Japan Eases Criteria for Govt Cloud Management Firms; Market Currently Dominated by U.S. Giants

The Yomiuri Shimbun

6:00 JST, September 15, 2023

The Digital Agency announced new selection criteria for providers of government-level cloud platform services that handle personal information and other data held by local authorities.

Presently, government cloud hosting is dominated by major U.S. IT companies that could meet the previous stringent criteria on its own. The new criteria are aimed at encouraging Japanese companies to participate in the selection process in hopes that domestic providers can provide similar services to the U.S firms.

The agency on Tuesday opened its fiscal 2023 application process with a deadline of mid-October, and will screen candidates’ proposals under the new criteria. Providers will be selected in late October, at the earliest.

The government cloud hosts play a fundamental role in Japan’s economic security and are responsible for managing central and local government data. The government cloud stores such personal information as people’s full names, My Number card details, family registers, national pension records and tax payments. The system is being adopted by the public sector with the aim of increasing administrative efficiency. Data currently managed by municipalities across the nation are planned to be transferred to the government cloud by fiscal 2025, in principle.

Government cloud service providers must meet stringent security and data-storage requirements, set out in about 300 criteria. Previously, each individual firms had to satisfy all of the criteria on its own. As a result, only major U.S. firms with a global presence could meet such requirements.

In fiscal 2022, all four companies selected to manage Japan’s government cloud were U.S. firms: Amazon.com Inc., Microsoft Corp., Google LLC and Oracle Corp.

Not a single Japanese entity even submitted a bid.

Some domestic companies have called for a review of the government’s exacting requirements and allowing them to use other companies’ services to meet the requirements, or to have several companies provide the services together.

The new criteria allow selected companies to incorporate services provided by other firms as long as the selected companies can independently provide core functions, such as data management and authentication services. As such, it will be permissible to farm out data analysis and other functions to other entities.

The revised criteria would increase the chances of Japanese companies being selected as government cloud management providers.

In regard to the new criteria, the digital agency said it has continued asking providers to meet the highest safety standards, and the revision was not meant to ease safety requirements.

“We are not limiting the target to domestic companies, but we do want Japanese companies to advance in cloud services,” digital minister Taro Kono told reporters Tuesday after a Cabinet meeting.

Sakura Internet Inc. and Internet Initiative Japan Inc. are among the domestic companies seeking applications.

Nevertheless, even if domestic firms do gain a foothold in the market, the four U.S. giants will remain players in Japan’s cloud-management realm.

Municipalities would be able to select their provider of choice. It remains unclear whether local governments would widely call on Japanese companies to manage their cloud-based information.

Government cloud data must be stored in Japan in encrypted form, with administrative agencies managing the decryption keys.