The Financial Services Agency of Japan has released a draft policy requiring mandatory cybersecurity assessments, shifting from protecting individual assets to defending the entire ecosystem.
Japan is taking a significant step in how it manages cybersecurity for the cryptocurrency industry. The Financial Services Agency (FSA) announced on February 10, 2026, a draft framework policy establishing mandatory cybersecurity standards for exchanges, marking a shift from an individual security approach for each asset type to comprehensive defense protocols for the entire ecosystem.
The policy guidelines include a mandatory requirement for all registered and operating cryptocurrency exchanges in Japan to conduct a cybersecurity self-assessment. The regulatory body will accept public comments until March 11th, providing a three-week period for stakeholders such as exchanges and security experts to provide feedback before the regulations are finalized and implemented in fiscal year 2026, beginning April 1st.
Regulators have noted an increase in sophisticated indirect attack methods, indicating that relying solely on cold storage may no longer guarantee secure asset management. While offline cold storage helps protect assets against direct remote intrusions, modern threat actors have adapted by targeting the human and operational infrastructure behind cryptocurrency asset management.
The three-pillar framework enhances multi-layered defense.
The cybersecurity assessment framework requires exchanges to systematically evaluate multiple components of the security domain: technical infrastructure such as wallet security and network architecture; human and operational risks, including staff training and fraud response procedures; third-party vendor governance; and data integrity protection mechanisms. It also requires them to comply with Japan's Personal Data Protection Act.
This shift stems from major breaches in 2024 that exposed vulnerabilities. The guidance specifically focuses on attacks that bypass technological defenses by compromising employees through phishing campaigns or infiltrating service providers and contractors who maintain access to the exchange's systems.
Successful implementation rests on three combined pillars. The self-reliance pillar places primary responsibility on each exchange for safeguarding its operations, starting in fiscal year 2026 with the requirement that all registered exchanges undergo mandatory assessments.
The mutual support pillar is based on collective intelligence through industry cooperation, with regulatory bodies supporting the strengthening of the security committee function of the Japan Cryptocurrency and Virtual Asset Trading Association and encouraging exchanges to actively share information on threats, attack patterns, and defense strategies.
The public support pillar will see regulators continue their cross-border blockchain research program on emerging threats launched in fiscal year 2025, and bring the entire exchange sector into Delta Wall, a joint cybersecurity exercise for financial institutions, within three years of policy adoption.
In fiscal year 2026, the regulatory body plans to deploy real-world penetration testing on specific operating units, potentially hiring white-hat penetration testers to attempt to break into operating exchange systems. These authorized attacks aim to detect vulnerabilities before hackers exploit them, with results shared securely to help exchanges patch weaknesses and provide an objective monitoring metric.




