What Are Japan's AI Guidelines?
Japan publishes its primary AI rulebook as voluntary guidance, not statute. The AI Guidelines for Business (version 1.0) were finalised on April 19, 2024, by Japan's Ministry of Economy, Trade and Industry (METI) and Ministry of Internal Affairs and Communications (MIC), consolidating three earlier instruments: the 2019 Social Principles of Human-Centric AI from the Cabinet Office, the 2021 METI Governance Guidelines for the Implementation of AI Principles, and the 2019 MIC AI R&D Guidelines and AI Utilisation Guidelines. A revised version 1.1 was issued in March 2025 with limited substantive updates, and METI continues to maintain the document through periodic addenda.
Japan's approach contrasts sharply with the European Union. Where the EU AI Act sets mandatory obligations enforced by national supervisory authorities with administrative fines, Japan has chosen a soft-law posture: the Guidelines themselves are voluntary, and corporate accountability flows through existing statutes (the Act on the Protection of Personal Information, the Antimonopoly Act, the Consumer Contract Act, the Copyright Act, and Civil Code tort liability) rather than through a dedicated AI regulator.
Two further instruments complete Japan's AI policy architecture. The Hiroshima AI Process International Code of Conduct for Organizations Developing Advanced AI Systems, finalised on October 30, 2023, under Japan's 2023 G7 Presidency, sets a voluntary code that participating organisations sign on to. The proposed Japanese AI Promotion Act (commonly translated as the "AI Bill" or the "Bill on the Promotion of Research and Development and Utilisation of AI-Related Technologies") was submitted to the Diet in the 2024 legislative session, advanced in 2025, and remains under deliberation as of mid-2026; its current draft focuses on government coordination, research and development promotion, and information sharing rather than on prescriptive corporate duties.
Areebi is purpose-built for the operating model Japan's Guidelines describe: policy enforcement, content guardrails, audit trails, and continuous monitoring that map directly to the Developer, Provider, and Business User obligations the Guidelines articulate, with cross-mapping to the Hiroshima Process Code of Conduct for organisations that have signed the international commitment.
Japan AI Instruments in Scope
Japan's AI policy landscape consists of one consolidated voluntary guideline, one international voluntary code, one proposed statute, and a series of adjacent laws that supply real enforcement teeth.
AI Guidelines for Business (METI/MIC, April 2024)
The AI Guidelines for Business were finalised on April 19, 2024, after public consultation on a draft published in October 2023. The document is jointly published by METI and MIC under the auspices of the AI Strategy Council and the Cabinet Office, and it consolidates the prior generation of Japanese AI policy instruments into a single reference text.
The Guidelines are structured around ten common guiding principles that apply to every actor in the AI value chain: (1) human-centricity, (2) safety, (3) fairness, (4) privacy protection, (5) ensuring security, (6) transparency, (7) accountability, (8) education and literacy, (9) ensuring fair competition, and (10) innovation. Each principle is restated for the three actor tiers - Developers, Providers, and Business Users - with tier-specific recommended practices.
The Guidelines also describe a model of "agile governance": a continuous cycle of environmental scanning, risk assessment, system design, operation, and evaluation that organisations adjust as AI use evolves. Annexes provide practical worksheets, sample documentation, and reference checklists.
The document is intentionally non-binding. METI's public guidance emphasises that organisations should adopt the Guidelines as a benchmark for self-assessment and supplier expectations rather than treat them as a compliance checklist. Public statements from METI throughout 2024 and 2025 have signalled that future regulatory measures will, where introduced, build on the same conceptual model.
Status: Version 1.0 issued April 19, 2024; version 1.1 issued March 2025. Voluntary. No direct penalty.
Hiroshima AI Process and the G7 Code of Conduct (October 2023)
The Hiroshima AI Process was launched at the G7 Hiroshima Summit on May 19, 2023, under Japan's G7 Presidency. The process produced two parallel instruments on October 30, 2023: the International Guiding Principles for All AI Actors and the International Code of Conduct for Organizations Developing Advanced AI Systems. Both documents were endorsed by G7 leaders on December 6, 2023.
The Code of Conduct establishes eleven actions that signatory organisations commit to follow when developing advanced AI systems, including foundation models and generative AI. The actions cover risk identification and mitigation, post-deployment monitoring, transparency reporting, investment in security controls, watermarking and content authentication, prioritisation of research on safety and societal risks, prioritisation of research on global challenges, development of international technical standards, implementation of data input controls, advancement of AI literacy, and prioritisation of AI for global challenges.
