Technical Lock-In and Data Sovereignty in Japan’s Government Cloud — Is a Japanese Sovereign Cloud Still Possible?

On December 26, 2025, the Digital Agency of Japan issued a public procurement notice related to the Government Cloud initiative.

Provision of Cloud Services for the Development of Japan’s Government Cloud (FY2026 Procurement)
https://www.digital.go.jp/procurement/5107093b-7c29-4ffe-808b-6e39b5e0e5be

This procurement provides a rare opportunity to examine how a highly centralized government cloud strategy can inadvertently undermine data sovereignty and operational resilience. The associated documents—including procurement specifications and detailed technical requirements—provide valuable insight into the current state and future direction of Japan’s Government Cloud.

The detailed technical requirements alone consist of:

  • Basic requirements: 67 items

  • Core service requirements: 165 items

  • Advanced data integration and security requirements: 79 items

In total, this amounts to 311 requirements, including six related to generative AI functions.

While these technical requirements have long been criticized as being “excessive” or “implicitly tailored to AWS,” another concern has received far less attention: whether data sovereignty has been adequately addressed at all.

This article examines how Japan’s Government Cloud has, in practice, intensified compound vendor lock-in and data sovereignty risks, and why the realization of a Japanese sovereign cloud remains structurally difficult.

Japan is becoming a de facto case study of how rapid hyperscale cloud adoption can erode public-sector data sovereignty. This is not a Japan-only issue, but a structural risk shared by advanced democracies.

The Current State and Challenges of Japan’s Government Cloud

Japan’s Government Cloud has resulted in a multi-layered vendor lock-in, dominated by AWS and its partner ecosystem, combined with deep technical lock-in through proprietary APIs and managed services.
As a consequence, system migration has become more difficult than before, while exposure to foreign exchange risk has increased.

Although the Digital Agency formally promotes a “multi-cloud” approach, the reality is a strong concentration on AWS. This concentration has exposed systemic vulnerabilities, including service disruptions and data security risks arising from configuration and operational errors.

In particular, during a large-scale AWS outage in 2025, a specific availability zone in the Tokyo region experienced approximately one hour of downtime. The Digital Agency acknowledged that the Government Cloud was “partially affected.”
This incident highlighted the fragility of single-CSP dependence. Another AWS-related incident later in October 2025 reportedly affected over 2,500 organizations worldwide.

During the critical planning and requirement-definition phase that followed the establishment of the Digital Agency in 2021, data sovereignty was never systematically or explicitly addressed.
Instead, emphasis was placed primarily on geographical controls, such as domestic data center locations. By contrast, operational sovereignty (domestic operational control) and software sovereignty (reducing dependency on foreign proprietary platforms and closed ecosystems) appear to have received little consideration.

As a result, vendor lock-in and sovereignty risks have expanded, while the Digital Agency has yet to clearly articulate the importance of data sovereignty as a public policy objective.

The Neglect of Data Sovereignty and the Cloud Illusion

In Europe, following the enforcement of the GDPR in 2018, digital sovereignty became a core policy objective. By 2021, concrete initiatives were already underway.
Thus, when Japan was designing its Government Cloud, sufficient reference material and policy precedents were readily available.

European policymakers explicitly recognized dependence on U.S. technology firms as a sovereignty risk. Japan, by contrast, appears to have underestimated these risks due to its alliance relationship with the United States.

This was not merely a lack of awareness, but a political choice driven by the priority of rapid migration. Under the Suga administration, the Government Cloud was positioned as a flagship policy, and comprehensive risk assessment was effectively deferred.

The political and governance dimensions of this issue are discussed in greater detail in the following article:

Do We Need “IT-Savvy Politicians” for a Data-Driven Digital Nation? — Governance Responsibility, Not Technical Intervention
https://www.manaboo.com/wordpress/?p=2968

Human factors also played a role. The early leadership and staffing of the Digital Agency strongly reflected global cloud “best practices,” with AWS effectively becoming the de facto standard. This fostered an overly optimistic belief that hyperscale cloud services could solve all structural problems.

