On March 29, 2024, Japan's Agency for Medical Research and Development (AMED) published version 2.00 of its "Medical Device Cybersecurity Practical Guide" (Iryo Kiki Saiba-sekyuriti Jissen Gaido), and on May 31, 2024, the Ministry of Economy, Trade and Industry (METI) released version 2.0 of the "Guide on Introduction of SBOM for Software Management." Both documents follow the April 1, 2024 enforcement of the Pharmaceuticals and Medical Devices Agency (PMDA) Notification No. 0427-1, which added cybersecurity requirements to device-registration dossiers under the Pharmaceuticals and Medical Devices Act (Yakkihō, Act No. 145 of 1960). Japan is moving to the SBOM-based supply chain model that the U.S. NTIA and the EU Cyber Resilience Act have converged on, with a local flavor tailored to the Japanese regulatory structure and the IEC 81001-5-1 standard.
What Is the AMED Medical Device Cybersecurity Practical Guide?
AMED's practical guide, first issued in 2021 and updated to v2.00 in March 2024, is the companion document to MHLW Notification No. 0413-1 "Ensuring Cybersecurity in Medical Devices" (April 13, 2023). It translates IEC 81001-5-1 and IEC/TR 60601-4-5 into practical workflows for Japanese manufacturers and hospital operators, and v2.00 added three new chapters on SBOM generation, vulnerability triage, and post-market surveillance. Appendix C contains a Japanese-language SBOM template mapped to SPDX 2.3 fields, and the guide recommends VEX documents (CycloneDX VEX or CSAF) for communicating exploitability status to operators.
When Did PMDA's Cybersecurity Requirements Take Effect?
PMDA Notification No. 0427-1 of April 27, 2023 set the compliance date at April 1, 2024 for new device registrations and device-registration changes. From that date, applications for Class II, III, and IV medical devices that include software must include a cybersecurity design file that addresses threat modeling, secure development, SBOM maintenance, and post-market response. Devices approved before April 1, 2024 become subject to the requirements at their next partial change application or through a voluntary transition, which effectively creates a two- to three-year grace period rather than an open-ended exemption. The PMDA published a bilingual Q&A clarifying the scope in October 2024.
How Does METI's SBOM Guidance v2.0 Apply Beyond Medical Devices?
METI's "Guide on Introduction of SBOM for Software Management" v2.0 (May 2024) is sector-agnostic and serves as the reference used by the Information-technology Promotion Agency (IPA), JPCERT/CC, and procurement officials across Japanese Government and critical infrastructure. The guide endorses SPDX and CycloneDX, explains the differences between build-time, source, and analyzed SBOMs, and recommends that operators require SBOMs from suppliers as a contractual term. Section 4.3 of v2.0 added explicit expectations for VEX integration and for component-level vulnerability monitoring. METI's Cyber-Physical Security Framework (CPSF) references the SBOM guide for software-layer controls.
How Does Japan's Framework Compare With the U.S. and EU?
Japan's approach closely tracks NTIA's minimum elements for SBOM — supplier name, component name, version, unique identifier, dependency relationship, author, and timestamp — and cross-references the EU Cyber Resilience Act's Annex I obligations. For medical devices the AMED guide explicitly invokes IEC 81001-5-1, the same standard the FDA's October 2023 premarket guidance cites. The key difference is governance: Japan's requirements flow through PMDA notifications and METI guides rather than a single legislative act, which means a vendor shipping into Japan must track updates from multiple agencies rather than one primary regulator.
What Are the Enforcement Mechanisms and Penalties?
Under Article 23-2-5 of the Pharmaceuticals and Medical Devices Act, a device manufacturer that fails to meet the design and manufacturing standards for an approved device can have its marketing authorization revoked, and Article 84 carries criminal penalties of up to 3 years' imprisonment or a fine of up to JPY 3 million for violations of the device approval provisions. Class I misdemeanours under Article 75-5 can also be triggered by recall failures. For non-medical software, METI can issue administrative guidance (gyōsei shidō) and, under the Act on the Promotion of Information Processing (administered by IPA), can publish non-compliance notices. Under the 2022 APPI amendments, the Personal Information Protection Commission (PPC) can impose penalties of up to JPY 1 million per violation, and up to JPY 100 million for corporations, when a breach exposes personal data through a supply chain compromise.
How Do Operators Use SBOMs From Suppliers?
Hospital operators in Japan assess SBOMs against the Common Vulnerability Reporting Framework and the JVN iPedia vulnerability database maintained by JPCERT/CC and IPA. Operators are expected to maintain an internal asset register of devices and software, match SBOM components against new CVEs as they are disclosed, and apply the AMED guide's triage playbook, which uses a risk matrix combining patient-safety impact with the CVSS base score. The key performance indicators published in the AMED guide include time-to-identify (TTI) and time-to-mitigate (TTM) for post-market vulnerabilities.
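The operator workflow just described, together with the NTIA minimum-elements check from the comparison section and the VEX handling the AMED guide recommends, as one added worked example. This is illustrative code written for this page, not tooling from the AMED or METI guides and not Safeguard's product code. Everything it consumes is constructed inline: the CycloneDX-style SBOM, the vulnerability feed with placeholder ids, the supplier VEX statements, the operator's asset register, and the priority matrix. The matrix is an assumed one (the guide's own matrix is not reproduced here), and the TTI/TTM definitions are assumptions, since the page does not state where each clock starts and stops.

```python
"""Added example for this page (not the AMED or METI guides' tooling and not
Safeguard code): NTIA minimum-elements check, CVE matching, VEX handling and
matrix-based triage over a constructed CycloneDX-style SBOM."""
from datetime import datetime

# Constructed SBOM in a CycloneDX-like shape. "custom-ui" is deliberately
# missing its supplier and unique identifier so the check has something to report.
SBOM = {
    "metadata": {"timestamp": "2024-06-01T00:00:00+00:00",
                 "authors": [{"name": "Example MedTech QA"}]},
    "components": [
        {"name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7",
         "supplier": {"name": "OpenSSL Project"}},
        {"name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11",
         "supplier": {"name": "zlib"}},
        {"name": "custom-ui", "version": "2.4"},
    ],
    "dependencies": [{"ref": "pkg:generic/openssl@3.0.7",
                      "dependsOn": ["pkg:generic/zlib@1.2.11"]}],
}

# Constructed vulnerability feed; the ids are placeholders, not real CVEs.
FEED = [
    {"id": "EXAMPLE-2024-0001", "purl": "pkg:generic/openssl@3.0.7", "cvss": 9.8,
     "published": "2024-06-03T00:00:00+00:00"},
    {"id": "EXAMPLE-2024-0002", "purl": "pkg:generic/zlib@1.2.11", "cvss": 7.5,
     "published": "2024-06-05T00:00:00+00:00"},
    {"id": "EXAMPLE-2024-0003", "purl": "pkg:generic/openssl@1.1.1", "cvss": 5.3,
     "published": "2024-06-02T00:00:00+00:00"},  # other version: must not match
]

# Constructed supplier VEX statements keyed by vulnerability id; the state
# values are CycloneDX VEX analysis states.
VEX = {"EXAMPLE-2024-0002": "not_affected"}

# Constructed operator asset register: patient-safety impact per component.
ASSET_IMPACT = {"openssl": "high", "zlib": "low", "custom-ui": "medium"}

# Assumed priority matrix (patient-safety impact x CVSS band) for illustration;
# it is not the matrix printed in the AMED guide.
PRIORITY = {
    ("high", "critical"): "P1", ("high", "high"): "P1", ("high", "medium"): "P2", ("high", "low"): "P3",
    ("medium", "critical"): "P1", ("medium", "high"): "P2", ("medium", "medium"): "P3", ("medium", "low"): "P4",
    ("low", "critical"): "P2", ("low", "high"): "P3", ("low", "medium"): "P4", ("low", "low"): "P4",
}


def cvss_band(score):
    """Map a CVSS base score onto the usual qualitative severity bands."""
    return "critical" if score >= 9.0 else "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"


def ntia_gaps(sbom):
    """Return the NTIA minimum elements this SBOM fails to provide."""
    meta = sbom.get("metadata", {})
    gaps = [e for e, ok in (("timestamp", meta.get("timestamp")), ("author", meta.get("authors")),
                            ("dependency-relationship", sbom.get("dependencies"))) if not ok]
    for c in sbom.get("components", []):
        label = f"{c.get('name')}@{c.get('version')}"
        for element, ok in (("supplier", (c.get("supplier") or {}).get("name")), ("name", c.get("name")),
                            ("version", c.get("version")), ("unique-id", c.get("purl"))):
            if not ok:
                gaps.append(f"{element}:{label}")
    return gaps


def triage(sbom, feed, vex, impact):
    """Match feed entries to components by purl, apply the VEX state, and assign a
    matrix priority. Findings come back sorted, most urgent first."""
    by_purl = {c["purl"]: c for c in sbom["components"] if c.get("purl")}
    findings = []
    for v in feed:
        comp = by_purl.get(v["purl"])
        if comp is None:
            continue  # advisory is for a version this device does not ship
        state = vex.get(v["id"], "in_triage")
        prio = PRIORITY[(impact.get(comp["name"], "high"), cvss_band(v["cvss"]))]
        if state == "not_affected":
            prio = "P4"  # supplier attests it is not exploitable here; keep for the record
        findings.append({"id": v["id"], "component": comp["name"], "cvss": v["cvss"],
                         "vex": state, "priority": prio})
    return sorted(findings, key=lambda f: f["priority"])


def kpi_hours(published, identified, mitigated):
    """TTI and TTM in hours. Assumed definitions: both clocks start at public
    disclosure; TTI stops when the advisory is linked to an asset, TTM when the
    mitigation is applied."""
    p, i, m = (datetime.fromisoformat(t) for t in (published, identified, mitigated))
    return round((i - p).total_seconds() / 3600, 1), round((m - p).total_seconds() / 3600, 1)


if __name__ == "__main__":
    print("NTIA gaps:", ntia_gaps(SBOM))
    for f in triage(SBOM, FEED, VEX, ASSET_IMPACT):
        print(f)
    print("TTI/TTM hours:", kpi_hours(FEED[0]["published"], "2024-06-03T06:00:00+00:00",
                                      "2024-06-10T00:00:00+00:00"))
```

Two design points matter for a defender running something like this for real. Matching is done on the package URL rather than on the bare component name, so an advisory for a version the device never shipped does not generate a finding; and a `not_affected` VEX statement lowers priority but never deletes the finding, so the operator still has a record of what the supplier attested and when, which is what a PMDA post-market file needs. An unknown component in the asset register defaults to high impact, the conservative choice for a device whose data path is not yet characterised.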
How Safeguard Helps
Safeguard generates SPDX 2.3 and CycloneDX 1.5 SBOMs with the supplier, version, and timestamp metadata that both the AMED guide and the METI SBOM guide require. Griffin AI reachability analysis supports the AMED risk-matrix triage workflow by telling operators which vulnerabilities actually reach the clinical data path, which shortens TTM and aligns with IEC 81001-5-1 post-market expectations. TPRM workflows track vendor attestations against PMDA Notification No. 0427-1 and section 4.3 of the METI SBOM guide, and policy gates block builds that lack a valid SBOM or that introduce components with unresolved high-severity CVEs. Compliance mapping aligns the AMED guide, the METI guide, and IEC 81001-5-1 so that a single evidence store supports PMDA submissions and post-market surveillance.