Local Governments to Be Required to Formulate, Publicize Basic Policies on Cybersecurity

Yomiuri Shimbun file photo
The Internal Affairs and Communications Ministry in Chiyoda Ward, Tokyo

The Internal Affairs and Communications Ministry intends to require local governments to formulate and publicize a basic policy on cybersecurity, in a bid to strengthen their systems to deal with cyber-attacks.

This plan will be included in a draft of the revised Local Autonomy Law to be approved by the Cabinet in the near future, and to be submitted to the current Diet session for approval.

April 1, 2026, will be stipulated in the draft as the deadline to formulate a basic policy. The ministry plans to require local governments to implement measures based on their respective policies.

It is also planned that local governments’ basic policies will clearly state their organizational structure, compliance by staff, countermeasures against computer viruses and other malware, and measures to deal with cyber-attacks based on guidelines formulated by the ministry.

Municipalities that have already formulated such a basic policy are also encouraged to review it.

The current law leaves the formulation of basic policies to each local government’s discretion, and does not require that they publicize them. According to the ministry, almost all local governments are believed to have formulated a basic policy.

However, as some local governments do not disclose the details, the ministry cannot ascertain the specifics of each policy.

“Countermeasures against cyber-attacks might not be sufficient among small municipalities that lack tech specialists,” a senior ministry official said.

In recent years, cyber-attacks have become more complex and sophisticated. Networks of local governments, the central government and private companies are also rapidly becoming interconnected, increasing the risk that a single municipality’s inadequate measures could cause widespread system failures.

The government intends to improve the transparency of local governments’ cybersecurity measures by clearly positioning basic policies in the law. It also aims, by reviewing those policies, to ensure that the measures taken by local governments reach a certain a level.