Skip to main content

This page has been translated using TexTra by NICT. Please note that the translation may not be completely accurate.
If you find any mistranslations, we appreciate your feedback on the "Request form for improving the automatic translation ".

Digital Relations Institutional Reform Study Meeting Technology-based regulatory reform Promotion Committee (1st)

Overview

  • Date and Time: Thursday, December 7, 2023 (2023) from 16:00 to 18:00
  • Location: Online
  • Agenda:
    1. Opening
    2. Proceedings
      1. Explanation from the Secretariat
        • Holding of the Technology-based regulatory reform Promotion Committee
      2. Explanation from the Secretariat
        • Progress of "Technology-based regulatory reform" and how to proceed for the time being
      3. Exchange of opinions
    3. Adjournment

Materials

Minutes, etc.

Date and Time

Thursday, December 7, 2023 (2023), from 16:00 to 18:00

Location

Held online

Members present

Chairman

Hiroshi Esaki (Digital Agency Senior Expert)

Members

  • Noriko Endo (Distinguished Professor, Keio University Global Research Institute)
  • Yusaku Okada (Professor, Department of Management Engineering, Faculty of Science and Engineering, Keio University)
  • Keiko Ogawa (Certified Public Accountant, Banking Capital Markets Leader LegTech Leader Partner, EY Strategy and Consulting Co., Ltd.)
  • Tsukasa Ogino (Representative Director of the security Council for Important Consumer Products)
  • KAWAHARA Yoshihiro (Professor, Graduate School of Engineering, The University of Tokyo)
  • Yumi Kawabata, Journalist Strategic Innovation Specialist
  • Keisuke Toyoda (Specially Appointed Professor, Institute of Industrial Science)
  • Takao Nakagaki (Professor, Faculty of Creative Science and Engineering, School of Science and Engineering, Waseda University)
  • Osamu Nakamura (Professor, Faculty of Environmental and Information Science, Keio University)
  • Daiyu Nobori (Director of the Cyber Technology Laboratory, Information-Technology Promotion Agency)
  • Kenji Hiramoto (Director General, Information-Technology Promotion Agency Digital infrastructure Center)

Minutes

Councilor Suga: time, the first "Technology-based regulatory reform Promotion Committee" will be held.

With the establishment of the Digital Administrative and Fiscal Reform Council, the Digital Ad Hoc Committee has been reorganized in a progressive manner, and the Digital Ad Hoc Committee and the working group under the Digital Ad Hoc Committee will be abolished as a council body in October this year. However, since the efforts made by the Digital Ad Hoc Committee and the working group are very important, it has been arranged that they will be succeeded in Digital Agency and will be continued. The other day, the first meeting of the Digital System Reform Review Committee, which was reorganized as a working group, was held.

Today's Committee will be the first to be held under the Conference, but the number of meetings will be the first. We will continue to hold the Committee for the purpose of conducting detailed examination of digital technologies that can be used for cross-sectional regulation reviews, and examining the applicability of digital technologies that have been confirmed to be safe and effective to other regulation areas.

The members will be the same as before. Thank you for your continued support. In addition, regarding the operation of the meeting, we would like to treat the minutes and materials of the meeting as public disclosure in principle.

Regarding What I have just mentioned, I have distributed the relevant regulations and other matters in Materials 1 to 3 in front of you. In addition, I would like to continue to ask Mr. Hiroshi Esaki, Senior Expert Digital Agency, to serve as Chairman of this Committee. Then, Chairman Ezaki, please give us your greetings.

Chairman Ezaki: Thank you very much, . As Mr. Suga explained earlier, the Council has been reorganized from organization to Digital Agency as the "Digital System Reform Review Committee." Therefore, I understand that this committee will basically proceed with the same contents and the same system in the first meeting, so I would like to continue to be recognized as the chairman. I would like to ask for your cooperation in conducting the discussions smoothly and effectively. Thank you very much. That's all for my greetings.

Councilor Suga: . Please proceed with the proceedings from now on, Mr. Ezaki.

Chairman Ezaki: Thank you very much, , I would like to proceed with the agenda. Please explain the progress of the technology-based regulatory reform and how to proceed for the time being from the Secretariat.

Councilor Suga: Handout 4. At the beginning, it contains an outline of the committee and how technology-based regulatory reform has been promoted as a whole, and the next page is the table of contents. This time, I would like to report on the progress of each of the projects of Technology Map, Technology Catalog, Consortium, and Technology validation, and the future of Issue.

The first is the progress of the Technical validation Project. The Technical validation Project is divided into the first, second, and third phases. Specifications are compiled little by little from simple parts, and a business operator who can make a validation is decided and announced. The validation Project is being started in various parts of Japan. For example, in order to validation the inspection accuracy of flying a drones in the Antarctic, a validation in snowy Hokkaido has been started.

