Japan’s FSA proposes mandatory cybersecurity standards for crypto exchanges

Japan’s Financial Services Agency recently released a new framework policy draft that will set new mandatory cybersecurity standards for cryptocurrency exchanges. This marks a turning point from individualized, asset-focused security to defense protocols for the complete ecosystem (per exchange) as cyberattacks continue to escalate across the digital asset sector.

The policy guidelines were announced on February 10, 2026, introducing mandatory Cybersecurity Self-Assessments (CSSA) for all registered crypto exchanges operating in Japan. 

The FSA will accept public comments until March 11, giving key players like exchanges and security experts three weeks to provide feedback before the regulations are finalized for implementation in Japan’s 2026 fiscal year (beginning April 1).

Cold wallets no longer sufficient as indirect attacks increase

The FSA observed an increase in sophisticated indirect attacks in recent times. As the situation worsens, the use of cold wallets alone may not be able to guarantee safe asset management, thus signaling a shift in the evolution of Japan’s regulatory philosophy. 

While offline cold wallets protect assets from direct remote hacking, the agency acknowledged that modern threat actors have adapted to this by targeting the human and operational infrastructure supporting digital asset management.

Other analysts noted that the CSSA framework will require exchanges to systematically evaluate different aspects of their security domains, be it technical infrastructure (such as wallet security and network architecture), human and operational risks (including employee training and phishing protocols), third party vendor management, and data integrity protections, which have to be compliant with Japan’s Personal Information Protection Act.

This shift comes as a result of several high-profile breaches in 2024 that exposed these vulnerabilities. The guidelines in particular focus on attacks that bypass technological defenses by compromising employees through phishing campaigns or infiltrating service providers and contractors who maintain access to exchange systems.

Three-pillar framework demands industry-wide participation

The successful implementation of this new policy rests on three pillars that combine to create a multi-layer defense system. They include self-help, mutual help, and public help, and these pillars will address different aspects while working together to strengthen the industry’s security system.

The “self-help” pillar places primary responsibility on individual exchanges to secure their own operations. It will start in the fiscal year 2026 (April 1) and will require all registered cryptocurrency exchanges to conduct the mandatory assessments mentioned earlier.

The “mutual assistance” pillar uses collective intelligence backed by industry collaboration. The FSA will help strengthen the security committee functions of the Japan Virtual and Crypto Assets Exchange Association (JVCEA), while encouraging exchanges to actively participate in information sharing so that threats, attack patterns, and defensive strategies can be communicated better across the sector. 

As such, if one exchange identifies a new social engineering strategy or another vulnerability, that intelligence will become available to protect other operators before they experience something similar.

Finally, the “public help” pillar will see the FSA continuing the international joint blockchain research on emerging threats that it began in the fiscal year 2025, as well as involving the entire crypto exchange sector in the “Delta Wall,” a joint cybersecurity exercise for financial organizations, within three years of the policy’s adoption. 

What’s next for exchanges operating in Japan?

During the 2026 fiscal year, the FSA plans to conduct real penetration tests on specific operators and may hire ethical hackers to attempt intrusions into live exchange systems. 

These authorized attacks will identify vulnerabilities before malicious hackers can exploit them, with findings shared confidentially to help affected exchanges patch any weaknesses. This will help provide an objective measure of monitoring that may have been overlooked during self-assessments.

The three-pillar structure creates accountability at every level, with exchanges bearing primary responsibility for their own security (self-help), the industry sharing collective intelligence and raising standards (mutual help), and governmental oversight, testing and support (public help). 

The FSA believes this will herald a stronger, more adaptive ecosystem capable of defending itself against current threats and future ones.

If you're reading this, you’re already ahead. Stay there with our newsletter.