Overview of the Draft Report on the Cryptoasset System Working Group and Its Impact on Practice
AI Business |
AI Regulation |
EU |
JAPAN |
Artificial intelligence regulation is rapidly becoming a decisive factor in cross-border business strategy. Companies developing or deploying AI systems in multiple jurisdictions must navigate fundamentally different regulatory models, particularly in the European Union and Japan. This article provides a practical overview of how these two approaches diverge, and what those differences mean for businesses operating across both markets.
The EU has adopted a comprehensive, binding framework through the EU Artificial Intelligence Act. Built around a risk-based classification system, the Act imposes extensive ex ante obligations on providers and deployers of high-risk AI systems, including governance requirements, technical documentation, conformity assessments and significant enforcement exposure. For companies entering or operating in the EU market, AI compliance is no longer a peripheral issue but a core component of product design, market entry planning and corporate risk management.
Japan has taken a markedly different path. Rather than introducing AI-specific hard law, it has enacted a policy-oriented framework that promotes research, development and social implementation of AI while relying on existing laws—such as data protection, labour and consumer protection—to address concrete risks as they arise. This innovation-first, ex post accountability model reduces upfront regulatory friction but places greater emphasis on internal governance, documentation and responsiveness to regulatory guidance.
For cross-border businesses, these differences translate into distinct compliance strategies, timelines and cost structures. EU alignment often provides a robust baseline, but it does not eliminate Japan-specific legal considerations. Conversely, systems developed primarily for the Japanese market may require substantial redesign to meet EU requirements. Understanding these dynamics is essential for companies seeking to deploy AI responsibly, competitively and at scale across both jurisdictions.
This article is intended for companies considering entry into the EU or Japanese markets, as well as businesses already operating across both jurisdictions.
Why are regulatory responses to artificial intelligence diverging so sharply across jurisdictions, and why does this divergence matter in practice?
AI regulation is often discussed in simplified terms, with the EU portrayed as “strict” and Japan as “lenient”. While not entirely inaccurate, this framing obscures the more important question for businesses: how different regulatory models shape compliance strategy, product design and market entry decisions.
The contrast between the EU and Japan is particularly instructive because both jurisdictions share broadly similar policy goals (such as promoting trustworthy AI and mitigating social harm), yet pursue those goals through fundamentally different legal structures. The EU has chosen a uniform, AI-specific framework built around ex ante risk control, whereas Japan has embedded AI governance within existing legal regimes and administrative practice.
For companies operating across borders, these design choices are not merely theoretical. They affect when legal review must occur, how much documentation is required before deployment, how enforcement risk materialises, and where internal accountability should sit within an organisation.
This article does not attempt to assess which approach is preferable. Instead, it focuses on how these regulatory models function in practice, and what businesses need to understand when developing or deploying AI systems in both markets. It proceeds by first outlining the contrasting regulatory philosophies of the EU and Japan, then examining each framework in detail, before comparing their practical impact through a case study and concluding with concrete guidance for businesses.
This chapter provides a conceptual framework for understanding the regulatory choices made by the EU and Japan before turning to the specific legal regimes.
At the core of the EU-Japan comparison lie two related questions. First, how should novel and rapidly evolving technologies be regulated: through binding legal obligations or through flexible, non-binding norms? Second, how do different legal systems balance the perceived trade-off between risk mitigation and innovation incentives?
In general terms, hard law refers to legally binding rules that create enforceable rights and obligations and may be sanctioned through courts or administrative penalties. Soft law, by contrast, encompasses guidelines, principles and policy statements that lack direct legal enforceability but may nonetheless influence behaviour through administrative practice, market expectations or reputational effects.
In the context of AI, this distinction is particularly significant. AI technologies evolve quickly, and their real-world impacts are often difficult to predict at the point of development. Hard law can provide legal certainty, clear allocation of responsibility and strong protection for affected individuals, but it also risks becoming outdated or imposing compliance burdens that disproportionately affect smaller or younger firms. Soft law offers adaptability and can respond more readily to technological change, but may suffer from ambiguity and weaker accountability mechanisms.
