This article was written as of February 2024.

The Economic Security Promotion Act, enacted in May 2022, has four pillars. Two of the pillars, (i) the strengthening of the supply chains of important items and raw materials, and (ii) the implementing of systems to develop and support key technologies by public and private sectors, have already been implemented, but the remaining two pillars will be implemented in May 2024.

As an update to our previous newsletter, this provides an overview of one of the two remaining pillars, namely, ensuring the stable provision of essential infrastructure services, as well as an overview of the security clearance mechanism that is expected to be introduced by enacting new legislation that will be introduced during the ordinary session of the Diet in 2024, and by amending the implementation guidelines for the existing information security legislation, namely, the Act on the Protection of Specially Designated Secrets.

1. Ensuring Stable Provision of Essential Infrastructure Services

1.1. Overview

In order to mitigate the risk that an infrastructure provider cannot stably provide its essential services due to cyber-attacks directed against their critical facilities by foreign governments, screening for the installation and entrustment of maintenance, management, or operation of the critical facilities supporting essential domestic infrastructure will be implemented in May, 2024.

1.2. Scope of Screening

Among the operators conducting essential infrastructure businesses, such as electricity, gas, water, telecommunications, financial services, and credit card providers, the Japanese Government has designated 210 operators as specified essential infrastructure providers that must file prior notification of a plan related to the installation or entrustment of the maintenance, management, or operation of said critical facilities.⁴

⁴As of November 16, 2023. For example, for the specified essential infrastructure providers in the financial services sector, see https://www.fsa.go.jp/news/r5/economicsecurity/tokuteishakaikiban.pdf (Japanese only).

The critical facilities subject to the screening when installing or entrusting maintenance, management, and operation are mainly the information processing systems used in the provision of essential infrastructure. During the screening process, suppliers of the critical facilities as final products are required to provide the information mentioned in 1.3 below to the Government, and suppliers of the facilities, equipment, devices, or programs that comprise certain parts of such critical facilities, such as operating systems, middleware, business applications, and servers of the information processing systems, are also required to provide the specified information to the government. In addition, entrusted parties as well as re-entrusted parties of the maintenance, management and operation of the critical facilities are required to provide the specified information to the Government. Thus, it should be noted that suppliers of facilities, equipment, devices, or programs that comprise certain parts of the critical facilities and the re-entrusted parties are also affected by the screening.

1.3. Information that needs to be provided to the Government

The suppliers, entrusted parties, and re-entrusted parities aforementioned in 1.2 above are required to report to the Government the name, date of birth, and nationality of each of its directors. In addition, if their sales to a foreign government, foreign government agency, foreign local government, foreign central bank, or foreign political organization account for 25% or more of their total sales, it is necessary to report the names of the applicable foreign bodies and the ratio that such sales account for out of their total sales.

The suppliers are required to report to the Government the location of the factory or workplace where the suppliers manufacture the critical facilities or the facilities, equipment, devices, or programs that comprise certain parts of the critical facilities.

2. Security Clearance

2.1. Overview

The Japanese Government plans to submit a bill to introduce in the ordinary session of the Diet in 2024 a security clearance mechanism which allows an individual to qualify for access to specified confidential information with economic security implications. The Government intends to implement the new law seamlessly together with the existing information security law.

A security clearance is a system in which, as part of national information security measures, the Government examines an individual who needs to access national security information held by the Government that is specified as Classified Information (hereinafter referred to as "CI"), confirms the credibility of such individual, and grants such individual a security clearance which makes such individual eligible to access CI.

In order to access CI, not only is a security clearance for individuals who need to access CI (hereinafter referred to as “personnel security clearance”) needed, but also required is a security clearance for membership in and access to the premises and facilities of the entity to which such individuals belong (hereinafter referred to as “facility security clearance”).

2.2. Purpose of Introduction of Security Clearance System

One of the purposes of the introduction of the security clearance system is to enable Japanese companies and their employees to obtain security clearances and share CI within international joint development programs and with the government procurement agencies of allied countries. In order to achieve this, the Japanese government aims to establish a system that can be trusted by partner countries, including the United States and the United Kingdom; that is, a system substantially equivalent to the security clearance systems of the partner countries.

2.3. Direction of Discussions on a Security Clearance System in Japan

Although the bill has not been made public, the panel of experts considering the security clearance system in Japan discussed the following options:

(a) Personnel Security Clearance
In principle, an individual who is granted personnel security clearance must be a Japanese national.

(b) Facility Security Clearance
A Japanese subsidiary of a foreign company will be eligible for security clearance if it is registered as a Japanese corporation.

From the perspective of FOCI (Foreign ownership, control, or influence), the panel discussed whether directors of clearance-seeking entities, including the chairperson of the Board and the CEO, should be required to obtain personnel security clearance as a requirement for obtaining facility security clearance, even if they do not access CI themselves. If a director or other officer subject to personnel security clearance requirements does not have Japanese nationality, such person may not be able to obtain personnel security clearance.