This time, we have newly announced the operators, including seven projects for the third public offering. As for the project in which we, Digital Agency, wave the flag and conduct the technology validation together with each ministry, all the operators have been announced.

The reason why Type 2 on the lower right is gray is that there were six Security regulation provision in Type 2, but no proposals came out even after two public appeals. Including that, for the third public appeal, we did not receive validation proposals from business operators for several provision. We will thoroughly investigate the cause of the failure to receive proposals. At present, 32 projects have been adopted, and I would like to report that the Technology validation Project has been sequentially started using the budget.

From the next page, we show how each type of business operator decided to perform what kind of validation and what kind of technology for which law, in the content that we were able to fully agree with the ministries and agencies responsible for the regulation.

In fact, the contents of the validation Project are all very interesting, so we have started to have representatives of the business operators who will be conducting the validation Project gather and talk with them, and publish an article on the Digital Agency website. The first article has just been published on the website. I have distributed the manuscript in the form of Attachment 2 to you. If you have time, I would appreciate it if you could read through the article.

On page 13, we summarize the projects that were not successful. All six provision types 2 were unsuccessful, but for the other provision types 4, 5, and 10, the Ministry of Economy, Trade and Industry, the Ministry of Land, Infrastructure, Transport, and Tourism, and the Ministry of the Environment were very positive in their cooperation because these regions fall under these types. However, we did not receive any proposals that these technologies could be used.

It is symbolized by the concentration on the third type, but it is characterized by the fact that there were many difficult tasks such as the digital completion of periodic inspections and inspections, and that there were many tasks that were difficult to perform by installing sensors and cameras. The objects of periodic inspections were not located on the ground where they could be easily seen, but were underground or under the ground level, or were located in ordinary homes or ships.

Although it is written in small letters on the lower right, when the corresponding items are added up, Digital Agency aimed to establish a technology provision for 460 validation this time, but 41 provision, or 8.9% of them, were not established.

On the next page, we are analyzing the causes of the failure. This is because we believe that there is a possibility that we can obtain extremely large findings from why the failure occurred. As the secretariat, we have four hypotheses. First, there is the possibility that the regulation authorities want the technology to be used if it exists, but in fact the technology itself does not exist. Second, there is the possibility that the technology itself exists but the technology maturity is low. One and two may be the same thing. On the other hand, there is the possibility that the technology itself exists but does not satisfy sufficient performance standards, including the fact that the accuracy does not reach the level expected by the regulation authorities, or there is the possibility that we were not able to set or explain the standards we want to be satisfied sufficiently specifically when we made a public offering. Fourth, there is the possibility that there was a reason other than the existence of the technology, such as a lack of time or a lack of manpower, because the start of the public offering was delayed in the third period.

We value the 8.9% that failed and would like to delve into this assumption. First of all, it would be a waste if we could not search for the technology itself, so we would like to conduct our own investigation of technology and product information. On the other hand, based on the possibility that our method of recruitment was not sufficiently specific, we would like to conduct a questionnaire and hearing on why we did not apply to the business operator with the technology and how we could apply, and identify the Issue of the public offering. We will report back if we find out anything.

Next, the second issue, Technology Map. This has been discussed by this committee for a long time, and finally, on October 6, we were able to upload the first law to be announced based on Technology Map on the Digital Agency website. The image on page 16 of the document is a screenshot of the Digital Agency website. This page has received the largest access among our related efforts.

From page 17, we show the variations of Technology Map that are actually published. There are two simplified versions. The first is classified by management target regardless of law and set on the vertical axis. The second is organized into law types and arranged on the vertical axis so that it is easy for those in charge of regulation to understand. For the time being, we have decided to maintain these two versions, so we present both. The two simplified versions are slightly enlarged to improve readability, and what we showed you when we discussed in the committee is the very detailed version on page 19,20. At present, there is no search function attached due to the specification of the Digital Agency website, but in the future, we would like to be able to select axes by ourselves and make display adjustments such as searching more intelligently.

Finally, regarding page 21. Technology Map has published a mapping of the technology types that can be used at present on its website. As I said earlier, it has become clear that there are areas where there are no technologies but are desired because there are types where no hands were raised in the technology validation. I think it would be good to publish about three types of Issue: areas where validation remains for technology substitution, areas with potential for utilization, and areas where Technology Map has been completed. At present, only those that are known to have potential for utilization without validation have been published, but there is Issue for technology substitution, and I would rather make a map of the areas where we would like to recruit, and I think it would be good to make a map that reflects the results of intensive technology validation in some form. This is the report on Technology Map.

Next, I would like to make a technology catalog so that we can jump from each map to the catalog. However, at this committee, I explained that we will first develop a catalog from information that does not require technology validation.

At present, the validation Project is being implemented in 460 provision and 590 ministries out of 1,043 Digital Agency. For the other 8,600 provision, the regulation authorities say that it is OK to use provision because it already has technology without going through the Technology validation. Catalogs are being prepared for them one by one.