The EU and Japan have resolved this tension in different ways. The EU has prioritised legal certainty, fundamental rights protection and harmonisation across Member States, even at the cost of increased regulatory complexity. Japan has prioritised innovation, experimentation and international competitiveness, seeking to address AI-related risks primarily through existing legal frameworks rather than AI-specific prohibitions.
Against this conceptual backdrop, the EU Artificial Intelligence Act was first proposed by the European Commission in 2021 as part of a broader digital regulatory agenda. Its central organising principle is a risk-based classification of AI systems, under which regulatory obligations increase in line with the potential impact of an AI system on health, safety and fundamental rights. Following legislative negotiations in the European Parliament and the Council, the Act was formally adopted in 2024 and is being applied on a phased basis from 2025 onward, with different provisions becoming applicable at different times.
The EU AI Act has a broad territorial scope. It applies not only to providers and deployers established within the EU, but also to entities outside the EU where AI systems are placed on the EU market or their outputs are used within the EU. As a result, non-EU companies offering AI-enabled products or services that affect individuals or businesses in the EU may be subject to the Act’s requirements.
Certain activities are excluded from the scope of the Act. These include AI systems developed or used exclusively for military, defence or national security purposes, as well as AI used by foreign public authorities or international organisations for law enforcement, subject to safeguards for individual rights. AI systems used purely for personal, non-professional purposes are also excluded. In addition, AI developed and released under free and open-source licences may benefit from partial exemptions, provided the system does not fall within the high-risk category.
Enforcement of the EU AI Act follows a hybrid model. At the EU level, the newly established AI Office within the European Commission plays a central coordinating and supervisory role, particularly in relation to general-purpose AI models. Day-to-day enforcement, however, is largely carried out by national competent authorities and market surveillance authorities designated by each Member State. This structure mirrors other EU product safety and digital regulation regimes and is intended to combine central oversight with local enforcement capacity.
Article 5 of the EU AI Act identifies certain AI practices that are prohibited outright due to their unacceptable risk to fundamental rights. These include, among others, AI systems that deploy subliminal techniques or exploit vulnerabilities in order to materially distort behaviour, certain forms of social scoring, and predictive policing systems that assess an individual’s risk of committing criminal offences based on profiling. The Act also prohibits large-scale scraping of facial images to create biometric databases, as well as emotion recognition systems used in workplaces or educational institutions, subject to limited and carefully defined exceptions.
AI systems classified as high-risk are subject to the most extensive compliance obligations under the Act. An AI system is considered high-risk where it is used as a safety component of a product regulated under existing EU product safety legislation (listed in Annex I), or where it falls within one of the use cases enumerated in Annex III, such as employment-related decision-making, creditworthiness assessment or access to essential public services. In limited circumstances, providers may argue that a system listed in Annex III does not pose a significant risk, but this requires robust documentation and justification demonstrating the absence of material risk.
For providers and deployers of high-risk AI systems, the Act imposes detailed requirements relating to risk management, data governance, technical documentation, record-keeping, transparency, human oversight and conformity assessment. These obligations apply regardless of whether the system is placed on the market or used internally, underscoring the EU’s emphasis on ex ante risk control.
EU AI Act violations may result in the following administrative fines:
In addition to fines, corrective measures, market withdrawal and recall orders may be imposed.
Japan’s regulatory response to artificial intelligence is centred not on restriction, but on promotion. The Act on the Promotion of Research and Development, and Utilization of AI-related Technology (the “AI Promotion Act”) represents a conscious policy choice to support innovation while managing risk primarily through existing legal frameworks rather than through AI-specific prohibitions or licensing regimes.
Unlike the EU AI Act, the Japanese AI Promotion Act does not establish a comprehensive set of binding obligations directly applicable to AI developers or deployers. Instead, it functions as a policy framework statute. Its stated objectives include promoting research and development of AI-related technologies, facilitating their social implementation, and ensuring that such use aligns with fundamental principles such as human-centricity, transparency and fairness. The Act is intended to operate alongside, and not replace, existing laws governing data protection, consumer protection, competition, labour and product safety.
