Japan tightens data-privacy rules and expands cross-border enforcement, raising compliance risks

Although domestic enforcement volumes in Japan remain modest in some areas compared with overseas authorities, actions by foreign regulators against Japanese companies, together with ongoing domestic legislative and regulatory trends, continued to elevate enforcement risk for in-house counsel and sharpen compliance awareness across Japanese companies. 

Amendments to the Whistleblower Protection Act strengthened protections and raised expectations for effective internal reporting and response. Japan’s Ministry of Economy, Trade and Industry (METI) reinforced export and import controls-related regulations and signaled stricter enforcement, further tightening export-control compliance requirements. Cybersecurity rose to the top of the agenda as cyberattacks caused market-moving disruptions, and the Active Cyber Defense law was enacted, highlighting the need for enhanced risk management and collaboration between business and government.

Across all of these areas, governance that spans corporate groups, jurisdictions, and supply chains remains a central challenge, reinforcing the need for robust, internationally oriented compliance programs.

Escalating enforcement risks and regulatory developments in Japan

Enforcement risk for in-house counsel in Japan increased in 2025, reflecting stronger anti-bribery tools, sustained scrutiny of misconduct, and tighter export controls. Although domestic case counts were not high, tougher penalties, enhanced supervision, and external pressure point to higher risk, particularly for Japanese companies with overseas operations.

Authorities maintained pressure on corporate fraud and misconduct. Whistleblower reports, internal or third-party audits, and investigations by authorities continued to trigger inspections, corrective reporting, and governance remediation. Recent matters have spanned multiple industries, involving data falsification in testing and certification processes and irregularities in inspection and shipment approvals, which triggered inspections and remedial measures.

The Act on the Protection of Personal Information (APPI) led to the tightening of oversight of personal information. There have been instances among Japanese insurers that have highlighted concerns about data governance weaknesses.  These developments reflect rising expectations around data governance, access controls (especially for secondees and affiliates), remediation plans, and managerial accountability.

There was continued regulatory tightening in export controls. Japan has repeatedly amended the scope of list-controlled items, including multiple additions related to semiconductor items, as well as the inclusion of end-user and end-use controls. In January 2025, the Trade Control Department of Japan’s Ministry of Economy, Trade and Industry (METI) amended its end-user list, a reference tool to enhance the effectiveness of Japan’s catch-all controls, to add 42 foreign companies linked to WMD/missile concerns and other entities.

In April 2025, METI amended regulations related to the Foreign Exchange and Foreign Trade Act (FEFTA) to strengthen catch-all export controls, including the reclassification of controlled items, the introduction of “know” and “informed” conditions, and the segmentation of catch-all items. Further, authorities showed a readiness to act through impactful administrative measures. For example, in May 2025, METI announced administrative sanctions against both the company itself and its representative director, for violations of FEFTA. On the other hand, recent judicial rulings, such as in an alleged illegal export of products of a Japanese company, have spotlighted investigative overreach in export control enforcement. In response, judicial scrutiny is pushing regulators toward clearer, internationally aligned definitions to curb discretion, reduce ambiguity, and restore confidence in the export control regime.

Recent legal developments: whistleblowing and cyber defense reforms 

New whistleblowing law

The Whistleblower Protection Act, passed on June 11, 2025 (effective within 18 months), newly criminalizes dismissals and disciplinary measures taken because of whistleblowing, and extends protection to freelancers. An individual in breach can receive up to six months’ detention or a fine; corporations may receive a fine of up to JPY 30 million under dual liability. The amendments shift the burden of proof in civil cases for one year after a report, requiring employers to prove that certain adverse action was not retaliatory, while clarifying prohibitions on obstructing whistleblowing and attempting to identify whistleblowers.

Enforcement tools have been strengthened, including orders from authorities and penalties for failing to designate responsible personnel, new on-site inspection powers with penalties for non-cooperation, and a duty to inform workers about internal reporting systems.  These changes directly increase both corporate and personal criminal risk for decision-makers, prompting companies to revamp internal reporting systems, prohibit “whistleblower searches,” and adopt well-documented, independent investigation procedures.