The Code of Conduct is voluntary; organisations sign on individually. As of mid-2026 the public signatory list maintained by the OECD's AI Policy Observatory and the Government of Japan's Hiroshima AI Process page lists dozens of large model developers and infrastructure providers. The G7 has agreed to monitor implementation through the OECD's AI policy work and through subsequent G7 communiqués.
The Code of Conduct is the most cited expression of Japanese-led AI governance internationally. Where Japan's domestic Guidelines target Japanese business, the Hiroshima Code is positioned as a global voluntary baseline for the largest model developers, and it appears as a reference document in EU AI Act recitals on general-purpose AI obligations.
Status: Endorsed by G7 leaders December 6, 2023. Voluntary. Signatory-based.
Proposed Japanese AI Promotion Act (2024-2025 Diet session)
The proposed Bill on the Promotion of Research and Development and Utilisation of Artificial Intelligence-Related Technologies (the "AI Promotion Act," referred to variously in English commentary as the AI Bill, the AI Basic Act, or the AI Promotion Act) was developed by the Cabinet Office in coordination with METI and MIC during 2024 and submitted into the Diet legislative process during the 2024-2025 session.
The draft, as reported in public commentary by Japanese law firms (Mori Hamada & Matsumoto, Nishimura & Asahi, Nagashima Ohno & Tsunematsu) and tracked by the OECD AI Policy Observatory, focuses on:
- Government coordination: establishing an Artificial Intelligence Strategy Headquarters under the Cabinet Office with cross-ministerial authority.
- Research and development promotion: directing public investment toward AI research and infrastructure.
- Study and reporting obligations: requiring the government to study AI risks, publish recommended practices, and respond to incidents.
- Voluntary cooperation expectations: framing corporate participation as cooperative rather than mandatory, consistent with the soft-law posture of the Guidelines.
The bill does not, in the publicly reported drafts, introduce broad-spectrum corporate penalties of the kind contained in the EU AI Act. It instead anticipates that sectoral penalties, where required, will continue to flow through existing laws or be introduced through targeted sector-specific amendments (financial services, transport, medical devices) in subsequent legislative sessions.
Organisations operating in Japan should track the bill's progress through the National Diet Library's legislative tracker and through the Cabinet Office AI Strategy page. The bill's enactment timeline and final text remain fluid; corporate compliance teams should not assume the soft-law posture will persist indefinitely.
Status: Submitted to the Diet 2024-2025 session. Under deliberation as of mid-2026.
Adjacent Japanese Statutes Supplying Real Enforcement
Because Japan's AI Guidelines and Hiroshima Code carry no direct penalties, the operational compliance question is which Japanese statutes supply enforcement risk for AI-driven conduct:
- Act on the Protection of Personal Information (APPI): Japan's omnibus privacy statute, materially amended in 2020 and 2022, regulates the processing of personal information including AI training data, prompts containing personal data, and inference outputs. The Personal Information Protection Commission (PPC) enforces APPI and has issued targeted guidance on AI throughout 2023-2025.
- Antimonopoly Act: The Japan Fair Trade Commission has repeatedly signalled that AI-driven pricing, market segmentation, and platform behaviour fall within Antimonopoly Act scope. The JFTC's 2024 report on competition in generative AI markets is the operational reference.
- Consumer Contract Act and Act on Specified Commercial Transactions: Misrepresentation of AI capabilities or AI-driven recommendations can trigger consumer-law claims, with the Consumer Affairs Agency as the enforcement authority.
- Copyright Act (revised 2018): Japan's Copyright Act includes a non-enjoyment exception (Article 30-4) that permits text and data mining for AI training under specified conditions. The Agency for Cultural Affairs published a notice in 2024 clarifying scope. Misuse outside the exception can trigger copyright liability.
- Civil Code tort liability (Article 709): General tort liability applies to harm caused by AI-driven decisions, with case law evolving through district court decisions in 2023-2025.
- Telecommunications Business Act and Act on Specified Commercial Transactions: Sector-specific obligations on telecommunications carriers and e-commerce operators using AI systems.
- Financial Instruments and Exchange Act: The Financial Services Agency has issued supervisory guidance on AI use by financial institutions, including model governance, explainability, and incident reporting expectations.
An AI compliance programme that addresses these statutes substantively will satisfy most of what the AI Guidelines for Business ask for, because the Guidelines were designed to ride on top of the existing statutory base rather than to displace it.
Developer, Provider, and Business User Tiers
The defining structural feature of the AI Guidelines for Business is the three-tier actor model. Every common principle is restated for each tier, with tier-specific recommended practices. Understanding the tiers is the first compliance task.
