AI Regulation Tracker / Regulator guidance
Japan's Digital Agency issues DS-920 rules for government generative-AI procurement and use
Japan's Digital Agency published a standard guideline, DS-920, governing how government bodies buy and run generative AI. It reaches the gov-tech vendors that sell to them, setting expectations on risk assessment, data handling, and human oversight.
Japan's Digital Agency has set out how the government, and the companies that sell to it, may buy and operate generative AI. On May 27, 2025, the agency published DS-920, "Guidelines on Procurement and Use of Generative AI for the Evolution and Innovation of Administration," as part of its Digital Society standard-guideline series. The document is issued as guidance rather than statute, but for anyone bidding on public-sector work it functions as a practical condition of doing business.
The Digital Agency, created in 2021 to consolidate government digital policy, maintains the Digital Society standard-guideline series as the reference rulebook for how public bodies plan, procure, and run information systems. Slotting generative AI into that series is itself the signal worth noting. Rather than treat generative AI as an experiment sitting outside normal procurement, the agency has folded it into the same standards machinery that governs the rest of government IT, which means the expectations are meant to be applied as routine practice, not as a one-off pilot policy.
What DS-920 actually covers
DS-920 addresses the full arc of a government generative-AI project: assessing risk before adoption, handling the data that flows into and out of a model, setting the conditions written into procurement, and keeping human oversight over what the system produces. The premise is that a public body cannot outsource accountability to a model. When an agency uses generative AI to draft, summarize, or triage in the course of administration, the responsibility for the result stays with the agency, and the guideline pushes agencies to build that expectation into how they buy and run the technology.
Why vendors, not just agencies, should read it
The direct audience is government, but the operational weight lands on suppliers. Procurement conditions are the mechanism by which a guideline aimed at agencies becomes a requirement for vendors. A gov-tech firm, systems integrator, or cloud AI provider that wants to win Japanese public contracts will need to demonstrate that its product supports the risk assessment, data-handling discipline, and human-in-the-loop controls DS-920 expects. In effect, the guideline sets the floor that a compliant proposal has to clear.
That has concrete consequences for how a vendor prepares. Data handling is the clearest example. An agency guided by DS-920 will want to know where prompts and outputs are stored, whether inputs are used to train the provider's models, and how sensitive administrative data is segregated. Risk assessment means the agency expects a documented view of where the system could fail and what the fallback is. Human oversight means the agency, not the model, signs off on decisions that affect the public. A vendor that already answers these questions in its standard documentation is well positioned; one that treats them as an afterthought will struggle to clear procurement.
What it does not do
DS-920 is a standard guideline within the Digital Society series, not a penalty-backed law. It does not create fines or a private right of action, and it is aimed at the public sector rather than at private companies using AI for their own internal purposes. Its force is procedural and reputational: it shapes what a government buyer must ask for and what a bidder must be able to answer. Treating it as merely advisory would be a misread, because the procurement channel gives it real bite for anyone selling into that channel.
The cross-border read for a US firm
For a US or multinational gov-tech vendor, DS-920 is best understood alongside the frameworks it resembles. It is broadly comparable to the US Office of Management and Budget's M-24-10 memorandum on federal agency use of AI, and to the United Kingdom's government guidelines on AI procurement. All three put the buying government in the position of setting AI conditions on its suppliers. A vendor selling across these markets does not face one rulebook but three overlapping ones, and the useful exercise is a crosswalk: map your existing controls once, then show each government buyer where your product meets its particular version of risk assessment, data handling, and human oversight. DS-920 is the Japanese column in that table, and until now it has had very little English-language explanation for the teams that have to respond to it.
Frequently Asked Questions
What changed with DS-920?
On May 27, 2025, Japan's Digital Agency published DS-920, a standard guideline on procuring and using generative AI in public administration. It sets expectations for risk assessment, data handling, procurement conditions, and human oversight when government bodies adopt generative AI.
Who does DS-920 affect?
Japanese government agencies that deploy generative AI, and the gov-tech vendors, integrators, and cloud AI providers that sell to them. The guideline reaches suppliers through the procurement conditions agencies apply.
Is DS-920 a binding law?
No. It is a Digital Society standard guideline, not a penalty-backed statute. In practice it is binding-in-effect for government procurement, because bidders must meet its expectations to win and keep public-sector contracts.
How does DS-920 compare to US and UK rules?
It is broadly comparable to the US OMB M-24-10 federal AI-use memo and the UK government's AI procurement guidelines. Each makes the buying government set AI conditions on suppliers, so cross-border vendors should build a single crosswalk across all three.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.