AI Business Operator Guidelines v1.1 vs EU AI Act — The Implementation Gap for Japanese Firms
Japan's AI Business Operator Guidelines (v1.1, 2025-03-28, METI/MIC/Digital Agency) and the EU AI Act (in force 2024-08-01, staged application) compared. Three-actor classification, risk-tiered design, and the structural implementation gap.
TL;DR
- Japan's AI Business Operator Guidelines were updated to version 1.1 on 28 March 2025, organising AI developers, providers, and users into three actor categories under ten principles including human-centredness and safety. The Guidelines carry no penalties and are designed as a "Living Document" subject to ongoing revision.
- The EU AI Act (Regulation 2024/1689, in force 1 August 2024) adopts a four-tier risk classification, conformity assessment akin to CE marking, and a fine structure capped at 7% of worldwide annual turnover. The provisional Digital AI Omnibus deal of 7 May 2026 postponed high-risk AI obligations until December 2027.
- When Japanese firms place AI systems on the EU market, or the AI outputs are used within the EU, the extraterritorial provisions of Article 2 make EU AI Act compliance mandatory, while Japan's domestic Guidelines merely "encourage" alignment. The asymmetry between an EU that places verification responsibility on providers and a Japan that leaves this to corporate self-assessment is the structural source of the implementation gap.
What Is Happening
A chronological map of Japan's Guidelines v1.1 and the EU AI Act
Japan and the EU chose different institutional answers to the same problem. For the social deployment of advanced AI systems, including generative AI, Japan opted for guidelines without penalties (soft law); the EU enacted a comprehensive regulation (hard law).
The current Japanese reference is the AI Business Operator Guidelines Version 1.1, the output of the AI Business Operator Guidelines Review Committee, published jointly by METI and the Ministry of Internal Affairs and Communications (MIC) on 28 March 2025. The Guidelines organise three actor categories — AI developers, AI providers, and AI business users — under ten principles: human-centredness, safety, fairness, privacy protection, security, transparency, accountability, education and literacy, fair competition, and innovation. The revision incorporates the EU AI Act's entry into force and the start of operations of the Hiroshima AI Process International Code of Conduct reporting framework. The Guidelines impose no direct penalty and are designed as a Living Document subject to continuous revision.
Earlier in May 2025, Japan enacted the AI Promotion Act, which entered into force on 1 September of the same year. This statute also carries no penalty; it establishes an AI Strategy Headquarters and articulates the responsibilities of the national and local governments. In April 2025, the Digital Agency released the DS-920 Generative AI Procurement and Utilisation Guideline, which will apply across government procurement from April 2026. Japan's AI governance architecture is thus a two-track structure: industry-facing soft law (the Business Operator Guidelines) and a government-procurement guideline (DS-920).
The EU, by contrast, adopted Regulation (EU) 2024/1689 — Artificial Intelligence Act, published in the Official Journal on 12 July 2024 and in force from 1 August 2024. The staged application schedule is set out in Article 113. Prohibited AI practices (social scoring, workplace and educational emotion recognition, subliminal manipulation, and certain biometric uses) became applicable from 2 February 2025. Obligations for general-purpose AI (GPAI) model providers became applicable from 2 August 2025, with the remaining general provisions starting on 2 August 2026.
On 7 May 2026, the Council of the EU and the European Parliament reached a Digital AI Omnibus provisional agreement. The application of stand-alone high-risk AI systems (Annex III domains such as employment, education, credit scoring, biometrics, critical infrastructure, and judicial assistance) is postponed from August 2026 to 2 December 2027, while embedded-product high-risk AI is further postponed to 2 August 2028. The reasoning, set out in Tech Policy Press, concerns the readiness gap in implementation infrastructure and the concentrated administrative burden on Member States and industry.
The timeline is as follows.