The legislative materials accompanying the AI Promotion Act make clear that Japan views itself as lagging behind other major economies in the development and practical deployment of AI technologies. At the same time, public concern regarding the societal impact of AI has increased. Rather than responding with a new layer of sector-agnostic regulation, Japanese policymakers have opted for an approach that emphasises voluntary compliance, administrative guidance and coordination across ministries.
This philosophy reflects a broader tradition within Japanese administrative law, where regulatory objectives are often pursued through a combination of non-binding guidelines, consultation and informal enforcement, backed by the possibility of reputational consequences and, where necessary, application of existing statutory powers.
The AI Promotion Act does not contain explicit extraterritorial application provisions like the EU AI Act. However, government policy documents and ministerial statements have clarified that foreign companies conducting business activities directed at the Japanese market—such as operating in Japanese or targeting Japanese users—are not categorically exempt from the Act’s scope.
The Act’s provisions are framed as duties to make reasonable efforts rather than strict legal obligations. However, all companies operating in Japan—whether domestic or foreign—remain fully subject to applicable Japanese laws governing the outcomes and impacts of their activities, including the Act on the Protection of Personal Information (APPI), labour and employment legislation, consumer protection statutes and sector-specific regulations.
Article 16 of the AI Promotion Act grants the government the following powers:
Notably, Article 16’s latter part uses the phrase “shall provide” rather than “may provide”, suggesting that guidance and advice will be actively implemented. However, specific measures and criteria for such actions will become clearer through future operational practice.
A key feature of Japan’s approach is that substantive legal risk associated with AI systems is addressed through existing laws rather than through the AI Promotion Act itself. For example, discriminatory outcomes in AI-assisted hiring or lending may give rise to liability under labour law, anti-discrimination principles or industry-specific regulations. Improper collection or use of training data may trigger enforcement under the APPI. Misleading or unsafe AI-enabled products may fall within the scope of consumer protection or product safety laws.
Accordingly, while the absence of AI-specific hard law may reduce upfront compliance burdens, it does not eliminate legal exposure. Instead, risk is managed ex post through established legal doctrines and administrative practice. For businesses, this shifts the compliance focus from formal certification and pre-market approval to internal governance, documentation and the ability to demonstrate reasonable and responsible use of AI in light of existing legal standards.
Having examined both regulatory regimes, this chapter analyses their practical impact on business operations.
The table below summarises the core differences between the EU and Japanese approaches to AI regulation from a business and compliance perspective.
| Item | European Union (EU AI Act / Hard Law) | Japan (AI Promotion Act + Existing Laws / Soft Law) |
| Primary regulatory approach | Binding, AI-specific regulation with legally enforceable obligations | Policy-led governance combined with existing sectoral laws |
| Regulatory focus | Protection of fundamental rights through risk management and ex ante controls | Promotion of innovation with risk addressed through ex post accountability |
| Risk classification | Explicit risk-based system (unacceptable, high-risk, limited-risk, minimal-risk) | No formal AI-specific risk classification system |
| Key obligations | Pre-market conformity assessment, technical documentation, risk management, human oversight | Governance frameworks, reasonable efforts, compliance with APPI, labour and consumer laws |
| Enforcement model | Administrative enforcement by national authorities coordinated at EU level | Administrative guidance, public disclosure, enforcement via existing laws |
| Penalties and sanctions | Significant administrative fines, corrective measures, market withdrawal | No AI-specific penalties; sanctions arise under existing statutes |
| Extraterritorial reach | Yes, where AI systems affect the EU market or individuals in the EU | No explicit extraterritorial provisions. However, foreign companies conducting business activities in the Japanese market may be subject to the Act |
| Practical impact on businesses | Higher upfront compliance cost and longer time to market, but high regulatory certainty | Lower upfront friction, greater emphasis on internal governance and responsiveness |
The regulatory differences outlined above translate into distinct operational realities for businesses.