New cyber defense laws

The Act on preventing damage caused by unauthorized acts against critical computer systems and the Act on establishing relevant laws in conjunction with the enforcement of the Act on preventing damage caused by unauthorized acts against critical computer systems, the so-called Active Cyber Defense laws, were passed on May 23, 2025 (effective within 18 months). A new National Cyber Coordinator’s Office will set policies for proactive defense, information use and sharing, potential neutralization actions, and stronger public–private coordination.

While the direct statutory impact of the Active Cyber Defense laws is presently limited to certain entities such as essential infrastructure operators and their related suppliers, telecom carriers, and certain IT vendors, they signal higher expectations for board-level cyber oversight, readiness to share incident information, and resilience in critical infrastructure and regulated sectors, creating additional avenues for regulatory scrutiny of governance failures.

Internal investigations in Japan

Whistleblowing

A June 2023 survey by Japan’s Consumer Affairs Agency indicated that internal whistleblowing is the most common trigger for detecting corporate misconduct at companies with whistleblowing systems, underscoring whistleblowing’s centrality as an investigative intake and escalation tool.  Against this backdrop, and with the June 2025 amendments to the Public Interest Whistleblower Protection Act scheduled to take effect from 2026, protection of whistleblowers has become both a legal and reputational priority.  Companies should ensure well-designed, trusted internal reporting channels and must avoid any steps that could identify reporters or be perceived as retaliatory.  More broadly, handling and communication protocols with reporters should be calibrated with heightened care to avoid any suggestion of adverse treatment connected to the report.

Digital forensics and AI

Interest in digital forensics and the use of AI in investigations continues to grow.  In March 2025, a widely covered harassment investigation at a television network highlighted the forensic recovery of emails and SMS messages, drawing attention to the evidentiary value of disciplined forensic methods.  It is increasingly recognized that AI-enabled forensic analytics and continuous monitoring can be particularly effective in identifying anomalies within large operational datasets. When designing an internal investigation, companies should consider integrating these tools to ensure efficient, targeted, and defensible fact-finding.  Depending on the matter, inspections may reasonably extend beyond PCs and email to include mobile devices; however, such measures require careful planning to address Japanese labor law and individual privacy rights, among other constraints.

Cross-border dimensions are increasingly unavoidable, given the rising importance of supply chain oversight, third-party due diligence, and group-level subsidiary management.  In January 2025, METI issued guidance on the cross-border and international flow of industrial data, which provides helpful considerations for general information governance that can also inform data handling during cross-border investigations.  This must also of course take into account applicable litigation and evidence rules in relevant jurisdictions.  Japan does not have U.S.-style broad discovery in its domestic litigation system.  However, litigation outside Japan and arbitrations can impose expansive discovery obligations on parties, warranting careful consideration of data collection and cross-border transfers in internal investigations.

Privilege

Privilege remains a continuing pressure point. Because the Japanese legal system lacks a general attorney–client privilege, document management from a privilege perspective can be a challenging task for a legal team. Counsel should structure internal investigations with privilege strategies that account for the differing regimes in other jurisdictions, including protocols for lawyer involvement, board and management reporting, document handling, group-company information sharing, and interactions with external auditors or other third parties.

Conversely, when Japanese authorities investigate data located in Japan, the limited scope for asserting privilege may materially constrain the ability to withhold information.  There is a recognized risk that disclosures made to Japanese authorities could be deemed a waiver of privilege in foreign proceedings, potentially forfeiting protections that would otherwise apply abroad.  This concern materialized during the global cartel investigations involving Japanese companies in the 2010s, and led to the introduction in 2019 of limited protections in certain Japan Fair Trade Commission administrative procedures.  However, as of 2025, there has been no concrete legislative movement to generalize privilege protections.  Companies should therefore exercise careful control over the location of sensitive materials and the pathways through which investigative data move into and out of Japan.

Targeted sectors for enforcement

There were enforcement activities and incidents involving financial services and the insurance sector in 2025. In addition to the case of Japanese insurers, in March, the Financial Services Agency (FSA) issued a business improvement order to a Japanese bank for deficiencies in anti-money laundering controls. These matters kept regulatory attention squarely on governance, data controls, and compliance in financial and insurance institutions.