AI Developers (kaihatsusha)
Developers are the organisations that build AI systems, including model training, fine-tuning, and component construction. Recommended practices for Developers include:
- Documentation of training data sources, consent posture, and any known biases.
- Risk assessment of foreseeable use cases and the misuse surface.
- Pre-deployment testing for safety, fairness, and security characteristics.
- Publication of model documentation (the Guidelines reference NIST-style model cards as a relevant practice).
- Coordination with Providers on the limits of intended use.
- Incident reporting channels and post-deployment monitoring infrastructure.
AI Providers (teikyousha)
Providers are organisations that integrate AI systems into products or services made available to Business Users or to end consumers. Recommended practices for Providers include:
- Selection of AI systems whose Developer documentation matches the intended use.
- Operational testing in the deployment context, not only the Developer's test conditions.
- User-facing transparency about AI presence in the product or service.
- Contractual flow-down of safety and security expectations to downstream users.
- Operational monitoring for drift, abuse, or unexpected output patterns.
- Incident response coordination with the Developer and with affected Business Users.
Business Users (riyousha)
Business Users are organisations that use AI systems in their own operations - the largest tier in number. Recommended practices for Business Users include:
- Inventory of AI systems in use, including shadow AI tools adopted without IT approval.
- Use-case-by-use-case risk assessment.
- Internal policy on permitted and prohibited uses.
- Training and AI literacy programmes for affected staff.
- Disclosure to consumers or counterparties where AI materially affects decisions.
- Procurement diligence on the Developer and Provider tiers above them.
Many enterprises operate in more than one tier simultaneously: a financial institution that fine-tunes a foundation model is a Developer of the fine-tuned variant, a Provider of internal AI assistants to its business lines, and a Business User of external chat-based AI through employee browser usage. The Guidelines anticipate this multi-tier reality and ask organisations to map their tier-by-tier footprint explicitly.
Areebi maps these tier obligations directly:
| Tier obligation | Areebi capability |
|---|---|
| AI inventory across owned and shadow systems | AI inventory and discovery with risk classification by tier and use case |
| Use-case risk assessment and policy enforcement | Policy engine with declared-intent gating per workspace and per model |
| Operational monitoring for drift and abuse | Continuous monitoring dashboards aligned to common Guideline principles |
| User-facing AI disclosure | Configurable disclosure surfaces applied at the prompt or output boundary |
| Documented evidence for procurement and audit | Exportable evidence packages aligned to each tier's recommended practices |
Japan's Soft-Law Posture vs the EU AI Act
The clearest way to grasp Japan's AI rulebook is to contrast it with the EU AI Act. The two regimes target the same general subject matter but apply opposing regulatory philosophies.
| Dimension | Japan AI Guidelines | EU AI Act |
|---|---|---|
| Legal status | Voluntary guidance | Binding regulation directly applicable in all 27 EU Member States |
| Actor model | Developer, Provider, Business User | Provider, Deployer, Importer, Distributor, Authorised Representative |
| Risk classification | Continuum (organisations self-assess) | Categorical (prohibited / high-risk / limited-risk / minimal-risk) |
| General-purpose AI | Hiroshima Process Code of Conduct (voluntary) | GPAI obligations binding from August 2025 |
| Enforcement authority | Distributed across existing regulators (PPC, JFTC, FSA, CAA, ACA) | National competent authorities and AI Office at EU level |
| Penalties | None direct; adjacent-law penalties only | Up to EUR 35M or 7% of worldwide annual turnover for prohibited-practice breaches |
| Documentation expectations | Encouraged via Annexes; not formally required | Mandatory technical documentation, post-market monitoring, registration |
| Conformity assessment | None - self-assessment | Required for high-risk systems; sometimes third-party |
| Extraterritorial reach | Domestic Japanese organisations and Japan-affecting operations | Any provider or deployer whose AI output is used in the EU |
For multinational organisations operating in both Japan and the EU, the practical compliance strategy is to build to the higher EU AI Act bar and treat the resulting controls as substantially complete for Japan's Guidelines. Where Japan's Guidelines diverge - notably in the explicit Developer / Provider / Business User tier vocabulary - the EU-built controls need to be tagged into the Japanese tier framework but rarely need to be rebuilt.
For Japan-only or Japan-primary organisations, the Guidelines themselves remain the operational benchmark, with the adjacent statutes (APPI, Antimonopoly Act, Copyright Act, FIEA) supplying the real enforcement teeth that the Guidelines defer to.
Enforcement Realities Under Japan's Soft Law
The most honest characterisation of Japan's AI regime is that the Guidelines have no direct enforcement teeth, but the underlying statutes do. Organisations that treat the Guidelines as a checklist without understanding the adjacent enforcement risk will misjudge their exposure in both directions.