| Date | Event | Type |
|---|---|---|
| April 2024 | Japan AI Business Operator Guidelines v1.0 | Soft law |
| 12 July 2024 | EU AI Act published in Official Journal | Hard law |
| 1 August 2024 | EU AI Act in force | Hard law |
| 2 February 2025 | EU prohibited AI obligations applicable | Hard law |
| February 2025 | Hiroshima AI Process reporting framework operational | International framework (Japan-led) |
| 28 March 2025 | Japan AI Business Operator Guidelines v1.1 published | Soft law |
| May 2025 | Japan AI Promotion Act enacted (no penalties) | Statute (no penalties) |
| 2 August 2025 | EU GPAI provider obligations applicable | Hard law |
| 1 September 2025 | Japan AI Promotion Act in force | Statute (no penalties) |
| 1 April 2026 | Japan DS-920 generative AI procurement guideline fully applied | Government guideline |
| 7 May 2026 | EU Digital AI Omnibus provisional agreement | Amending agreement |
| 2 August 2026 | EU AI Act remaining provisions applicable | Hard law |
| 2 December 2027 | EU stand-alone high-risk AI applicable (post-Omnibus) | Hard law |
| 2 August 2028 | EU embedded-product high-risk AI applicable (post-Omnibus) | Hard law |
What matters here is less the number of effective dates than the difference in where penalties sit and where verification responsibility is placed. Japan presupposes self-assessment by operators and leaves implementation judgement to firms. The EU places verification responsibility on the provider side through ex-ante conformity assessment by notified bodies and the fine structure under Article 99. For the same objective — deploying AI in society — the location of verifiability is set in opposite places.
- Japan: no penalties + self-assessment. Guidelines (rolling revision) + AI Promotion Act (principle law, no penalties) + DS-920 (procurement guideline). Verification responsibility rests on businesses.
- EU: penalty regime + conformity assessment. Article 99 imposes fines up to 7% of global turnover or EUR 15M. Conformity-assessment bodies perform ex-ante review; providers bear verification responsibility.
* Sources: METI/MIC 'AI Business Guidelines v1.1' (Mar 2025), Japan AI Promotion Act (enacted May 2025), Regulation (EU) 2024/1689 Article 113, EU Council 'Digital AI Omnibus interim agreement' (May 7, 2026).
Background & Context
The fundamental design gap between soft law and hard law in international comparison
The soft-law lineage (Japan)
Japan's choice of a guideline-based soft-law design reflects consistent positions advanced by industry. The Keidanren argued in "Towards Responsible Development and Use of Digital Technology" (6 March 2025) in favour of the agile-governance concept, asserting that pre-fixed detailed rules are ill-suited to rapidly changing technology domains. The view holds that continuously revising guidelines while maintaining dialogue with industry is preferable to setting precise rules in advance.
This design carries paired advantages and disadvantages. The advantage is that innovation friction is minimised. New entrants and small operators can refer to the Guidelines while making implementation judgements on their own. The disadvantage is that verifiability is hard to see from outside. When a firm declares that it is "compliant with the Guidelines," no third-party audit or conformity-assessment scheme exists to verify that claim externally. The two-layer structure of the v1.1 main text (31 pages) and the accompanying practical annex emphasises readability, but that readability carries the risk that reading the document may feel like having complied. As the cognitive debt discussion suggests, the gap between "having read the governance document" and "having verified the implementation" is hard to close through soft law alone.
The hard-law lineage (EU)
The EU applied to AI the risk-based comprehensive-regulation approach already familiar from chemical safety (REACH), medical devices (MDR), and data protection (GDPR). The EU AI Act adopts the following four-tier risk classification.
| Risk Tier | Examples | Principal Obligations |
|---|---|---|
| Unacceptable Risk | Social scoring, workplace and educational emotion recognition, subliminal manipulation, indiscriminate biometric surveillance | Prohibition (Article 5) |
| High Risk | Recruitment AI, credit scoring, critical-infrastructure control, law enforcement, judicial assistance, migration management, biometric identification | Conformity assessment, technical documentation, log retention, human oversight (Annex III, Articles 8-15) |
| Limited Risk | Conversational AI, deepfake generation | Transparency obligations, labelling of AI-generated output (Article 50) |
| Minimal Risk | Spam filters, game AI | Voluntary standards, encouraged participation in codes of conduct |
The fine structure is set out in Article 99.
| Violation type | Maximum |
|---|---|
| Breach of prohibited AI rules | EUR 35,000,000 or 7% of worldwide annual turnover, whichever is higher |
| Breach of high-risk AI obligations | EUR 15,000,000 or 3% of worldwide annual turnover |
| Provision of incorrect information to authorities | EUR 7,500,000 or 1% of worldwide annual turnover |
The 7% ceiling, exceeding GDPR's 4%, signals the priority the EU places on AI governance. High-risk AI must also undergo conformity assessment (an ex-ante review by a notified body, modelled on CE marking) before placement on the EU market. Third-party certification networks similar to those for chemicals and medical devices are being institutionalised for AI.
Extraterritorial application
Article 2 of the EU AI Act contains extraterritorial provisions. Even when the provider and user of an AI system are located outside the EU, the Act applies if the output produced by the system is used within the EU. A Japanese firm running an AI system on Japanese servers may therefore fall within the AI Act's scope at the point when its output reaches EU customers. PwC Japan, KPMG Japan, and other major audit-aligned consultancies have been urging Japanese firms to prepare for extraterritorial reach. The EY Japan briefing shows that scoping alone generates additional internal-governance work.