We will conduct a public offering of catalogs by the third round, and after that, we plan to continue with the fourth and fifth rounds. This is also a public offering in which the difficulty increases as you go to the back, so the secretariat is having a hard time deciding what kind of application guidelines to make and where to listen. The first and second public offerings of catalogs have already been completed. In the first round, we did not ask questions such as security, so we received additional responses from business operators. Of the 27 lectures and examinations listed, 17 were responded to by additional information and are listed in the catalog.

On the other hand, it seems that the second visit and inspection were quite difficult, and there were seven applications themselves, and furthermore, there was no application for products or services that satisfy the "snooping function" required by the regulation authorities, so I think this is a potential area.

Regarding cybersecurity management, the committee discussed how to increase the number of questions. In fact, the most common question from the business operator was "Don't know how to write this additional question about cybersecurity." Among them, the one you wrote down is in the catalog.

Based on the information provided in the catalog, our impression is that most of them have obtained third party certification for cybersecurity management, comply with domestic and overseas guidelines, or conduct their own vulnerability inspections, but most of them are conducted at the organization or corporate level, and few of them have obtained certification on a product or service basis. Then, we added a question on whether or not they have liability property in the Japanese market when damage is caused by technology. Most of the companies answered about the maximum limit of compensation for damage, but most of the companies do not disclose whether or not they have collateral assets in the Japanese market. If there is a Issue, I would like to hear your comments on this matter later.

Page 27 is a summary of the two types of the third public offering, which is currently conducting a public offering for catalogs. It is about whether it is possible to make a digital completion for digital technology that can confirm the use of natural environments over a wide area and grasp the damage in the event of disasters, and for on-site investigation of management of business offices and confirmation of business conditions. Smart glasses and others will appear here. The deadline for the public offering is December 22, but we would like to submit it as a catalog after January after being carefully examined by the task force.

Next, I would like to talk about the consortium. On August 4, we launched the RegTech Consortium, and on October 27, we held a kickoff event called "RegTech Day." Thank you very much for your cooperation. Many people participated in RegTech Day. Our goal was to increase the number of people who join the Slack community, but the number of applicants has increased a little bit due to the holding of "RegTech Day."

However, we actually need to increase the number of participants further from here, but since it has been sluggish since then, we recognize that there is a Issue in how to liven up the community.

The next page is a report on the holding of "RegTech Day." As a remote distribution event, the speakers gathered at the site and discussed it. We received many positive comments from the participants, saying that they finally understood what they were doing.

We are doing various public relations before and after the opening of "RegTech Day", and some articles are published including the coverage of owned media in Digital Agency.
The next page is a questionnaire of the participants. The satisfaction level was basically high, and I think that people with various attributes were able to participate.

Next is our future direction. On the day of "RegTech Day," the number of viewers was close to 450, and the total number of views was close to 1,000, so I think that many people watched it. On the other hand, I think it is Issue that the number of participants in the consortium was small despite the fact that it was held with gorgeous members and called for participation in the consortium. I am also in the Slack of the consortium, but I am in a state of depopulation that I do not know what to say in my position. I would like to finish the content firmly and make it a vibrant community.

The next page is "RegTech Cafe." I don't intend to hold so many big events like "RegTech Day." Rather, I would like to hold a series of study meetings online because the detailed awareness of problems at the site and what kind of validation is being seen by the Issue project is very interesting. The first round of "RegTech Cafe" will be held online from December 20 (Wed), so if you can participate, please access it from the QR code.

The next page is an update of what I have explained before, but I would like to continue to liven up the community by doing activities while preparing for various events, so please help me.

Finally, I would like to talk about the future schedule and so on. About a year ago, due to the RFI, I asked for a wide range of information on digital technologies that could be used for the review of regulations on paper and in-person processes. At that time, even though it was a year-end and New Year's application, we received a large number of applications. We received multiple inquiries about what has happened since we applied, so I summarized how it is being used and how we want to use it.

First of all, when creating the Technology Map, we referred to it as information on what kinds of products actually exist. In addition, regarding the technical catalog, we asked individual companies whether they would be able to publish the information that the secretariat judged to be applicable to the catalog from the information provided in the RFI. One company is applicable to the training and examination, two companies are applicable to the visiting inspection and public inspection, and 29 companies are applicable to the third wide area grasp and on-site survey. We are adjusting for the transition of the catalog.

Regarding the Technology validation, there was a work to have the regulation authorities have an image of the expected technology and to drop it into the specifications. We are referring to the information of the RFI as the expected technology at that time. We are soliciting applications from business operators for the validation project, and we are asking them to apply individually.

In addition, we would like to continue to have contact with people who have applied, so we are sending information about events, including the consortium and "RegTech Day," by push as needed. In the future, we would like to make sure not to waste information so that we can return the favor of such information provision.