Compliance Structure and Cost
Under the EU AI Act, compliance for high-risk systems is structured, formalised and front-loaded. Providers must establish risk management systems, ensure data governance standards, prepare detailed technical documentation, maintain logs, implement human oversight measures and undergo conformity assessments prior to market entry. These obligations entail significant legal, technical and organisational costs, often requiring specialised compliance personnel or external advisors.
In Japan, there is no equivalent AI-specific pre-market conformity regime. Compliance costs arise primarily from ensuring alignment with existing legal obligations such as data protection, labour and consumer protection laws. This allows greater discretion in development sequencing and may reduce initial regulatory expenditure, particularly for smaller firms.
Time to Market
The EU’s ex ante risk control can extend development timelines. For high-risk systems, conformity assessment and internal preparation may add months to market entry, a critical consideration for start-ups and fast-moving technology companies.
Japan’s framework is generally more permissive at the deployment stage. Without mandatory AI-specific approval processes, companies can introduce services more quickly, provided they are prepared to address legal issues as they arise under existing laws. This prioritises speed and experimentation but places greater responsibility on businesses to manage downstream risk.
Regulatory Certainty
The EU AI Act offers a high degree of formal regulatory certainty. Risk categories, prohibited practices and compliance obligations are set out in binding legislation applicable across all Member States, facilitating long-term planning and harmonised compliance strategies.
In Japan, certainty derives from the interpretation and application of established legal regimes rather than AI-specific rules. While this provides flexibility, it may create uncertainty where the application of existing laws to novel AI use cases has not yet been tested through enforcement or case law.
Enforcement Risk
Enforcement exposure under the EU AI Act is explicit and potentially severe, with administrative fines reaching up to EUR 35 million or a percentage of global annual turnover, plus potential product withdrawals and corrective measures.
Japan’s AI Promotion Act does not impose fines or penalties. However, violations of underlying laws such as the APPI or sector-specific statutes may result in administrative orders, penalties or civil liability. Public disclosure and administrative guidance can also carry significant reputational consequences, particularly in a market where regulatory relationships and public trust are paramount.
For companies operating in both markets, meeting EU AI Act requirements often establishes a robust baseline for governance, documentation and risk management. However, this does not eliminate the need to assess Japanese legal risks independently, particularly regarding personal data handling, employment practices and consumer-facing representations.
Conversely, companies developing AI systems primarily for the Japanese market may find their governance structures insufficient to satisfy EU ex ante requirements without substantial modification. Early consideration of EU risk classifications and documentation expectations is therefore critical for businesses with global ambitions.
To illustrate how these regulatory frameworks differ in practice, consider a common enterprise use case: a company develops an AI system that screens job applicants by analysing CVs, online assessments and interview responses to recommend candidates for hiring.
This example sits at the intersection of high-stakes decision-making, potential discrimination risk and intensive personal data processing. It is also a system type that multinational companies may wish to deploy consistently across regions.
Under the EU AI Act, AI systems intended for recruitment, selection or employment-related decision-making are generally treated as high-risk where they can materially affect individuals’ access to employment opportunities. An AI-driven recruitment screening tool will typically fall within the high-risk category listed in Annex III.
If classified as high-risk, the provider and deployer must comply with detailed obligations, including:
Non-compliance can trigger administrative measures, including corrective actions, market withdrawal and significant administrative fines.
In Japan, the same recruitment screening system is not subject to AI-specific conformity assessment. Instead, compliance obligations and legal exposure arise through existing laws applicable to employment decision-making and personal data handling.
Key legal considerations include:
Japanese compliance focuses on internal governance and readiness to respond to issues, rather than satisfying formal ex ante regulatory requirements. A prudent approach includes documenting dataset selection, bias testing, decision-making processes and escalation procedures, and ensuring HR and compliance teams can explain how the system is used and monitored.
This case study underscores the core operational distinction: in the EU, companies must demonstrate compliance before market entry for high-risk systems, with structured documentation and conformity assessment playing a central role. In Japan, the emphasis is on ensuring AI use does not breach existing legal obligations and that the company can justify its practices if challenged.