Comparison with the United States and China
In the United States, voluntary frameworks centre on the NIST AI Risk Management Framework 1.0 (January 2023) and the NIST AI 600-1 Generative AI Profile (26 July 2024), with state-level statutes (California, Colorado, Texas, New York) running in parallel as a decentralised governance pattern. China, in the Interim Measures for the Management of Generative AI Services (in force 15 August 2023), incorporates algorithm-filing and safety-assessment systems under a "tolerance-and-prudence, classification-tiered supervision" principle that differs from both EU and US approaches.
Internationally, Japan's AI Business Operator Guidelines sit between the US NIST AI RMF-style voluntary framework and the EU AI Act-style comprehensive regulation. The US, however, is now seeing concrete state-level obligations emerge (for example, California's TFAIA imposing obligations on frontier models exceeding 10²⁶ FLOPS); Japan is unusual internationally in having neither federal-equivalent penalties at the central level nor independent regulation at the local level.
Hiroshima AI Process reporting framework
The Japan-led international framework also deserves mention. The Hiroshima AI Process International Code of Conduct reporting framework became operational in February 2025, providing a mechanism for GPAI providers to report their risk-management practices on a voluntary basis. In the initial reporting round in April 2025, 19 organisations participated, including 7 Japanese firms. Reports are published via the OECD website. Because the content overlaps substantively with EU AI Act GPAI obligations (applicable from August 2025), providers face the administrative burden of submitting similar information through two channels. A gap remains between the rhetoric of international coordination and the operational reality of regional regulatory divergence.
Reading the Structure
Four analytical points on risk tiers, implementation voids, extraterritoriality, and international alignment
Point 1: Risk-tier blind spots
Annex III of the EU AI Act enumerates high-risk AI domains in concrete terms: employment (recruitment and performance-evaluation AI), education (test scoring and progression decisions), credit scoring, critical infrastructure (electricity and transport control), law enforcement, judicial assistance, migration management, and biometric identification. This design operationalises the abstract criterion of "AI with significant impact on rights and opportunities" through a specific domain list.
Japan's AI Business Operator Guidelines v1.1 introduces a "risk-based approach" but its domain-specific list is less detailed than the EU's. The main text uses abstract categories such as "particularly important AI systems" and "important AI systems," with illustrative references to medicine, finance, education, and recruitment. Which domains qualify as high-risk is left to the operator's own assessment, and no procedure exists for third-party audit to confirm the categorisation.
As a result, recruitment AI, credit AI, and educational AI operating within Japan may be deployed without undergoing verification equivalent to the EU's. Institutional bases for individual objection and explanation rights are also thinner than in the EU. For Japanese firms without EU exposure, this reduces near-term compliance costs; from the standpoint of individuals directly affected by AI decisions, however, the routes for redress and correction are less defined.
Point 2: The asymmetry of dual-compliance costs
Japanese firms placing AI systems on the EU market, or providing AI services whose outputs reach EU users, must meet the high-risk AI obligations of the AI Act. Concretely, this means preparing technical documentation for conformity assessment, building log-retention infrastructure, designing human-oversight schemes, and securing certification equivalent to CE marking. Because this runs in parallel with GDPR compliance, the rebuild required is broader than AI alone.
Japan's domestic Guidelines, meanwhile, "encourage" but do not "require" EU alignment. The EU AI Act compliance burden is therefore absorbed by Japanese firms themselves. In the reverse direction — EU firms supplying AI services to the Japanese market — Japan's Guidelines effectively provide a free pass, because there is no penalty for ignoring them. If this asymmetry persists, the share of EU firms in Japan's AI market and the share of Japanese firms in the EU AI market could diverge structurally through the difference in compliance cost.
The Nishimura & Asahi Law Offices N&A Newsletter (January 2026) reviews post-Omnibus developments and the state of Japanese-firm preparation. Read together with the Hogan Lovells English-language briefing and the IAPP analysis, it becomes clear that the postponement provides time for implementation, not exemption.
Point 3: The absence of a verification loop
The Japanese Guidelines lack an institutionalised verification loop. Three components are missing.
First, third-party audit and conformity-assessment bodies. The EU is moving toward an AI-specific network of notified bodies, modelled on those for CE marking. Japan's design presupposes self-assessment by operators and does not institutionally require external verification.