As for the future schedule of the Technology Map improvement project, the first map will be issued in October, and after that, it will be updated as needed. Among them, there is a task to issue variations to the map, and I think it would be good if it could be issued in the form of a map of the potential region next year.

We have been publicizing the catalog in five rounds, but these are fields that do not require validation. I think we will start posting the areas where we have made a technology validation in the catalog as needed. In the meantime, we will continue our activities to make the RegTech Consortium a community where people concerned can be directly connected. Thank you very much for your help this year.

Chairman Ezaki: Thank you very much, . Is it okay if I don't explain about the attachment?

Councilor Suga: Attachment 2 is an interview article that has already been published on the Internet, and I provided it because I wanted you to read it. Attachment 1, as you have already discussed, is a report that a technical catalog operation task force has been set up and has started operating in order to screen before putting it on the catalog.

Chairman Ezaki: Thank you very much, . We will be exchanging opinions in the future. If you have any questions or opinions, please let us know. If you want to speak, please write your name in the chat or let us know by the show of hands function. Thank you.

Nakamura: Technology validation? You explained that 90% of the Technology validation Projects have been adopted and are starting to move concretely, and 10% have not been applied. I think this 10% is very important, but I think the reason why there was no specific action is the operability of people who do actual work such as inspection. Even if it exists as a technology, it is quite difficult to actually operate it, so is something that Digital Agency is considering this time?

Councilor Suga: , I would like to make a validation by incorporating it into our hypotheses. Among the types that have already begun to be demonstrated, there were comments that they could be done if they were done, but it would be troublesome to give instructions remotely. I think that operability includes such things. There were comments that even if it is technically possible for a person with a license to remotely give instructions such as "I want to look at the lower right side a little more," and for a person at the site to point a camera or bring the drones closer, it would be faster to look at it at the site. From such things, I thought that there were parts where it would be troublesome to validation rather than that a hand would not be raised. What do you think about those parts?

Nakamura: I'm not saying anything specific, but I think there are situations where people with qualifications have to work in inspections and the like. When such a situation arises, I wonder if there was a background where people with qualifications are older and it is faster to see and sign by yourself than to install new technology. In other words, instead of analog or digital technology, is it possible to make a validation this time in a form that includes problems such as the method of inspection, for example, who is qualified and what must be done? Or is it possible to make a validation only in a form that follows existing rules and whether digital technology can be used? I wonder if there will be a big difference.

In other words, I think it is necessary to change the essential method of each inspection item and the form in which people with licenses must be involved. Do you mean that this time, you did not go that far?

Councilor Suga: We will be conducting a cause analysis from now on, so I would like to include such a possibility. If it is just that qualified personnel do not have to go to the site, and if it is true that the inspection is based on the judgment of qualified personnel in the end, there is a possibility that it is in the phase before digital completion, and that is why I think there is a more difficult aspect. I think there is a possibility that technology will not enter unless we consider the direction of eliminating the involvement of qualified personnel end-to-end, so I would like to analyze it including that point.

Nakamura: I think that is important, so please take care of it.

Chairman Ezaki: Thank you very much, As Is to To Be, but there are steps in the middle, so it is a difficult place. I think the other point was that how to change laws and regulation in accordance with technology is also an important task. Thank you very much. Mr. Noboru, I have received an entry, but could you please make a statement including an explanation of it?

Candidate: Technology Map There is something I noticed when I checked the content of the public offering form in the current technology catalog. I think it would be better to add questions to the application form, so I would like to make a proposal.

To give you a point, I think there is a service that handles personal data among the applied technologies. I think there are applications for products that handle personal data and use foreign public clouds as their system infrastructure. However, there are cases where I am worried about whether or not measures are taken to prevent leakage of personal data only by the items to be entered in the current form. I think it is better to include important points in the questions in advance.

The specific question that should be added is limited to the service where the personal data will be stored. First of all, you should write down whether the information will be stored on-demand or in the cloud, in Japan or outside the country. In addition, you should write down the name of the public cloud service that is used. So far, it's not that difficult, but the important thing is to make sure that even if the personal data to be stored is encrypted, it is in a place where there is a risk that the encrypted data will be raided or taken under foreign law by a foreign state without going through judicial review in Japan.

From here, you should also check the strength of encryption, and if a foreign government can obtain the data, it is meaningless to encrypt the data if the foreign government can obtain the encryption key without permission. Therefore, you should check whether the data is stored in another place.

Finally, we will ask you to write down specific measures to prevent the possibility of being forcibly acquired without going through judicial review in Japan. Some people don't know how to write this, so I would like to have some examples of filling out this form.

I would like to show the reason why I thought I should include such a question. It has been a problem in European countries since around 2018, but European countries have created various legal regulation for personal data protection. A representative Issue that European countries are now problematic about is the U.S. government's "U.S. Cloud Act (CLOUD Act)," which is a response to law. This is a problem in European countries for personal data protection. The point of the U.S. Cloud Act is that it is an extremely strong law that allows U.S. public cloud operators, who are used by applicants to this technology catalog, to overwrite their promises with the authority of the U.S. government and have their data submitted to the U.S. government without permission, even if they do not view the data without permission under the contract.

