7 min read Compliance

Japan's AI Policy in 2026: METI, the AI Promotion Act, and the Regulatory Sandbox

Japan has taken a deliberately different path on AI regulation from the EU and the US. What METI's framework actually looks like in practice and what it means for builders.

  • Japan
  • AI Policy
  • Compliance
  • Government
Japan's AI Policy in 2026: METI, the AI Promotion Act, and the Regulatory Sandbox

Japan’s AI policy has been deliberately, sometimes frustratingly, different from the EU’s and the US’s. Rather than building a single horizontal AI law like the EU AI Act, Japan has pursued sector-specific regulation grounded in pre-existing regulators — the FSA for finance, MHLW for healthcare, MEXT for education, METI for industry. The 2025 AI Promotion Act adds a thin horizontal layer over the top, but the bulk of operational AI regulation continues to live in sectoral guidance.

For builders deploying AI in Japan or selling AI products into Japanese enterprise, the practical question is which regulator owns your use case, what their guidance currently says, and how the AI Promotion Act overlays on top.

Japan AI policy METI

The structural posture#

Three orientations underlie Japan’s AI policy approach.

Pro-innovation by default. The cabinet’s AI Strategy 2025-2030, refreshed in early 2025, positions AI as a productivity multiplier for Japanese industry against the structural labor-shortage backdrop. The policy framing is enabling rather than restricting; specific risks are addressed at the sectoral level rather than through horizontal prohibitions.

Soft law and guidance over prescriptive rules. Japan has historically preferred guidelines, expectations, and industry self-regulation under regulator oversight, rather than detailed prescriptive rules. The AI Operators’ Guidelines (the joint METI/MIC document refreshed in 2024) and sector-specific guidance are non-binding but operationally important.

Sector regulators retain primary jurisdiction. Even with the new AI Promotion Act, the FSA still leads on financial AI, MHLW on medical AI, MEXT on educational AI, and so on. The horizontal layer is thin and largely complements the sectoral approach.

This is meaningfully different from the EU AI Act’s horizontal risk-based framework and from the US’s sector-specific-plus-state-level patchwork. For a global company, complying in Japan means understanding which regulator owns each AI deployment, not just hitting a single horizontal compliance bar.

The AI Promotion Act, in plain terms#

The AI Promotion Act, passed in 2025 and operational from 2026, is the thin horizontal layer. Its main provisions:

Risk-based categorization of AI systems, with three tiers — Standard, Important, and Specially Designated. The categorization is determined by use case, scale, and impact. The bar for “Specially Designated” is high; it captures things like AI used for credit decisions affecting many individuals, AI used in healthcare diagnostic loops, and AI used by significant infrastructure operators.

Transparency obligations for Important and Specially Designated AI — disclosure of what the AI does, what data it was trained on (in summary terms), what its known limitations are, and what mechanisms exist for user redress.

Algorithmic accountability for Specially Designated AI — meaningful documentation of model evaluation, fairness assessment, and outcome monitoring. The detailed expectations are still being elaborated through subordinate regulations expected in mid-2026.

Foundation model deployer obligations — distinct from foundation model developer obligations. Deployers of foundation models (the customer fine-tuning a Llama or Sarvam model for production use) have lighter obligations than developers (those training the foundation model in the first place).

Government coordination — the Act establishes a cross-ministerial AI coordination body and authorizes specific subsidies and regulatory sandboxes.

Notably, the Act does not prohibit any specific AI uses (the EU AI Act prohibits real-time biometric identification in public, social scoring, etc.) and does not have the EU’s notion of “high-risk” with mandatory conformity assessment. The Japanese framework relies on sectoral regulators to apply prohibitions where appropriate, and on the underlying laws (anti-discrimination, consumer protection) to govern problematic uses.

The sector-specific architecture#

The bulk of operational AI regulation in Japan continues to be sector-specific.

Finance — FSA. The FSA’s principles-based AI guidance for financial institutions, updated in 2024, covers explainability, fairness, customer disclosure, and operational risk for AI used in credit decisions, fraud detection, and customer service. Banks and securities firms apply these alongside the broader CSITE-equivalent operational risk frameworks.

Healthcare — MHLW. Medical AI as a “software medical device” follows the PMDA approval pathway, similar in shape to the FDA’s SaMD framework. The PMDA has been more flexible than the FDA on certain categories (AI as a “supplementary” decision aid versus diagnostic) but the certification work is real. The MHLW’s separate guidelines on AI use in clinical care (not as a regulated device) cover ambient documentation, clinical decision support, and population health analytics.

Manufacturing and industrial — METI. METI’s AI Operators’ Guidelines plus the recent industrial-AI-specific subsidiary guidance establishes the expectations for industrial AI. The framework is largely non-binding but is operationally referenced in procurement and certification.

Education — MEXT. The 2024-updated MEXT guidance on AI in education covers personalized learning systems, AI tutors, and the use of generative AI by students. Generally permissive but with explicit disclosure expectations.

Government — Digital Agency. AI used by central government and (increasingly) municipal governments is subject to the Digital Agency’s procurement and operational guidance, including specific data-handling requirements.