Second, mandatory technical documentation. Under the EU AI Act, high-risk AI is subject to obligations including technical documentation (Article 11), log retention (Article 12), transparency (Article 13), and human oversight (Article 14). The Japanese side "recommends" these but imposes no sanction for their absence.
Third, an institutional route for objection and correction. The EU AI Act incorporates rights for affected individuals, including requests for explanation of AI decisions and human re-evaluation. The Japanese Guidelines list "accountability" as a principle that includes explainability, but the Guidelines themselves do not create a legal basis on which individuals can request an explanation from operators (such rights depend on the existing Act on the Protection of Personal Information and other statutes).
These three absences combine to create a substantial implementation gap between "having read the Guidelines" and "having verified the field." The Japan AI Safety Institute (AISI) published its v1.1 announcement, but AISI itself has no statutory power to audit corporate AI on a compulsory basis. The gap between "having read the governance document" and "having verified the field" needs to be surfaced as cognitive debt.
Point 4: International alignment and Japan's options
If Japan were to move from the current soft-law model, three options are theoretically available.
First, maintaining an independent path. Japan continues to revise the Guidelines and the AI Promotion Act, leaving verification to industry self-standards and trade-association certification. The advantage is preserved flexibility on the ground; the risk is a quiet form of the "Brussels effect," in which EU standards become de facto Japanese standards through extraterritorial reach, without that fact being deliberately chosen.
Second, partial alignment. Japan brings the domain-list for high-risk AI (recruitment, education, credit, and so on) into alignment with EU Annex III, and introduces a domestic certification scheme equivalent to conformity assessment. This is short of full EU harmonisation but reduces dual-compliance cost for Japanese firms and allows imported AI to be subjected to a domestic baseline.
Third, full alignment. Japan enacts a comprehensive statute equivalent to the EU AI Act, complete with penalties and conformity-assessment bodies. This collides head-on with the agile-governance argument advanced by Japanese industry, but it would structurally resolve the verifiability gap.
Drawing on the Bradley comparative study and the University of Washington JSIS comparison, it is clear that each jurisdiction has chosen a design consistent with its legal culture and industrial structure. The realistic question for Japan is whether it can compose a fourth path: "soft law with a verification base." If third-party audit, conformity assessment, and an objection-and-correction route could be institutionalised without statutory penalties, a route to closing the verification loop without converting to hard law remains theoretically open. That design has not yet been assembled.
Guidelines do not close the implementation gap when penalties are absent and verification mechanisms are missing. Whether Japan should follow the EU into hard law, or design soft law with its own verification base, is a separate question; the structural risk to identify is unverifiable soft law. This article is not a prompt for individual implementation judgements inside Japanese firms. It is a reading of the design difference that decides where the cognitive load of judgement falls in the field. The question that follows is whether to change that placement or to build out an internal verification loop that fits it.
References
AI Business Operator Guidelines (Version 1.1) — Ministry of Economy, Trade and Industry & Ministry of Internal Affairs and Communications. METI
AI Business Operator Guidelines (Version 1.1) — Summary — Ministry of Economy, Trade and Industry & Ministry of Internal Affairs and Communications. METI
Regulation (EU) 2024/1689 — Artificial Intelligence Act — European Parliament and Council. EUR-Lex
Artificial intelligence: Council and Parliament agree to simplify and streamline rules — Council of the EU. Council of the European Union
Towards Responsible Development and Use of Digital Technology — Keidanren (Japan Business Federation). Weekly Keidanren Times No.3764
DS-920 Generative AI Procurement and Utilisation Guideline — Digital Agency. Digital Agency
Hiroshima AI Process International Code of Conduct Reporting Framework — Ministry of Internal Affairs and Communications. MIC
AI Business Operator Guidelines (Version 1.1) Published — Japan AI Safety Institute (AISI). Japan AISI
EU AI Regulation — Application Timeline and Japanese Firm Response — PwC Japan. PwC Japan
The Application of the European AI Regulation and Japanese Firm Response — EY ShinNihon LLC. Info Sensor February 2025
EU AI Law: Updates from Autumn 2025 Onwards — Nishimura & Asahi. N&A Newsletter
What the EU AI Omnibus Deal Changes for the AI Act and What Lies Ahead — Tech Policy Press. Tech Policy Press
EU legislators agree to delay for high-risk AI rules — Hogan Lovells. Hogan Lovells
NIST AI Risk Management Framework — National Institute of Standards and Technology. NIST
Global AI Governance: Five Key Frameworks Explained — Bradley Arant Boult Cummings LLP. Bradley Insights