Where penalties actually come from
- APPI breaches: The Personal Information Protection Commission has issued administrative orders and recommendations in cases involving personal information mishandling. APPI breach penalties for organisations include fines up to JPY 100 million for falsifying records or refusing PPC orders, plus civil claims and reputational harm.
- Antimonopoly Act breaches: The Japan Fair Trade Commission can impose surcharges and cease-and-desist orders. Where AI-driven conduct is found to violate competition law, the underlying conduct attracts the same penalty as non-AI conduct.
- Consumer Contract Act and SCT Act breaches: The Consumer Affairs Agency can issue improvement orders, business suspension orders, and refer cases for criminal prosecution where AI-driven sales practices mislead consumers.
- Copyright infringement: Liability for unlicensed training data outside the Article 30-4 exception, or for AI outputs that reproduce protected expression, flows through the Copyright Act with civil and criminal exposure.
- Tort liability: Article 709 of the Civil Code supplies the catch-all for harm caused by AI-driven decisions, with damages assessed case by case by the courts.
- Sectoral supervisory action: The Financial Services Agency, the Ministry of Health, Labour and Welfare (medical devices), and the Ministry of Land, Infrastructure, Transport and Tourism (transport) each have supervisory powers that reach AI use within their sectors.
What "soft law" actually means in practice
Soft law in Japan operates through three mechanisms that supply real practical pressure even without statutory penalties:
- Procurement and contracting: Japanese government procurement, large enterprise procurement, and increasingly mid-market procurement reference the AI Guidelines for Business in requests for proposal. Suppliers that cannot evidence Guideline alignment lose deals.
- Sectoral supervisory expectations: Regulators in financial services, healthcare, and telecommunications cite the Guidelines as a baseline expectation in supervisory dialogues, even when they cannot point to a statutory penalty.
- Reputational and tort exposure: Civil claims for AI-driven harm cite the Guidelines as the prevailing standard of reasonable conduct, transforming a voluntary code into the de facto due-care benchmark in litigation.
The takeaway: organisations operating in Japan should treat the Guidelines as practically binding for procurement and tort-defence purposes, while continuing to focus statutory compliance on the named acts (APPI, Antimonopoly, Copyright, FIEA, sectoral statutes).
Implementation Roadmap for Japan AI Compliance
Organisations approaching Japan AI compliance for the first time can use the following ten-week roadmap. The work parallels NIST AI RMF and ISO/IEC 42001 implementation, with Japan-specific overlays.
Weeks 1-2: Tier mapping and inventory
- Identify which Guideline tiers your organisation occupies (Developer, Provider, Business User) for each AI system in use.
- Inventory every AI system, including shadow AI tools adopted without IT approval.
- Map data residency: identify whether prompts, responses, and training data touch Japan data centres or cross borders.
Weeks 3-4: Common principles assessment
- For each in-scope AI system, conduct a self-assessment against the ten common Guiding Principles (human-centricity, safety, fairness, privacy, security, transparency, accountability, education, fair competition, innovation).
- Document the tier-specific recommended practices that apply and identify gaps.
- Map gaps to existing controls under NIST AI RMF or ISO/IEC 42001 if those frameworks are already in place.
Weeks 5-6: APPI and adjacent-law overlay
- Assess APPI compliance for personal information processed by AI systems, including consent posture, purpose limitation, third-country transfer requirements, and the role of joint controllers.
- Review training data sources for Article 30-4 Copyright Act compliance.
- For financial-services organisations, align with FSA supervisory guidance on AI; for healthcare, with MHLW guidance on medical AI; for telecoms, with MIC guidance on AI in telecommunications services.
Weeks 7-8: Hiroshima Code of Conduct overlay (if applicable)
- If your organisation develops advanced AI systems (foundation models or comparable systems), assess whether to sign the Hiroshima International Code of Conduct.
- Document compliance with the eleven actions: risk identification and mitigation, post-deployment monitoring, transparency reporting, security investment, watermarking, safety research investment, societal-risk research, international standards engagement, data input controls, AI literacy, and AI for global challenges.
- Track G7 monitoring activity via the OECD AI Policy Observatory.
Weeks 9-10: Operational controls and procurement readiness
- Deploy policy enforcement that blocks prohibited use cases by design.
- Activate DLP and content guardrails that prevent APPI-sensitive personal data from leaking through prompts.
- Implement consumer-facing AI disclosure for Japan-facing customer touchpoints.
- Pre-stage Guideline-aligned evidence packages for procurement RFPs that ask about AI governance posture.
