Guidelines on the Roles Expected of Cyber Infrastructure Providers (Japanese and English Versions)

March 31, 2026

Joint News Release with National Cybersecurity Office

The Ministry of Economy, Trade and Industry (METI) and the National Cybersecurity Office (NCO) have formulated the Japanese and English versions of the Guidelines on the Roles Expected of Cyber Infrastructure Providers. These guidelines categorize and describe the roles and responsibilities expected of cyber infrastructure providers that develop, supply, and operate software, and present a framework for reference to help such providers and their customers ensure the effectiveness of cybersecurity measures. METI and NCO have also prepared reference documents and annexes, including evaluation checklists, to promote the wider use of the guidelines. Through the use of these guidelines and the evaluation checklists, cyber infrastructure providers and their customers are expected to fulfill their responsibilities while recognizing their mutual roles in ensuring cybersecurity, thereby helping improve cybersecurity resilience across the entire software supply chain.

1. Background

Software has become the cornerstone of social activities in modern society, and its importance is consistently growing. As cyberattacks exploiting software vulnerabilities could potentially cause significant damage to social infrastructure, businesses involved in software development, supply, and operation are expected to take greater responsibility for implementing cybersecurity measures across software supply chains.

Customers using software, including government agencies and critical infrastructure operators, can manage cybersecurity risks by selecting appropriate cyber infrastructure providers as their software suppliers.

Internationally, concepts such as secure by design (ensuring software is secure during the design stage) and secure by default (enabling customers to use software securely immediately after purchase without incurring additional costs or effort) are gaining broad endorsement, resulting in the wide international dissemination of these approaches.

Against this backdrop, METI and NCO jointly established a working group comprised of experts from industry and academia in September 2024. This group has been discussing the responsibilities required of businesses engaged in the development, supply, and operation of software, with the aim of protecting customers who use it.

In Japan, the Basic Act on Cybersecurity prescribes that cyberspace-related and other business entities are to actively endeavor to independently ensure cybersecurity in the course of their business activities (Article 7.1: Responsibility of Cyberspace-Related Business Entities and Other Business Entities). In July 2025, the Act was revised to include a new provision that information system providers are obliged to make reasonable efforts to provide necessary support for users’ endeavors to ensure cybersecurity (Article 7.2).

In October 2025, the Guidelines on the Roles Expected of Cyber Infrastructure Providers (draft) were compiled as the domestic guidelines pursuant to Article 7, Paragraphs 1 and 2 of the Basic Act on Cybersecurity. These guidelines define business entities that develop, supply, and operate software* (suppliers of information systems) as “cyber infrastructure providers,” and describe their specific roles and responsibilities.

*In addition to software provided to customers as a product, this also includes software services such as cloud services, embedded software and firmware provided as part of hardware products such as IT/OT/IoT devices, and software provided as components of systems and services.

Following the compilation of the draft guidelines, METI and NCO made necessary corrections and formulated them based on the feedback received during the public comment period between Thursday, October 30 and Tuesday, December 30, 2025. Reference documents and annexes, including evaluation checklists, were also created to promote the wider use of the guidelines.

2. Overview of the Guidelines on the Roles Expected of Cyber Infrastructure Providers

These guidelines outline the responsibilities expected of cyber infrastructure providers and customers to improve cybersecurity resilience across software supply chains, as well as requirements (specific measures) for fulfilling these responsibilities, arranged into six categories.

Cyber infrastructure providers can make use of the guidelines as a tool to enhance the preparedness level of their cybersecurity measures for software supply chains by analyzing the adequacy of their own organizations’ efforts and those of businesses related to software supply chains against the requirements set out in the guidelines, using them as checklist items.

Meanwhile, customers can effectively manage their cybersecurity risks by using the guidelines’ requirements as checklists in assessing the efforts of prospective cyber infrastructure providers and in selecting appropriate software suppliers.
