloud services. Going forward, local government procurements will need to meet low cybersecurity risk standards and will be fully integrated into the centralized review mechanism established by the central government, in order to enhance overall protective capabilities and eliminate Chinese-made and other products that may lead to information leaks.
The Japanese government assesses that Chinese-made equipment could potentially serve as a conduit for information leaks or even be used by foreign forces as a launchpad for cyber attacks. Therefore, it has decided to strengthen control measures from the procurement side.
The current certification system, led by the Ministry of Economy, Trade, and Industry and the National Center of Incident Readiness and Strategy for Cybersecurity, does not include Chinese products. As a result, future procurements by local governments will naturally exclude related equipment, effectively amounting to a comprehensive ban.
To assist local governments in transitioning to the new system, the Ministry of Internal Affairs and Communications will establish a dedicated channel to provide consultation and implementation guidance, reducing obstacles to policy implementation.
For equipment that has already been procured but has not been certified, local governments will need to replace it when updating equipment or undergoing recertification, gradually achieving full compliance.
As early as 2018, Japan had required central government agencies to procure equipment that meets cybersecurity standards. However, local governments had not been included in the regulations for a long time, making this new system a step towards filling the institutional gap.
In recent years, cyber attacks targeting local governments have increased significantly, leading not only to the leakage of personal data but also causing interruptions in government website services, highlighting the urgent need to enhance cybersecurity protection.
From a policy perspective, Japan's new rule aims to strengthen grassroots cybersecurity protection and reduce the risk of data leakage through administrative adjustments. It is also part of the “de-risking” of the supply chain and is sure to touch a sensitive nerve in technological exchanges between China and Japan. The “de-Chinization of information equipment” also demonstrates the blurry line between technology and national security; information equipment is no longer just a technical choice but also a part of national security and strategic positioning.
(Reference: Nikkei Asian Review)