Under the U.S. Cloud Act, if a state or federal government in the United States issues a search warrant or administrative subpoena to a public cloud provider, there is a risk that the data could be remotely copied from the United States or elsewhere, even if it is in Japan. The problem with this is that it carries penalties such as obstruction of justice and contempt of court, which U.S. cloud providers would likely have to comply with even if they wanted to protect Japanese customers.

There has been a response to this in the Japanese Diet. In June 2019, the Government of Japan responded that "among the provisions in the personal data Protection Act that exceptionally allow the transfer of data to others based on the law,' law' in' cases based on law' (Article 27, Paragraph 1, Item 1 of the said Act) shall be limited to' Japanese law'" ("memorandum on questions on Responses to the U.S. Cloud Act and the personal data Protection Act," 198th Diet Prime Minister's Answer No. 227). Therefore, the fact that the U.S. government is in a state where data can be obtained at any time based on the U.S. Cloud Act is not an exceptional reason for the Japanese personal data Protection Act, and I think there is a risk that it will be recognized that the "measures to prevent data leakage" in Article 23 of the personal data Protection Act have not been taken.

Up to this point, it is obvious, but most people think that the data to be placed in the cloud is encrypted. If the application data says that it is not encrypted, or if it says that it is encrypted by, for example, AES256, it is not possible to distinguish whether the encryption is performed as a function of the service infrastructure of the cloud service provider or is performed independently by the service provider just by looking at the form, so it is necessary to make an inquiry individually.

There are two types of encryption performed by cloud service business operators. First, there is a form in which the key is stored as data in the cloud business operator, but this is meaningless. Second, there is a method in which the key is stored outside the cloud. Since it is necessary to see whether or not the protection by the second method is ensured, I think it is better to include it in the question.

Finally, when it comes to writing about the U.S. Cloud Law, the partnership between the Japanese and U.S. governments is very important, and paying attention to the U.S. Cloud Law may undermine the relationship of trust. Therefore, I think it is better to use a generalized expression of "foreign law" instead of naming "the United States" as in "the U.S. Cloud Law" in the questions.

These questions can be answered by the applicant engineers without devising new ideas, so I don't think it will cause much burden. That's all.

Chairman Ezaki: Thank you very much,

Ogino Member: I am creating the content of the hearing at the time of application for the Technology Catalog on cybersecurity with the Secretariat. It is undeniable that it is a stopgap measure, and we have to hear about Supply Chain Risk Management, but we have to ask in terms that can be understood by companies, and the questions are difficult to write without experts, and the content of the question is just a summary of the supply chain guidelines issued by NIST. We need to make the content more realistic, and I think that in the Technology Catalog, we should make easy-to-understand modifications in the form of what kind of vulnerability test the applicant company is conducting and what kind of certification it has obtained. We have prioritized time, so I would like to make more modifications in the future. I believe that it must be written in a way that the general public can understand, so I would like to work with the Secretariat.

Chairman Ezaki: Thank you very much, , would you like to make a statement?

Nakamura: It's probably the same as what Ogino is saying, and since the other party's level is various, I think the questions in the form that Noboru was asked are questions that will be answered by default. If you change "the United States" to "a foreign country," on the contrary, I think you will inflate your imagination by thinking about China, South Korea, and Europe.

I thought that my comment would be more understandable if I said "I recommend." and if not, I would like each item to be recorded. For people who don't know, it would be easier to do what is recommended.

Chairman Ezaki: Thank you very much, Do you have any other opinions? It is quite difficult to do 100% of this, and if it has to be done in the supply chain, there is a concern that it will be almost impossible to do the work, so it is difficult to decide what to do. Is it realistic to proceed with future enhancements or modifications in a manner that is properly aware of this? What do you think, Mr. Noboru?

Candidate: Technology Map That's exactly right. We received an opinion that it would be confusing to write "foreign country." However, we asked whether the data regulation is in Japan or not, and we thought that most Japanese business operators rent cloud servers in Japan, so it is probably not difficult to decide whether it is China or Europe.

Next, President Ezaki pointed out that it would be difficult to take measures if the supply chain were included. I don't think so. A standard function is to place an encryption key on the server of the business operator. Even if a cloud without such a function is used, IaaS, which operates in the cloud, has disk encryption and database encryption, and SaaS, which operates in the cloud, has data encryption. In addition, if you answered that you encrypt in most cases, I thought it would not be so difficult to maintain that the entire supply chain is not in an ambiguous state.

Chairman Ezaki: Thank you very much, Cloud, in particular, major clouds have such transparency, but there are actually many devices that do not have such transparency, and I recognize that such devices have not been able to ensure transparency like clouds. As you said, it is not so much trouble if it is a cloud, and I recognize that major clouds in particular provide such functions.