Strengthening cyber defense has also moved to the forefront of policy.  The Takaichi administration, launched in October 2025, has emphasized cyber-risk mitigation as a core priority, with the Active Cyber Defense laws slated for implementation.  Since September 2025, significant cyber incidents have affected major B2C businesses, highlighting cascading impacts across entire supply chains.  This has accelerated momentum for public–private coordination and reinforced expectations around defense-in-depth across critical infrastructure and regulated sectors.  These dynamics, coupled with the coming into force of the Active Cyber Defense framework, suggest continued close regulatory attention through 2026.

Cross-border coordinated investigation or enforcement activity

While public disclosure of specific cross‑border investigations remains limited in Japan, authorities continue to emphasize the importance of multilateral information exchange, joint operational frameworks, and sustained engagement with foreign counterparts as core pillars of Japan’s enforcement posture.

A report published by the National Police Agency (NPA)’s Cyber Police Bureau in September 2025 shows the direction of travel. The NPA highlighted that international collaboration is critical to responding effectively to cyber incidents and reported active efforts to establish and deepen cooperative relationships across multiple jurisdictions. As a rare example of a publicly reported matter, the NPA reported its participation in a joint investigation targeting the ransomware group known as “Phobos/8Base,” conducted in coordination with Europol and the FBI.

In addition, the NPA disclosed that it undertook an international joint investigation with the Central Bureau of Investigation of the Republic of India concerning “support‑scam” schemes.

Taken together, these disclosures illustrate Japan’s continued pivot toward coordinated, cross‑border enforcement, particularly in the cyber domain, through proactive intelligence sharing, operational assistance, and partner‑led takedowns.

Predictions for 2026

  • Revisions to the APPI to strengthen individual rights, enhance monitoring and enforcement, and support responsible data use are under active consideration as part of the statute’s three-year review cycle following the April 2022 amendments. Discussions span governance expectations for vendors and other processors handling personal data on behalf of controllers, responses to egregious cases, refinements to the scope of permitted processing without consent or notice, and more practical standards for incident response where risks to data subjects are minimal.  These developments will have day-to-day operational implications and will also affect investigative data handling, requiring closer coordination between legal, privacy, IT, and internal audit functions.
  • In parallel, organizations must prepare for the implementation of the June 2025 amendments to the Public Interest Whistleblower Protection Act and for the roll-out of the Active Cyber Defense laws in 2026.  Both regimes are expected to remain under active policy development thereafter, necessitating ongoing monitoring and timely program adjustments.

Beyond 2026

  • Anti-bribery: Japan’s anti-bribery regime under the Unfair Competition Prevention Act was strengthened in 2024 through increased penalties, a seven-year limitation period, and expanded extraterritorial reach to cover offenses committed abroad by non-Japanese employees of Japanese companies. As of October 2025, METI indicated there were no reported enforcement cases under the amended provisions. With Japan’s OECD Phase 5 evaluation scheduled for 2028 and METI monitoring enforcement developments, a policy pivot toward more proactive enforcement in Japan could happen at any time.  Japanese companies should therefore continue to treat anti-bribery as a priority compliance risk, calibrating programs to international standards and preparing for potential increases in multi-jurisdictional scrutiny.
  • Handling information and data: Ongoing refinements to both the whistleblower protection regime and the Active Cyber Defense framework, together with continued debates over Japan’s APPI, illustrate that determining how to handle information and data while safeguarding human rights and a healthy business environment will remain a central issue for both the Japanese government and companies. Organizations should plan for continued evolution in supervisory expectations, procedural requirements, and the interplay between administrative guidance and enforcement practice.
  • Across all these areas, governance spanning corporate groups, jurisdictions, and supply chains will remain challenging.  It is increasingly important for companies to strike the right balance among various factors, including legal risks in relevant jurisdictions, market expectations, and operational efficiency when making decisions.

This article is part of the A&O Shearman Cross-border white-collar crime and investigations review 2026.