For businesses deploying the same recruitment tool in both markets, an effective strategy is to design governance and documentation to satisfy EU high-risk expectations from the outset, while separately confirming Japan-specific issues such as APPI requirements, HR data handling practices and local expectations around transparency.
For companies developing, procuring or deploying AI systems in both the EU and Japan, the divergence between these regulatory models requires deliberate and jurisdiction-sensitive planning.
Building governance structures that satisfy EU high-risk requirements often provides a strong foundation. Risk management processes, documentation practices, dataset governance and human oversight mechanisms designed for EU compliance generally improve internal accountability and transparency across the organisation.
However, EU alignment should not substitute for Japanese legal analysis. Japan-specific issues may still arise under laws such as the APPI, employment regulations or sectoral business laws. Local review remains essential.
Businesses should identify and categorise AI use cases at an early stage, focusing on how AI outputs affect individuals, customers or counterparties. Use cases involving hiring, credit, pricing, eligibility or behavioural analysis are more likely to attract regulatory scrutiny in both jurisdictions, albeit through different mechanisms.
Early mapping enables companies to anticipate EU high-risk classification likelihood and assess which Japanese laws may be implicated if similar functionality is deployed domestically.
Across both regimes, the ability to explain how an AI system works, what data it relies on and how decisions are reviewed is increasingly central. In the EU, this is a formal compliance requirement for high-risk systems. In Japan, it is a practical necessity for responding to administrative guidance, audits, complaints or reputational challenges.
Documentation should not be treated as a purely regulatory instrument. It plays a critical role in internal decision-making, incident response and communication with regulators, business partners and affected individuals.
The enforcement profile differs markedly between the EU and Japan. In the EU, enforcement risk is explicit, rule-based and potentially severe, with administrative fines and market restrictions forming core tools. In Japan, enforcement is more relational and discretionary, with administrative guidance and public disclosure often preceding formal sanctions.
Companies operating in Japan should pay close attention to regulatory relationships, industry practice and public perception, even in the absence of AI-specific penalties.
AI regulation is not a one-size-fits-all exercise. The appropriate level of legal involvement depends on the nature of the AI system, its scale and its intended markets. For EU-facing products, early engagement with legal and technical advisors can materially reduce downstream compliance risk and redesign costs. For Japan-facing deployments, periodic review against evolving guidance and enforcement trends may be more effective than upfront formalisation.
The EU and Japan have adopted distinctly different regulatory responses to the rise of artificial intelligence. The EU AI Act represents a comprehensive, binding and risk-based framework that prioritises ex ante control and harmonisation across markets. Japan’s AI Promotion Act, by contrast, reflects a policy-driven approach that seeks to foster innovation while managing risk through existing legal regimes and administrative practice.
For cross-border businesses, neither model can be ignored. Understanding how these systems operate, and how they interact with existing laws, is essential to deploying AI responsibly and competitively. As AI technologies and regulatory expectations continue to evolve, proactive and informed legal strategy will remain a critical component of sustainable AI-driven business.
The below sources are provided for reference and further reading.
EU AI Act
Japan AI Regulation
International Analysis
This article reflects information current as of January 2026. Legal and regulatory developments may occur after this date. For specific matters, please consult with qualified legal advisors.
Overview of the Draft Report on the Cryptoasset System Working Group and Its Impact on Practice
M&A of Cryptoasset Exchange Service Providers – Regulatory Specificities
“Are AI police and AI judges on the way?” – The turning point between a surveillance society and a fair society
Crypto Payments and Japanese Law (2nd Edition)
SEC ICO Warning (Dec 2017)
Initial Coin Offerings (ICO) under Japanese laws
Guidance Note on the Japanese Virtual Currency Legislation
New Crypto Regulations of Japan
Impacts upon enforcement of the Act concerning Work Style Reform
Stable Coins under Japanese Laws
Libra, Maker’s Dai and other Stable Coins under Japanese Laws
Security Token Offerings in Japan