- Establish an incident-response playbook with named escalation to PPC, JFTC, CAA, or sectoral regulators as appropriate.
Ongoing: AI Promotion Act and regulatory tracking
- Monitor the AI Promotion Act through the National Diet Library legislative tracker and METI/MIC public announcements.
- Track sectoral amendments that may layer mandatory obligations on top of the soft-law Guidelines.
- Maintain continuous evidence collection through Areebi's compliance dashboards; soft-law regimes are particularly sensitive to periodic snapshot evidence becoming stale.
Organisations seeking to accelerate Japan AI implementation can request a demo to see how Areebi maps directly to the Developer / Provider / Business User tier obligations and the ten common principles.
Relationship to Other AI Frameworks
Japan's AI Guidelines are designed to be compatible with the major international AI frameworks. The Cabinet Office, METI, and MIC have repeatedly emphasised interoperability over divergence. Operationally:
- OECD AI Principles: Japan was an OECD AI Principles signatory in 2019. Japan's ten common principles trace directly to the OECD framework, with refinements added through the 2024 update of the OECD Principles.
- NIST AI Risk Management Framework: Japan's Guidelines and NIST AI RMF are conceptually aligned. An organisation in substantial compliance with NIST AI RMF will satisfy most of Japan's Guideline expectations with light additional tier mapping.
- ISO/IEC 42001: ISO 42001 certification gives Japanese organisations a defensible international management-system credential. The certifiable status of ISO 42001 makes it the procurement-ready complement to Japan's voluntary domestic framework.
- EU AI Act: The two regimes diverge in approach but cover similar substantive ground. Building to EU AI Act obligations also substantially satisfies the Japan Guidelines.
- Singapore Model AI Governance Framework: Singapore's framework is a similarly voluntary, principles-based regime; the two governance approaches share architectural DNA and are commonly grouped in APAC-wide procurement diligence.
- Australia's AI Ethics Principles and Voluntary AI Safety Standard: Australia and Japan have aligned positions in G7 and quad-format discussions on AI safety; the voluntary postures share characteristics.
- US state law (Texas TRAIGA) safe harbors: Japan's Guidelines themselves are not named in US state-law safe harbors, but Hiroshima Code of Conduct signatory status is increasingly cited as part of a "comparable framework" argument under TRAIGA's safe-harbor language.
Smart multinational organisations build a single, framework-agnostic AI governance programme that satisfies the most demanding requirements (typically the EU AI Act for any EU exposure) and produces evidence packages that can be repurposed for Japan, US state, UK, Australia, and Singapore audits without rebuilding. Areebi's Compliance Hub provides cross-mapped templates for the major frameworks.
What Is Still Uncertain in Japan AI Policy
Several elements of Japan's AI policy landscape remain fluid through mid-2026 and beyond. Compliance teams should track these closely.
- AI Promotion Act final text and timing: The proposed AI Promotion Act has been under deliberation through 2024 and 2025. Final enacted text, effective dates, and ministerial ordinance details remain pending. Monitor the National Diet Library and the Cabinet Office AI Strategy page.
- Sectoral overlay statutes: Sector-specific amendments (financial services, transport, medical devices, telecommunications) are likely to layer mandatory obligations on top of the soft-law Guidelines over the next two to three years.
- APPI guidance evolution: The Personal Information Protection Commission has issued AI-specific guidance in 2024 and 2025 and is expected to continue refining its position, particularly on training data and on inference outputs containing personal information.
- JFTC competition enforcement: The Japan Fair Trade Commission's 2024 report on competition in generative AI markets signalled enforcement attention. Future cases will shape practical limits on platform behaviour and data access.
- Copyright Article 30-4 interpretation: The Agency for Cultural Affairs continues to develop guidance on the boundaries of the non-enjoyment exception, particularly for commercial generative AI training.
- Hiroshima Process monitoring: G7 leaders have committed to monitor implementation of the Code of Conduct through subsequent communiqués and through OECD AI Policy Observatory work; future G7 cycles may add expectations.
- Interaction with EU AI Act extraterritoriality: Japanese organisations whose AI outputs reach EU users fall within EU AI Act scope. The interaction between EU obligations and Japan's voluntary regime continues to develop.
- AI Safety Institute coordination: Japan's AI Safety Institute (AISI Japan), launched in February 2024 under METI's IPA, coordinates with the UK, US, and other national AI safety institutes; outputs from this work may shape future Japanese policy.
For organisations that prefer not to track legislative and regulatory developments themselves, Areebi maintains a compliance hub with status tracking and last-updated dates for every framework supported.