Privacy — PPC. The Personal Information Protection Commission has ultimate jurisdiction over personal-data processing in AI systems, under the Act on Protection of Personal Information (APPI). The 2022 APPI amendment and subsequent 2024 update strengthened consent and disclosure obligations for AI-related data processing.

The regulatory sandbox#

The METI-led regulatory sandbox, established under the Industrial Competitiveness Enhancement Act, has been the practical vehicle for piloting AI deployments that don’t cleanly fit existing regulations. Foreign-headquartered companies are eligible to apply, and successful sandbox graduates have included autonomous-vehicle pilots, drone-delivery in Hokkaido, and various fintech experiments.

The sandbox is not just a regulatory pause — it provides explicit safe harbor for the duration of the pilot and accelerated guidance from the relevant regulator. Application processing has been measured (typically 3-6 months) but predictable.

For non-Japanese AI startups looking to deploy in Japan, the sandbox is often the practical path. The 2024-2026 cohort included substantial international participation, including US, EU, and Singaporean companies.

How Japan compares to other major regimes#

A quick comparison.

vs. EU AI Act. EU’s horizontal, prescriptive, risk-based regulation with mandatory conformity assessment for high-risk systems. Japan’s approach is more sector-specific, more soft-law, and less prescriptive on technical conformity. The compliance cost differential is real; the protections produced are different in character.

vs. US (federal + state patchwork). US federal AI regulation is incremental (executive orders, sector regulators). State regulation is heterogeneous (California, Colorado, Illinois, Texas, New York all have or are developing distinct frameworks). Japan’s centrally-coordinated sectoral approach is simpler from a compliance perspective.

vs. UK. UK has pursued a similar sector-led approach, with the Department of Science, Innovation and Technology playing a coordinating role. The Japanese and UK approaches are now the most similar among major economies, in practice if not in formal structure.

vs. China. China’s AI regulation is more prescriptive than Japan’s, with generative AI-specific rules, content moderation requirements, and stricter algorithmic accountability for recommendation systems. The differences are substantial.

vs. Singapore. Singapore’s Model AI Governance Framework is voluntary but operationally influential. Japan’s AI Operators’ Guidelines and Singapore’s framework are now broadly aligned in spirit, with Japan’s framework slightly more enforced through sectoral regulators.

Practical implications for AI builders#

For a company deploying AI in Japan in 2026, the practical implications are:

  1. Identify your primary sectoral regulator. This is the most consequential step. Your AI is governed by sector-specific guidance more than by horizontal law.

  2. Engage early on Specially Designated categorization. If your AI is potentially Specially Designated under the AI Promotion Act, the specific obligations matter; engage with regulators early rather than at deployment.

  3. APPI compliance is the baseline. Personal data in AI systems is governed by APPI; the 2024 update tightened expectations on disclosure and consent.

  4. Algorithmic transparency surfaces are increasingly expected. Even for Standard AI, customer-facing transparency about how AI affects decisions is becoming the norm. Build the explanation surfaces into the product.

  5. Foundation-model use is permitted but documented. If you deploy GPT, Claude, Gemini, Sarvam, or a Japanese foundation model, document which version, what fine-tuning, and what guardrails. This is becoming routine in procurement reviews.

  6. Sandbox is available if your use case is novel enough.

What’s coming in 2026 and 2027#

Three things to watch:

The AI Promotion Act subordinate regulations — the detailed operational rules for Important and Specially Designated AI — are due in mid-2026. They will materially affect compliance posture.

The PMDA’s medical AI guidance is being refreshed; the 2026 update will likely tighten expectations for AI in clinical decision support.

The FSA’s framework for AI in financial decisioning is evolving as foundation-model use in banks accelerates; new guidance is expected.

Where pdpspectra fits#

We work with clients deploying AI in Japan and the broader Asia-Pacific region across our four offices. Our work spans regulatory architecture (which regulator owns this AI deployment), technical implementation (the platform engineering for compliance posture), and the deployment work that bridges policy and operations.

Related reading: the EU AI Act enforcement post, the India DPDPA compliance post, and the bedrock vs openai vs anthropic enterprise comparison.

Japan’s pragmatic AI regulation works on its own terms. Talk to our team about your deployment.

Keep reading

Related posts.

Japan

Japan's Cybersecurity Architecture: NISC, the Active Cyber Defense Bill, and Critical Infrastructure

Japan's cybersecurity posture has tightened materially in 2024-2026. The NISC framework, the Active Cyber Defense Bill, and what enterprise security teams should know.

Read post →
Japan

Japan's APPI in 2026: A Practitioner's Guide to the Act on Protection of Personal Information

APPI is older, narrower, and more pragmatic than GDPR or DPDPA. What it actually requires of an engineering team in 2026, and where it differs from the other major regimes.

Read post →
Singapore

Singapore's AI Policy in 2026: IMDA, the Model AI Governance Framework, and the Strategic Position

Singapore's AI policy approach has been deliberately pragmatic. Where the framework sits in 2026 and what enterprises should know.

Read post →