Promoting robust competition in the digital space while simultaneously ensuring the strongest possible cybersecurity protections is challenging. The Japan Fair Trade Commission (JFTC), however, has struck a crucial balance between these priorities in its May 2025 Subordinate Legislation and Guidelines (“Guidelines”), which outline implementation of the country’s new Mobile Software Competition Act (MSCA). Notably, the JFTC’s novel approach to this issue provides a series of cybersecurity-related “justifiable reasons” for non-compliance with the MSCA.
For context, Japan’s National Diet passed the MSCA in June 2024 as a supplementary law to the country’s Antimonopoly Act. The purpose of the law is to promote competition in the markets for mobile operating systems (OS), app stores, browsers, and search engines. Under the MSCA, so-called Designated Providers (e.g., Apple and Google) are prohibited from several practices, including:
- Engaging in “unfair or unjustly discriminatory” treatment towards third party app developers (Article 6).
- Preventing or making it more difficult for third parties to provide alternative app stores on their mobile OS (Article 7).
- Preventing or making it more difficult for third party app developers to use mobile OS functions the Designated Provider itself uses for similar purposes (Article 7);
- Preventing or making it more difficult for third party app developers to use alternative payment platforms (Article 8).
- Preventing third party app developers from including external links that direct users to websites outside the software (Article 8).
The law’s passage sparked concerns amongst cybersecurity policy experts that forcing Designated Providers to enable all third-party app stores and open up operating systems to third party developers cause increased unauthorized data exfiltration, malware, and fraud. They also worried that effective cybersecurity safeguards, by their nature, are restrictive and thus can appear anticompetitive.
These concerns echo similar critiques of the Digital Markets Act (DMA) (Regulation (EU) 2022/1925) – the European Union’s antimonopoly law for the digital space – which the Center highlighted in our February 2024 Trusted App Store: Protecting Security and Integrity report. Similarly, the Center filed an amicus brief in Epic Games v. Apple Inc., urging the U.S. Court of Appeals for the Ninth Circuit to protect cybersecurity while making determinations about antitrust and competition remedies.
Fortunately, the JFTC’s Guidelines include a novel approach for implementation that exempts Designated Providers from certain MSCA provisions when cybersecurity is a concern. Specifically, the Guidelines state that “ensuring cybersecurity, protecting information related to smartphone users, safeguarding minors, or achieving other [similar] objectives” qualify as “justifiable reasons” for non-compliance with the Articles 7 and 8 of the MSCA.
In comments to the JFTC, the Center expressed its strong support for this crucial exception because it allows Designated Providers to maintain a high level of cybersecurity in their products by conducting routine, multi-layered cybersecurity reviews (i.e., pre- and post-installation reviews) of third-party applications. Moving forward, we also encourage regulators in other jurisdictions to adopt a similar approach to digital antitrust enforcement that supports such cybersecurity practices.
In addition, the Center urged the JFTC to ensure that, under the MSCA, Designated Providers can still impose reasonable limits and provide warnings regarding alternative app stores, unvetted third-party apps, and external link-outs, which pose elevated risks such as phishing, identity theft, and fraudulent transactions.
This would also align the MSCA implementation with Japan’s National Security Strategy (NSS) of 2022, which states that “the Government will improve coordination with other policies that contribute to the enhancement of cybersecurity, such as economic security and the enhancement of technical capabilities related to national security.”
Moving forward, the MSCA is tentatively scheduled for full enforcement by December 18, 2025.
Read Next
European Commission 2028-2034 Budget Proposal Includes Substantial Increase for Cyber, Digital Programmes
The European Commission presented its initial proposal for the European Union’s 2028-2034 financial framework that, if approved, could authorise nearly EUR 2 trillion in spending over seven years for cyber and other digital efforts.
Congress’ Proposed Chip Security Act Threatens to Create New Cyber Vulnerabilities in U.S. Semiconductors
As the U.S. races toward global AI dominance, a new bill aimed at preventing diversion of innovative U.S. semiconductors to China could inadvertently make those very same chips less secure.
The Clock’s Ticking: Why CISA 2015 Must Be Renewed Now
As the September 2025 expiration of CISA 2015 looms, Congress faces a critical decision that will shape the future of national cyber defense. At a time when the U.S. is under near constant cyber attacks, government and industry need to share intel.