Candidate: Technology Map I think exactly so. In the case of on-premise rather than cloud, and if it is in Japan and is managed and controlled by the company or the assignation firm, it is not necessary to encrypt it, and it is physically impossible for a foreign state to seize it. In the case of on-premise, there is no possibility that a foreign state will acquire it without going through judicial review in Japan, so you can answer NO to all the questions after that. In the case of a small server in a data center, you can choose on-premise and in Japan, so I think you don't have to worry so much.

In the case of a major U.S. cloud service provider, there is an encryption mechanism, so you can just write down which one you have selected. Considering a small Japanese rental server company, we have to support such a company, but even when using the service, it is part of the equipment or function controlled and controlled by a third party such as a cloud service provider, and the data is stored only in Japan. Such a small business operator does not fall under the jurisdiction of the U.S. Cloud Act, so I don't think there is a risk of compulsory acquisition. I think it is usually the case for Japanese companies.

As an exception, if what seems to be a small Japanese cloud server actually has a base in the United States, the United States may issue an order to the base in the United States based on the concept of minimum contact. In such a limited case, we have to ask the Japanese cloud service company whether there is a risk of data being forcibly investigated or acquired under foreign laws without going through a Japanese judicial review, but I don't think there are so many. I had the impression that there is not so much serious risk if it is on-premise and in Japan, and it is a matter that can be done in most cases.

Chairman Ezaki: Thank you very much, If IoT devices that are not simply using servers come in, or if a different system comes in, the device itself may be talking to another part of the cloud without knowing it, so I recognize that this is what Mr. Ogino's team is considering. As Mr. Nakamura wrote, it may be realistic to "recommend this type of form."

Candidate: Technology Map and I think that recommending something in the Technology Catalog may seem like a new challenge. If we were to write a recommendation structure for privacy issues, there would be other recommendations for safety and availability, and if we wrote them down, it would be difficult to think that we would finally have a whole textbook of informatics. In particular, it is not necessary to put up a large signboard for privacy issues at the moment compared to other issues, or it is not necessary to write a recommendation guideline, but as you pointed out, there are cases where we do not know how to write it. If we write an example answer as a comment on the form of the question like a cheat sheet, I think that people who have not thought about anything may be able to read and understand it.

Chairman Ezaki: Thank you very much, . I have received an opinion from Mr. Nakamura that it would be good if there was a guide for filling out the form. I think it would be appropriate to create a direction while discussing it with the people concerned, and if possible, consult with this committee again. Do you have any responses from the Secretariat?

Councilor Suga: said. I believe that you made a very valuable point, but as Mr. Nakamura said, even the current question is difficult, so we are flooded with questions. There are two levels of hurdles: the literacies of those who fill out the form, and the literacies of those who read the form and make a procurement. Among them are government officials. I would like to realize a UI that allows both parties to immediately understand what the item means and what they should be careful about. I would like to think about how to respond to the points you pointed out while consulting with you so that the hurdles for applying do not rise rapidly. Thank you.

Chairman Ezaki: Thank you very much, cybersecurity is a very troublesome area, and the levels are very different, so I think it is an area where we need to put a lot of effort. Thank you very much. Do you have any other opinions or questions? Member Ogawa, please.

Member Ogawa: I think you are right, I have two points. I would like to touch on cloud computing, which you just mentioned. When we use cloud for financial data, reports for authorities, and the generation process of core data, we apply it to a risk catalog called third party risk, and how to secure it. First of all, we must obtain the SOC report.

There are three SOC reports. One is about Ministry of Finance, but the second is about security's variety, confidentiality, privacy, and interbridge, so I'll take them first. I think one of them is to take them because most people can understand them with vendors who usually use clouds.

It is weak to just receive it, and there are so many cases where problems occur from third party clouds, so it is a current trend that "this is not enough." It is required for corporate core data to confirm whether the scope is properly covered.

I think it is an absolute requirement whether the cloud is domestic or foreign, but next is the reliability of the cloud. Not only in cybersecurity, SOC is a third party evaluation report that evaluates whether there are sufficient internal controls, so I think vendors know to some extent. Recently, there are many cases in which cloud is used with the latest technology, and even if the company itself is a startup, the cloud is used by a major company, so I think that is one point.

The other story is about the RegTech Consortium. I think it is a very good initiative, and I think it is one of the important channels for information collection in this initiative. I agree with you that we will make this consortium a good forum for discussion in the future. I also want to promote this consortium, and I have been talking to executives of various private sector companies, and among them, I have received some Issue.

I think the main purpose of Digital Agency is to widely collect opinions that it will be better if we do this, but I heard opinions that it is difficult for participants to see what kind of information they can get or whether their activities will be beneficial.

