Promoting robust competition in the digital space while simultaneously ensuring the strongest possible cybersecurity protections is challenging. The Japan Fair Trade Commission (JFTC), however, has struck a crucial balance between these priorities in its May 2025 Subordinate Legislation and Guidelines (“Guidelines”), which outline implementation of the country’s new Mobile Software Competition Act (MSCA). Notably, the JFTC’s novel approach to this issue provides a series of cybersecurity-related “justifiable reasons” for non-compliance with the MSCA.

For context, Japan’s National Diet passed the MSCA in June 2024 as a supplementary law to the country’s Antimonopoly Act. The purpose of the law is to promote competition in the markets for mobile operating systems (OS), app stores, browsers, and search engines. Under the MSCA, so-called Designated Providers (e.g., Apple and Google) are prohibited from several practices, including: 

• Engaging in “unfair or unjustly discriminatory” treatment towards third party app developers (Article 6).
• Preventing or making it more difficult for third parties to provide alternative app stores on their mobile OS (Article 7).
• Preventing or making it more difficult for third party app developers to use mobile OS functions the Designated Provider itself uses for similar purposes (Article 7);
• Preventing or making it more difficult for third party app developers to use alternative payment platforms (Article 8).
• Preventing third party app developers from including external links that direct users to websites outside the software (Article 8).

The law’s passage sparked concerns amongst cybersecurity policy experts that forcing Designated Providers to enable all third-party app stores and open up operating systems to third party developers cause increased unauthorized data exfiltration, malware, and fraud. They also worried that effective cybersecurity safeguards, by their nature, are restrictive and thus can appear anticompetitive.

These concerns echo similar critiques of the Digital Markets Act (DMA) (Regulation (EU) 2022/1925) – the European Union’s antimonopoly law for the digital space – which the Center highlighted in our February 2024 Trusted App Store: Protecting Security and Integrity report. Similarly, the Center filed an amicus brief in Epic Games v. Apple Inc., urging the U.S. Court of Appeals for the Ninth Circuit to protect cybersecurity while making determinations about antitrust and competition remedies. 

Fortunately, the JFTC’s Guidelines include a novel approach for implementation that exempts Designated Providers from certain MSCA provisions when cybersecurity is a concern. Specifically, the Guidelines state that “ensuring cybersecurity, protecting information related to smartphone users, safeguarding minors, or achieving other [similar] objectives” qualify as “justifiable reasons” for non-compliance with the Articles 7 and 8 of the MSCA.

 In comments to the JFTC, the Center expressed its strong support for this crucial exception because it allows Designated Providers to maintain a high level of cybersecurity in their products by conducting routine, multi-layered cybersecurity reviews (i.e., pre- and post-installation reviews) of third-party applications. Moving forward, we also encourage regulators in other jurisdictions to adopt a similar approach to digital antitrust enforcement that supports such cybersecurity practices. 

In addition, the Center urged the JFTC to ensure that, under the MSCA, Designated Providers can still impose reasonable limits and provide warnings regarding alternative app stores, unvetted third-party apps, and external link-outs, which pose elevated risks such as phishing, identity theft, and fraudulent transactions. 

This would also align the MSCA implementation with Japan’s National Security Strategy (NSS) of 2022, which states that “the Government will improve coordination with other policies that contribute to the enhancement of cybersecurity, such as economic security and the enhancement of technical capabilities related to national security.”

Moving forward, the MSCA is tentatively scheduled for full enforcement by December 18, 2025. 

‍