Japan is set to mandate that all local governments procure only certified IT products and cloud services, a significant policy shift expected to begin operations by the summer of 2027.
This new regulation requires that devices and services purchased by approximately 1,700 municipalities be listed under either JC-STAR, Japan's IoT security label, or ISMAP, its security program for government cloud services. It's a strategic move that extends a 2018 central government policy—which effectively excluded high-risk Chinese OEMs like Huawei and ZTE—to the local level. Instead of naming specific countries, the policy uses domestic certification as a gatekeeper, minimizing diplomatic friction while hardening the nation's technology supply chain.
Several factors have paved the way for this decision. First, there's a pressing need for enhanced cybersecurity. Japanese police reported a significant number of ransomware cases in 2025, and local governments have been vulnerable targets, suffering from outages and data leaks. This rule directly addresses the weakest links in the system: endpoints, network gear, and software services. Second, the policy builds on years of preparation. The central government's 2018 precedent established the playbook, and the standardization of municipal IT systems by 2025 made a uniform procurement filter enforceable. Third, the necessary infrastructure is now mature. The JC-STAR program was formally launched in 2025 and has gained international recognition, while the list of ISMAP-certified vendors has steadily grown, ensuring that municipalities have a viable pool of secure options to choose from.
The market implications are quite clear. The primary beneficiaries will be vendors already on the ISMAP list, which includes global giants like AWS, Microsoft, and Google, as well as security specialists like Cloudflare and Zscaler. Domestic integrators will also see increased opportunities. Conversely, China-headquartered hardware and software companies that lack a clear path to certification will face significant hurdles. Without being listed, their products will be effectively excluded from public sector tenders, reshaping market share in favor of certified, predominantly Western and Japanese, providers.
- ISMAP (Information system Security Management and Assessment Program): A Japanese government program that assesses and registers cloud service providers that meet its security requirements, making them eligible for government procurement.
- JC-STAR (Japan Cybersecurity-Conformity assessment Scheme for IoT producs And seRvices): A certification system in Japan to ensure the security of IoT devices and services.
- OEM (Original Equipment Manufacturer): A company that produces parts and equipment that may be marketed by another manufacturer.