I think there are companies like start-ups among the companies with technology, and for example, there are major regulation companies as private sector target companies. I think the benefits required for each are different, so I think it is good to make a certain degree of hypothesis, break down how to satisfy the participants, and analyze by stakeholder.

For example, you explained that you will be conducting a pitch run. The FCA in the UK is a "tech sprint," and as a bridge between private sector, the authorities prepare sample data, involve private sector companies in the hackathon, and widely publicize the results. For startups in private sector, it is very beneficial that their technologies are publicized on the spot, so many companies are raising their hands. I think it is also important how to form a pitch run.

In addition, companies that receive regulation are also looking for technology. For example, drones is used by audit firms for conduct risk monitoring, transaction monitoring, data falsification, and objectivity of inventory. There is a big trend to put technology into such places more and more, and digitalization is done for the purpose of reducing personnel and costs. If Digital Agency's efforts this time can provide reference technology to such places, many of them will come, and it is expected that we will be able to absorb opinions from private sector companies on how to realize Trust, so I expect how to effectively operate the RegTech Consortium.

Chairman Ezaki: Thank you very much, . Do you have a response from the Secretariat?

Councilor Suga: Handout 4, we have mapped the events and gimmicks to provide benefits and values to each stakeholder, including our delusions. In that sense, we held "RegTech Day" for the purpose of announcing the beginning and letting people know about the existence of the Slack community, but I don't think that alone will allow people to stay in Slack. I think we need to prepare for the pitch run well, and we would like to do trial and error to see what is useful by accumulating several things, such as distributing articles on what we are doing in Technology validation and holding study sessions at cafes. We would like to consult with you again at the stage of planning for each event. Thank you very much.

Chairman Ezaki: Thank you very much, I think what Mr. Ogawa said is that it is easier to do if there are slides that you can promote.

Councilor Suga: Consortium, or something with a QR code? A QR code is also included in the website, but is it better to use a flyer? I would appreciate it if you could give me some ideas.

Chairman Ezaki: Thank you very much, Ogawa, what do you think?

Member Ogawa: I think you are right, . I am involved in this project, so I understand it well, but in order to involve new people more and more, it may be a vague picture or very detailed one, and private sector companies will need to spend personnel and costs to enter, so I would like to see the benefits to a certain extent shown in a more easy-to-understand manner. I think it is an important process to present what will happen and what will be expected by joining the consortium. I have high expectations for it, so I would like to ask for your cooperation.

Chairman Ezaki: Thank you very much, Secretariat.

Councilor Suga: . You don't see Digital Agency's website very often. I think I am writing a lot on it, but I think it is a matter of writing style. I think it is because PR is not good, but I would like to work together with the public relations team of Digital Agency.

Chairman Ezaki: Thank you very much, Kawabata is writing is a different story. Could you make a statement?

Kawabata Member: Regarding the holding of "RegTech Day," I talked to my acquaintances at the executive level and related parties in my work as much as possible and asked them to participate, but they said that the hurdle for applying was high. The reason was different between large companies and startups, so I would like to share that.

In the case of large companies, we had to go through the legal department for such applications, so we didn't have enough time to apply. In addition, many new initiatives and digitalization initiatives are being carried out in cooperation with other companies in the form of consortia, so it seems that we need to persuade various companies when applying. In that sense, the hurdles for applying are high, so I think they want lead time.

Also, I received a reply from a startup that they were very interested in and would apply immediately, but I heard that startups are often partnered with other companies, and it is quite difficult to get an agreement from the other company when the time comes. When I asked a startup consortium, they advised me that the application might advance a little. I wanted to give you feedback on the application.

Chairman Ezaki: Thank you very much, . If we actually try to do it, there are many players who need to reach an agreement, so I think there are some difficulties. I think it will be a homework to think about a form that is a little easier to apply. Member Okada, I heard that you are writing to the effect that you may not apply because you do not see a business opportunity, but I would like you to make a statement.

OKADA Member: Regarding the fact that there was no application earlier, there is no evidence, and it is my personal impression. First of all, due to the impact of carbon neutrality, the number of oil industries and major plants that are on the decline is increasing, so there may be no business opportunities even if we enter these industries digitally. Considering the industrial structure of the future, I think that it is easy to enter digitalization where there will be more expansion in the future, but in an industry that is on the decline, I think that it is difficult to introduce digital technology only in regulatory reform without some ingenuity.

Another thing is that ships have many patterns, so I have a feeling that one method or technology may not be enough. I don't know for certain unless I examine the details of periodic inspections, but I think it is very difficult to introduce new technology into ship-related business. Perhaps the more I research services such as inspections on ships, the more I feel that I will not make a profit, that is, I will not be able to find a business model. It is important to consider whether or not a business will be viable before considering whether or not there is a technology. In industries where the business environment is not yet in place, if you want to actively introduce new technology, I have a feeling that it will not work well unless you consider what will be the catalyst for new moves, such as combining it with growing industries or granting special exemptions such as tax system preferential treatment.

