
Using ESPA Compliance to Secure Continuity

From our understanding, Gartner® identifies cyber-physical systems (CPS) as a critical risk factor in regulatory audits. Learn how to move from just checking the box to preventing disruptive actions from outside Japan and securing the stable provision of essential services.

The Reality

The ESPA framework enforces strict proactive security measures for Japanese critical infrastructure and manufacturing organisations. With enforcement occurring in stages following its promulgation on May 18, 2022, the stakes for organisations with cyber-physical systems (CPS) are now higher than ever.

Essential Infrastructure Services (Chapter III)

Designated providers across 14 specified sectors like electricity, gas, water, railway, and telecommunications.

Supply of Critical Products (Chapter II)

Entities ensuring the stable supply of products vital for the survival of citizens or economic activities.

Strict 24-72 hour incident reporting windows and fines up to ¥2 million for non-compliance.

Why?

Mandatory prior notification and screening for the installation and entrustment of maintenance of critical facilities.

Mitigating over-reliance on external sources and preventing national security risks due to vulnerable supply chains.

"If the screening determines that critical facilities pose a high risk of being misused as a means for actions that disrupt the stable provision of services from outside Japan, the government makes recommendations or orders to the business entities on necessary measures (e.g. change, cancellation, etc. of the plan)."

ESPA Compliance in 3 Steps

Align people, processes, and technology to bridge the CPS gap for ESPA compliance.

Step 1: Identify

ESPA Chapter III requires prior notification of detailed plans, including exact components and suppliers, before critical facilities are installed. Yet 88% of CPS assets fail to transmit exact product codes, and 76% use names that differ from official records. Without a verified identity, security teams cannot submit accurate notifications to the government.

Solution: The CPS Library

Standard IT tools see less than 5% of CPS assets. We provide 99% detection accuracy, delivering the exact granular component data required for ESPA notifications.

ESPA Chapter III mandates strict screening to prevent critical facilities from being misused to disrupt the stable provision of essential services. Treating every PLC or legacy device the same creates noise, not security. The biggest risk is the failure to protect the critical business processes that matter most to national security.

Solution: Device Purpose

  • Move from seeing a generic device to identifying a mission-critical asset in a high-priority operational zone.

  • Automatically group assets by business criticality to prioritise remediation efforts, ensuring the stable provision of services and preventing government intervention.

Step 2: Assess

Welcome to xDome

Step 3: Mitigate

Government screening can result in strict orders to change or cancel plans if facilities are at high risk. When the government asks for a risk assessment or requires incident reporting, you need business answers, not technical spreadsheets. You need to bridge the gap between technical OT/IoMT data and executive language instantly.

Solution: MCP Server

  • Bridge the gap between technical data and business risk by asking natural language questions like: "Which high-impact assets are most vulnerable?"

  • Generate customisable, ESPA-aligned compliance reports in seconds, translating CPS data into audit-ready evidence for METI.

Why Has the CPS Gap Become So Critical for the ESPA?

Organisations often mistakenly apply IT security controls to their corporate environment while overlooking the unique requirements of their CPS, leaving essential infrastructure services exposed to disruptive actions.

| | Traditional Corporate IT | Cyber-Physical Systems (CPS) |
|---|---|---|
| System Lifespan | Frequent refreshes (3–5 years). | Decades-old legacy devices never designed for internet connectivity. |
| Downtime | Scheduled maintenance is standard. | Shutting down for hours is economically and physically unfeasible. |
| Visibility | Standard discovery tools work well. | Use of proprietary/legacy protocols creates blind spots for standard IT tools. |
| Security Agents | Software agents are easily deployed. | Inability to deploy agents on legacy systems; requires passive scanning to avoid disruption. |
| Patching | Rapid deployment of updates. | Patches may require OEM low-level access, potentially opening new attack vectors. |
| Primary Goal | Data confidentiality and integrity. | Safety, uptime, and reliability of physical processes. |


Pro Tip!

To operationalise ESPA, the Ministry of Economy, Trade and Industry (METI) provides the Cyber/Physical Security Framework (CPSF). Claroty’s technology fulfills the technical requirements of the METI CPSF, which in turn satisfies the legal mandates of ESPA.

Built for Every Stakeholder

For the CISO

Move from technical silos to a shared language that executive leadership understands. Protect the business from government compliance orders, up to ¥2 million fines, and secure the stable provision of essential services.

For the Security Analyst

Move from technical silos to a shared language that executive leadership understands. Protect the business from government compliance orders, up to ¥2 million fines, and secure the stable provision of essential services.

For the Compliance Officer

Move from technical silos to a shared language that executive leadership understands. Protect the business from government compliance orders, up to ¥2 million fines, and secure the stable provision of essential services.

For the OT Engineer

Eliminate manual inventory. Automatically build a repository of in-depth CPS knowledge (140+ device attributes) to easily fulfill prior notification requirements.

For the Biomed Engineer

Establish configuration and change management workflows. Ensure process integrity is maintained to prevent unplanned shutdowns of critical facilities.

Simplified ESPA Compliance

Technology is only half the battle. Download the full ESPA white paper to align your people, processes, and technology with the organisational requirements of Japan's Economic Security Promotion Act (ESPA) and the METI CPSF.
