TechCrunch reports on some changes UK recently made to their NIS Directive:
In the UK, the government has announced that organizations working in critical services like energy, transport, water and health can be fined up to £17 million ($24 million) as a “last resort” if they fail to demonstrate that their cyber security systems are equipped adequately against attacks.
Major requirements for organizations will include having the right people and organization in place to handle a cyber attack; having the right software in to protect against attacks; having the right capabilities in place to detect if an attack has taken place anyway; and having the right systems in place to minimize the impact of an attack if a system is breached (despite the other three being in place).
More detailed guidance includes how to secure other aspects of your network, such as your supply chain and how your data in the cloud.
UK is well ahead of most of the global cyber powers on oversight of critical infrastructure cyber security implementation. This is a good set of lessons learned for Japan to consider investigating to determine viability in the country.