I believe that the characteristics of industry must be incorporated into Technology Map, and some form of support must be provided in cases where it is difficult for regulatory reform alone to push.

Chairman Ezaki: Thank you very much, . I think there is a feeling that it will be an opportunity for the industry to take action on its own initiative, rather than leaving it to others. From the perspective of those who have such a problem awareness, will it be constructive if we can come up with a story that is not listed here?

OKADA Member: That's right. That's one reason, and there is also quite a lot of anxiety about leaving the inspection and the like to the technology, and who will take responsibility if there is a mistake. It will be a barrier to the introduction of technology because it is not clear how to share responsibilities such as user responsibility and manufacturer responsibility, as well as the form of technology in which "measurement is automatic and final judgment is made by people" or "from measurement to final judgment is made by machines or AI." It is also important to answer questions that everyone is suspicious of. The level of understanding of IT is still low, and there are quite a few companies that have only a few people in the company who know well about IT. Second or third ranked companies will be able to introduce IT with peace of mind, but most business operators and local government will not be able to do it with the first ranked company. I think it is also important to have a mechanism to find the first ranked underwriter well.

Chairman Ezaki: Thank you very much, That is the essence of how to proceed with the digital consultation, so the practical team here also needs to be aware of it. One more step up, it may be better to talk about how to accept the trigger of how to change the consciousness of the industry.

Councilor Suga: , have taken the trouble to ask us to use our technology if we have it, so we feel that it is a waste of money, so this is the table. Certainly, as Mr. Okada said, we should include the fact that there is no market or business feasibility in the hypothesis. Thank you very much.

Chairman Ezaki: Thank you very much, However, if it is fixed with that, there is a risk that it will be an inefficient and worst 10 years, so I think we must think about it. What do you think, Mr. Nakagaki?

Member Nakagaki: It is almost the same as the content of Member Okada, but when I tell you what I think about Type 5, the Electricity Utilities Industry Law, which I am involved in, it seems to be a situation in which it is faster to go there. There are chief electrical engineers, and in the case of generators, chief engineers of turbines and boilers, who visit and inspect them. Even in ordinary households, I think people from the Electrical Safety and Security Association come once every few years, for example, once every four to five years.

Since the frequency per case is once every 4-5 years, the target is large, but it is difficult to generalize, and it is a business model in which the investment cannot be recovered even if a camera is installed there. When it comes to the installation of digital completion type sensors and cameras, it is a technology suitable for constantly monitoring at a fixed point and observing changes, so I think that is the reason why there was no application. The rest is almost the same as the Okada members.

Chairman Ezaki: Thank you very much, . In terms of whether we can overcome that tricky point, it may be a discussion that includes what to do about existing infrastructure and future construction, and what to do about the fact that there are places where we can make it by reducing costs. Do you have any other opinions? Mr. Hiramoto, please.

Hiramoto Member: In my opinion or impression, I think it is a very good initiative to consider the place where there was no effective proposal on page 14. I am very much looking forward to the future results.

As for the community, there are talks about cafes and pitches at the consortium, but when we were doing open data, we often ran into a wall that was close to regulation. At that time, we held a round table where those who have regulation and those who have regulation gather and discuss. If we do that, we can discuss the background of Okinawa in a little more detail than in writing, and I think it will be beneficial for both of us. We can talk about the existence of a solution on the spot, and we also have a sense of understanding about whether there was such a reason, so I think there are various patterns, but I think it would be good to do that. Thank you very much.

Chairman Ezaki: Thank you very much, . This is a very constructive opinion. What do you think of the Secretariat?

Councilor Suga: . At the stage of creating the specifications, we are working with the ministries and agencies in charge of regulation, so we would like you to tell them about it. Because we have the authority, it is quite difficult for them to come out and talk, but I hope we can realize such a place.

Chairman Ezaki: Thank you very much, I would like to ask for the cooperation of Hiramoto members who have experience.

Hiramoto Member: I understand.

Chairman Ezaki: Thank you very much, , do you have any other opinions? If you don't have any, I think the first report today was mainly about progress, and although cybersecurity's problem is difficult to handle, or rather, it is an extremely difficult problem, I think we received several solutions and new proposals from the members. I think we also received input that critical information is already handled by installment sales finance.

If you don't mind, I would like to conclude today's proceedings. Finally, I would like to ask the secretariat to explain about the next committee.

Councilor Suga: Thank you very much for your participation today. The Secretariat will contact you again about the next Committee meeting. In addition, today's proceedings will be announced on the Digital Agency website after the Secretariat confirms the draft minutes with everyone who attended the meeting. If you do not have any particular objections to the Committee materials, we would like to disclose all of them on the Digital Agency website. Thank you very much for your participation today.

Chairman Ezaki: Thank you very much, . With that said, I would like to conclude today's meeting of the Committee. Thank you very much for your participation.