This mindset can be traced back to Japan’s “cloud-by-default” policy around 2018. However, what Japan truly needed was hybrid-by-default.
The notion that public cloud platforms alone could compensate for decades of digital policy failures reflects a failure to internalize lessons from Japan’s previous “digital defeats.”

For further discussion, see:
From Cloud-by-Default to Hybrid-by-Default — Rebuilding Japan’s Zero Trust Architecture
https://www.manaboo.com/wordpress/?p=2913

Interestingly, Japan and the EU are deepening cooperation through the Digital Partnership (its third Council meeting was held in 2025), which could provide an institutional framework for aligning data sovereignty and cloud governance standards.

Why BYOK Cannot Address National Security and Intelligence Risks

The Digital Agency has acknowledged the legal risks posed by foreign legislation such as the U.S. CLOUD Act, and has cited BYOK (Bring Your Own Key) as a partial mitigation strategy.

CLOUD Act Resources
https://www.justice.gov/criminal/cloud-act-resources

However, while BYOK allows users to generate and initially control encryption keys, those keys are still operationally handled within the cloud provider’s environment. From a data sovereignty perspective, this represents a fundamental limitation.

In both European and U.S. policy discussions, it is widely understood that BYOK is insufficient as a countermeasure to the CLOUD Act.

More robust approaches include:

  • HYOK (Hold Your Own Key), where keys are fully retained outside the cloud

  • Split-key architectures

  • Multi-Party Computation (MPC)-based key management

These methods enable significantly stronger sovereignty guarantees.

More concerning than the CLOUD Act itself, however, are foreign intelligence access mechanisms, particularly the combination of:

  • FISA Section 702 (Foreign Intelligence Surveillance Act)

  • Executive Order 12333

FISA Section 702
https://www.fbi.gov/how-we-investigate/intelligence/foreign-intelligence-surveillance-act-fisa-and-section-702

Executive Order 12333
https://www.archives.gov/federal-register/codification/executive-order/12333.html

If the CLOUD Act represents a “front door” request for data, FISA 702 and EO 12333 function as backdoor mechanisms, enabling access without prior judicial approval and without any obligation to notify the data holder—before or after the fact.

These mechanisms were a major driver behind Europe’s push to strengthen sovereign cloud initiatives.
Consequently, the possibility that sensitive population data—such as Japan’s resident registry—could be covertly accessed as part of foreign intelligence operations cannot be categorically dismissed.

What Would Be Required for a Japanese Sovereign Cloud?

What occurred in the United States during the Obama administration is now unfolding in Japan through the Government Cloud—yet with a crucial difference: Amazon is a U.S. corporation.

Amazon’s pursuit of profit and customer lock-in is entirely rational corporate behavior and should not be blamed.
The responsibility lies instead with Japan’s Digital Agency and Ministry of Internal Affairs and Communications, whose governance and oversight have been inadequate.

For a broader analysis, see:
The Invisible Infiltration: How U.S. Tech Giants Are Reshaping Japan’s E-Government
https://www.manaboo.com/wordpress/?p=2854

Today, vast amounts of Japanese citizens’ data—such as the resident registry—are concentrated on infrastructure operated by foreign providers. This significantly increases exposure to foreign legal regimes and raises the risk of administrative paralysis in the event of major outages.

Strict technical requirements initially favored large foreign providers, accelerating market concentration. Once established, this dominance is likely to become structurally entrenched.

In summary, Japan’s Government Cloud has suffered from:

  • Insufficient consideration of data sovereignty and economic security during requirement definition

  • Organizational and personnel governance issues that favored AWS

  • A nominal “multi-cloud” strategy that became largely symbolic

  • Rising operational costs and systemic risk, exposed by the 2025 AWS outages

The most serious failure, however, is that multiple opportunities for course correction were missed.

To move forward, Japan must urgently pursue an alternative trajectory centered on:

  1. Physical and legal separation of domestic backup systems

  2. A shift from cloud-by-default to hybrid-by-default

  3. System redesign based on strong key management and operational sovereignty

Only through such an approach can the realization of a Japanese sovereign cloud become conceivable.

While these challenges are discussed here in the Japanese context, they are not unique to Japan and reflect broader structural tensions between hyperscale cloud adoption and public-sector sovereignty.

1886