The initiative aims to reduce the risks of cyberattacks and large-scale asset breaches.

Japan prepares new cybersecurity standards for the crypto market

11.02.2026 - 11:00


Key points:

  • Japan’s Financial Services Agency (FSA) has proposed a mandatory cybersecurity self-assessment framework for all domestic cryptocurrency exchanges.
  • The new rules could take effect in fiscal year 2026 and are designed to address the growing wave of sophisticated cyberattacks.

The FSA released its draft proposal on February 10, 2025, outlining stricter cybersecurity requirements for crypto trading platforms. The move comes amid a global rise in complex hacks and digital asset theft. Under the proposal, all registered exchanges in Japan would be required to conduct a Comprehensive Security Self-Assessment (CSSA).

The regulator has effectively acknowledged that cold storage alone is no longer sufficient. Cyber threats are becoming more advanced, with attackers increasingly exploiting indirect vulnerabilities.

Japan Tightens Oversight of Crypto Exchanges

Japan has long been considered a pioneer in crypto regulation. Following the collapse of Mt. Gox in 2014, the country introduced a mandatory exchange licensing regime under the Payment Services Act. The new proposal signals a shift toward a more systematic and proactive cybersecurity model.

The FSA has pointed to the growing number of attacks carried out through third-party vendors, as well as social engineering schemes. Exchanges will therefore be required not just to meet baseline compliance standards, but to conduct regular and in-depth reviews of their entire security infrastructure.

This approach aligns with broader global trends. The European Union has implemented its MiCA framework, while Singapore has strengthened operational resilience requirements for crypto firms. However, Japan is placing particular emphasis on ongoing internal self-assessments as a mandatory process. Public consultations on the proposal will run through March 11, 2025.

What the Mandatory CSSA Will Cover

The new framework is designed as a continuous risk evaluation system rather than a one-time audit. Exchanges will be required to assess:

  • The security of hot and cold wallets, key management systems, and network architecture;
  • Employee training programs and safeguards against phishing and social engineering;
  • Security standards applied to contractors and third-party service providers;
  • Incident response plans and recovery procedures;
  • The protection of user data in compliance with Japan’s Act on the Protection of Personal Information (APPI).

Through these measures, the FSA aims to build a more resilient digital asset ecosystem and reduce the likelihood of major fund losses in the future.
