Cyber incident reporting requirements should be targeted in purpose and scope. The purpose of a cyber incident reporting law or policy should be to improve the cybersecurity of the entire digital ecosystem. Governments should limit the scope of requirements to ensure they prioritize cyber incidents of national or international significance and do not unnecessarily encumber a business’s incident response and recovery. To build a cyber incident reporting ecosystem that serves governments’ needs while not unduly encumbering businesses’ ability to respond to and recover from cyber incidents, cyber incident reporting requirements should follow these recommendations. 

Translation: Japanese