Japan’s Digital Agency held the first meeting of the Digital Cybersecurity Working Group, with the participation of relevant government bodies and expert members, to discuss Japan’s future vision in the fields of cybersecurity, digital transformation, and artificial intelligence, and to outline policy directions through 2030 and 2040.

The discussions focused on how to build a secure and advanced digital society in which no one is left behind, and on the role of artificial intelligence and robotics in that future. Participants emphasized the need to define what kind of security would be required in an era where intelligent technologies become an essential part of everyday life and society. They also stressed the importance of having a clear roadmap, a public timeline, and regular progress reviews in order to strengthen public trust and demonstrate the effectiveness of policies rather than merely drafting them in theory.

In terms of international competitiveness, participants noted that Japan could leverage its experience in dealing with an aging population and natural disasters to develop digital and security solutions that can be expanded both within Japan and abroad, particularly in ASEAN and other regions. They also emphasized the need to continuously update AI policies based on international comparisons, identify what Japan has already achieved and what remains insufficient in the short term, and adopt a flexible approach that allows rapid adjustment and investment according to changing conditions. Some members pointed out that digital cybersecurity initiatives not only strengthen protection, but also enhance corporate value and competitiveness when such efforts are made visible to markets and investors.

Regarding cloud infrastructure and data, a vision was presented that by 2030 digital transformation should become routine, security should be assured, and AI should be regarded as a fundamental requirement in the digital environment. By 2040, a collaborative environment should be established both within and outside Japan, including universities, based on a modern and unified cloud infrastructure. This infrastructure should also be applied in sectors such as healthcare to support scientific research and drug discovery. The discussions also called for the development of highly secure cloud infrastructure that takes the era of quantum computing into account, as well as an integrated design for communications and security that ensures operational continuity even during disasters.

Participants stressed that the goal for 2030 should not stop at “concept and experimentation,” but should reach the stage where AI and data are fully embedded in practical field use, including healthcare and the public sector. By 2040, AI should become a core social infrastructure across sectors, built on data and trust, rather than leaving digital transformation confined within each sector separately. They also emphasized that building data infrastructure alone is not enough; practical incentives must be created to encourage data provision through real use cases. A balance must therefore be built between infrastructure and actual applications, particularly in healthcare digital transformation and the public sector. Governance, security, and data regulation, they said, must advance together in order to enable effective and advanced use of artificial intelligence.

The discussions also highlighted the importance of dealing with the meaning within data, not merely storing it, especially in unstructured data such as text and images. Participants argued that future data infrastructure should include a semantic layer capable of handling meaning. They also emphasized the need to build industrial data spaces that allow trusted data sharing among companies, sectors, and countries, because the high-quality data accumulated in Japan’s manufacturing and service industries represents a strategic resource for future AI development. In this context, participants stressed the need to demonstrate the practical benefits of data linkage through real examples that encourage companies, especially small and medium-sized enterprises, to participate, while also developing trust services and practical guidelines for the private sector and strengthening compatibility with external data spaces, especially in Europe.

Other remarks focused on the fact that one of the barriers to AI adoption in companies is the immaturity of the infrastructure supporting it. Japan, therefore, needs to develop data-ready AI infrastructure that domestic companies can use openly, together with an enabling layer that helps transform AI into a tool for business growth. Members also pointed out the need for clear guidelines to help institutions understand the acceptable boundaries of AI use, as such clarity is essential for widespread adoption. Some participants further noted that digital transformation in Japan should not be limited to improving current operations, but should involve a broader redesign of workflows themselves when introducing AI and physical robotics.

In the area of cybersecurity, participants presented a vision in which 2030 should mark a transition from fragmented and individual responses to shared responses and system-wide improvement, while by 2040 the environment for collective work and integrated response should be firmly established. They called for guidelines to define the minimum measures companies should take, and for a public-private partnership framework that clearly and practically explains “what should be done,” along with a published timeline and semiannual public reporting on progress in order to build trust.

Participants also stressed that relying on human resources alone is no longer sufficient in the face of AI-specific vulnerabilities and advanced attacks that use artificial intelligence. Therefore, “AI against AI” has become a necessity in cybersecurity measures. They argued that the government should show institutions what level they are expected to reach, but without turning certification systems into rigid checklists that hinder customization and flexibility. In light of the rise in ransomware attacks, participants emphasized the need to define a clear minimum standard of protection that companies must at least implement, while encouraging cooperation between startups and large firms, as well as between the public and private sectors, and exploring the ideal form of security in an increasingly connected society by 2040.

The discussions also addressed the issue of excessive dependence on foreign products and platforms in cybersecurity. Participants argued that the lack of self-sufficiency in this field creates a vicious cycle: reliance on foreign products may lead to data leakage, the lack of real domestic data prevents the development of local technologies, and products analyzing Japanese data are then developed abroad, which further deepens dependence on external providers. For this reason, they proposed that Japan should set a clear goal of increasing its rate of self-sufficiency in cybersecurity, while aligning with like-minded countries and excluding entities or technologies that raise concerns from government procurement and support programs. They also discussed that relying only on the most well-known technologies from friendly countries is not sufficient, since such technologies are often extensively studied by attackers. Therefore, domestic technology can serve effectively as a second line of defense.

Another important point raised was the need to define what must be protected, from which threats, and at what level of protection from the stages of planning, design, and operation, instead of relying only on responses after services are launched. Participants therefore stressed the need to incorporate evaluation based on international standards such as ISO/IEC 15408 at an early stage in the development of systems and services. They also highlighted cybersecurity across the entire supply chain as a major challenge, and proposed creating a system to verify the readiness of partners, especially small and medium-sized enterprises, through security assessments and simplified inspections. In light of recent cyber incidents, they further noted the importance of reviewing business continuity plans, including backups through third parties, across critical sectors on which daily life depends. They also emphasized simplifying requirements and administrative procedures so that SMEs are not left behind as cybersecurity obligations become stricter.

In another part of the discussion, members addressed sector-specific issues involving the public sector, medical digital transformation, autonomous driving, and other quasi-public fields. It was suggested that universities could serve as sites for the development and testing of medical digital transformation alongside government digital transformation, and that future healthcare would require secure medical data infrastructure based on electronic health records and AI, which in turn would require rebuilding this infrastructure on secure and modern cloud foundations. Participants also called on the government to draw on international examples in order to develop a single-window, whole-of-government model, while expanding use cases that deliver direct value to citizens, such as simplifying death-related procedures, address changes, or automatic linkage between multiple services. The central point was that the real government challenge is to improve residents’ convenience, ensure the safe and reliable operation of the My Number card, and increase the added value of public services.

With respect to autonomous driving, participants stated that meaningful social implementation of this technology requires accompanying regulatory reform that provides predictability and clarity, as well as mechanisms to verify the effects of policies and revise or withdraw them flexibly if necessary. Questions were also raised as to whether current experiments are truly leading to broad social adoption, especially amid global advances in frontier AI, while more realistic possibilities such as shared public transport and the deployment of certain levels of automated driving systems were noted. The discussion also touched on Japan’s delay in utilizing large-scale medical and health data due to fragmented records, privacy concerns, and public understanding. Nevertheless, participants stressed the need to accelerate the use of such data in order to reduce social costs and improve efficiency.