ESG/CSR

2025.10.31

Introduction: Cross-Sector Cybersecurity Law (クロスセクター・サイバーセキュリティ法), supervised by Daisuke Tsuta, Mori Hamada & Matsumoto

Hello, this is Mitsuhiko Maruyama.

Cross-Sector Cybersecurity Law (クロスセクター・サイバーセキュリティ法), supervised by Daisuke Tsuta and written by the Cybersecurity Law Research Team of Mori Hamada & Matsumoto (Gaikokuho Kyodo Jigyo), has been published by Shojihomu [amazon]...

The obi blurb is by Mr. Yokohama, CEO of NTT Security: "I was overwhelmed. It covers every legal issue related to cybersecurity, from basic terminology to the cutting edge such as AI and space. Packed with legal commentary grounded in real-world practice, this is a must-have book for every company in the digital society."

"Cross-sector" is exactly the point... Rather than treating cybersecurity as a standalone legal problem, the book seems to be organized from the perspective of how, as business practice increasingly blends cyber and physical space, the growing volume of activity in cyber (digital) space changes each field... In that sense, compiling a book this comprehensive is a major undertaking, and perhaps it is something only a large law firm could have pulled off...

 

No.00 Law (General): Various laws and regulations related to cybersecurity
Part 1 Major legal fields
No.01 Companies Act: Building internal control systems and responding to ransomware
No.02 Disclosure: Cybersecurity-related disclosure, centered on the Financial Instruments and Exchange Act
No.03 Personal Information Protection Act: Issues in responding to personal data leaks and similar incidents
No.04 Trade secret protection: Responding to confidential information being taken out or brought in
No.05 Antimonopoly and competition law: Points to note under antimonopoly and competition law when undertaking initiatives to improve cybersecurity
No.06 Labor law: Monitoring for security purposes and issues in employment management
No.07 System development: Relationships with system vendors as seen in court precedents
No.08 Legal practice (Column): The importance of security in legal practice
No.09 Criminal law: Criminal analysis of, and practical responses to, cybersecurity-related crimes
No.10 Crisis management: Crisis management with external cyberattacks in mind
No.11 M&A: Due diligence, contract clauses, FDI regulation
No.12 Economic security (1): Export controls, investment controls and economic sanctions under the Foreign Exchange and Foreign Trade Act, and cybersecurity
No.13 Economic security (2): Security clearance
Part 2 Infrastructure sectors
No.14 Infrastructure protection: Protection of critical and core infrastructure, including active cyber defense, and supply chain risk measures
No.15 Finance: Cybersecurity in the financial sector
No.16 Insurance law: Issues concerning cyber insurance
No.17 Energy infrastructure: Cybersecurity measures in the electricity business
No.18 Telecommunications infrastructure: Security measures at telecommunications carriers and the secrecy of communications
No.19 Data center business (Column): The growth of the data center business and security measures
No.20 Healthcare: Cybersecurity of medical institutions and medical devices
No.21 Mobility: Automotive cybersecurity safety standards and issues relating to autonomous driving
No.22 Air and sea infrastructure (Column): Cybersecurity issues in aviation and shipping
Part 3 Applied and cross-cutting fields
No.23 Cloud: Laws and regulations on cloud service security and practical responses
No.24 IoT: Security of IoT devices
No.25 E-commerce sites: Points to note in handling credit card information
No.26 Disaster preparedness: Formulating a BCP that anticipates cyber risk
No.27 AI: The evolution of AI technology and legal issues concerning AI and security
No.28 Metaverse: Public and private initiatives on the metaverse and digital identity
No.29 Space (Column): The expansion of the space business and the importance of cybersecurity
No.30 Fintech: Security measures at businesses subject to the Payment Services Act
No.31 DFFT (Column): What companies need to do for Japan to lead an international framework for data flows
Part 4 International legal practice
No.32 Asia: Cybersecurity legislation in Singapore, Thailand, Vietnam and Indonesia
No.33 China: The so-called three data laws and cybersecurity
No.34 EU: Cybersecurity regulation in the EU
No.35 United States: Cybersecurity-related regulation in the United States
No.36 Israel: The cybersecurity business ecosystem and Israeli law

 

・The book...


 

Everyone, do give it a read...

By the way, this is not an affiliate link (^^)...


2025.10.09

OECD Policy paper: Mapping relevant data collection mechanisms for AI training (2025.10.03) and others

Hello, this is Mitsuhiko Maruyama.

The OECD has published several AI-related policy papers and working papers, so here is a memo collecting them...

 

2025.10.03 Policy paper: Mapping relevant data collection mechanisms for AI training
2025.09.26 Working paper: Advancing the measurement of investments in artificial intelligence
2025.09.25 Working paper: How are AI developers managing risks? - Insights from responses to the reporting framework of the Hiroshima AI Process Code of Conduct
2025.09.25 Working paper: Leveraging artificial intelligence to support students with special education needs
2025.08.14 Policy paper: AI openness
2025.07.31 Working paper: Exploring win-win outcomes of algorithmic management
2025.06.30 Working paper: Macroeconomic productivity gains from Artificial Intelligence in G7 economies
2025.06.30 Policy paper: AI and the future of social protection in OECD countries
2025.06.27 Working paper: Is generative AI a General Purpose Technology? - Implications for productivity and policy

 

 

OECD

・2025.10.03 Policy paper: Mapping relevant data collection mechanisms for AI training

Policy paper: AI openness
Abstract
This paper explores the concept of openness in artificial intelligence (AI), including relevant terminology and how different degrees of openness can exist. It explains why the term "open source" – a term rooted in software – does not fully capture the complexities specific to AI. This paper analyses current trends in open-weight foundation models using experimental data, illustrating both their potential benefits and associated risks. It incorporates the concept of marginality to further inform this discussion. By presenting information clearly and concisely, the paper seeks to support policy discussions on how to balance the openness of generative AI foundation models with responsible governance.

 

・[PDF]


 

 


・2025.09.26 Working paper: Advancing the measurement of investments in artificial intelligence

 

Working paper: Advancing the measurement of investments in artificial intelligence
Abstract
This working paper presents a methodology for estimating public and private artificial intelligence (AI) investments in European Union (EU) Member States, focusing on assets and capabilities. It categorises investments into four groups: skills, research and development, data and equipment, and other intellectual property products. Using publicly available national accounts and sector-specific sources, AI investments are estimated by applying AI intensity coefficients derived from patent data, academic programmes, and workforce statistics. The estimates highlight how AI investments are distributed across EU countries. The methodology also disaggregates investments in areas such as information and communication technologies, specialist remuneration, corporate training, software and databases, and telecommunications equipment. This work supports efforts to measure the evolving AI investment landscape in the EU.

 

 

・[PDF]


 


・2025.09.25 Working paper: How are AI developers managing risks?

Working paper: How are AI developers managing risks?
Insights from responses to the reporting framework of the Hiroshima AI Process Code of Conduct
Abstract
Rapid advances in artificial intelligence (AI) are reshaping economies and societies, creating significant opportunities while also raising important considerations around the effective governance and risk management of advanced AI systems. Launched in February 2025, the Hiroshima AI Process Reporting Framework is the first international, voluntary tool to help organisations report on their practices compared to the Hiroshima AI Process International Code of Conduct for Organisations Developing Advanced AI Systems. This report presents preliminary insights from submissions by 20 organisations across diverse sectors and countries, examining their approaches to risk identification and management, transparency, governance, content authentication, AI safety research, and the advancement of global interests.

 

・[PDF]


 


・2025.09.25 Working paper: Leveraging artificial intelligence to support students with special education needs

Working paper: Leveraging artificial intelligence to support students with special education needs
Abstract
This working paper examines how artificial intelligence (AI) can support students with special education needs (SEN) to achieve their learning goals, while underlining key risks and limitations. It defines central terms and the rationale for using AI in this context and reviews a selection of research-backed AI tools that aim to empower students with SEN. Based on this review, it highlights risks and limitations to consider and mitigate when procuring, creating and employing AI-enabled tools for students with SEN and beyond. The paper discusses governance and operational mechanisms for ensuring their implementation is ethical, sustainable and secure. It concludes with policy considerations for developing, selecting and integrating AI tools to foster inclusive education, particularly related to ethical design, research and monitoring, data protection and security, and accountability.

 

・[PDF]


 


・2024.08.14 Policy paper: AI openness

Policy paper: AI openness
Abstract
This paper explores the concept of openness in artificial intelligence (AI), including relevant terminology and how different degrees of openness can exist. It explains why the term "open source" – a term rooted in software – does not fully capture the complexities specific to AI. This paper analyses current trends in open-weight foundation models using experimental data, illustrating both their potential benefits and associated risks. It incorporates the concept of marginality to further inform this discussion. By presenting information clearly and concisely, the paper seeks to support policy discussions on how to balance the openness of generative AI foundation models with responsible governance.

 

 

・[PDF]


 


・2025.07.31 Working paper: Exploring win-win outcomes of algorithmic management

Working paper: Exploring win-win outcomes of algorithmic management
Abstract
This research project explores how worker consultation can deliver “win-win” outcomes for firms and workers in the context of the introduction of an algorithmic management system in firms. It does so using a novel research design: a laboratory experiment involving worker participants carried out in three German manufacturing firms in which a simulation of an algorithmic management system was altered to affect firm outcomes (productivity) and worker outcomes (job quality). The results show that consultations between workers, managers and works council representatives can lead to agreement on the design of a new technology that stakeholders deem to preserve firm-level productivity gains while also improving workers’ job quality. The project advances research methods for understanding the dynamics underlying worker consultation and how it can be beneficial in contexts of new technology introduction. Further research should expand the scope of this methodology (in terms of the number of participants, sectors and other countries), to substantiate the findings.

 

 

・[PDF]


 


・2025.06.30 Working paper: Macroeconomic productivity gains from Artificial Intelligence in G7 economies

Working paper: Macroeconomic productivity gains from Artificial Intelligence in G7 economies
Abstract
The paper studies the expected macroeconomic productivity gains from Artificial Intelligence (AI) over a 10-year horizon in G7 economies. It builds on our previous work that introduced a micro-to-macro framework by combining existing estimates of micro-level performance gains with evidence on the exposure of activities to AI and likely future adoption rates. This paper refines and extends the estimates from the United States to other G7 economies, in particular by harmonising current adoption rate measures among firms and updating future adoption path estimates. Across the three scenarios considered, the estimated range for annual aggregate labour productivity growth due to AI is between 0.4-1.3 percentage points in countries with high AI exposure – due to stronger specialisation in highly AI-exposed knowledge intensive services such as finance and ICT services – and more widespread adoption (e.g. United States and United Kingdom). In contrast, projected gains in several other G7 economies are up to 50% smaller, reflecting differences in sectoral composition and assumptions about the relative pace of AI adoption.

 

 

・[PDF]


 


・2025.06.30 Policy paper: AI and the future of social protection in OECD countries

Policy paper: AI and the future of social protection in OECD countries
Abstract
Governments in OECD countries are increasingly applying advanced uses of data and technology to improve the coverage, effectiveness and efficiency of social programmes, yet they are proceeding with caution when introducing artificial intelligence (AI). Common AI uses in social protection include client support, automating back-office processes and fraud detection. Looking ahead, there is significant potential for AI to help improve the performance of social programmes – including through predictive analytics, enhanced outreach and better-tailored interventions – but governments must continue to build trust and foster transparency when using AI.

 

 

・[PDF]


 


・2025.06.27 Working paper: Is generative AI a General Purpose Technology?

Working paper: Is generative AI a General Purpose Technology?
Implications for productivity and policy
Abstract
The rapid rise of generative AI has sparked discussions about its potentially transformative effects and whether the technology will bring significant benefits in the form of widespread productivity increases. Through a review of theoretical literature and early empirical evidence, including novel descriptive analysis, this study suggests that generative AI has considerable potential to qualify as a new general-purpose technology (GPT). Despite the early evidence, generative AI appears to exhibit the defining characteristics of GPTs: i) pervasiveness, ii) continuous improvement over time and iii) innovation spawning. While productivity gains may not materialise immediately, the evolution of earlier GPTs seems to provide encouraging signs that generative AI could lead to substantial improvements in productivity in the future, notably through the innovation-spawning channel. The full realisation of generative AI’s productivity potential in the long-term will depend on the implementation of relevant policies.

 

・[PDF]


 



2025.09.20

Joint Privacy Statement for AI Innovation adopted (2025.09.17)

Hello, this is Mitsuhiko Maruyama.

The 47th Global Privacy Assembly (GPA) was held in Seoul, Korea, on 2025.09.15-17, and on the final day 15 countries signed the "Joint Privacy Statement for AI Innovation" that five countries (Korea, France, the UK, Ireland and Australia) had signed on 2025.02.11, bringing the total number of adopting countries to 20...

The new signatories include Canada, Italy, Germany, the Netherlands, Spain, New Zealand and Hong Kong... Japan's name is not among them...

 

 

PIPC (개인정보위, Korea's Personal Information Protection Commission)

・2025.09.17 On the occasion of the GPA Seoul Assembly, 20 supervisory authorities adopt a Joint Privacy Statement for AI Innovation

 

On the occasion of the GPA Seoul Assembly, 20 supervisory authorities adopt a Joint Privacy Statement for AI Innovation
The 47th Global Privacy Assembly (GPA), held in Seoul, is set to greatly expand the international reach of Korea's innovation-oriented artificial intelligence ("AI") privacy policy.
On September 17 (Wed), the Personal Information Protection Commission (Chair Ko Haksoo; hereinafter "PIPC") held a signing ceremony for a joint statement on personal data protection in the AI era and the building of international data governance, attended by Chair Ko Haksoo and representatives of 20 data protection authorities including those of Canada, New Zealand and Hong Kong.
In February, at the Paris AI Action Summit, the PIPC co-hosted a high-level roundtable on "International Data Governance and Personal Data Protection in the AI Era" with the data protection authorities of France (CNIL), the UK (ICO), Ireland (DPC) and Australia (OAIC), and adopted a joint statement* setting out a shared vision for innovation-friendly personal data policy in the AI era.
* (English) Joint statement on building trustworthy data governance frameworks to encourage development of innovative and privacy-protective AI; (Korean title) 혁신적이고 개인정보를 보호하는 AI 개발 장려를 위한 신뢰할 수 있는 데이터 거버넌스 체계 구축에 관한 공동 선언문
Amid the growing importance of privacy policy that underpins rapid technological advances such as AI agents, the data protection authorities of 15 countries*, including Canada, Germany and Italy, which share Korea's innovation-friendly approach to AI policy, joined the joint statement, expanding it to 20 countries in total.
* Belgium (APD), Bulgaria (CPDP), Canada (OPCC), Croatia (AZOP), Finland (ODPO), Germany (BfDI), Hong Kong (PCPD), Sweden (IMY), Italy (GPDP), New Zealand (OPC), Luxembourg (CNPD), Macao (PDPB), Poland (UODO), Spain (AEPD), Netherlands (AP)
The statement covers: ▲exploring the diverse applicability of lawful bases for processing personal data; ▲a scientific and proportionate approach to AI risks; ▲establishing internal management systems including Privacy by Design; ▲the leading role of data protection authorities in supporting AI innovation and international cooperation.
PIPC Chair Ko Haksoo said, "In the complex data environment of an era of deepening AI, data protection authorities need to strengthen their proactive and leading role," adding, "Through this expansion of the joint statement, we will broaden the international consensus on innovation-oriented AI."
* For further details, please see the attached file.

 

 

・[PDF]


 

CNIL

・2025.02.11 Data governance and AI: Five Data Protection Authorities Commit to Innovative and Privacy-Protecting AI

Data governance and AI: Five Data Protection Authorities Commit to Innovative and Privacy-Protecting AI
At the AI Action Summit in Paris (6-11 February 2025), the Australian, Korean, Irish, French and UK data protection authorities signed a joint declaration to reaffirm their commitment to establishing data governance that fosters innovative and privacy-protective AI.
Building a Reliable Governance Framework for Trusted AI
This initiative aims to promote an artificial intelligence (AI) governance framework that provides legal certainty for stakeholders and safeguards for individuals, including in terms of transparency and respect for fundamental rights.
The declaration highlights the many opportunities offered by AI in various fields such as innovation, research, economy and society. It also warns of several risks relating to personal data protection and privacy, algorithmic discrimination and bias, disinformation and AI hallucinations.
To ensure AI is compliant with current regulations, the authorities advocate incorporating data protection principles by design of AI systems, establishing robust data governance and anticipating risk management.
The statement also highlights the increasing complexity of data processing via AI in areas such as health and public services, public security or human resources and education. It also highlights the diversity of actors involved and the need for a regulatory framework adapted to technological evolutions.
Faced with the challenges posed by AI, the commitments of the authorities
In this joint declaration, the main commitments of the authorities are:
・clarify legal bases for the processing of data by AI;
・share information and establish appropriate security measures;
・monitor the technical and societal impacts of AI by involving various actors;
・encourage innovation while reducing legal uncertainty;
・strengthen cooperation with other competent authorities (consumer protection, competition, intellectual property).

 

 

・[PDF] Joint statement on building trustworthy data governance frameworks to encourage development of innovative and privacy-protective AI


 

 

Joint statement on building trustworthy data governance frameworks to encourage development of innovative and privacy-protective AI
11 February 2025
1. Artificial intelligence (AI) presents immense opportunities for the benefit of humanity, innovation in science, the economy, and society as a whole. AI also poses significant risks with respect to the protection of fundamental rights such as data protection and privacy, but it also poses risks of discrimination, misinformation and hallucination that are often caused by the inappropriate processing of data.
2. We recognize the need to fully cultivate public trust and harness the transformative benefits AI could bring. We recall that AI should be developed and deployed in accordance with data protection and privacy rules and other norms. This includes embedding privacy-by-design principles into AI systems from the initial planning stage and implementing robust internal data governance frameworks. These frameworks should incorporate technical and procedural safeguards for effective management and mitigation of risks throughout the entire lifecycle of an AI system.
3. Moreover, we recognize that in the current environment surrounding AI development and deployment, data processing has become exceedingly complex. Indeed:
a. It is developed and deployed across many different sectors, including health, public services, public security, human resources, and education;
b. It involves a great number of stakeholders scattered all over the world and complex value chains, including dataset creators, model providers, dataset and model hosting platforms, integrators, annotators, system deployers, and end-users;
c. It operates at large scale with AI technologies necessitating vast amounts of data that are at the core of these systems;
d. It implies complex data processing that poses significant challenges for its control and increases the needs for transparency to foster the protection of privacy and other fundamental rights; and
e. It evolves at a very fast pace with major scientific and technological breakthroughs being recorded on a daily basis.
4. Citizens’ and businesses’ need for answers and legal certainty is therefore increasingly pressing in order to enable the development of AI within trustworthy data governance frameworks. At the same time, the application of rules should provide a sufficient degree of flexibility for various innovative efforts to take place consistently with the protection of privacy and personal data. We recognize therefore the importance of supporting players in the AI ecosystem in their efforts to comply with data protection and privacy rules and help them reconcile innovation with respect for individuals’ rights.
Highlighting data protection authorities’ leading role in shaping data governance to address AI’s evolving challenges, we commit to the following:
5. To foster our shared understanding of lawful grounds for processing data in the context of AI training in our respective jurisdictions. Clear standards and requirements should be developed to ensure that AI training data is processed lawfully, whether based on consent, contractual necessity, legitimate interest, or other legal justifications. In doing so, attention should be paid to various relevant factors, including the specific purposes of AI development, the characteristics of the requisite data, the reasonable expectation of data subjects, and associated risk mitigation strategies.
6. To exchange information and establish a shared understanding of proportionate safety measures based on rigorous scientific and evidence-based assessments and tailored to diversity of use cases. The relevance of these measures should be regularly updated to keep pace with evolving AI data processing technologies and practices.
7. To continuously monitor both the technical and societal implications of AI and to leverage the expertise and experience of Data Protection Authorities and other relevant entities, including NGOs, public authorities, academia, and businesses, in AI-related policy matters when possible.
8. To reduce legal uncertainties and secure space for innovation where data processing is essential for the development and deployment of AI. This may include institutional measures, such as regulatory sandboxes, as well as tools for sharing best practices.
These measures and tools should be grounded in public trust and be consistent with principles of privacy and data protection.
9. To strengthen our interactions with relevant authorities, including those in charge of competition, consumer protection and intellectual property, to facilitate consistency and foster synergies between different applicable regulatory frameworks to AI systems, tools and applications. Dialogues involving diverse players in the AI ecosystem should also be encouraged.

 


2025.08.13

China: National Informatization Development Report (2024) (2025.07.30)

Hello, this is Mitsuhiko Maruyama.

China's Cyberspace Administration (国家互联网信息办公室) has published the National Informatization Development Report (2024). I suppose it is something like China's telecommunications white paper... It covers the civilian sphere, but since China is one of the countries where Internet use is most advanced, I think understanding its situation is a useful reference for how cyberspace will be used going forward.

The worldview it pursues probably differs in some respects from that of democratic, liberal states, so it cannot be taken as-is...

Another point of concern is how far the information reflects reality (is there still pressure to report things as accomplished to avoid trouble, or is that no longer the case?).

Given the size of the population, the absolute numbers for adoption and so on are overwhelming...

 

● 中央网络安全和信息化委员会办公室 (Cyberspace Administration of China: CAC)

・2025.07.30 The Cyberspace Administration of China releases the National Informatization Development Report (2024) (国家信息化发展报告(2024年))

The Cyberspace Administration of China releases the National Informatization Development Report (2024)
On July 30, the launch event for the National Informatization Development Report (2024) (hereinafter "the Report") was held in Beijing. Guided by General Secretary Xi Jinping's important thinking on building China into a cyber power, the Report thoroughly implements the important arrangements of the Party Central Committee and the State Council on informatization development, systematically summarizes China's achievements in informatization development, analyzes the new situation and new challenges it faces, and sets out the next key tasks, building consensus on concepts and providing guidance and reference for advancing China's informatization development.
The Report notes that 2024 marked the 10th anniversary of the strategic goal of building a cyber power and the 30th anniversary of China's full-function access to the international Internet, and that the Third Plenary Session of the 20th CPC Central Committee was successfully held, assigning a new mission and new tasks to informatization development. Advancing informatization development in depth is a strategic choice for firmly seizing the historic opportunity of the information revolution and securing new advantages in international competition, an urgent need for cultivating new quality productive forces and promoting high-quality economic development, an intrinsic requirement for safeguarding and improving people's livelihoods and meeting the people's new expectations for a better life, and strong support for modernizing the national governance system and governance capacity.
The Report shows that in 2024, all regions and departments thoroughly implemented the decisions and arrangements of the Party Central Committee and the State Council, actively planned reform and innovation measures, pooled policy resources, and solidly advanced the major tasks, key projects and priority actions of the 14th Five-Year Plan for National Informatization. Innovation and development capacity was significantly strengthened, the enabling role of informatization in development became increasingly evident, the effects of inclusive development continued to be released, the foundation for secure development was continuously consolidated, the results of open development became more abundant, and the national level of informatization development reached a new stage, providing strong impetus and solid support for opening up a new phase in building a cyber power on the new journey of the new era.
The Report analyzes the results of the 2024 online questionnaire survey on national informatization development. According to the results, surveyed Internet users generally believe that in 2024 informatization played a more important role in innovating ways of learning and working, improving living services and strengthening public governance capacity, and that people's sense of gain, happiness and security became more evident; surveyed enterprises reported that in 2024 they strengthened information technology innovation and talent cultivation, actively rolled out new products, new applications and new businesses, and continuously improved their competitiveness.
The Report states that 2025 is the final year of the 14th Five-Year Plan and the year for planning the 15th Five-Year Plan, and also a key year for comprehensively deepening reform in the cyberspace affairs field and advancing the building of a cyber power. Guided by Xi Jinping Thought on Socialism with Chinese Characteristics for a New Era, in particular General Secretary Xi Jinping's important thinking on building a cyber power, and thoroughly implementing the spirit of the Third Plenary Session of the 20th CPC Central Committee and of the 2025 National Two Sessions, informatization development should be pushed to a new level with greater intensity and more practical measures. First, adhere to self-reliance and self-strengthening, and accelerate innovation in network and information technology and the development of the industrial ecosystem; second, adhere to driving and leading, and accelerate the enabling of new quality productive forces through informatization; third, adhere to serving and benefiting the people, and accelerate the delivery of the fruits of informatization development to all the people more broadly and fairly; fourth, adhere to systems thinking, and accelerate the optimization and improvement of an environment for healthy and sustainable informatization development; fifth, adhere to a global vision, and accelerate multi-level international exchange and cooperation in cyberspace.
At the event, the head of the CAC's Informatization Development Bureau presented the main contents of the Report and the work of promoting informatization development, and the head of the Network Management Technology Bureau presented work related to the development and management of generative artificial intelligence. Officials from the Information and Communications Development Department of the Ministry of Industry and Information Technology, the Market and Informatization Department of the Ministry of Agriculture and Rural Affairs, and the Cyberspace Affairs Office of the Beijing Municipal Party Committee spoke about the work of their departments and regions in promoting informatization development.
Experts and scholars from research institutions related to informatization development, representatives of media organizations and representatives of Internet and information enterprises attended the launch event.

 

・[PDF] National Informatization Development Report (2024) (国家信息化发展报告(2024年)) [downloaded]

・[DOCX][PDF] Provisional translation


Table of contents...

Abstract
Chapter 1: Further comprehensively deepening reform gives informatization development a new mission
1. Deeply understand the significance of promoting reform and innovative development in the informatization field
2. Accurately grasp the rich content of promoting reform and innovative development in the informatization field
3. Fully implement the practical requirements for promoting reform and innovative development in the informatization field
Chapter 2: Innovation and development capacity significantly strengthened
1. Network information technology innovation accelerates breakthroughs
2. The digital industry innovation ecosystem continues to improve
3. The informatization innovation talent pool continues to grow
Chapter 3: Enabling role in development increasingly evident
1. Information infrastructure upgraded
2. Data resource development and utilization improved in quality and expanded in scope
3. Deep integration of digital technology and the real economy
Chapter 4: Effects of inclusive development continue to be released
1. Digital and intelligent daily-life services spread faster
2. Momentum of digital culture grows stronger
3. E-government reduces burdens and raises efficiency
Chapter 5: Foundations of secure development continuously consolidated
1. Cybersecurity safeguards strong and orderly
2. Data security governance solidly advanced
3. Comprehensive cyberspace governance further improved
Chapter 6: Results of open development more abundant
1. Concepts and propositions build broad international consensus
2. Cyberspace exchanges and cooperation deepened and expanded
3. Digital trade promotes high-level opening up
Chapter 7: National informatization development reaches a new stage in 2024
1. Evaluation of the 2024 informatization development results of each region
2. Analysis of the 2024 national informatization development online survey
Chapter 8: Situation and tasks for informatization development in 2025
1. New opportunities and challenges facing informatization development
2. Key tasks for China's informatization development in 2025

 

Summary...

Abstract
2024 marked the 10th anniversary of the strategic goal of building China into a cyber power and the 30th anniversary of China's full-function access to the international Internet. The Third Plenary Session of the 20th CPC Central Committee was successfully held and systematically laid out a grand blueprint for further comprehensively deepening reform and advancing the great rejuvenation of the Chinese nation through Chinese-style modernization. President Xi Jinping sent a video message congratulating the opening of the 2024 World Internet Conference Wuzhen Summit, stating that "we should grasp the general trend of digital, networked and intelligent development, take innovation as the primary driving force, security as the bottom-line requirement and inclusiveness as the value pursuit, accelerate innovative, secure and inclusive development of cyberspace, and move forward together toward a better 'digital future'", pointing the way forward for building a community with a shared future in cyberspace.
At present, a new round of scientific and technological revolution and industrial transformation is developing rapidly, new technologies such as AI are flourishing, and informatization is entering a new stage of comprehensive leaps in digitalization, networking and intelligentization. Advancing informatization in depth is a strategic choice for firmly seizing the historic opportunity of the information revolution and gaining new advantages in international competition; an urgent need for cultivating new quality productive forces and promoting high-quality economic development; an intrinsic requirement for safeguarding and improving people's livelihoods and meeting the people's new expectations for a better life; and strong support for modernizing the national governance system and governance capacity.
In 2024, all regions and departments thoroughly implemented the decisions and arrangements of the CPC Central Committee and the State Council, actively planned reform and innovation measures, pooled policy resources, and solidly advanced the major tasks, key projects and priority actions of the 14th Five-Year Plan for National Informatization. Innovation and development capacity was significantly strengthened, the enabling effect on development became increasingly evident, the effects of inclusive development continued to be released, the foundations of secure development were continuously consolidated, and the results of open development became more abundant. The national level of informatization development reached a new stage, providing strong impetus and solid support for opening a new chapter in building a cyber power on the new journey of the new era.
1. National informatization development achieved remarkable results in 2024
(1) Innovation and development capacity significantly strengthened. First, network information technology innovation accelerated breakthroughs. Integrated circuit R&D and manufacturing capacity continued to strengthen, operating systems accelerated large-scale adoption, installations of OpenHarmony (开源鸿蒙) exceeded 1 billion devices, and innovations in frontier technologies such as quantum information, brain-computer interfaces and digital twins kept emerging. The technical capabilities of generative AI large models continued to leap forward: by the end of 2024, 302 generative AI services had completed filing (备案), total registered users exceeded 600 million, and several large-model products ranked among the world's best in performance. Blockchain applications improved in quality and efficiency, accelerating integration into key fields such as freight transport, trade, manufacturing, energy and government affairs and empowering the real economy. Second, the digital industry innovation ecosystem continued to improve. In 2024 China's digital industry achieved business revenue of 35 trillion yuan, up 5.5% year on year; software business revenue was 13.73 trillion yuan, up 10.0%. Open-source communities for operating systems, databases, AI and other areas continued to mature, and the industry-academia-research innovation layout was further strengthened. Informatization standards took new steps, with guidelines for building standards systems published for key fields such as AI, the Internet of Things and data. Third, the informatization innovation talent pool continued to grow. The talent training system became more complete, with 227 undergraduate digital-economy programs nationwide; the transformation of education and research models accelerated, and large models in key fields such as library and information science, chemical engineering, oceanography and meteorology effectively raised research efficiency. The national education digitalization strategic action was implemented in depth, and the world's largest national smart-education public service platform was built. Digital literacy and skills of the whole population continued to rise: 60.61% of adults and 64.69% of minors (aged 12 to 17) possess basic or higher digital literacy and skills.
(2) The enabling role in development became increasingly evident. First, information infrastructure was upgraded. By the end of 2024, a cumulative 4.251 million 5G base stations had been built and put into service, the 5G user penetration rate exceeded 71%, and more than 300 cities had 5G-A network coverage. 207 gigabit cities were built, and fiber access users at gigabit speeds or above reached 207 million. Active IPv6 users reached 823 million, with IPv6 traffic shares of 65.60% on mobile networks and 24.95% on fixed networks. China's intelligent computing capacity reached 493 EFLOPS (FP16). Mobile IoT accelerated toward "intelligent connection of everything", with 2.656 billion mobile (cellular) IoT users. Industrial Internet accelerated large-scale application, covering all 41 major industrial categories, and Internet-of-Vehicles infrastructure rolled out faster. Large-scale application of BeiDou accelerated, with more than 28 million BeiDou terminal devices (excluding consumer electronics) in use. Second, data resource development and utilization improved in quality and expanded in scope. A basic data institutional system was initially established and the scale and quality of data resources kept improving: China's annual data production reached 41.06 ZB in 2024, up 25% year on year, and cumulative data storage reached 2.09 ZB, up 20.81%. Data annotation became an emerging industry, construction of 7 data annotation bases accelerated, and the number of data-service enterprises (数商) exceeded 1 million. Third, digital technology and the real economy integrated deeply. Smart agriculture developed faster, with the Guiding Opinions on Vigorously Developing Smart Agriculture implemented. The digital transformation of manufacturing advanced steadily: by the end of 2024, the penetration rate of digital R&D and design tools and the numerical-control rate of key processes at key industrial enterprises reached 82.7% and 65.3% respectively. Digitalization of the service sector strongly drove consumption growth, with national online retail sales of 15.23 trillion yuan and digital consumption exceeding 6 trillion yuan. Coordinated digital and green transformation accelerated: the Implementation Guidelines for Coordinated Digital and Green Transformation and Development were issued, 246 national green data centers have been built in total, and the integration of industrial digitalization and intelligentization with greening continued to deepen. Internet enterprises became more dynamic, with the top 100 Internet companies by market capitalization all recording year-on-year growth in total market value, revenue, profit and R&D investment.
(3) The effects of inclusive development continued to be released. First, digital and intelligent daily-life services spread faster. In 2024 China's Internet users reached 1.108 billion and the Internet penetration rate rose to 78.6%. Digital health service resources expanded and reached down to the local level: telemedicine covered every city and county nationwide, Internet healthcare users reached 418 million, and users of the national medical-insurance code exceeded 1.2 billion. 1.07 billion people had obtained electronic social security cards, which delivered 17.051 billion online services. The national elderly-care service information platform went into online operation with more than 18 million cumulative visits. Construction of the national employment information resource database and employment public service platform accelerated, and the national "one database, one platform" was initially completed. Digital village construction advanced in depth, fully achieving "gigabit to every county, 5G to every township, broadband to every village", and the digitalization of rural governance kept rising. Second, the momentum of digital culture grew stronger. Construction of the national cultural big-data system advanced steadily, digital public cultural services kept improving, and high-quality cultural resources were delivered directly to the grassroots. China Media Group and satellite TV stations in 9 provinces and municipalities launched ultra-high-definition channels, driving faster upgrading of the UHD industry. The online audio-visual industry flourished, with 1.091 billion users, becoming an important channel of people's cultural life. AI empowered online cultural dissemination, and new cultural formats such as immersive digital performances kept emerging. Online video, online games and new online media platforms developed vigorously, digital content such as web fiction, web dramas and online games accelerated going global, and the international reach of Chinese culture kept rising. Third, e-government reduced burdens and raised efficiency. In 2024 China ranked 35th globally on the E-Government Development Index, up 8 places from 2022. Localities used government service platforms to implement "getting one thing done efficiently", gradually expanding the coverage of key items, and deployed new technologies such as AI in government services. Informatization of Party and government organs advanced in depth, with new results in building the "digital NPC", "digital CPPCC" and "digital discipline inspection and supervision", and digital intelligence supporting judicial fairness and justice. Rectification of "formalism at the fingertips" was deepened, and digital empowerment of grassroots work achieved positive results.
(4) The foundations of secure development were continuously consolidated. First, cybersecurity safeguards were strong and orderly. Top-level cybersecurity design kept improving: the Provisions on Security Management of Internet-based Government Applications were issued and took effect, and version 1.0 of the AI Safety Governance Framework was formulated and released. The National Technical Committee for Cybersecurity Standardization (TC260) was established; 36 national standards were released, 3 mandatory national standards were initiated and 3 international standards were formally published. Cybersecurity education, technology and industry developed in an integrated way, first-class cybersecurity schools and cybersecurity specialty colleges were promoted, and the 2024 National Cybersecurity Awareness Week was held successfully, deepening publicity and awareness activities. Second, data security governance advanced solidly. The cross-border data flow regime was further optimized: the Provisions on Promoting and Regulating Cross-Border Data Flows were issued and took effect, and by the end of 2024, 285 data export security assessment projects had been completed and 1,071 standard contracts for personal information export had been filed. Special rectification of apps' illegal collection and use of personal information continued, with more than 90,000 public complaints and reports accepted in total. Third, comprehensive cyberspace governance was further improved. The cyber rule-of-law system kept maturing, with more than 150 laws, administrative regulations and departmental rules in the network field now enacted. The "National Cyber Law Popularization Tour" series was carried out with notable results. The "Qinglang" (清朗) series of special campaigns was vigorously implemented, focusing on 10 categories of disorder including infringing information targeting enterprises, external links to illegal information, "self-media" chasing traffic without limits, and false or vulgar content in livestreaming. The "Clean Net 2024" (净网 2024) special operation continued, with more than 119,000 cyber crime cases investigated during the year, effectively safeguarding order in cyberspace and citizens' lawful rights and interests.
(5) The results of open development became more abundant. First, China's concepts and propositions built broad international consensus. Home-ground diplomacy deepened international cooperation in cyberspace: important international events such as the World Internet Conference Wuzhen Summit and the China-Africa Internet Development and Cooperation Forum were successfully held, the Global Initiative on Cross-Border Data Flow Cooperation was released, international open-cooperation platforms for cyberspace were actively built, China participated deeply in global AI governance and helped bring about the Global Digital Compact. Second, cyberspace exchanges and cooperation deepened and expanded. The E-Commerce Agreement was concluded at the WTO, and the processes related to accession to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the Digital Economy Partnership Agreement (DEPA) were advanced. China actively took part in exchanges on cyber and digital issues under mechanisms including the UN, WTO, APEC, G20, BRICS and the Shanghai Cooperation Organisation. A China-EU cross-border data flow exchange mechanism was established, and a Memorandum of Understanding on China-Germany Cross-Border Data Flow Cooperation was signed with Germany. Third, digital trade promoted high-level opening up. The Opinions on Reform, Innovation and Development of Digital Trade were issued, promoting an international cooperation environment for high-level opening up. In 2024 China's cross-border e-commerce imports and exports were about 2.71 trillion yuan, up 14% year on year. The number of "Silk Road E-commerce" partner countries rose to 33, with institutional innovations such as the use of electronic bills of lading.
2. Evaluation of 2024 informatization development results
To solidly advance implementation of the national informatization development strategy and plan, the Cyberspace Administration of China organized relevant departments and units to carry out the 2024 national informatization development evaluation, focusing on the progress and results of the 31 provinces (autonomous regions and municipalities) in key capabilities, driving and leading, and development environment. The results show that 10 regions rank in the nation's first tier for overall informatization development: Beijing, Zhejiang, Shanghai, Guangdong, Jiangsu, Shandong, Fujian, Sichuan, Chongqing and Tianjin.
At the same time, the CAC conducted an online questionnaire survey on the state of national informatization development in 2024. Surveyed Internet users generally felt that in 2024 informatization played a more important role in innovating ways of learning and working, raising the level of daily-life services and strengthening public governance capacity, and that people's sense of gain, happiness and security became more pronounced. Surveyed digital enterprises reported that in 2024 they strengthened information technology innovation and talent cultivation, actively deployed new products, applications and lines of business, and continuously improved their competitiveness.
3. Situation and tasks for informatization development in 2025
At present, innovation in network information technology is accelerating, strategic emerging industries and future industries represented by AI are flourishing, and informatization has become an important force for cultivating new quality productive forces and reshaping the global development landscape. Externally, changes unseen in a century are overlapping with the wave of the information revolution; the international situation is complex and volatile, with growing uncertainty and instability. In technology trends, AI has become a new engine of productivity, blockchain brings a new paradigm for production relations, the scope of factors of production keeps expanding, application paradigms are changing profoundly, and data, algorithms and computing power have become important strategic resources. Domestically, the network information technology industrial ecosystem still needs strengthening; problems such as low-quality data supply, unsmooth circulation mechanisms and insufficiently released application potential persist, and promoting and regulating the development of new technologies and applications faces new challenges.
2025 is the final year of the 14th Five-Year Plan, the year for laying out the 15th Five-Year Plan, and a key year for comprehensively deepening reform in the cyberspace affairs field and advancing the building of a cyber power. Guided by Xi Jinping Thought on Socialism with Chinese Characteristics for a New Era, and in particular General Secretary Xi Jinping's important thinking on building a cyber power, and thoroughly implementing the spirit of the Third Plenary Session of the 20th CPC Central Committee and of the 2025 "Two Sessions", informatization development is to be pushed to a new stage with greater intensity and more practical measures.
First, adhere to self-reliance and self-strengthening, and accelerate network information technology innovation and industrial ecosystem development. Accelerate breakthroughs in core technologies, strengthen deployment in key fields such as integrated circuits, basic software and industrial software, AI and quantum information, and advance technical research and application of results across the whole chain. Promote ecosystem building for AI, operating systems, databases and RISC-V (the fifth-generation reduced instruction set), support the development of open-source communities and open-source infrastructure, and encourage and regulate new types of R&D institutions. Reinforce enterprises as the principal actors in technological innovation and promote sound investment and financing support systems. Advance innovative development of the digital industry, promote healthy development of the platform economy, and build internationally competitive digital industry clusters. Cultivate future industries such as quantum technology, embodied intelligence and 6G, actively promote the "AI+" action, deepen the application of AI large models in vertical fields, and cultivate new digital-intelligent services and products. Build a strong informatization innovation workforce, strengthen basic, emerging and interdisciplinary informatization disciplines, and train a multi-level, multidisciplinary talent pool.
Second, adhere to driving and leading, and accelerate informatization's empowerment of new quality productive forces. Build ubiquitous, intelligently connected information infrastructure: advance large-scale 5G-A deployment in an orderly way, accelerate 6G R&D and standards development, keep extending the breadth and depth of "dual gigabit" network coverage, build mobile IoT networks moderately ahead of demand, deepen IPv6 innovation and integrated application, implement the "Eastern Data, Western Computing" (东数西算) project in depth, and promote satellite Internet. Accelerate improvement of the basic data institutional system, expand the supply of public data resources, raise the level of data resource development and utilization, explore a classified and graded authorization mechanism for public data, adopt differentiated policies for developing and using public, enterprise and personal data, and build a secure and trustworthy circulation environment. Promote deep integration of digital technology with the real economy: accelerate smart agriculture, implement in depth the manufacturing digital transformation action, the SME digital empowerment special action and the intelligent manufacturing project, and promote deep integration of digital technology with modern services. Accelerate coordinated digital and green transformation and promote high-quality development of Internet enterprises.
Third, adhere to serving and benefiting the people, and accelerate delivery of the fruits of informatization more widely and equitably to all. Deepen information services for the people: implement the national education digitalization strategy in depth, strengthen and make good use of the national smart-education public service platform, advance smart healthcare, develop smart elderly-care services, and optimize digital social security, employment and human resources services. Implement the digital village special action to strengthen agriculture, benefit rural areas and enrich farmers, and promote integrated urban-rural informatization. Deepen the action to raise the whole population's digital literacy and skills, and accelerate the closing of the digital divide and the intelligence divide. Promote innovative digitalization of culture, implement the national cultural digitalization strategy in depth, enrich the supply of high-quality digital cultural products, and cultivate new panoramic immersive cultural formats. Use informatization to modernize the national governance system and capacity, promote the development and governance of an intelligent society, deepen digital empowerment of government services, advance innovative application of new technologies such as AI and blockchain, extend "getting one thing done efficiently" to basically cover high-frequency government service items, and deepen rectification of "formalism at the fingertips". Advance informatization of governance in public safety and emergency response, territorial space, ecology and environment, and other fields.
Fourth, adhere to systems thinking, and accelerate optimization of the environment for healthy and sustainable informatization development. Build a solid network and data security barrier: strengthen security protection of critical information infrastructure, deepen integrated development of cybersecurity education, technology and industry, promote the network and data security industry, accelerate the formulation of standards and specifications for critical information infrastructure security, interoperability of cybersecurity products, data classification and grading, and data security risk assessment, and further improve the security management regime for data export. Improve the governance system for informatization development: strengthen the rule of law in cyberspace, actively explore legislation for emerging fields, promote coordination of online law enforcement, crack down hard on online illegal acts, strengthen cyber rule-of-law publicity, and protect the lawful rights and interests of actors in cyberspace. Improve the comprehensive cyberspace governance system, regulate online information content and the order of dissemination, continue the "Qinglang" series of special campaigns, and foster a positive and healthy online environment.
Fifth, adhere to a global perspective, and accelerate multi-level international exchanges and cooperation in cyberspace. Strengthen international organizations such as the World Internet Conference and jointly promote the sharing of achievements in cyberspace. Actively participate in building the international rules and standards system for cyberspace and raise China's contribution and influence. Push the "Digital Silk Road" deeper and more practical, and deepen pragmatic cyberspace cooperation with emerging market countries, neighboring countries and developing countries. Actively promote institutional opening up, proactively align with high-standard international economic and trade rules, and advance high-quality development of digital trade. Support Internet enterprises going global and raise their international competitiveness.

 

 


2025.08.10

UK ICO Annual Report 2024-2025 (2025.07)

Hello, this is 丸山満彦 (Mitsuhiko Maruyama).

The UK data protection authority, the Information Commissioner's Office (ICO), has published its annual report...

It seems the reports have been published since 2021-22...

In the UK the government also keeps its accounts on a double-entry basis, so the part corresponding to the equity section is clearly set out as well...

As at 31 March 2025:

Taxpayers’ equity £7,682,000

That is the figure...

It would be nice if the Japanese government adopted double-entry bookkeeping too...

The notes to the accounts are reasonably thorough as well...

 

 

ICO - Annual reports

・2025.07 [PDF] Annual report 2024-25


Performance report
Information Commissioner’s foreword
Senior Independent Director’s report
Our purpose and strategic enduring objectives
Causes
The legislation we oversee
Our stakeholders
A year in review
Milestones through the year
Performance overview
Key risks
Performance analysis
Financial performance summary
Sustainability
Whistleblowing disclosures
Going concern
Accountability report
Corporate governance report
Remuneration and staff report
Parliamentary accountability
The Certificate and Report of the Comptroller and Auditor General to the Houses of Parliament
Financial statements
Statement of comprehensive net expenditure
Statement of financial position
Statement of cash flows
Statement of changes in taxpayers’ equity
Notes to the accounts

 

Main financial statements (reproduced as images in the original post)...

・Statement of comprehensive net expenditure

・Statement of financial position

・Statement of cash flows

・Statement of changes in taxpayers’ equity


Previous years

・Annual report 2023-24

Corrections and clarifications to prior years:

・2024 Annual Report Corrections And Clarifications

・Annual report 2022-23

・Annual report 2021-22


2025.07.30

SEC cybersecurity disclosures: a comparison with last year...

Hello, this is 丸山満彦 (Mitsuhiko Maruyama).

The SEC adopted its amended rules on 2023.07.26, strengthening cybersecurity disclosure, with the new disclosure required for fiscal years ending on or after 2023.12.15. More than a year and a half has passed since then, so there are now examples in Form 10-K filings and in Form 20-F filings. With two years available for comparison, here is a quick look...

 

For US domestic registrants: Form 10-K, Item 1C. Cybersecurity (Regulation S-K Item 106)

Under Risk Management and Strategy, where the registrant has processes for assessing, identifying and managing material risks from cybersecurity threats, it describes:

  • whether and how those processes have been integrated into its overall risk management system or processes
  • whether it engages assessors, consultants, auditors or other third parties in connection with those processes
  • whether it has processes to oversee and identify risks from cybersecurity threats associated with its use of any third-party service provider

It must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations or financial condition, and if so, how.

Then,

under Governance, the registrant describes the board of directors' oversight of risks from cybersecurity threats and management's role in assessing and managing those risks.

For board oversight:

  • identification of any board committee or subcommittee responsible for oversight of risks from cybersecurity threats
  • the processes by which the board or such committee is informed about such risks

For management's role:

  • whether any management positions or committees are responsible for assessing and managing such risks, and if so
    • which positions or committees they are
    • the relevant expertise of those persons or members
  • the processes by which those persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents
  • whether those persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board


For foreign private issuers: Form 20-F, Item 16K. Cybersecurity

The required disclosures, both Risk Management and Strategy and Governance, are the same as those under Item 1C of Form 10-K set out above.


● SECURITIES AND EXCHANGE COMMISSION - EDGAR

 


So, first, a comparison of the 10-K filers we looked at last year...

・IBM

・Intel

・Boeing

・American Express

・Johnson & Johnson

・Pfizer

・Coca-Cola

・McDonald's Corp.

Apart from McDonald's, there don't seem to be any major changes. (These are not disclosures that would change much from year to year in the first place...)

 

 

 INTERNATIONAL BUSINESS MACHINES CORP (IBM)

・2024.02.26 10-K (Annual report) ・2025.02.25 10-K (Annual report)
Item 1C.Cybersecurity: Item 1C.Cybersecurity:
Risk Management and Strategy Risk Management and Strategy
Cybersecurity is a critical part of risk management at IBM and is integrated with the company’s overall enterprise risk management framework. The Board of Directors and the Audit Committee of the Board are responsible for overseeing management’s execution of cybersecurity risk management and for assessing IBM’s approach to risk management. Senior management is responsible for assessing and managing IBM’s exposure to cybersecurity risks on an ongoing basis. Cybersecurity is a critical part of risk management at IBM and is integrated with the company’s overall enterprise risk management framework. The Board of Directors and the Audit Committee of the Board are responsible for overseeing management’s execution of cybersecurity risk management and for assessing IBM’s approach to risk management. Senior management is responsible for assessing and managing IBM’s exposure to cybersecurity risks on an ongoing basis.
From an enterprise perspective, we implement a multi-faceted risk management approach based on the National Institute of Standards and Technology Cybersecurity Framework. We have established policies and procedures that provide the foundation upon which IBM’s infrastructure and data are managed. We regularly assess and adjust our technical controls and methods to identify and mitigate emerging cybersecurity risks. We use a layered approach with overlapping controls to defend against cybersecurity attacks and threats on IBM networks, end-user devices, servers, applications, data, and cloud solutions. From an enterprise perspective, we implement a multi-faceted risk management approach based on the National Institute of Standards and Technology Cybersecurity Framework. We have established policies and procedures that provide the foundation upon which IBM’s infrastructure and data are managed. We regularly assess and adjust our technical controls and methods to identify and mitigate emerging cybersecurity risks. We use a layered approach with overlapping controls to defend against cybersecurity attacks and threats on IBM networks, end-user devices, servers, applications, data, and cloud solutions.
We draw heavily on our own commercial security solutions and services to manage and mitigate cybersecurity risks. IBM maintains a Security Operations Center (“SOC”) that monitors for threats to IBM’s networks and systems, utilizing threat intelligence provided by a range of sources, including the IBM Security X-Force Exchange platform, which maintains one of the largest compilations of threat intelligence in the world. We also rely on tools licensed from third party security vendors to monitor and manage cybersecurity risks. We periodically engage third parties to supplement and review our cybersecurity practices and provide relevant certifications. We draw heavily on our own commercial security solutions and services to manage and mitigate cybersecurity risks. IBM maintains a Security Operations Center (“SOC”) that monitors for threats to IBM’s networks and systems, utilizing threat intelligence provided by a range of sources, including the IBM Security X-Force Exchange platform, which maintains one of the largest compilations of threat intelligence in the world. We also rely on tools licensed from third party security vendors to monitor and manage cybersecurity risks. We periodically engage third parties to supplement and review our cybersecurity practices and provide relevant certifications.
We have a global incident response process, managed by IBM’s Computer Security Incident Response Team (“CSIRT”), that relies primarily on internal expertise to respond to cybersecurity threats and attacks. We utilize a combination of online training, educational tools, videos and other awareness initiatives to foster a culture of security awareness and responsibility among our workforce, including responsibility for reporting suspicious activity. We have a global incident response process, managed by IBM’s Computer Security Incident Response Team (“CSIRT”), that relies primarily on internal expertise to respond to cybersecurity threats and attacks. We utilize a combination of online training, educational tools, videos and other awareness initiatives to foster a culture of security awareness and responsibility among our workforce, including responsibility for reporting suspicious activity.
IBM has a third party supplier risk management program to oversee and identify risks from cybersecurity threats associated with its use of third party service providers and vendors. Risks are assessed and prioritized based, among other things, on the type of offering/engagement, supplier assessments, threat intelligence, and industry practices. IBM has a third party supplier risk management program to oversee and identify risks from cybersecurity threats associated with its use of third party service providers and vendors. Risks are assessed and prioritized based, among other things, on the type of offering/engagement, supplier assessments, threat intelligence, and industry practices.
As discussed in greater detail in Item 1A., "Risk Factors," the company faces numerous and evolving cybersecurity threats, including risks originating from intentional acts of criminal hackers, hacktivists, nation states and competitors; from intentional and unintentional acts or omissions of customers, contractors, business partners, vendors, employees and other third parties; and from errors in processes or technologies, as well as the risks associated with an increase in the number of customers, contractors, business partners, vendors, employees and other third parties working remotely. While the company continues to monitor for, identify, investigate, respond to and remediate cybersecurity risks, including incidents and vulnerabilities, there have not been any that have had a material adverse effect on the company, though there is no assurance that there will not be cybersecurity risks that will have a material adverse effect in the future. As discussed in greater detail in Item 1A., "Risk Factors," the company faces numerous and evolving cybersecurity threats, including risks originating from the increased use of AI, intentional acts of individual and groups of criminal hackers, hacktivists, state-sponsored organizations, nation states and competitors; from intentional and unintentional acts or omissions of customers, contractors, business partners, vendors, employees and other third parties; and from errors in processes or technologies, as well as the risks associated with the number of customers, contractors, business partners, vendors, employees and other third parties working remotely. While the company continues to monitor for, identify, investigate, respond to and remediate cybersecurity risks, including incidents and vulnerabilities, there have not been any that have had a material adverse effect on the company, though there is no assurance that there will not be cybersecurity risks that will have a material adverse effect in the future.
Governance Governance
IBM’s Enterprise & Technology Security (“E&TS”) organization has oversight responsibility for the security of both IBM’s internal systems and external offerings and works across all of the organizations within the company to protect IBM, its brand, and its clients against cybersecurity risks. E&TS also addresses cybersecurity risks associated with third party suppliers. For these purposes, E&TS includes a dedicated Chief Information Security Officer (“CISO”) whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture, and processes for IBM’s internal systems. The CISO manages the CSIRT. The CISO also manages the Product Security Incident Response Team (“PSIRT”), which focuses on product vulnerabilities potentially affecting the security of offerings sold to customers. IBM also has Business Information Security Officers (“BISO”) who coordinate with the Office of the CISO on security issues specific to particular business segments. IBM’s Enterprise & Technology Security (“E&TS”) organization has oversight responsibility for the security of both IBM’s internal systems and external offerings and works across all of the organizations within the company to protect IBM, its brand, and its clients against cybersecurity risks. E&TS also addresses cybersecurity risks associated with third party suppliers. For these purposes, E&TS includes a dedicated Chief Information Security Officer (“CISO”) whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture, and processes for IBM’s internal systems. The CISO manages the CSIRT. The CISO also manages the Product Security Incident Response Team (“PSIRT”), which focuses on product vulnerabilities potentially affecting the security of offerings sold to customers. 
IBM also has Business Information Security Officers (“BISO”) who are coordinated by the Office of the CISO on security issues specific to particular business segments.
・2024 10-K (Annual report)
The CSIRT team, together with the Office of the Chief Information Officer (“CIO”), Cyber Legal, Corporate Security, and BISOs, engages in on-going reviews of incidents, threat intelligence, detections, and vulnerabilities, including to assess client and regulatory impact. Events of interest are promptly reported to the Senior Vice President (“SVP”) for Legal & Regulatory Affairs and General Counsel (“GC”) and the SVP overseeing cybersecurity (“SVP Sponsor”).
Incidents are delegated to an appropriate incident response team for assessment, investigation, and remediation. Depending on the nature of the matter, the incident response team may include individuals from E&TS, the Office of the CISO, the Office of the CIO, Cyber Legal, Business Units, the Chief Privacy Office, Human Resources, Procurement, Finance and Operations, and Corporate Security. The incident response teams advise and consult with the GC and the SVP Sponsor, as appropriate.
The Cybersecurity Advisory Committee (“CAC”) meets regularly and is responsible for overseeing management of the Company’s cybersecurity risk. The CAC is composed of, among others, SVPs from the major business units, the SVP Sponsor, and the GC. The CAC is responsible for, among other things, setting the Company’s governance structure for managing cybersecurity risk and reviewing noteworthy cybersecurity incidents and strategies to prevent recurrence. IBM management responsible for managing cybersecurity risk reflects a cross-section of functions from across the organization with significant experience in managing such risk as well as the technologies underlying these risks. They also hold leadership positions outside of IBM in the field of cybersecurity, serving on governing and advisory boards of public and private institutions at the forefront of issues related to cybersecurity, including technology development, cybersecurity policy, and national security.
The Board of Directors and the Audit Committee oversees the cyber governance process. Leadership from E&TS, including the CISO, make regular presentations to the Audit Committee and the full Board on identification, management, and remediation of cybersecurity risks, both internal and external, as well as threat intelligence, emerging global policies and regulations, cybersecurity technologies, and best practices. In addition, senior management provides briefings as needed to the Audit Committee Chair, the Audit Committee, and, as appropriate, the full Board, on cybersecurity issues and incidents of potential interest.

・2025 10-K (Annual report)
The CSIRT team, together with the Office of the Chief Information Officer (“CIO”), Cyber Legal, Corporate Security, and BISOs, engages in on-going reviews of incidents, threat intelligence, detections, and vulnerabilities, including to assess client and regulatory impact. Events of interest are promptly reported to the Senior Vice President (“SVP”) and Chief Legal Officer ("CLO"), and the SVP overseeing cybersecurity (“SVP Sponsor”).
Incidents are delegated to an appropriate incident response team for assessment, investigation, and remediation. Depending on the nature of the matter, the incident response team may include individuals from E&TS, the Office of the CISO, the Office of the CIO, Cyber Legal, Business Units, the Office of Privacy and Responsible Technology, Human Resources, Procurement, Finance and Operations, and Corporate Security. The incident response teams advise and consult with the CLO and the SVP Sponsor, as appropriate.
The Cybersecurity Advisory Committee (“CAC”) meets regularly and is responsible for overseeing management of the Company’s cybersecurity risk. The CAC is composed of, among others, SVPs from the major business units, the SVP Sponsor, and the CLO. The CAC is responsible for, among other things, setting the Company’s governance structure for managing cybersecurity risk and reviewing noteworthy cybersecurity incidents and strategies to prevent recurrence. IBM management responsible for managing cybersecurity risk reflects a cross-section of functions from across the organization with significant experience in managing such risk as well as the technologies underlying these risks. They also hold leadership positions outside of IBM in the field of cybersecurity, serving on governing and advisory boards of public and private institutions at the forefront of issues related to cybersecurity, including technology development, cybersecurity policy, and national security.
The Board of Directors and the Audit Committee oversee the cyber governance process. Leadership from E&TS, including the CISO, make regular presentations to the Audit Committee and the full Board on identification, management, and remediation of cybersecurity risks, both internal and external, as well as threat intelligence, emerging global policies and regulations, cybersecurity technologies, and best practices. In addition, senior management provides briefings as needed to the Audit Committee Chair, the Audit Committee, and, as appropriate, the full Board, on cybersecurity issues and incidents of potential interest.

・Intel

・2024.01.26 10-K (Annual report)
Cybersecurity
We face significant and persistent cybersecurity risks due to: the breadth of geographies, networks, and systems we must defend against cybersecurity attacks; the complexity, technical sophistication, value, and widespread use of our systems, products and processes; the attractiveness of our systems, products and processes to threat actors (including state-sponsored organizations) seeking to inflict harm on us or our customers; the substantial level of harm that could occur to us and our customers were we to suffer impacts of a material cybersecurity incident; and our use of third-party products, services and components. We are committed to maintaining robust governance and oversight of these risks and to implementing mechanisms, controls, technologies, and processes designed to help us assess, identify, and manage these risks. While we have not, as of the date of this Form 10-K, experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. Such incidents, whether or not successful, could result in our incurring significant costs related to, for example, rebuilding our internal systems, writing down inventory value, implementing additional threat protection measures, providing modifications or replacements to our products and services, defending against litigation, responding to regulatory inquiries or actions, paying damages, providing customers with incentives to maintain a business relationship with us, or taking other remedial steps with respect to third parties, as well as incurring significant reputational harm. In addition, these threats are constantly evolving, thereby increasing the difficulty of successfully defending against them or implementing adequate preventative measures. We have seen an increase in cyberattack volume, frequency, and sophistication.
We seek to detect and investigate unauthorized attempts and attacks against our network, products, and services, and to prevent their occurrence and recurrence where practicable through changes or updates to our internal processes and tools and changes or updates to our products and services; however, we remain potentially vulnerable to known or unknown threats. In some instances, we, our suppliers, our customers, and the users of our products and services can be unaware of a threat or incident or its magnitude and effects. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm. See "Risk Factors" for more information on our cybersecurity risks and product vulnerability risks.
We aim to incorporate industry best practices throughout our cybersecurity program. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies, and other processes to assess, identify, and manage material cybersecurity risks. Our cybersecurity program is designed to be aligned with applicable industry standards and is assessed annually by independent third-party auditors. We have processes in place to assess, identify, manage, and address material cybersecurity threats and incidents. These include, among other things: annual and ongoing security awareness training for employees; mechanisms to detect and monitor unusual network activity; and containment and incident response tools. We actively engage with industry groups for benchmarking and awareness of best practices. We monitor issues that are internally discovered or externally reported that may affect our products, and have processes to assess those issues for potential cybersecurity impact or risk. We also have a process in place to manage cybersecurity risks associated with third-party service providers. We impose security requirements upon our suppliers, including: maintaining an effective security management program; abiding by information handling and asset management requirements; and notifying us in the event of any known or suspected cyber incident.
Our Board of Directors has ultimate oversight of cybersecurity risk, which it manages as part of our enterprise risk management program. That program is utilized in making decisions with respect to company priorities, resource allocations, and oversight structures. The Board of Directors is assisted by the Audit & Finance Committee, which regularly reviews our cybersecurity program with management and reports to the Board of Directors. Cybersecurity reviews by the Audit & Finance Committee or the Board of Directors generally occur at least twice annually, or more frequently as determined to be necessary or advisable. A number of Intel directors have experience in assessing and managing cybersecurity risk.
Our cybersecurity program is run by our Chief Information Security Officer (CISO), who reports to our Executive Vice President and Chief Technology Officer (CTO). Our CISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in the information security team, many of whom hold cybersecurity certifications such as a Certified Information Systems Security Professional or Certified Information Security Manager, and through the use of technological tools and software and results from third party audits. Our CISO and CTO have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. Our CISO has served in that position since 2015 and, before Intel, was previously the Chief Security Officer at McAfee and the Chief Information Officer and CISO for the US House of Representatives. Our CTO joined Intel in 2021 and was previously Senior Vice President and CTO at VMware, with responsibility for product security. Our CISO and CTO regularly report directly to the Audit & Finance Committee or the Board of Directors on our cybersecurity program and efforts to prevent, detect, mitigate, and remediate issues. In addition, we have an escalation process in place to inform senior management and the Board of Directors of material issues.

・2025.01.31 10-K (Annual report)
Cybersecurity
We face significant and persistent cybersecurity risks due to: the breadth of geographies, networks, and systems we must defend against cybersecurity attacks; the complexity, technical sophistication, value, and widespread use of our systems, products and processes; the attractiveness of our systems, products, and processes to threat actors (including state-sponsored organizations) seeking to inflict harm on us or our customers; the substantial level of harm that could occur to us and our customers were we to suffer impacts of a material cybersecurity incident; and our use of third-party products, services, and components. We are committed to maintaining robust governance and oversight of cybersecurity risks and to implementing mechanisms, controls, technologies, and processes designed to help us assess, identify, and manage these risks. See "Risk Factors" for more information on our cybersecurity risks and product vulnerability risks.
While we have not, as of the date of this Form 10-K, experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. We have seen an increase in cyberattack volume, frequency, and sophistication. Our cybersecurity program and governance approach are designed to protect our network and information systems, and we have policies, procedures, processes, and controls in place to identify, manage, and respond to risks from cybersecurity threats. We seek to detect and investigate unauthorized attempts and attacks against our network, products, and services, and to prevent their occurrence and recurrence where practicable through changes or updates to our internal processes and tools and changes or updates to our products and services; however, we remain potentially vulnerable to known or unknown threats. In some instances, we, our suppliers, our customers, and the users of our products and services can be unaware of a threat or incident or its magnitude and effects. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm.
We aim to incorporate industry best practices throughout our cybersecurity program. Our cybersecurity program includes written policies, standards, and procedures for information security, product security, and data privacy; is designed to be aligned with applicable industry standards; and is assessed annually by independent third-party auditors. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies, and other processes to assess, identify, manage, and address material cybersecurity threats, risks, and incidents.
These include, among other things: annual and ongoing security awareness training for employees; mechanisms to detect and monitor unusual network activity; and containment and incident response tools. We actively engage with industry groups for benchmarking and awareness of best practices. We monitor issues that are internally discovered or externally reported and have processes to assess those issues for potential cybersecurity impact or risk. We also have a process in place to manage cybersecurity risks associated with third-party service providers. We impose security requirements upon our suppliers, including: maintaining an effective security management program; abiding by information handling and asset management requirements; and notifying us in the event of any known or suspected cyber incident.
Our Board of Directors has ultimate oversight of cybersecurity risk, which it manages as part of our enterprise risk management program. That program is utilized in making decisions with respect to company priorities, resource allocations, and oversight structures. The Board of Directors is assisted by the Audit & Finance Committee, which regularly reviews our cybersecurity program with management and reports to the Board of Directors. Cybersecurity reviews by the Audit & Finance Committee or the Board of Directors generally occur at least twice annually, or more frequently as determined to be necessary or advisable. A number of Intel directors have experience in assessing and managing cybersecurity risk.
Our cybersecurity program is run by our Chief Information Security Officer (CISO), who reports to our Executive Vice President and Chief Technology Officer (CTO). Our CISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in the information security team—many of whom hold cybersecurity certifications such as a Certified Information Systems Security Professional or Certified Information Security Manager—and through the use of technological tools and software and results from third-party audits.
Our CISO and CTO have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. Our CISO has served in that position since 2015 and, before Intel, was the Chief Security Officer at McAfee and the Chief Information Officer and CISO for the US House of Representatives. Our CTO joined Intel in 2021 and was previously Senior Vice President and CTO at VMware, with responsibility for product security. Our CISO and CTO regularly report directly to the Audit & Finance Committee or the Board of Directors on our cybersecurity program and efforts to prevent, detect, mitigate, and remediate issues. In addition, we have an escalation process in place to inform senior management and the Board of Directors of material issues.

・Boeing

・2024.01.31 10-K (Annual report)
Item 1C. Cybersecurity
Risk Management and Strategy
Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats; effective management of security risks; and resiliency against incidents. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, employee training, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers, suppliers, and other third parties, our information systems, our business operations, and our products and related services. We have adopted security-control principles based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, other industry-recognized standards, and contractual requirements, as applicable. We also leverage government partnerships, industry and government associations, third-party benchmarking, the results from regular internal and third-party audits, threat intelligence feeds, and other similar resources to inform our cybersecurity processes and allocate resources.
We maintain security programs that include physical, administrative and technical safeguards, and we maintain plans and procedures whose objective is to help us prevent and timely and effectively respond to cybersecurity threats or incidents. Through our cybersecurity risk management process, we continuously monitor cybersecurity vulnerabilities and potential attack vectors to company systems as well as our aerospace products and services, and we evaluate the potential operational and financial effects of any threat and of cybersecurity countermeasures made to defend against such threats. We continue to integrate our cyber practice into our Enterprise Risk Management program and our Compliance Risk Management program, both of which are overseen by our Board of Directors and provide central, standardized frameworks for identifying and tracking cyber-related business and compliance risks across the Company. Risks from cybersecurity threats to our products and services are also overseen by our Board of Directors. In addition, we periodically engage third-party consultants to assist us in assessing, enhancing, implementing, and monitoring our cybersecurity risk management programs and responding to any incidents.
As part of our cybersecurity risk management process, we conduct “tabletop” exercises during which we simulate cybersecurity incidents to ensure that we are prepared to respond to such an incident and to highlight any areas for potential improvement in our cyber incident preparedness. These exercises are conducted at both the technical level and senior management level, which has included participation by a member of our Board of Directors. In addition, all employees are required to pass a mandatory cybersecurity training course on an annual basis and receive monthly phishing simulations to provide “experiential learning” on how to recognize phishing attempts.
We have established a cybersecurity supply chain risk management program, which is a cross-functional program that forms part of our Enterprise Risk Management program and is supported by our security, compliance, and supply chain organizations. Through this evolving program, we assess the risks from cybersecurity threats that impact select suppliers and third-party service providers with whom we share personal identifying and confidential information. We continue to evolve our oversight processes to mature how we identify and manage cybersecurity risks associated with the products or services we procure from such suppliers. We generally require our suppliers to adopt security-control principles based on industry-recognized standards.
We have experienced, and may in the future experience, whether directly or through our supply chain or other channels, cybersecurity incidents. While prior incidents have not materially affected our business strategy, results of operations or financial condition, and although our processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that a future cyber incident would not materially affect our business strategy, results of operations or financial condition. See “Risks Related to Cybersecurity and Business Disruptions” in “Risk Factors” on page 14 of this Form 10-K.
Governance
Our Board of Directors has overall responsibility for risk oversight, with its committees assisting the Board in performing this function based on their respective areas of expertise. Our Board of Directors has delegated oversight of risks related to cybersecurity to two Board committees, the Audit Committee and the Aerospace Safety Committee, and each committee reports on its activities and findings to the full Board after each meeting. The Audit Committee is charged with reviewing our cybersecurity processes for assessing key strategic, operational, and compliance risks. Our Chief Information Officer and Senior Vice President, Information Technology & Data Analytics (CIO) and our Chief Security Officer (CSO) provide presentations to the Audit Committee on cybersecurity risks at each of its bimonthly meetings. These briefings include assessments of cyber risks, the threat landscape, updates on incidents, and reports on our investments in cybersecurity risk mitigation and governance. In addition, the Audit Committee has designated one of its members with expertise in cyber risk management to meet regularly with management and review our cybersecurity strategy and key initiatives and progress toward our objectives. In the event of a potentially material cybersecurity event, the Chair of the Audit Committee is notified and briefed, and meetings of the Audit Committee and/or full Board of Directors would be held, as appropriate. The Aerospace Safety Committee provides oversight of the risks from cybersecurity threats related to our aerospace products and services. The Aerospace Safety Committee receives regular updates and reports from senior management, including the Chief Engineer, the Chief Aerospace Safety Officer, and the Chief Product Security Engineer, who provide briefings on significant cybersecurity threats or incidents that may pose a risk to the safe operation of our aerospace products. Both committees brief the full Board on cybersecurity matters discussed during committee meetings, and the CIO provides annual briefings to the Board on information technology and data analytics related matters, including cybersecurity.
At the management level, we have established a Global Security Governance Council (the Council) to further strengthen our cybersecurity risk management activities across the Company, including the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Council is responsible for developing and coordinating enterprise cybersecurity policy and strategy, and for providing guidance to key management and oversight bodies.
Richard Puckett, as our CSO, serves as the chair of the Council. He is responsible for overseeing a unified security program that provides cybersecurity, fire and protection operations, physical security, insider threat, and classified security. Mr. Puckett has nearly 30 years of experience in the cybersecurity industry, including, prior to joining Boeing in 2022, as Chief Information Security Officer of SAP SE and Thomson Reuters Corporation, Vice President, Product and Commercial Security of General Electric, Inc., and Senior Security Architect at Cisco Systems, Inc. He reports directly to the CIO and meets regularly with other members of senior management and the Audit Committee.
The Council also includes, among other senior executives, our Chief Engineer, Chief Information Officer, Chief Aerospace Safety Officer and Chief Product Security Engineer, who each have several decades of business and senior leadership experience managing risks in their respective fields, collectively covering all aspects of cybersecurity, data and analytics, product security engineering, enterprise engineering, safety and the technical integrity of our products and services.
The Council meets monthly and updates key members of the Company’s Executive Council on progress towards specific cybersecurity objectives. A strong partnership exists between Information Technology, Enterprise Security, Corporate Audit, and Legal so that identified issues are addressed in a timely manner and incidents are reported to the appropriate regulatory bodies as required.

・2025.02.03 10-K (Annual report)
Item 1C. Cybersecurity
Risk Management and Strategy
Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats; effective management of security risks; and resiliency against incidents. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, employee training, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers, suppliers, and other third parties, our information systems, our business operations, and our products and related services.
We have adopted security-control principles based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, other industry-recognized standards, and contractual requirements, as applicable. We also leverage government partnerships, industry and government associations, third-party benchmarking, the results from regular internal and third-party audits, threat intelligence feeds, and other similar resources to inform our cybersecurity processes and allocate resources.
We maintain security programs that include physical, administrative and technical safeguards, and we maintain plans and procedures whose objective is to help us prevent and timely and effectively respond to cybersecurity threats or incidents. Through our cybersecurity risk management process, we continuously monitor cybersecurity vulnerabilities and potential attack vectors to company systems as well as our aerospace products and services, and we evaluate the potential operational and financial effects of any threat and of cybersecurity countermeasures made to defend against such threats.
We continue to integrate our cyber practice into our Enterprise Risk Management program and our Compliance Risk Management program, both of which are overseen by our Board of Directors and provide central, standardized frameworks for identifying and tracking cyber-related business and compliance risks across the Company. Risks from cybersecurity threats to our products and services are also overseen by our Board of Directors. In addition, we periodically engage third-party consultants to assist us in assessing, enhancing, implementing, and monitoring our cybersecurity risk management programs and responding to any incidents.
As part of our cybersecurity risk management process, we conduct “tabletop” exercises during which we simulate cybersecurity incidents to ensure that we are prepared to respond to such an incident and to highlight any areas for potential improvement in our cyber incident preparedness. In addition, all employees are required to complete a mandatory cybersecurity training course on an annual basis and receive monthly phishing simulations to provide “experiential learning” on how to recognize phishing attempts.
We have established a cybersecurity supply chain risk management program, which is a cross-functional program that forms part of our Enterprise Risk Management program and is supported by our security, compliance, and supply chain organizations. Through this evolving program, we assess the risks from cybersecurity threats that impact select suppliers and third-party service providers with whom we share personal identifying and confidential information. We continue to evolve our oversight processes to mature how we identify and manage cybersecurity risks associated with the products or services we procure from such suppliers. We generally require our suppliers to adopt security-control principles based on industry-recognized standards.
We have experienced, and may in the future experience, whether directly or through our supply chain or other channels, cybersecurity incidents. While prior incidents have not materially affected our business strategy, results of operations or financial condition, and although our processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that a future cyber incident would not materially affect our business strategy, results of operations or financial condition. See “Risks Related to Technology, Security and Business Disruptions” in “Risk Factors” on pages 14 - 15 of this Form 10-K.
Governance
Our Board of Directors has overall responsibility for risk oversight, with its committees assisting the Board in performing this function based on their respective areas of expertise. Our Board of Directors has delegated oversight of risks related to cybersecurity to two Board committees, the Audit Committee and the Aerospace Safety Committee, and each committee reports on its activities and findings to the full Board after each meeting. The Audit Committee is charged with reviewing our cybersecurity processes for assessing key strategic, operational, and compliance risks. Our Chief Information Digital Officer and Senior Vice President, Information Technology & Data Analytics (CIDO) and our Chief Security Officer (CSO) provide presentations to the Audit Committee on cybersecurity risks at each of its bimonthly meetings. These briefings include assessments of cyber risks, the threat landscape, updates on incidents, and reports on our investments in cybersecurity risk mitigation and governance. In addition, the Audit Committee has designated one of its members with expertise in cyber risk management to meet regularly with management and review our cybersecurity strategy and key initiatives and progress toward our objectives. In the event of a potentially material cybersecurity event, the Chair of the Audit Committee is notified and briefed, and meetings of the Audit Committee and/or full Board of Directors would be held, as appropriate. The Aerospace Safety Committee provides oversight of the risks from cybersecurity threats related to our aerospace products and services. The Aerospace Safety Committee receives regular updates and reports from senior management, including the Chief Engineer, the Chief Aerospace Safety Officer, and the Chief Product Security Engineer, who provide briefings on significant cybersecurity threats or incidents that may pose a risk to the safe operation of our aerospace products. Both committees brief the full Board on cybersecurity matters discussed during committee meetings, and the CIDO provides annual briefings to the Board on information technology and data analytics related matters, including cybersecurity.
At the management level, we have established a Global Security Governance Council (the Council) to further strengthen our cybersecurity risk management activities across the Company, including the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Council is responsible for developing and coordinating enterprise cybersecurity policy and strategy, and for providing guidance to key management and oversight bodies.
Trent Cox, Vice President of Product and Business Operations, is serving as our interim CSO. In that role, he chairs the Council and is responsible for overseeing a unified security program that provides cybersecurity, fire and protection operations, physical security, insider threat, and classified security. Mr. Cox has over 25 years of experience in the aerospace and defense industry, including, prior to joining Boeing in 2024, Chief Information Officer of Raytheon UK, Deputy CIO and Executive Director of Collins Aerospace and Raytheon Intelligence and Space, and Executive Director for Program Execution for the Raytheon Missile Systems businesses. He reports directly to the CIDO and meets regularly with other members of senior management and the Audit Committee.
The Council also includes, among other senior executives, our CIDO, Chief Engineer, Chief Information Officer, Chief Aerospace Safety Officer and Chief Product Security Engineer, who each have several decades of business and senior leadership experience managing risks in their respective fields, collectively covering all aspects of cybersecurity, data and analytics, product security engineering, enterprise engineering, safety and the technical integrity of our products and services.
The Council meets monthly and updates key members of the Company’s Executive Council on progress towards specific cybersecurity objectives. A strong partnership exists between Information Technology, Enterprise Security, Corporate Audit, and Law so that identified issues are addressed in a timely manner and incidents are reported to the appropriate regulatory bodies as required.

・American Express

・2024.02.09 10-K (Annual report) ・2025.02.07 10-K (Annual report)
ITEM 1C CYBERSECURITY
[both filings] We maintain an information security and cybersecurity program and a cybersecurity governance framework that are designed to protect our information systems against operational risks related to cybersecurity.
Cybersecurity Risk Management and Strategy
[both filings] We define information security and cybersecurity risk as the risk that the confidentiality, integrity or availability of our information and information systems are impacted by unauthorized or unintended access, use, disclosure, disruption, modification or destruction. Information security and cybersecurity risk is an operational risk that is measured and managed as part of our operational risk framework. Operational risk is incorporated into our comprehensive Enterprise Risk Management (ERM) program, which we use to identify, aggregate, monitor, report and manage risks. For more information on our ERM program, see “Risk Management” under “MD&A.”
[both filings] Our Technology Risk and Information Security (TRIS) program, which is our enterprise information security and cybersecurity program incorporated in our ERM program and led by our Chief Information Security Officer (CISO), is designed to (i) ensure the security, confidentiality, integrity and availability of our information and information systems; (ii) protect against any anticipated threats or hazards to the security, confidentiality, integrity or availability of such information and information systems; and (iii) protect against unauthorized access to or use of such information or information systems that could result in substantial harm or inconvenience to us, our colleagues or our customers. The TRIS program is built upon a foundation of advanced security technology, employs a highly trained team of experts and is designed to operate in alignment with global regulatory requirements. The program deploys multiple layers of controls, including embedding security into our technology investments, designed to identify, protect, detect, respond to and recover from information security and cybersecurity incidents. Those controls are measured and monitored by a combination of subject matter experts and a security operations center with integrated cyber detection, response and recovery capabilities. The TRIS program includes our Enterprise Incident Response Program, which manages information security incidents involving compromises of sensitive information, and our Cyber Crisis Response Plan, which provides a documented framework for handling high-severity security incidents and facilitates coordination across multiple parts of the Company to manage response efforts. We also routinely perform simulations and drills at both a technical and management level, and our colleagues receive annual cybersecurity awareness training.
[both filings] In addition, we incorporate reviews by our Internal Audit Group and external expertise in our TRIS program, including an independent third-party assessment of our cybersecurity measures and controls and a third-party cyber maturity assessment of our TRIS program against the Cyber Risk Institute Profile standards for the financial sector. We also invest in threat intelligence, collaborate with our peers in areas of threat intelligence, vulnerability management, incident response and drills, and are active participants in industry and government forums.
[both filings] Cybersecurity risks related to third parties are managed as part of our Third Party Management Policy, which sets forth the procurement, risk management and contracting framework for managing third-party relationships commensurate with their risk and complexity. Our Third Party Lifecycle Management (TLM) program sets guidelines for identifying, measuring, monitoring, and reporting the risks associated with third parties through the life cycle of the relationships, which includes planning, due diligence and third-party selection, contracting, ongoing monitoring and termination. Our TLM program includes the identification of third parties with risks related to information security. Third parties that access, process, collect, share, create, store, transmit or destroy our information or have access to our systems may have additional security requirements depending on the levels of risk, such as enhanced risk assessments and monitoring, and additional contractual controls.
[2024.02.09] While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, cybersecurity threats are pervasive and, similar to other global financial institutions, we, as well as our customers, colleagues, regulators, service providers and other third parties, have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of cyber attacks. We continue to assess the risks and changes in the cyber environment, invest in enhancements to our cybersecurity capabilities, and engage in industry and government forums to promote advancements in our cybersecurity capabilities, as well as the broader financial services cybersecurity ecosystem. For more information on risks to us from cybersecurity threats, see “A major information or cybersecurity incident or an increase in fraudulent activity could lead to reputational damage to our brand and material legal, regulatory and financial exposure, and could reduce the use and acceptance of our products and services.” under “Risk Factors.”
[2025.02.07] While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, cybersecurity threats are pervasive and, similar to other global financial institutions, we, as well as our customers, colleagues, regulators, service providers and other third parties, have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of cyberattacks. We continue to assess the risks and changes in the cyber environment, invest in enhancements to our cybersecurity capabilities, and engage in industry and government forums to promote advancements in our cybersecurity capabilities, as well as the broader financial services cybersecurity ecosystem. For more information on risks to us from cybersecurity threats, see “A major information or cybersecurity incident or an increase in fraudulent activity could lead to reputational damage to our brand and material legal, regulatory and financial exposure, and could reduce the use and acceptance of our products and services.” under “Risk Factors.”
Cybersecurity Governance
[2024.02.09] Under our cybersecurity governance framework, our Board and our Risk Committee are primarily responsible for overseeing and governing the development, implementation and maintenance of our TRIS program, with the Board designating our Risk Committee to provide oversight and governance of technology and cybersecurity risks. Our Board receives an update on cybersecurity at least once a year from our CISO or their designee. Our Risk Committee receives reports on cybersecurity at least twice a year, including in at least one joint meeting with our Audit and Compliance Committee, and our Board and these committees all receive ad hoc updates as needed. In addition, our Risk Committee annually approves our TRIS program.
[2025.02.07] Under our cybersecurity governance framework, our Board and Risk Committee are primarily responsible for overseeing and governing the development, implementation and maintenance of our TRIS program, with our Board designating our Risk Committee to provide oversight and governance of technology and cybersecurity risks. Our Board receives an update on cybersecurity at least once a year from our CISO or their designee. Our Risk Committee receives reports on cybersecurity at least twice a year, including in at least one joint meeting with our Audit and Compliance Committee, and our Board and these committees all receive ad hoc updates as needed. In addition, our Risk Committee annually approves our TRIS program.
[both filings] We have multiple internal management committees that are responsible for the oversight of cybersecurity risk. Our Operational Risk Management Committee (ORMC), chaired by our Chief Operational Risk Officer, provides oversight and governance for our information security risk management activities, including those related to cybersecurity. This includes efforts to identify, measure, manage, monitor and report information security risks associated with our information and information systems and potential impacts to the American Express brand. The ORMC escalates risks to our Enterprise Risk Management Committee (ERMC), chaired by our Chief Risk Officer, or our Board based on the escalation criteria provided in our enterprise-wide risk appetite framework. Members of management with cybersecurity oversight responsibilities are informed about cybersecurity risks and incidents through a number of channels, including periodic and annual reports, with the annual report also provided to our Risk Committee, the ORMC and ERMC.
[2024.02.09] Our CISO leads the strategy, engineering and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board, the ERMC and the ORMC on our TRIS program, as well as ad hoc updates on information security and cybersecurity matters. Our current CISO has held a series of roles in telecommunications, networking and information security at American Express, including promotion to the CISO role in 2013 and the addition of responsibility for technology risk management in 2023. Prior to joining American Express, our current CISO served in a variety of technology leadership roles at a public pharmaceutical and biotechnology company for 14 years. Our CISO reports to the Chief Information Officer, information about whom is included in “Information About Our Executive Officers” under “Business.”
[2025.02.07] Our CISO leads the strategy, engineering and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board, the ERMC and the ORMC on our TRIS program, as well as ad hoc updates on information security and cybersecurity matters. Our current CISO has held a series of roles in telecommunications, networking and information security at American Express, including promotion to the CISO role in 2013, and is also responsible for technology risk management. Prior to joining American Express, our current CISO served in a variety of technology leadership roles at a public pharmaceutical and biotechnology company for 14 years. Our CISO reports to the Chief Information Officer, information about whom is included in “Information About Our Executive Officers” under “Business.”
[both filings] For more information on our risk governance structure, see “Risk Management — Governance” and “Risk Management — Operational Risk Management Process” under “MD&A.”

・Johnson & Johnson

・2024.02.16 10-K (Annual report) ・2025.02.13 (Annual report)
Item 1C. Cybersecurity
Risk management and strategy
[both filings] The Company has documented cybersecurity policies and standards, assesses risks from cybersecurity threats, and monitors information systems for potential cybersecurity issues. To protect the Company’s information systems from cybersecurity threats, the Company uses various security tools supporting protection, detection, and response capabilities. The Company maintains a cybersecurity incident response plan to help ensure a timely, consistent response to actual or attempted cybersecurity incidents impacting the Company.
[both filings] The Company also identifies and assesses third-party risks within the enterprise, and through the Company's use of third-party service providers, across a range of areas including data security and supply chain through a structured third-party risk management program.
[both filings] The Company maintains a formal information security training program for all employees that includes training on matters such as phishing and email security best practices. Employees are also required to complete mandatory training on data privacy.
[both filings] To evaluate and enhance its cybersecurity program, the Company periodically utilizes third-party experts to undertake maturity assessments of the Company’s information security program.
[both filings] To date, the Company is not aware of any cybersecurity incident that has had or is reasonably likely to have a material impact on the Company’s business or operations; however, because of the frequently changing attack techniques, along with the increased volume and sophistication of the attacks, there is the potential for the Company to be adversely impacted. This impact could result in reputational, competitive, operational or other business harm as well as financial costs and regulatory action. Refer to the risk factor captioned “An information security incident, including a cybersecurity breach, could have a negative impact to the Company’s business or reputation” in Part I, Item 1A. Risk factors for additional description of cybersecurity risks and potential related impacts on the Company.
Governance - management’s responsibility
[2024.02.16] The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity controls designed to address cybersecurity threats and risks. The Chief Information Officer (CIO), who is a member of the Company’s Executive Committee, and the Chief Information Security Officer (CISO) are responsible for assessing and managing cybersecurity risks, including the prevention, mitigation, detection, and remediation of cybersecurity incidents.
[2025.02.13] The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity controls designed to address cybersecurity threats and risks. The Chief Information Officer (CIO), who is a member of the Company’s Executive Committee, and the Chief Information Security Officer (CISO) are responsible for assessing and managing cybersecurity risks, including security incident detection, response, and recovery.
[both filings] The Company’s CISO, in coordination with the CIO, is responsible for leading the Company’s cybersecurity program and management of cybersecurity risk. The current CISO has over twenty-five years of experience in information security, and his background includes technical experience, strategy and architecture focused roles, cyber and threat experience, and various leadership roles.
Governance - board oversight
[both filings] The Company’s Board of Directors oversees the overall risk management process, including cybersecurity risks, directly and through its committees. The Regulatory Compliance & Sustainability Committee (RCSC) of the board is primarily responsible for oversight of risk from cybersecurity threats and oversees compliance with applicable laws, regulations and Company policies related to, among others, privacy and cybersecurity.
[2024.02.16] RCSC meetings include discussions of specific risk areas throughout the year including, among others, those relating to cybersecurity. The CISO provides at least two updates each year to RCSC on cybersecurity matters. These reports include an overview of the cybersecurity threat landscape, key cybersecurity initiatives to improve the Company’s risk posture, changes in the legal and regulatory landscape relative to cybersecurity, and overviews of certain cybersecurity incidents that have occurred within the Company and within the industry.
[2025.02.13] RCSC meetings include discussions of specific risk areas throughout the year including, among others, those relating to cybersecurity. The CISO provides quarterly updates each year to RCSC on cybersecurity matters. These reports include an overview of the cybersecurity threat landscape, key cybersecurity initiatives to improve the Company’s risk posture, changes in the legal and regulatory landscape relative to cybersecurity, and overviews of certain cybersecurity incidents that have occurred within the Company and within the industry.

・Pfizer

・2024.02.22 10-K (Annual report) ・2025.02.27 10-K (Annual report)
ITEM 1C CYBERSECURITY
[2024.02.22] Managing cybersecurity risk is a crucial part of our overall strategy for safely operating our business. We incorporate cybersecurity practices into our Enterprise Risk Management (ERM) approach, which is subject to oversight by our BOD. Our cybersecurity policies and practices are aligned with relevant industry standards.
[2025.02.27] Managing cybersecurity risk is a crucial part of our overall strategy for safely operating our business. We incorporate cybersecurity practices into our Enterprise Risk Management (ERM) program. Management is responsible for assessing and managing risk, including through the ERM program, subject to oversight by our BOD. Our cybersecurity policies and practices are aligned with NIST (National Institute of Standards and Technology) industry standards.
[both filings] Consistent with our overall ERM program and practices, our cybersecurity program includes:
• [both filings] Vigilance: We maintain a global cybersecurity operation that endeavors to detect, prevent, contain, and respond to cybersecurity threats and incidents in a prompt and effective manner with the goal of minimizing business disruptions.
• [both filings] External Collaboration: We collaborate with public and private entities, including intelligence and law enforcement agencies, industry groups and third-party service providers to identify, assess and mitigate cybersecurity risks.
• [both filings] Systems Safeguards: We deploy technical safeguards that are designed to protect our information systems, products, operations and sensitive information from cybersecurity threats. These include firewalls, intrusion prevention and detection systems, disaster recovery capabilities, malware and ransomware prevention, access controls and data protection. We continuously conduct vulnerability assessments to identify new risks and periodically test the efficacy of our safeguards through both internal and external penetration tests.
• [both filings] Education: We provide periodic training for all personnel regarding cybersecurity threats, with such training appropriate to the roles, responsibilities and access of the relevant Company personnel. Our policies require all workers to report any real or suspected cybersecurity events.
• [2024.02.22] Supplier Ecosystem Management: We extend our cybersecurity management control expectations to our supply chain ecosystem, as applicable. This includes identifying cybersecurity risks presented by third parties.
• [2025.02.27] Supplier Ecosystem Management: We extend our cybersecurity management control expectations to our supply chain ecosystem, as appropriate. This includes identifying cybersecurity risks presented by third parties.
• [2024.02.22] Incident Response Planning: We have established, and maintain and periodically test, incident response plans that direct our response to cybersecurity events and incidents. Such plans include the protocol by which material incidents would be communicated to executive management, our BOD, external regulators and shareholders.
• [2025.02.27] Incident Response Planning: We have established, and maintain and periodically test, incident response plans that direct our response to cybersecurity events and incidents. Such plans include the protocol by which certain significant or potentially material incidents would be communicated to executive management, our BOD, external regulators and shareholders, as appropriate.
• [2024.02.22] Enterprise-Wide Coordination: We engage experts from across the Company to identify emerging risks and respond to cybersecurity threats. This cross-functional approach includes personnel from our R&D, manufacturing, commercial, technology, legal, compliance, internal audit and other business functions.
• [2025.02.27] Enterprise-Wide Coordination: We engage relevant stakeholders from across the Company to identify emerging risks and respond to cybersecurity threats. This cross-functional approach includes personnel from our R&D, manufacturing, commercial, technology, legal, compliance, internal audit and other business functions.
• [both filings] Governance: Our BOD’s oversight of cybersecurity risk management is led by the Audit Committee, which oversees our ERM program. Cybersecurity threats, risks and mitigation are periodically reviewed by the Audit Committee and such reviews include both internal and independent assessment of risks, controls and effectiveness.
[2024.02.22] Our risk assessment efforts have indicated that we are a target for theft of intellectual property, financial resources, personal information, and trade secrets from a wide range of actors including nation states, organized crime, malicious insiders and activists. The impacts of attacks, abuse and misuse of Pfizer’s systems and information include, without limitation, loss of assets, operational disruption and damage to Pfizer’s reputation.
[2025.02.27] Our risk assessment efforts have indicated that we are a target for theft of intellectual property, financial resources, personal information, and trade secrets from a wide range of actors including nation states, organized crime, malicious insiders and activists. The impacts of attacks, abuse and misuse of Pfizer’s systems and information could include, without limitation, loss of assets, operational disruption and damage to Pfizer’s reputation.
[2024.02.22] A key element of managing cybersecurity risk is the ongoing assessment and testing of our processes and practices through auditing, assessments, drills and other exercises focused on evaluating the sufficiency and effectiveness of our risk mitigation. We regularly engage third parties to perform assessments of our cybersecurity measures, including information security maturity assessments and independent reviews of our information security control environment and operating effectiveness. Certain results of such assessments and reviews are reported to the Audit Committee and the BOD, as appropriate, and we make adjustments to our cybersecurity processes and practices as necessary based on the information provided by the third-party assessments and reviews.
[2025.02.27] A key element of managing cybersecurity risk is the ongoing assessment and testing of our processes and practices through auditing, assessments, drills and other exercises focused on evaluating the sufficiency and effectiveness of our risk mitigation. We regularly engage third parties to perform assessments of our cybersecurity measures, including information security maturity assessments and independent reviews of our information security control environment and operating effectiveness. Certain results of such assessments and reviews are reported by the Chief Information Security Officer (CISO) to certain senior leaders, the Audit Committee and the BOD, as appropriate, and we make adjustments to our cybersecurity processes and practices as necessary based on the information provided by the third-party assessments and reviews.
[2024.02.22] The Audit Committee oversees cybersecurity risk management, including the policies, processes and practices that management implements to prevent, detect and address risks from cybersecurity threats. The Audit Committee receives regular briefings on cybersecurity risks and risk management practices, including, for example, recent developments in the external cybersecurity threat landscape, evolving standards, vulnerability assessments, third-party and independent reviews, technological trends and considerations arising from our supplier ecosystem. The Audit Committee may also promptly receive information regarding any material cybersecurity incident that may occur, including any ongoing updates regarding the same. The Audit Committee periodically discusses our approach to cybersecurity risk management with our Chief Information Security Officer (CISO).
[2025.02.27] The Audit Committee oversees cybersecurity risk management, including the policies, processes and practices that management implements to prevent, detect and address risks from cybersecurity threats. The Audit Committee receives periodic briefings on, and discusses with our CISO, cybersecurity risks and risk management practices, including, for example, recent developments in the external cybersecurity threat landscape, evolving standards, vulnerability assessments, third-party and independent reviews, technological trends and considerations arising from our supplier ecosystem. The Audit Committee may also promptly receive information regarding certain significant or potentially material cybersecurity incidents that may occur, including any ongoing updates regarding the same.
Our CISO is a member of our management team who is principally responsible for overseeing our cybersecurity risk management program, in partnership with other business leaders across the Company. The CISO works in coordination with other members of the management team, including, among others, the Chief Digital Officer, the Chief Financial Officer, the Chief Compliance and Risk Officer and the General Counsel and their designees. We believe our business leaders have the appropriate expertise, background and depth of experience to manage risks arising from cybersecurity threats. Our CISO is a member of our management team who is principally responsible for overseeing our cybersecurity risk management program, in partnership with other business leaders across the Company. We believe our CISO and the information security organization have the appropriate expertise, background and depth of experience relating to monitoring the prevention, mitigation, detection and remediation of cybersecurity incidents to manage risks arising from cybersecurity threats. The CISO works in coordination with other members of the management team, including, among others, the Chief Digital Officer, the Chief Financial Officer and the Chief Legal Officer and their designees.
Our CISO, along with leaders from our privacy and corporate compliance functions, collaborate to implement a program designed to manage our exposure to cybersecurity risks and to promptly respond to cybersecurity incidents. Prompt response to incidents is delivered by multi-disciplinary teams in accordance with our incident response plan. Through ongoing communications with these teams during incidents, the CISO monitors the triage, mitigation and remediation of cybersecurity incidents, and reports such incidents to executive management, the Audit Committee and other Pfizer colleagues in accordance with our cybersecurity policies and procedures, as is appropriate. Our CISO, along with leaders from our privacy and corporate compliance functions, collaborate to implement a program designed to manage our exposure to cybersecurity risks and to promptly respond to cybersecurity incidents. Prompt response to incidents is delivered by multi-disciplinary teams in accordance with our incident response plan. Through ongoing communications with these teams during incidents, the CISO monitors the triage, mitigation and remediation of cybersecurity incidents, and reports such incidents to executive management, the Audit Committee and other Pfizer colleagues in accordance with our cybersecurity policies and procedures, as is appropriate.
As of the date of this Form 10-K, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition at this time. For further discussion of the risks associated with cybersecurity incidents, see the Item 1A. Risk Factors—Information Technology and Security section in this Form 10-K. For the fiscal year ended December 31, 2024, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. For further discussion of the risks associated with cybersecurity incidents, see the Item 1A. Risk Factors—Information Technology and Security section in this Form 10-K.

 

 

 

・Coca-Cola

・2024.02.22 10-K (Annual report) ・2025.02.27 10-K (Annual report)
ITEM 1C CYBERSECURITY

・McDonald's Corp.

・2024.02.22 10-K (Annual report) ・2025.02.25 10-K (Annual report)
CYBERSECURITY
[2025 10-K] Cybersecurity risk is an important and evolving focus for McDonald’s. Significant resources are devoted to protecting and enhancing the security of computer systems, software, networks, storage devices, and other technology. The Company’s security efforts are designed to protect against, among other things, cybersecurity attacks that can result in unauthorized access to confidential information, the destruction of data, disruptions to or degradations of service, the sabotaging of systems or other damage. McDonald’s has implemented measures and controls that it believes are reasonably designed to address the evolving cybersecurity risk environment, including enhanced threat monitoring. In addition, McDonald’s continues to regularly review its capabilities to address associated risks, such as those relating to the management of administrative access to systems.
[2025 10-K] Third parties that help to facilitate the Company’s business activities (e.g., franchisees, vendors, suppliers, service providers, etc.) are also sources of cybersecurity risk to McDonald’s, and we have various processes and programs to manage cybersecurity risks associated with our third parties. Despite these risk-mitigation measures, a cybersecurity event impacting a third party may compromise Company data or negatively impact the Company’s ability to conduct business, which could have a material adverse effect on our business.
[2025 10-K] Risks from cybersecurity threats, including as a result of any previous cybersecurity events, did not materially affect McDonald’s or its business strategy, results of operations or financial condition in 2024. Notwithstanding having what McDonald’s believes to be a comprehensive approach to address cybersecurity risk, no company is immune to cybersecurity threats, and McDonald’s may not be successful in preventing or mitigating a future cybersecurity incident that could have a material adverse effect on McDonald’s or its business strategy, results of operations or financial condition. In evaluating cybersecurity incidents, management considers the potential impact to the Company’s results of operations, control framework, and financial condition, as well as the potential impact, if any, to our business strategy and/or reputation.
[2025 10-K] For additional information on risks from cybersecurity threats, please see our Risk Factors beginning on page 28.
Governance
[2024 10-K] Management has primary responsibility for enterprise-wide risk management (“ERM”), including cybersecurity risk, within our Company, as detailed below. Our Board of Directors is responsible for overseeing our ERM framework and exercises this oversight both as a full Board and through its standing committees. Our Board’s Public Policy & Strategy Committee (“PPS Committee”) has oversight responsibility for our strategy and processes relating to cybersecurity risk management. Our PPS Committee receives updates at regular intervals on cybersecurity matters from management, including our Global Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”) who, as discussed below, are responsible for assessing and managing material cybersecurity risks. Such updates include a discussion of the status of our cybersecurity landscape and our cybersecurity strategies, including potential risks and mitigation efforts. If a cybersecurity incident meets our established internal escalation threshold, accelerated reporting of the incident is provided to the applicable members of the Board. The PPS Committee also considers potential remedies to any strategic or process gaps that may be identified during the Company’s review of specific cybersecurity incidents.
[2025 10-K] Management has primary responsibility for enterprise-wide risk management (“ERM”), including cybersecurity risk, within our Company, as detailed below. Our Board of Directors (the “Board”) is responsible for overseeing our ERM framework and exercises this oversight both as a full Board and through its standing committees. Our Board’s Audit & Finance Committee (“A&F Committee”) has oversight responsibility for our strategy and processes relating to cybersecurity risk management.
[2025 10-K] Our A&F Committee receives updates at regular intervals on cybersecurity matters from management, including our Global Chief Information Officer (“CIO”) and Global Chief Information Security Officer (“CISO”) who, as discussed below, are responsible for assessing and managing material cybersecurity risks. Such updates include discussion of the status of our cybersecurity landscape and our cybersecurity strategies, including potential risks and mitigation efforts. For certain significant cybersecurity incidents, our procedures contemplate accelerated reporting of the incident to the applicable members of the Board. The A&F Committee also considers potential remedies to any strategic or process gaps that may be identified during the Company’s review of specific cybersecurity incidents.

[2024 10-K] Our Board of Directors recognizes the importance to the Company of effectively identifying, assessing and managing risks that could have a significant impact on our business strategy. The ERM framework leverages internal risk committees comprised of cross-functional leadership who meet regularly to evaluate and prioritize risks, including cybersecurity risk, in the context of our strategy, with further escalation to our CEO, Board and/or Committees, as appropriate. Effective management of cybersecurity risks is critical to the successful execution of our business strategy.
[2025 10-K] Our Board recognizes the importance to the Company of effectively identifying, assessing and managing risks that could have a significant impact on our business strategy. The ERM framework leverages internal risk committees comprised of cross-functional leadership who meet regularly to evaluate and prioritize risks, including cybersecurity risk, in the context of our strategy, with further escalation to our CEO, Board and/or Committees, as appropriate. Effective management of cybersecurity risks is critical to the successful execution of our business strategy.
Risk Management and Strategy Risk Management and Strategy
Our CIO and CISO are responsible for assessing and implementing our cybersecurity risk management programs, which are informed by the National Institute of Standards and Technology (NIST) Cybersecurity Framework. These leaders and their teams have significant relevant experience in various fields, such as incident response, application security, data protection, network security and identity and access management, and have implemented and executed security programs across multiple industries at Fortune 100 companies. Our programs are designed to create a comprehensive, cross-functional approach to identify and mitigate cybersecurity risks as well as to prevent cybersecurity incidents in an effort to support business continuity and achieve operational resiliency. The CISO reports to the CIO. McDonald’s CIO and CISO are responsible for assessing and implementing our cybersecurity risk management programs, which are informed by the National Institute of Standards and Technology (NIST) Cybersecurity Framework. These leaders and their teams have significant relevant experience in various fields, such as incident response, application security, data security, network security and identity and access management, and have implemented and executed security programs across multiple industries at Fortune 100 companies. Our programs are designed to create a comprehensive, cross-functional approach to identify, assess, manage and mitigate cybersecurity risks as well as to mitigate cybersecurity incidents to support business continuity and achieve operational resiliency.
We leverage certain third-party providers and local technology support teams to help execute certain aspects of our cybersecurity risk management programs. We also engage third parties in assessments and testing of our policies, processes and standards that are designed to identify and remediate cybersecurity incidents. These efforts include a wide range of activities focused on evaluating the effectiveness of the program, including audits, modeling, tabletop exercises and vulnerability testing. We also periodically engage independent third parties to perform assessments and evaluations of certain aspects of our information security control environment and operation of our program. Further, we have various processes and programs to manage cybersecurity risks associated with our use of third-party vendors and suppliers. The CISO leads the Global Cybersecurity organization, which is responsible for executing the Company’s Global Cybersecurity Program and initiatives. This global program is responsible for identifying technology and cybersecurity risks and for implementing and maintaining controls to manage cybersecurity threats. These controls are designed to mitigate, detect and respond to cybersecurity incidents to help safeguard the confidentiality, integrity and availability of McDonald’s infrastructure, resources and information.
We provide regular, mandatory training for employees regarding cybersecurity threats to bring awareness on how they can help prevent and report potential cybersecurity incidents. In addition, key stakeholders involved with our cybersecurity risk management programs receive additional training and regularly participate in scenario-based training exercises to support the effective administration of our programs. McDonald’s Global Cybersecurity Program includes the following functions:
Earlier filing (continued):

We have established and regularly tested incident response processes and controls that identify and risk-rank incidents through a centralized system to promote timely escalation of cybersecurity incidents that exceed a particular level of risk, including escalation of incidents of sufficient magnitude or severity to our CIO and CISO. In evaluating cybersecurity incidents, management considers the potential impact to our results of operations, control framework, and financial condition, as well as the potential impact, if any, to our business strategy or reputation.

Cybersecurity threats, including as a result of our previous cybersecurity incidents, have not materially affected our results of operations or financial condition, including our business strategy, in 2023. For additional information on risks from cybersecurity threats, please see our Risk Factors beginning on page 28.

Later filing (continued):

• Cybersecurity Services, which is responsible for deploying and operating the frontline security controls that are designed to protect and defend McDonald’s against cyber-attacks. Cybersecurity teams are focused on specific areas of a layered defense, including Network Security, Endpoint Protection, Identity and Access Management, Data Protection, and others, to ensure that these controls are integrated into critical systems and processes throughout the McDonald’s environment and operating effectively.
• Cyber Defense, which is responsible for implementing and maintaining controls designed to detect and respond to cybersecurity incidents against McDonald’s and includes a dedicated function for incident response and regular monitoring for cybersecurity threats and vulnerabilities, including those among McDonald’s third-party suppliers. The Company has established and regularly tested incident response processes and controls that identify and risk-rank incidents through a centralized system to promote timely escalation of cybersecurity incidents that exceed a particular level of risk, including escalation of incidents of sufficient magnitude or severity to the CIO and CISO.
• Cyber Governance, Risk & Compliance, which is responsible for operationalizing technology risk and control frameworks, analyzing regulatory developments that may impact McDonald’s, and developing control catalogs and assessments of controls, as well as overseeing governance and reporting of technology and cybersecurity risk. The team provides awareness and training that reinforces information risk and security management practices and compliance with McDonald’s policies, standards and practices. The training is mandatory for all employees globally on a periodic basis, and it is supplemented by Company-wide testing initiatives, including periodic phishing tests.
• Cyber Market Engagement, which is responsible for working with our market teams, International Developmental Licensee partners, and other entities to ensure a consistent approach for cybersecurity across the McDonald’s system.

The governance structure for the Global Cybersecurity organization is designed to appropriately identify, escalate, and mitigate cybersecurity risks. Cybersecurity risk management and its governance and oversight are integrated into McDonald’s operational risk management framework, including through the escalation of key risk and control issues to management and the development of risk mitigation plans for heightened risk and control issues.

As needed, McDonald’s engages third-party assessors or auditing firms with industry-recognized expertise on cybersecurity matters to review specific aspects of McDonald’s cybersecurity risk management framework, processes and controls. These efforts include a wide range of activities focused on evaluating the effectiveness of the program, including audits, modeling, tabletop exercises and vulnerability testing.
Japanese companies... I have changed the order from last year...

・Mitsubishi UFJ Financial Group
・Sumitomo Mitsui Financial Group
・Mizuho Financial Group
・ORIX
・Nomura Holdings
・Takeda
・Sony
・Toyota
・Honda

Mizuho Financial Group's disclosure has become more detailed, hasn't it...

 

Mitsubishi UFJ Financial Group

・2024.07.30 20-F (Annual report - foreign issuer) / ・2025.07.07 20-F (Annual report - foreign issuer)

Item 16K. Cybersecurity

Overview

2024 20-F:

As a financial institution operating globally, we are exposed to various cybersecurity risks, including ransomware, phishing, and distributed denial of service attacks. These risks are often influenced by criminal activity, international conflicts and other threat environments but are becoming increasingly more sophisticated and complex to deal with. We take seriously our responsibilities for securing the assets entrusted to us by our customers against cybersecurity threats and our obligation to provide secure and stable financial services. We have identified risks and threats posed by cyber-attacks and other relevant events as one of our top risks and have been developing and implementing cybersecurity measures under management leadership. During the fiscal year ended March 31, 2024, we did not identify any cybersecurity threats that have materially affected, or were reasonably likely to materially affect, our business strategy, results of operations or financial condition.

2025 20-F:

As a financial institution operating globally, we are exposed to various cybersecurity risks, including ransomware, phishing, and distributed denial of service attacks. These risks are often influenced by criminal activity, international conflicts and other threat environments but are becoming increasingly more sophisticated and complex to deal with. We take seriously our responsibilities for securing the assets entrusted to us by our customers against cybersecurity threats and our obligation to provide secure and stable financial services. We have identified risks and threats posed by cyber-attacks and other relevant events as one of our top risks and have been developing and implementing cybersecurity measures under management leadership. During the fiscal year ended March 31, 2025, we did not identify any cybersecurity threats that have materially affected, or were reasonably likely to materially affect, our business strategy, results of operations or financial condition.

2024 and 2025 20-F (identical text):

While we endeavor to remain vigilant for, and continue to develop and implement measures to address, cybersecurity risk, we may not be able to prevent or mitigate a future cybersecurity incident that could have a material adverse impact on our business strategy, performance, and financial stability. See “Item 3.D. Key Information—Risk Factors—Operational Risk—Our operations are highly dependent on our information, communications and transaction management systems and are subject to an increasing risk of cyber-attacks and other information security threats and to changes in the business and regulatory environment.”

Cybersecurity Risk Management Process

2024 20-F:

We manage cybersecurity risk as a subset of IT risk, which is included in the broader risk category of operational risk. Operational risk is defined as the risk of potential loss resulting from inadequate or ineffective internal processes, people and systems, or due to external events. Cybersecurity risk management is integrated into our comprehensive risk management framework where we have adopted a three lines of defense approach. The first line of defense is the Cyber Security Division, which is the team primarily responsible for identifying and mitigating risks as well as designing and executing controls to manage cybersecurity risk. The second line of defense is the Corporate Risk Management Division, which is responsible for assessing and monitoring cybersecurity risk as well as testing the effectiveness of cybersecurity risk controls independently from the first line. The third line of defense is the Internal Audit Division, which audits the effectiveness of first-line and second-line cybersecurity risk management.

2025 20-F:

We manage cybersecurity risk as a subset of IT risk, which is included in the broader risk category of operational risk. Operational risk is defined as the risk of potential loss resulting from inadequate or ineffective internal processes, people and systems, or due to external events. Cybersecurity risk management is integrated into our comprehensive risk management framework where we have adopted a three lines of defense approach. The first line of defense is the Cyber Security Division, which is the team primarily responsible for identifying and mitigating risks as well as designing and executing controls to manage cybersecurity risk. The second line of defense is the Corporate Risk Management Division, which reports to the Group Chief Risk Officer (CRO) and which is responsible for assessing and monitoring cybersecurity risk as well as testing the effectiveness of cybersecurity risk controls independently from the first line. The third line of defense is the Internal Audit Division, which audits the effectiveness of first-line and second-line cybersecurity risk management.

2024 and 2025 20-F (identical text):

Our cybersecurity risk management program incorporates features based on globally recognized standards such as those issued by the National Institute of Standards and Technology (NIST). Based on such globally recognized standards, the Cyber Security Division, which is supervised by the Group Chief Information Security Officer (CISO), establishes policies and standards to protect our information systems and conducts cybersecurity risk assessments. Among its other responsibilities, the Division also focuses on threat intelligence, including centralized information collection and impact analysis on newly discovered vulnerabilities and past experience, and prevention and remediation of such impacts on a global group-wide basis. Additionally, the Division conducts daily monitoring of our external-facing systems to identify and prevent any flaws in security updates or configuration settings. In an effort to enhance our round-the-clock monitoring and incident response capabilities on a global group-wide basis, we have established the MUFG Cyber Security Fusion Center (MUFG CSFC), which specializes in cybersecurity threat analysis and information security solutions. At the subsidiary level, the Computer Security Incident Response Teams (CSIRTs) have been established within subsidiaries to receive, investigate and implement measures in response to reports of cybersecurity incidents from within such respective subsidiaries in coordination with the MUFG Computer Security Incident Response Team (MUFG-CERT), a team established within the Cyber Security Division for centralizing our cybersecurity incident responses.

We regularly conduct exercises and drills designed to ensure our ability to effectively perform cybersecurity incident response functions. We have also expanded our collaborative activities with government agencies, other companies in the financial industry and other information security communities, including the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Financials Information Sharing and Analysis Center Japan (F-ISAC), the Forum of Incident Response and Security Teams (FIRST) and the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). Furthermore, in order to minimize third-party risks, we conduct risk assessments on third-party vendor contracts prior to contract initiation and subsequently conduct annual reviews to identify any significant changes in the risk environment. We also require our vendors to adhere to the standards set by us in order to ensure that our risk management protocols are consistently maintained. Along with regularly conducted internal reviews of our cybersecurity risk management program against market trends and best practices, we engage audit firms and external consultants as needed, receive evaluations, and utilize the results of these evaluations to continuously ensure and enhance the effectiveness of our program.

Governance

2024 20-F:

The Group Chief Information Officer (CIO) is responsible for operating and maintaining our cybersecurity risk management program and regularly reports on significant cybersecurity-related matters to the Board of Directors as well as the Executive Committee. In the fiscal year ended March 31, 2024, the cybersecurity-related matters reported on by the Group CIO to the Board of Directors included the progress and future policy directions of various key measures, such as those designed to protect public internet assets that are subject to significant attack risk, to strengthen the security posture of our internal information security environment, and to improve the security posture of our overseas facilities. As the most senior manager responsible for cybersecurity risk, the Group CISO supervises the Cyber Security Division and directly reports to the Group CIO. The Cyber Security Division receives information on cybersecurity incidents from the CSIRTs in accordance with our policies and procedures, supervises and coordinates incident response at our group companies, and provides relevant information to the Group CISO, the Group CIO, the Corporate Risk Management Division and, as appropriate, other senior management members. Our current Group CIO has over twenty years of experience in IT management, including cybersecurity risk management, and has experience as a member of a government information security organization. Similarly, the current Group CISO and senior members of the Cyber Security Division have extensive cybersecurity management experience and expertise, with many members participating in financial industry information security organizations, including the F-ISAC.

The Board of Directors decides key management policies and is responsible for management oversight. Decisions on particularly important matters, such as decisions on key management policies as cybersecurity risk management policy for the entire Group, and oversight of the execution of duties related to cybersecurity by directors and corporate executive officers are performed by the Board of Directors. In addition, the Risk Committee and the Audit Committee are established under the Board of Directors to assist the Board with oversight. The Risk Committee discusses and makes recommendations to the Board of Directors on material matters, including cybersecurity, relating to the risk management operations, matters relating to top risk matters and any other material matters that require discussion, and any other material matters that require discussion by the Risk Committee. The Audit Committee obtains reports from management, the Internal Audit Division and the external auditor on any cybersecurity risks and the risk management and corporate governance frameworks and the operation of such frameworks, and oversees them, and assists oversight of the Board of Directors.

Our cybersecurity risk management program is also operated and maintained under the supervision of the Board of Directors with the report on significant cybersecurity-related matters by the Group CIO and the assistance of the Risk Committee and the Audit Committee.

2025 20-F:

The Group Chief Information Officer (CIO) is responsible for operating and maintaining our cybersecurity risk management program and regularly reports on significant cybersecurity-related matters to the Board of Directors as well as the Executive Committee. In the fiscal year ended March 31, 2025, the cybersecurity-related matters reported on by the Group CIO to the Board of Directors included a plan for enhancing our global group-wide cybersecurity governance program such as updating the global risk assessment framework and securing resources. The Group CIO receives direct reporting from the Group CISO, who, as the most senior manager responsible for cybersecurity risk, supervises the Cyber Security Division. The Cyber Security Division receives information on cybersecurity incidents from the CSIRTs in accordance with our policies and procedures, supervises and coordinates incident response at our group companies, and provides relevant information to the Group CISO, the Group CIO, the Corporate Risk Management Division and, as appropriate, other senior management members. Our current Group CIO has over twenty years of experience in IT management, including cybersecurity risk management, and has experience as a member of a government information security organization. Similarly, the current Group CISO and senior members of the Cyber Security Division have extensive cybersecurity management experience and expertise, with many members participating in financial industry information security organizations, including the F-ISAC.

The Board of Directors decides key cybersecurity risk management policies and oversees the execution of our cybersecurity risk management program on a global group-wide basis as part of its responsibility for deciding key management policies and overseeing management. The Board of Directors is informed by, and discusses with, the Group CIO, the Group CRO, who is responsible for assessing and overseeing management of material risks on a global group-wide basis, and other management members on important matters relating to risks from cybersecurity threats and management of such risks, while being assisted by board committees, including the Risk Committee and the Audit Committee, with the oversight of the execution of duties related to cybersecurity risk management carried out by directors and corporate executives. The Risk Committee receives reports from management and the Corporate Risk Management Division on, among other things, cybersecurity threats and incidents, risk trends in cybersecurity threat indicators, and the results of evaluations of the effectiveness of first-line controls in cybersecurity threat prevention and detection conducted by external consultants or audit firms, and discusses and makes recommendations to the Board of Directors on material cybersecurity risk-related matters. The Audit Committee obtains reports from management, the Internal Audit Division and external auditors on risks from cybersecurity threats, the management of such risks, and the design and operation of the corporate governance framework for cybersecurity risk management and, based on its analysis and expertise, assists the oversight of cybersecurity risk management by the Board of Directors.
・Sumitomo Mitsui Financial Group

・2024.06.27 20-F (Annual report - foreign issuer) / ・2025.06.27 20-F (Annual report - foreign issuer)

Item 16K. Cybersecurity

2024 and 2025 20-F (identical text):

The risk of cybersecurity threats is growing ever more serious as a result of the accelerated digitization of financial services and changes to the surrounding environment. We strengthen our security controls in order to achieve a society that is resilient to cybersecurity threats and provide more secure services to our customers.

SMFG and some of our group companies have established a “Declaration of Cybersecurity Management.” This declaration indicates that we acknowledge cybersecurity as a key management issue, and expresses a commitment to enhancing the security posture not just within our organization, but across society as a whole. Under this declaration, we promote the strengthening of cybersecurity controls led by management in order to counter the increasing severity and sophistication of cyber threats.

Risk Management and Strategy

2024 20-F:

We define cybersecurity threats as one of the top risks for our group. Under the concept of “three lines of defense,” we have integrated cybersecurity risk management, which assesses, identifies, and manages material risks from cybersecurity threats, into a company-wide framework and have established a structure with over 600 personnel. Cybersecurity risk management forms part of our cybersecurity operational plan, which is subject to approval by the Management Committee.

2025 20-F:

We define cybersecurity threats as one of the top risks for our group. Under the concept of “three lines of defense,” we have integrated cybersecurity risk management, which assesses, identifies, and manages material risks from cybersecurity threats, into a company-wide framework and have established a structure with over 700 personnel. Cybersecurity risk management forms part of our cybersecurity operational plan, which is subject to approval by the Management Committee.

2024 and 2025 20-F (identical text):

We periodically engage third-party consultants to conduct maturity assessments based on global cybersecurity frameworks to test our cybersecurity controls. Using our threat intelligence function, we collect information such as the latest cybersecurity threats, vulnerabilities and geopolitical developments, and leverage them to detect and prevent those cybersecurity threats. To deter attacks exploiting vulnerabilities, we regularly conduct vulnerability assessments using various tools and also conduct threat-led penetration testing by entrusting external vendors to penetrate actual systems and evaluate vulnerabilities.

We have designed a multilayered cyber defense system that includes detection and interception of suspicious communications from the outside, as well as operation and monitoring of various security programs and systems, to protect against various cyberattacks such as unauthorized access and mass access attacks. We have established a Security Operation Center (“SOC”) with a 24-hour, 365-day monitoring function and locate SOCs in various regions. Through coordination among SOCs in each region, we further strengthen security monitoring on a group-wide basis.

In terms of preparedness for cyber incidents, we established a Computer Security Incident Response Team (“CSIRT”) to prepare for any incidents and have set up a response system. The CSIRT actively collects cyber information on attackers’ methods and vulnerabilities from both inside and outside of our organization and shares them with external organizations such as government authorities in relevant nations and the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) or other relevant organizations as necessary. In addition, we regularly participate in attack simulation exercises conducted by outside experts or the authorities to further strengthen our cyberattack response and resilience. We have established risk management processes including in relation to third parties such as outsourced vendors, and regularly monitor the actual situation.

2024 20-F:

For the fiscal year ended March 31, 2024, there were no cybersecurity incidents that had a material impact on our results of operations or financial condition.

2025 20-F:

For the fiscal year ended March 31, 2025, there were no cybersecurity incidents that had a material impact on our results of operations or financial condition.

Governance

2024 and 2025 20-F (identical text):

The Management Committee regularly discusses cybersecurity risk management in order to further strengthen our security posture based on our cybersecurity operational plan.

In order to clarify the roles and responsibilities for promoting the effectiveness of security controls, the position of Group Chief Information Security Officer (“CISO”) has been assigned under the Group Chief Information Officer (“CIO”) and the Group Chief Risk Officer (“CRO”). The Group CISO is responsible for supervision and direction of controls to manage cybersecurity threats on a group-wide basis. The current Group CISO has been working in the systems sector for many years and has extensive experience in cybersecurity, technology risk management and information security. Group Vice CISOs and regional CISOs are stationed under the Group CISO to help secure cybersecurity controls.

Our directors, in their capacities serving on the full board of directors as well as on the risk committee and audit committee, obtain information and oversee the status of the cybersecurity risk management. Based on reports from the Group CIO regarding the status of cybersecurity risk management, the board supervises the cybersecurity operational plan and its implementation on risk management related to systems, including cybersecurity. The risk committee oversees the implementation of the cybersecurity operational plan on comprehensive risk management, which includes cybersecurity risk, based on regular reports from the Group CRO. The audit committee supervises the implementation status based on regular reports from the Group CISO on the status of cybersecurity controls. Additionally, members of our board of directors periodically receive reports on cybersecurity information including external threat trends and our cybersecurity control measures from the Group CISO.
・Mizuho Financial Group

・2024.06.26 20-F (Annual report - foreign issuer)
ITEM 16K. Cybersecurity
Cybersecurity Strategy
Many of our systems are connected to our domestic and overseas locations, and the systems of our customers and various payment institutions, through a global network. In light of the growing sophistication and scope of cyber-attacks, we recognize cybersecurity as an important management issue and continuously promote cybersecurity measures under management leadership.
We define cybersecurity risk as the risk that the group may incur tangible or intangible losses due to cybersecurity-related problems that occur at the group and/or at its clients, along with organizations, etc., that have a business relationship with the group, such as outside vendors and goods/services suppliers, and view it as one of our top risks. Accordingly, we have established a system to centrally manage cybersecurity risk through the Risk Appetite Framework and the Comprehensive Risk Management Framework.
Governance System
At Mizuho Financial Group, the Board of Directors deliberates and resolves fundamental issues related to cybersecurity risk management. The Board of Directors receives reports from the Group Chief Information Security Officer (“CISO”) *1 on cybersecurity risks that may have an impact on management policies and strategies, annual business plans, medium- to long-term business plans, etc., other cybersecurity risks that the Board of Directors should be aware of from a medium- to long-term perspective, and important matters such as the status of risk control.
The Risk Committee and the IT/Digital Transformation Committee *2, both of which are advisory bodies to the Board of Directors, each receive reports from the Group CRO on the status of comprehensive risk management and from the Group CISO on basic matters related to cybersecurity risk management, evaluate conformity with our basic management policies and the appropriateness of our cyber initiatives, and present recommendations or opinions to the Board of Directors. In addition, the independent third line in the three lines of defense *3 conducts audits on the initiatives of the first and second lines, and reports the results to the Operational Audit Committee, etc.
Under such supervision by the Board of Directors, the President and Chief Executive Officer oversees the cybersecurity risk management of Mizuho Financial Group, and the Group CISO, in accordance with the instructions of the Group CIO and the Group CRO, establishes measures for risk management through autonomous control activities by the first line, and monitoring, measurement, and evaluation by the second line of such autonomous control activities by the first line, and gives instructions to prevent cybersecurity risks that may arise from fraud or outsourcing, and to respond appropriately to cyber incidents.
The Group CISO has been engaged in the IT and systems industry for more than 30 years and, with extensive knowledge and experience, is responsible for the planning and operation of cybersecurity risk management.
Based on the instructions of the Group CISO, the Cybersecurity Management Department identifies possible cybersecurity risks to our business and systems, evaluates our preparedness, assesses risks identified by analyzing the location and magnitude of cybersecurity risks, and then reviews and formulates additional measures to strengthen risk control, such as preventive measures and reactive responses, and strengthens risk control and governance through reflection in business plans.
The Cybersecurity Management Department reports to the Group CISO on the status of cybersecurity risk management, and the Group CISO reports, and if applicable, submits proposals for deliberation, to the Management Committee via the IT Strategy Promotion Committee and to the Board of Directors, each on the status of our cybersecurity measures, etc., with the aim of developing and strengthening a system for ensuring cybersecurity.
We have appointed a person in charge of cybersecurity and have established a communication system at group companies, to monitor the status of our cybersecurity measures and to quickly gather information when an incident occurs.
Initiatives for Cybersecurity Measures
Based on the cybersecurity risks identified and assessed by the Cybersecurity Management Department, Mizuho Financial Group promotes cybersecurity risk management measures across the group, globally and in our supply chains. Specifically, the Mizuho-Cyber Incident Response Team *4 and other highly qualified professionals are deployed, and a 24-hour, 365-day a year monitoring system is in place using an integrated Security Operation Center *5, etc., while making full use of intelligence and advanced technologies in cooperation with external specialized agencies.
Our systems have a virus analysis and a multi-layered defense mechanism, and we are working to strengthen our resilience by implementing Threat-Led Penetration Testing *6 to test the effectiveness of these technical measures and the effectiveness of the response process.
We are also focusing on human resources development, such as conducting study groups for directors including outside directors, cybersecurity training for each executive layer, and phishing email training for all executives and employees at least once every six months.
We confirm in advance and on a regular basis the security management preparedness, including responses in the event of a cyber-incident, of third parties such as cloud service providers that provide outsourcing and cloud services. When we receive reports of cyber-incidents from third parties, in addition to identifying and analyzing the impact on the group, we also strive to respond appropriately to risks when there is concern about the impact on the group.
In order to evaluate the maturity of these cybersecurity measures, we refer to third party assessment by the Cybersecurity Assessment Tool of the Federal Financial Institutions Examination Council and the Cybersecurity Framework of the National Institute of Standards and Technology.
Based on the instructions from the Group CISO, the Cybersecurity Management Department monitors the cause of the incident (including incidents for which the likelihood of occurrence is determined on firm grounds to be very high), the nature and extent of the damage or expected damage, supports the formulation of effective containment, eradication, and recovery measures, analyzes attack methods or expected attack methods based on cyber-incident information, and conducts incident response.
Even after incident recovery, the Cybersecurity Management Department monitors changes that could lead to cyber-incidents in the group and promptly reports to the Group CISO when a breach of the threshold is identified. In addition, the Cybersecurity Management Department analyzes and evaluates the status of causes and risks, and implements necessary measures after consulting with the Group CISO on the response policy.
*1 Chief Information Security Officer
*2 IT/Digital Transformation Committee (as described in “Item6.C. Board Practices”)
*3 Three lines of defense (concept for defining and classifying organizational functions and responsibilities in risk management and compliance)
*4 Cyber Incident Response Team (incident response teams within the Cybersecurity Management Department that specialize in information security issues within the organization)
*5 Security Operation Center (a specialized team within the Cybersecurity Management Department that monitors and analyzes threats to information systems in organizations such as enterprises)
*6 Threat-Led Penetration Testing (evaluation of systems and response processes by analyzing targeted threats and conducting attacks that mimic actual attacks)

・2025.06.25 20-F (Annual report - foreign issuer)
ITEM 16K. Cybersecurity
Cybersecurity Strategy
Many of our systems are connected to our domestic and overseas locations, and the systems of our customers and various payment institutions, through a global network. As cyber attacks become more sophisticated, we recognize cybersecurity as an important management issue and continuously promote cybersecurity measures under management leadership.
We define cybersecurity risk as the risk that the group may incur tangible or intangible losses due to cybersecurity-related problems that occur at the group and/or at its clients, along with organizations, etc., that have a business relationship with the group, such as outside vendors and goods/services suppliers, and view it as one of our top risks. Accordingly, we have established a system to centrally manage cybersecurity risk through the Risk Appetite Framework and the Comprehensive Risk Management Framework.
Governance System
At Mizuho Financial Group, the Board of Directors deliberates and resolves fundamental issues related to cybersecurity risk management. The Board of Directors receives reports from the Group Chief Information Security Officer (“CISO”) on cybersecurity risks that may have an impact on management policies and strategies, annual business plans, medium- to long-term business plans, etc., other cybersecurity risks that the Board of Directors should be aware of from a medium- to long-term perspective, and important matters such as the status of risk control.
The Risk Committee and the IT/Digital Transformation Committee *1, both of which are advisory bodies to the Board of Directors, each receive reports from the Group CRO on the status of comprehensive risk management and from the Group CISO on basic matters related to cybersecurity risk management, evaluate conformity with our basic management policies and the appropriateness of our cyber initiatives, and present recommendations or opinions to the Board of Directors. In addition, the independent third line in the three lines of defense *2 conducts audits on the initiatives of the first and second lines, and reports the results to the Operational Audit Committee, etc.
Under such supervision by the Board of Directors, the President and Chief Executive Officer oversees the cybersecurity risk management of Mizuho Financial Group, and the Group CISO, in accordance with the instructions of the Group CIO and the Group CRO, establishes measures for risk management through autonomous control activities by the first line, and monitoring, measurement, and evaluation by the second line of such autonomous control activities by the first line, and gives instructions to prevent cybersecurity risks that may arise from fraud or outsourcing, and to respond appropriately to cyber incidents.
The Group CISO has been engaged in the IT and systems industry for more than 30 years and, with extensive knowledge and experience, is responsible for the planning and operation of cybersecurity risk management.
Based on the instructions of the Group CISO, the Cybersecurity Management Department identifies possible cybersecurity risks to our business and systems, evaluates our preparedness, assesses risks identified by analyzing the location and magnitude of cybersecurity risks, and then reviews and formulates additional measures to strengthen risk control, such as preventive measures and reactive responses, and strengthens risk control and governance through reflection in business plans.
The Cybersecurity Management Department reports to the Group CISO on the status of cybersecurity risk management, and the Group CISO regularly reports, and if applicable, submits proposals for deliberation, to the Management Committee via the IT Strategy Promotion Committee and to the Board of Directors, each on the status of our cybersecurity measures, etc., with the aim of developing and strengthening a system for ensuring cybersecurity.
We have appointed a person in charge of cybersecurity and have established a communication system at group companies, to monitor the status of our cybersecurity measures and to quickly gather information when an incident occurs.
Initiatives for Cybersecurity Measures
To identify and prevent the manifestation of cybersecurity risks, we collaborate with external organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and other financial institutions. We collect threat intelligence and implement prioritized measures based on the potential impact on us.
Specifically, we take measures to ensure consistent security throughout the entire system development lifecycle, from the planning phase to the development and operation phases.
After the release of systems, we promptly identify and address the impact of disclosed vulnerability information on our group’s system by introducing a configuration management database and vulnerability scanner systems.
To evaluate the effectiveness of these technical measures against cyber attacks on our systems, we also regularly conduct vulnerability assessments and Threat-Led Penetration Testing *3.
As part of our preparedness measures, the Mizuho-Cyber Incident Response Team *4 and other highly qualified professionals are deployed, and a 24-hour, 365-day a year monitoring system is in place using an integrated Security Operation Center *5, etc.
We are also focusing on human resources development, such as conducting study groups for directors including outside directors, cybersecurity training for each executive and employee layer, and phishing email training for all executives and employees at least once every six months.
Additionally, we confirm in advance before, and on a regular basis after entering into a contract with a third party, the security management preparedness, including responses in the event of a cyber incident, of third parties such as cloud service providers that provide outsourcing and cloud services. When we receive reports of cyber incidents from third parties, in addition to identifying and analyzing the impact on the group, we also strive to respond appropriately to risks when there is concern about the impact on the group.
We verify the effectiveness of our cybersecurity posture by referring to external frameworks related to cybersecurity, such as the Cybersecurity Framework developed by the National Institute of Standards and Technology and guidelines on cybersecurity published by the Financial Services Agency. Additionally, we also undergo evaluations by third parties.
Impact and Response When a Cyber-Incident Occurs
As a result of our enhanced cybersecurity measures, we are not aware of any past cyber attacks that could have had a significant impact on investor decisions or could have materially affected our business operations, results of operations and financial condition, in the fiscal year ended March 31, 2025. However, in the event of a cyber attack due to a failure to strengthen cybersecurity measures, leaks or falsification of electronic data, suspension of business operations, information leaks, and unauthorized remittances may occur and cause inconvenience and disadvantage to our customers.
In addition, our business operations, results of operations and financial condition may be materially affected by compensation for damages, administrative actions and damage to reputation.
In the unlikely event that a cyber-incident is detected, or if it is determined on firm grounds that the likelihood of a cyber incident occurring is very high, the Cybersecurity Management Department will report the cyber incident to the Group CISO. The Group CISO reports to the Management Committee and the Board of Directors when particularly important incidents occur or are likely to occur.
Based on the instructions from the Group CISO, the Cybersecurity Management Department monitors the cause of the incident (including incidents for which the likelihood of occurrence is determined on firm grounds to be very high), the nature and extent of the damage or expected damage, supports the formulation of effective containment, eradication, and recovery measures, analyzes attack methods or expected attack methods based on cyber incident information, and conducts incident response.
Even after incident recovery, the Cybersecurity Management Department monitors changes that could lead to cyber incidents in the group and promptly reports to the Group CISO when a breach of the threshold is identified. In addition, the Cybersecurity Management Department analyzes and evaluates the status of causes and risks, and implements necessary measures after consulting with the Group CISO on the response policy.
*1 IT/Digital Transformation Committee (as described in “Item6.C. Board Practices”)
*2 Three lines of defense (concept for defining and classifying organizational functions and responsibilities in risk management and compliance)
*3 Threat-Led Penetration Testing (evaluation of systems and response processes by analyzing targeted threats and conducting attacks that mimic actual attacks)
*4 Cyber Incident Response Team (incident response teams within the Cybersecurity Management Department that specialize in information security issues within the organization)
*5 Security Operation Center (a specialized team within the Cybersecurity Management Department that monitors and analyzes threats to information systems in organizations such as enterprises)
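The 2025 Mizuho disclosure above states that, after systems are released, disclosed vulnerability information is matched against a configuration management database (CMDB) and vulnerability scanner output so that affected systems are identified promptly. The following is an added illustration of what that matching and prioritization step looks like in practice; it is not Mizuho's code and describes no Mizuho system. The inventory rows, the advisory records, identifiers such as ADV-0001 and the team names are all constructed sample data.

```python
"""Match disclosed vulnerability information against a CMDB inventory.

Added illustration, not Mizuho's code. All data below (hosts, products,
advisory ids such as ADV-0001, team names) is constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One row of a CMDB export: what runs where, and who owns it."""
    host: str
    product: str
    version: str
    internet_facing: bool
    owner: str


@dataclass(frozen=True)
class Advisory:
    """One disclosed vulnerability: product, first fixed version, severity."""
    advisory_id: str      # constructed placeholder, not a real CVE id
    product: str
    fixed_in: str         # versions strictly older than this are affected
    severity: str         # "critical", "high", "medium" or "low"


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(version: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.

    Only the leading digits of each fragment count ('10rc1' -> 10); a fragment
    without digits counts as 0. Plain string comparison would wrongly rank
    '2.4.9' above '2.4.10'.
    """
    parts = []
    for fragment in version.split("."):
        match = re.match(r"\d+", fragment)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_affected(asset: Asset, advisory: Advisory) -> bool:
    """An asset is affected when the product matches and it is older than the fix."""
    return (
        asset.product.lower() == advisory.product.lower()
        and parse_version(asset.version) < parse_version(advisory.fixed_in)
    )


def match_advisories(inventory, advisories):
    """Return (advisory, asset) pairs for every affected asset, most urgent first.

    Urgency is severity first, then internet-facing assets before internal ones.
    """
    hits = [
        (advisory, asset)
        for advisory in advisories
        for asset in inventory
        if is_affected(asset, advisory)
    ]
    hits.sort(
        key=lambda hit: (SEVERITY_RANK[hit[0].severity], hit[1].internet_facing),
        reverse=True,
    )
    return hits


def work_items_by_owner(hits):
    """Group affected hosts by owning team so each team receives one work item."""
    items = {}
    for advisory, asset in hits:
        items.setdefault(asset.owner, set()).add((advisory.advisory_id, asset.host))
    return items


# Constructed CMDB extract (sample data).
INVENTORY = [
    Asset("web-01", "ExampleHTTPD", "2.4.9", True, "web-team"),
    Asset("web-02", "ExampleHTTPD", "2.4.12", True, "web-team"),
    Asset("app-07", "ExampleAppServer", "9.0.1", False, "app-team"),
    Asset("db-03", "ExampleDB", "14.2", False, "dba-team"),
]

# Constructed advisory feed (sample data; ids are placeholders).
ADVISORIES = [
    Advisory("ADV-0001", "ExampleHTTPD", "2.4.10", "critical"),
    Advisory("ADV-0002", "ExampleAppServer", "9.1.0", "high"),
    Advisory("ADV-0003", "ExampleDB", "14.0", "medium"),
]


if __name__ == "__main__":
    for advisory, asset in match_advisories(INVENTORY, ADVISORIES):
        exposure = "internet-facing" if asset.internet_facing else "internal"
        print(f"{advisory.advisory_id} [{advisory.severity}] {asset.host} "
              f"{asset.product} {asset.version} ({exposure}, owner {asset.owner})")
```

Run stand-alone it lists the affected hosts in priority order (web-01 for ADV-0001, then app-07 for ADV-0002; web-02 and db-03 are already at or above the fixed version). In a real deployment the inventory would come from the CMDB export and the advisories from a vulnerability feed or the scanner, and the version comparison has to follow each vendor's own versioning scheme, which is the part that most often goes wrong in practice.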

 

 

・ORIX

・2024.06.27 20-F (Annual report - foreign issuer)
Item 16K. Cybersecurity
(1) Risk management and strategy
Our Information Security Control Department reports to and manages cyber and information security risks to the Information Technology Management Committee.
Our Information Security Control Department has established a cyber and information security awareness training program for our consolidated group companies. All employees of our consolidated group companies, including investee companies, and employees of outsourcing companies with access to our network are required to take online training at least once a year. These educational programs also include phishing e-mail simulations, which are conducted several times a year on an irregular basis. We also provide training through escalation and response simulations in the event of a cyber or information security incident.
Each of our consolidated group companies is assigned an Information Security Accountable Owner, and cyber and information security knowledge and the Group’s security policies are shared with the companies on a quarterly basis to raise readiness levels across the ORIX Group.
In order to control cyber and information security risks we face through our interactions with and reliance on third parties, such as through our outsourcing activities and use of cloud services, we conduct regular security assessments of business partners and outsourcing vendors. In addition, we have a framework in place for the Information Security Control Department to evaluate the security risks of information systems and cloud services provided by business partners and outsourcing vendors.
The Information Security Control Department is responsible for assessing and managing our cyber and information security risks and, where necessary, engages third-party consultants for advice regarding specific areas where enhanced controls or in-depth analysis is required.
The ORIX Group has also established a framework to respond to cyber and information security incidents and to mitigate the risk of security breaches, system failures and information leaks, including cyber attacks and damage to information security systems. A system has been established to assess the impact on operations and the likelihood of secondary damage in the event of a cyber and information security incident caused by cyber attacks. The Information Security Control Department analyzes and investigates the incident and also works with the legal department and compliance department to minimize the impact of the incident and prevent secondary damage. Any serious incidents are reported to the Executive Officer in charge of the Information Security Control Department and appropriate action is taken under his/her direction. The current Executive Officer in charge of information security at ORIX has extensive knowledge of information technology and security, cultivated through his experience with system development, project management and security management in over two decades at various international companies prior to joining ORIX Corporation, including over a decade of experience in the financial business sector.
In the current fiscal year, we did not identify any cyber or information security incidents that have materially affected or are reasonably likely to materially affect our business activities, results of operations or financial condition.
(2) Governance
The ORIX Group has established internal rules governing the structure, basic policies, management standards for information security, education, and audits in accordance with global standards for information security controls such as ISO and NIST.
The Information Security Management Rules stipulate that strategies and policies regarding cyber and information security and its response policies for cyber and information security incidents are to be discussed and determined at the Information Technology Committee, consisting of the Group CEO, CFO and other members. In addition, the response status of any cyber or information security incident is reported to the Audit Committee by the Executive Officer in charge of the Information Security Control Department to ensure appropriate information sharing.
We have a system in place to determine the seriousness of cyber or information security incidents, report to the Disclosure Committee in a timely manner, as well as to disclose information on cyber security risks, strategies, and governance on a regular basis, in addition to the status of incident management. In addition to the management of incidents, we have also established a system that enables regular disclosure of cyber security risks, strategies, and governance.
We have also established company-wide security requirements with which all consolidated group companies must comply, such as keeping systems up to date through a vulnerability management program and technical measures for network defense. We have also established internal rules for security log management that take into account physical and logical boundaries with external networks as well as information breaches caused by internal fraud.

・2025.06.24 20-F (Annual report - foreign issuer)
Item 16K. Cybersecurity
(1) Risk management and strategy
Our Information Security Control Department reports to and manages cyber and information security risks to the Information Technology Management Committee.
Our Information Security Control Department has established a cyber and information security awareness training program for our consolidated group companies. All employees of our consolidated group companies, including investee companies, and employees of outsourcing companies with access to our network are required to take online training at least once a year. These educational programs also include phishing e-mail simulations, which are conducted several times a year on an irregular basis. We also provide training through escalation and response simulations in the event of a cyber or information security incident.
Each of our consolidated group companies is assigned an Information Security Accountable Owner, and cyber and information security knowledge and the Group’s security policies are shared with the companies on a quarterly basis to raise readiness levels across the ORIX Group.
In order to control cyber and information security risks we face through our interactions with and reliance on third parties, such as through our outsourcing activities and use of cloud services, we conduct regular security assessments of business partners and outsourcing vendors. In addition, we have a framework in place for the Information Security Control Department to evaluate the security risks of information systems and cloud services provided by business partners and outsourcing vendors.
The Information Security Control Department is responsible for assessing and managing our cyber and information security risks and, where necessary, engages third-party consultants for advice regarding specific areas where enhanced controls or in-depth analysis is required.
The ORIX Group has also established a framework to respond to cyber and information security incidents and to mitigate the risk of security breaches, system failures and information leaks, including cyber attacks and damage to information security systems. A system has been established to assess the impact on operations and the likelihood of secondary damage in the event of a cyber and information security incident caused by cyber attacks. The Information Security Control Department analyzes and investigates the incident and also works with the legal department and compliance department to minimize the impact of the incident and prevent secondary damage.
Any serious incidents are reported to the Executive Officer in charge of the Information Security Control Department and appropriate action is taken under his/her direction. The current Executive Officer in charge of information security at ORIX has extensive knowledge of information technology and security, cultivated through his experience with system development, project management and security management in over two decades at various international companies prior to joining ORIX Corporation, including over a decade of experience in the financial business sector.
In the current fiscal year, we did not identify any cyber or information security incidents that have materially affected or are reasonably likely to materially affect our business activities, results of operations or financial condition.
(2) Governance
The ORIX Group has established internal rules governing the structure, basic policies, management standards for information security, education, and audits in accordance with global standards for information security controls such as ISO and NIST.
The Information Security Management Rules stipulate that strategies and policies regarding cyber and information security and its response policies for cyber and information security incidents are to be discussed and determined at the Information Technology Committee, consisting of the Group CEO, chief financial officer (“CFO”) and other members. In addition, the response status of any cyber or information security incident is reported to the Audit Committee by the Executive Officer in charge of the Information Security Control Department to ensure appropriate information sharing.
We have a system in place to determine the seriousness of cyber or information security incidents, report to the Disclosure Committee in a timely manner, as well as to disclose information on cyber security risks, strategies, and governance on a regular basis, in addition to the status of incident management. In addition to the management of incidents, we have also established a system that enables regular disclosure of cyber security risks, strategies, and governance.
We have also established company-wide security requirements with which all consolidated group companies must comply, such as keeping systems up to date through a vulnerability management program and technical measures for network defense. We have also established internal rules for security log management that take into account physical and logical boundaries with external networks as well as information breaches caused by internal fraud.

 

 

・Nomura Holdings

・2024.06.26 20-F (Annual report - foreign issuer)
Item 16K. Cybersecurity
Risk Management and Strategy
Nomura maintains a comprehensive cybersecurity strategy. Identifying, assessing and managing cybersecurity threats and risks are an integral component of Nomura’s Operational Risk Management (ORM) Framework. See Item 11. “Quantitative and Qualitative Disclosures about Market, Credit and Other Risk—Operational Risk Management Framework” for further information on the framework.
Nomura has invested and is continuing to invest in its cybersecurity strategy to address fast-evolving and sophisticated cybersecurity threats while at the same time complying with extensive global, legal and regulatory expectations. Our cybersecurity programs are designed to be in line with industry best practice standards and include core capabilities such as Security Governance, Security Awareness and Training, Threat Intelligence & Management, Security Operations Management, Vulnerability Management, Application Security, Data Security, and Identity and Access Management.
Nomura is regularly engaging various external service providers to perform independent assessments of our cybersecurity programs and controls. The results from these independent engagements are integrated into updates to our cybersecurity strategy as appropriate. We also conduct our own regular internal security assessments, such as penetration testing, vulnerability scanning, red teaming, and tabletop cyber attack simulations.
Nomura has developed a Third-Party Security Risk Management program that monitors and assesses the cybersecurity controls of our third-party vendors, which include, among others, service providers, SaaS providers, contractors, consultants, suppliers, etc. This program provides a consistent, controlled, cross-divisional approach to managing the services provided by third-party vendors. We perform various risk identification activities including security questionnaires, threat intel reports, SOC2 Type 2 attestation, and onsite reviews for critical suppliers. We also perform periodic reassessment of existing critical vendors. Security risks and exceptions observed are monitored per our global Operational Risk Management framework.
During the fiscal year ended March 31, 2024, we did not identify any risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, there is no guarantee that our business strategy, results of operations and financial condition will not be materially affected by a future cybersecurity incident, and we cannot provide assurances that we have not had occurrences of undetected cybersecurity incidents. See Item 3.D “Risk Factors” for further information on our cybersecurity-related risks.
Cybersecurity Risk Governance
Nomura’s cybersecurity strategy and programs are managed by senior officers: the Group Chief Information Officer (“CIO”), who is supported by the Group Chief Information Security Officer (“CISO”) and the Group Chief Data Officer (“CDO”).
These senior officers have extensive experience in technology, cybersecurity, information security, and data protection and privacy. The CIO has over 35 years of experience in various engineering, IT, Operations and information security roles. The CISO has over 20 years of experience leading cybersecurity teams at financial institutions, including in the areas of security engineering, risk and control management, data privacy, information security, and cybersecurity. The CDO has over 25 years of experience in data and analytics-led business transformation.
Our Board of Directors (“BoD”) has overall responsibility for risk management, with its committees assisting the BoD in performing this function based on their respective areas of expertise. Our BoD delegates its authority to execute business to the Executive Officers led by Group CEO to the extent permitted by law. Among the matters delegated to the Executive Officers by the BoD, the most important matters of business are decided upon deliberation by the Executive Management Board (“EMB”) which consists of the Executive Officers. The EMB delegates responsibility for deliberation of matters concerning risk management including cybersecurity risks to the Group Risk Management Committee (“GRMC”). The CIO is an observer of the EMB and the GRMC, and provides cybersecurity updates to the EMB and the GRMC.

・2025.06.23 20-F (Annual report - foreign issuer)
Item 16K. Cybersecurity
Risk Management and Strategy
Nomura maintains a comprehensive cybersecurity strategy. Identifying, assessing and managing cybersecurity threats and risks are an integral component of Nomura’s Operational Risk Management (ORM) Framework. See Item 11. “Quantitative and Qualitative Disclosures about Market, Credit and Other Risk—Overview of Risk Management Policy and Procedures” for further information on the framework.
Nomura has invested and is continuing to invest in its cybersecurity strategy to address fast-evolving and sophisticated cybersecurity threats while at the same time complying with extensive global, legal and regulatory expectations. Our cybersecurity programs are designed to be in line with industry best practice standards and include core capabilities such as Security Governance, Security Awareness and Training, Threat Intelligence & Management, Security Operations Management, Vulnerability Management, Application Security, Data Security, and Identity and Access Management.
Nomura is regularly engaging various external service providers to perform independent assessments of our cybersecurity programs and controls. The results from these independent engagements are integrated into updates to our cybersecurity strategy as appropriate. We also conduct our own regular internal security assessments, such as penetration testing, vulnerability scanning, red teaming, and tabletop cyber attack simulations.
Nomura has developed a Third-Party Security Risk Management program that monitors and assesses the cybersecurity controls of our third-party vendors, which include, among others, service providers, SaaS providers, contractors, consultants, suppliers, etc. This program provides a consistent, controlled, cross-divisional approach to managing the services provided by third-party vendors. We perform various risk identification activities including security questionnaires, threat intel reports, SOC2 Type 2 attestation, and onsite reviews for critical suppliers. We also perform periodic reassessment of existing critical vendors. Security risks and exceptions observed are monitored per our global Operational Risk Management framework.
During the year ended March 31, 2025, we did not identify any risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, there is no guarantee that our business strategy, results of operations and financial condition will not be materially affected by a future cybersecurity incident, and we cannot provide assurances that we have not had occurrences of undetected cybersecurity incidents. See Item 3.D “Risk Factors” for further information on our cybersecurity-related risks.
Cybersecurity Risk Governance
Nomura’s cybersecurity strategy and programs are managed by senior officers: the Group Chief Information Officer (“CIO”), who is supported by the Group Chief Information Security Officer (“CISO”) and the Group Chief Data Officer (“CDO”).
These senior officers have extensive experience in technology, cybersecurity, information security, and data protection and privacy. The CIO has over 35 years of experience in various engineering, IT, Operations and information security roles. The CISO has over 25 years of experience leading cybersecurity teams at financial institutions, including in the areas of security engineering, risk and control management, data privacy, information security, and cybersecurity. The CDO has over 25 years of experience in data and analytics-led business transformation.
Our Board of Directors (“BoD”) has overall responsibility for risk management, with its committees assisting the BoD in performing this function based on their respective areas of expertise. Our BoD delegates its authority to execute business to the Executive Officers led by Group CEO to the extent permitted by law. Among the matters delegated to the Executive Officers by the BoD, the most important matters of business are decided upon deliberation by the Executive Management Board (“EMB”) which consists of the Executive Officers. The EMB delegates responsibility for deliberation of matters concerning risk management including cybersecurity risks to the Group Risk Management Committee (“GRMC”). The CIO is an observer of the EMB and the GRMC, and provides cybersecurity updates to the EMB and the GRMC.
The GRMC, based on a delegation from the EMB, meets regularly and reports on its activities and findings to the EMB. These meetings cover critical security topics such as resources and budget in cybersecurity risk mitigation and governance, cybersecurity risks, as well as security incidents and cyber tabletop simulations. In addition to these regular reporting activities to the GRMC, the EMB, and the BoD, potentially material cybersecurity events will be escalated to the same management bodies as well as key stakeholders according to Nomura’s security incident response process including crisis management perspectives. The GRMC, based on a delegation from the EMB, meets regularly and reports on its activities and findings to the EMB. These meetings cover critical security topics such as resources and budget in cybersecurity risk mitigation and governance, cybersecurity risks, as well as security incidents and cyber tabletop simulations. In addition to these regular reporting activities to the GRMC, the EMB, and the BoD, potentially material cybersecurity events will be escalated to the same management bodies as well as key stakeholders according to Nomura’s security incident response process including crisis management perspectives.

 

 

・Takeda

| 2024.06.26 20-F (Annual report - foreign issuer) | 2025.06.25 20-F (Annual report - foreign issuer) |
|---|---|
| Item 16K. Cybersecurity | Item 16K. Cybersecurity |
| Risk management and strategy | Risk management and strategy |
| Cybersecurity Risk Management Framework | Cybersecurity Risk Management Framework |
| Takeda maintains a cybersecurity controls framework designed to identify, protect from, detect, respond to and recover from cybersecurity threats consistent with the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Cybersecurity Framework. Preventive control measures are deployed across Takeda’s application, cloud, end-user device, networking and manufacturing infrastructure. Takeda’s Chief Information Security Officer (“CISO”) oversees our cybersecurity risk management framework, reporting to the Chief Data and Technology Officer (“CDTO”). Our CISO has over 30 years of experience in information technology, including more than 10 years serving in a CISO capacity at companies in various industries, including pharmaceuticals. | Takeda maintains a cybersecurity controls framework designed to identify, protect from, detect, respond to and recover from cybersecurity threats consistent with the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Cybersecurity Framework. Preventive control measures are deployed across Takeda’s application, cloud, end-user device, networking and manufacturing infrastructure. Takeda’s Chief Information Security Officer (“CISO”) oversees our cybersecurity risk management framework, reporting to the Chief Data and Technology Officer (“CDTO”). Our CISO has over 30 years of experience in information technology, including more than 10 years serving in a CISO capacity at companies in various industries, including pharmaceuticals. |
| Experienced and trained cyber risk professionals in the Cybersecurity & Risk team (“TCR”) within Takeda’s global data, digital & technology function (“DD&T”), many of whom hold certifications from established cybersecurity organizations, are responsible for identifying and managing cybersecurity risks from various sources, including proactive control evaluations, reporting by Takeda personnel, third-party security assessments, penetration testing, threat modeling, and vulnerability scanning of information systems. Takeda’s internal audit function performs periodic assessments on our cybersecurity controls framework. Third-party security assessments are performed during the vendor selection process or when significant changes are made to a vendor relationship, with each vendor assigned a residual risk rating which determines the frequency of re-assessment. Our commercial agreements typically include contractual provisions to ensure third-party vendors meet Takeda’s standards for data protection. | Experienced and trained cyber risk professionals in the Cybersecurity & Risk team (“TCR”) within Takeda’s global data, digital & technology function (“DD&T”), many of whom hold certifications from established cybersecurity organizations, are responsible for identifying and managing cybersecurity risks from various sources, including proactive control evaluations, reporting by Takeda personnel, third-party security assessments, penetration testing, threat modeling, and vulnerability scanning of information systems. Takeda’s internal audit function performs periodic assessments on our cybersecurity controls framework. Third-party security assessments are performed during the vendor selection process or when significant changes are made to a vendor relationship, with each vendor assigned a residual risk rating which determines the frequency of re-assessment. |
| | Our commercial agreements typically include contractual provisions to ensure third-party vendors meet Takeda’s standards for data protection. |
| TCR risk professionals assess identified risks for their perceived severity of impact on Takeda and likelihood of occurrence, and design and implement appropriate responsive measures in collaboration with relevant business units. TCR provides to the CISO on a monthly basis, and to other members of DD&T senior management on a quarterly basis, operational reports regarding the number and nature of cyber incidents detected and the status of controls and program enhancements. Cybersecurity risk management is integrated into Takeda’s Enterprise Risk Management (“ERM”) program and addressed as a principal risk in our annual Enterprise Risk Assessment, which is reported to the RECC and the Board of Directors, each of which is responsible for approving the reported risks and associated mitigation plans, as well as assessing the effectiveness of the mitigation. In addition, all Takeda employees receive online training on cyber threats as well as periodic e-mail reminders about best practices to safeguard from those threats. | TCR risk professionals assess identified risks for their perceived severity of impact on Takeda and likelihood of occurrence, and design and implement appropriate responsive measures in collaboration with relevant business units. TCR provides to the CISO on a monthly basis, and to other members of DD&T senior management on a quarterly basis, operational reports regarding the number and nature of cyber incidents detected and the status of controls and program enhancements. Cybersecurity risk management is integrated into Takeda’s Enterprise Risk Management (“ERM”) program and addressed as a principal risk in our annual Enterprise Risk Assessment, which is reported to the RECC and the Board of Directors, each of which is responsible for approving the reported risks and associated mitigation plans, as well as assessing the effectiveness of the mitigation. |
| | In addition, all Takeda employees receive online training on cyber threats as well as periodic e-mail reminders about best practices to safeguard from those threats. |
| | While Takeda’s cybersecurity risk management program is principally directed by TCR risk professionals, during the fiscal year ended March 31, 2025, Takeda initiated a multi-year program to invest further in its cybersecurity capabilities in part through the retention of a third-party managed security service provider (MSSP). The MSSP is responsible for facilitating cybersecurity operations, incident response and access management activities involving Takeda personnel and other third parties in a centralized and coordinated manner to enhance the effectiveness and efficiency of Takeda’s cybersecurity program. TCR risk professionals oversee the MSSP and remain principally responsible for cybersecurity risk management. Takeda also engages with other third parties for its cybersecurity program on an as-needed basis, including with respect to technical consulting and third-party digital forensic or cyber recovery partners in connection with incident response activities. |
| Cybersecurity Incident Response | Cybersecurity Incident Response |
| The TCR team has established an incident response procedure that governs our response to cybersecurity events and regularly conducts tabletop incident response exercises during the year. In the event a potential cybersecurity incident is detected, TCR’s core Information Security Incident Response Team (“ISIRT”) is responsible for investigation, analysis, containment and eradication of the threat, as well as recovery efforts, in coordination with other functions, such as Takeda’s Privacy Office, Human Resources, Crisis Management, Compliance and Legal, as needed depending on the severity and scope of the incident. Following recovery from an incident, ISIRT analyzes the underlying cause of the incident to identify and, as applicable, implement potential improvements to internal controls. While Takeda’s cybersecurity risk management program is principally managed by TCR risk professionals, it does engage third parties on an as-needed basis, including with respect to technical consulting and third-party digital forensic or cyber recovery partners in connection with incident response activities. | The TCR team has established an incident response procedure that governs our response to cybersecurity events and regularly conducts tabletop incident response exercises during the year. In the event a potential cybersecurity incident is detected, TCR’s core Cybersecurity Incident Response Team (“CIRT”) is responsible with the support of Takeda’s MSSP, for investigation, analysis, containment and eradication of the threat, as well as recovery efforts, in coordination with other functions, such as Takeda’s Privacy Office, Human Resources, Crisis Management, Compliance and Legal, as needed depending on the severity and scope of the incident. Following recovery from an incident, CIRT analyzes the underlying cause of the incident to identify and, as applicable, implement potential improvements to internal controls. |
| Cyber Incident Impacts | Cyber Incident Impacts |
| During the three fiscal years ended March 31, 2024, no risks from cybersecurity threats, including previous incidents, have materially affected or are reasonably likely to materially affect Takeda, including its business strategy, results of operations or financial condition. Notwithstanding our risk management efforts described above, we have been the target of cyberattacks and anticipate they will continue. Takeda cannot completely eliminate all risks associated with such attacks, which could have a material adverse effect on Takeda’s business strategy, results of operations or financial condition as further described in “Item 3.D. Risk Factors — Risks Relating to Our Business Strategies—We are increasingly dependent on information technology systems and our systems and infrastructure face the risk of misuse, theft, exposure, tampering or other intrusions”. | During the three fiscal years ended March 31, 2025, no risks from cybersecurity threats, including previous incidents, have materially affected or are reasonably likely to materially affect Takeda, including its business strategy, results of operations or financial condition. Notwithstanding our risk management efforts described above, we have been the target of cyber-attacks and anticipate they will continue. Takeda cannot completely eliminate all risks associated with such attacks, which could have a material adverse effect on Takeda’s business strategy, results of operations or financial condition as further described in “Item 3.D. Risk Factors—Risks Relating to Our Business Strategies—We are increasingly dependent on information technology systems and our systems and infrastructure face the risk of misuse, theft, exposure, tampering or other intrusions.” |
| Governance | Governance |
| Takeda’s Board of Directors (the “Board”) is ultimately responsible for overseeing Takeda’s management of cybersecurity risk and provides strategic direction for Takeda’s information security program and responses to cybersecurity risks and incidents. Takeda’s CISO generally provides an annual update to the Board on the status of Takeda’s information security program, including significant developments, and the Board receives reports of any decisions by any of Takeda’s Business and Sustainability Committee, Portfolio Review Committee or Risk, Ethics and Compliance Committee (see “Item 6. Directors, Senior Management and Employees—C. Board Practices—Takeda Executive Team”) related to cybersecurity. In addition, the Board reviews and approves the Enterprise Risk Assessment, which includes significant cybersecurity risk matters, on an annual basis. On an as-needed basis, the Board is informed of, and provides strategic direction on, significant cybersecurity risks or incidents, if and when identified, by the CISO and CDTO. | Takeda’s Board of Directors (the “Board”) is ultimately responsible for overseeing Takeda’s management of cybersecurity risk and provides strategic direction for Takeda’s information security program and responses to cybersecurity risks and incidents. Takeda’s CISO generally provides an annual update to the Board on the status of Takeda’s information security program, including significant developments, and the Board receives reports of any decisions by any of Takeda’s Business and Sustainability Committee, Portfolio Review Committee or Risk, Ethics and Compliance Committee (see “Item 6. Directors, Senior Management and Employees—C. Board Practices—Takeda Executive Team”) related to cybersecurity. In addition, the Board reviews and approves the Enterprise Risk Assessment, which includes significant cybersecurity risk matters, on an annual basis. |
| | On an as-needed basis, the Board is informed of, and provides strategic direction on, significant cybersecurity risks or incidents, if and when identified, by the CISO and CDTO. |
| The Risk, Ethics & Compliance Committee (“RECC”) is the governing management committee responsible for overseeing risk management, including cybersecurity risk. The RECC is composed of the Takeda Executive Team, including Takeda’s CDTO and is chaired by Takeda’s Chief Ethics and Compliance Officer. In addition, Takeda’s CISO attends RECC meetings for relevant agenda items and generally provides an update to the RECC on the status of Takeda’s information security program, including significant developments, on at least annual basis. On an as-needed basis, DD&T senior management escalates decisions regarding significant cybersecurity risks to the RECC, which also reviews and approves Takeda’s annual Enterprise Risk Assessment before it is approved by the Board. For a description of the relevant expertise of the CISO and of management’s role and processes in assessing and managing material risks from cybersecurity threats, see “—Risk management and strategy—Cybersecurity Risk Management Framework.” | The Risk, Ethics & Compliance Committee (“RECC”) is the governing management committee responsible for overseeing risk management, including cybersecurity risk. The RECC is composed of the Takeda Executive Team, including Takeda’s CDTO and is chaired by Takeda’s Chief Ethics and Compliance Officer. In addition, Takeda’s CISO attends RECC meetings for relevant agenda items and generally provides an update to the RECC on the status of Takeda’s information security program, including significant developments, on at least an annual basis. On an as-needed basis, DD&T senior management escalates decisions regarding significant cybersecurity risks to the RECC, which also reviews and approves Takeda’s annual Enterprise Risk Assessment before it is approved by the Board. |
| | For a description of the relevant expertise of the CISO and of management’s role and processes in assessing and managing material risks from cybersecurity threats, see “—Risk management and strategy—Cybersecurity Risk Management Framework.” |

 

 

・Sony

| 2024.06.25 20-F (Annual report - foreign issuer) | 2025.06.20 20-F (Annual report - foreign issuer) |
|---|---|
| Item 16K. Cybersecurity | Item 16K. Cybersecurity |
| Sony recognizes the importance of cybersecurity, both in achieving financial success for the company and in maintaining the trust of its stakeholders, which include shareholders, customers, employees, suppliers, and business partners. | Sony recognizes the importance of cybersecurity, both in achieving financial success for the company and in maintaining the trust of its stakeholders, which include shareholders, customers, employees, suppliers, and business partners. |
| Risk Management & Strategy | Risk Management & Strategy |
| As part of Sony’s risk management framework, Sony maintains and continuously strives to enhance its information security program. This program covers the entire Sony Group and is implemented in accordance with policies and standards, which include cybersecurity risk management and governance frameworks, and guidance, developed by Sony and based on globally recognized industry best practices and standards. The policies define information security responsibilities within Sony and outline certain actions and procedures that officers and employees are required to follow, including with respect to the assessment and management of cybersecurity risks to Sony, including its systems and information. The policies, standards, and guidance are structured to help Sony respond effectively to the dynamically changing environment of cybersecurity threats, cybersecurity risks, technologies, laws, and regulations. Sony modifies its policies, standards, and guidance as needed to adjust to this changing environment. | As part of Sony’s risk management framework, Sony maintains and continuously strives to enhance its information security program. This program covers the entire Sony Group and is implemented in accordance with policies and standards, which include cybersecurity risk management and governance frameworks, and guidance, developed by Sony and based on globally recognized industry best practices and standards. The policies define information security responsibilities within Sony and outline certain actions and procedures that officers and employees are required to follow, including with respect to the assessment and management of cybersecurity risks to Sony, including its systems and information. The policies, standards, and guidance are structured to help Sony respond effectively to the dynamically changing environment of cybersecurity threats, cybersecurity risks, technologies, laws, and regulations. |
| | Sony modifies its policies, standards, and guidance as needed to adjust to this changing environment. |
| If Sony’s cybersecurity risk management controls are overcome by a cyber attacker, Sony follows an incident response plan and escalation process as defined in the information security program. The response process includes an assessment of whether an incident may be material, and this assessment is adjusted as necessary as additional facts become known during the incident response. Any incident that is assessed as potentially material is escalated to Sony’s senior management and is reported to the two outside Directors in charge of information security on Sony Group Corporation’s Board of Directors (the “Board”). | If Sony’s cybersecurity risk management controls are overcome by a cyber attacker, Sony follows an incident response plan and escalation process as defined in the information security program. The response process includes an assessment of whether an incident may be material, and this assessment is adjusted as necessary as additional facts become known during the incident response. Any incident that is assessed as potentially material is escalated to Sony’s senior management and is reported to the two outside Directors in charge of information security on Sony Group Corporation’s Board of Directors (the “Board”). |
| In the fiscal year ended March 31, 2024, Sony was the victim of several cyberattacks. None of these incidents was assessed to be material, nor did they materially affect Sony’s business strategy, the results of its operations, or its financial condition. However, there can be no guarantee that this will be the case with a future incident. For more information about risks Sony faces from cyberattacks, please refer to “Sony’s brand image, reputation and business may be harmed and Sony may be subject to legal claims if there is a breach or other compromise of Sony’s information security or that of its third-party service providers or business partners.” included in “Risk Factors” in “Item 3. Key Information.” | In the fiscal year ended March 31, 2025, Sony was the victim of several cyberattacks. None of these incidents was assessed to be material, nor did they materially affect Sony’s business strategy, the results of its operations, or its financial condition. However, there can be no guarantee that this will be the case with a future incident. For more information about risks Sony faces from cyberattacks, please refer to “Sony’s brand image, reputation and business may be harmed and Sony may be subject to legal claims if there is a breach or other compromise of Sony’s information security or that of its third-party service providers or business partners.” included in “Risk Factors” in “Item 3. Key Information.” |
| Sony has also established policies and processes to help identify and manage cybersecurity risks associated with third parties, including companies that provide services and products to Sony, and companies that hold Sony information or have electronic access to Sony systems or information. The policies and processes include assessment of the cybersecurity and privacy programs at certain third parties, the use of this risk information when making contracting decisions, and the use of contract language that includes cybersecurity and privacy requirements. | Sony has also established policies and processes to help identify and manage cybersecurity risks associated with third parties, including companies that provide services and products to Sony, and companies that hold Sony information or have electronic access to Sony systems or information. The policies and processes include assessment of the cybersecurity and privacy programs at certain third parties, the use of this risk information when making contracting decisions, and the use of contract language that includes cybersecurity and privacy requirements. |
| Most of the information security program is implemented by Sony employees. Sony also engages the services of external providers to enhance and support its information security program, including leading cyber response specialists as may be needed, and consultants to evaluate and help improve organization, policies, and other aspects of the program. | Most of the information security program is implemented by Sony employees. Sony also engages the services of external providers to enhance and support its information security program, including leading cyber response specialists as may be needed, and consultants to evaluate and help improve organization, policies, and other aspects of the program. |
| Structure and Governance of Sony’s Information Security Program | Structure and Governance of Sony’s Information Security Program |
| Sony’s information security program is under the responsibility of a Senior Executive, specifically, the Sony Group Chief Digital Officer (“CDO”), and the Sony Group Chief Information Security Officer (“CISO”), who reports to the CDO. | Sony’s information security program is under the responsibility of a Senior Executive, specifically, the Sony Group Chief Digital Officer (“CDO”), and the Sony Group Global Information Security Officer (“GISO”), who reports to the CDO. |
| Under the leadership of the CDO and CISO, and supported by a global information security team that works across the entire Sony Group, Sony implements the cybersecurity risk management and governance frameworks that are described in its policies and standards. Each business segment of Sony has a senior information security leader, called an Executive Information Security Officer (“EISO”), who reports both to the CISO and to the senior management of the particular business unit. EISOs and their associated teams are responsible for ensuring implementation and operation of the information security program in a way that is tailored to each specific business unit, including as it relates to the assessment and management of cybersecurity risks. The CISO coordinates with the EISOs to monitor the proper implementation and compliance with Sony’s cybersecurity policies and standards. | Under the leadership of the CDO and the GISO, and supported by a global information security team that works across the entire Sony Group, Sony implements the cybersecurity risk management and governance frameworks that are described in its policies and standards. Each business segment of Sony has a senior information security leader, called an Executive Information Security Officer (“EISO”), who reports both to the GISO and to the senior management of the particular business unit. The EISOs and their associated teams are responsible for ensuring implementation and operation of the information security program in a way that is tailored to each specific business unit, including as it relates to the assessment and management of cybersecurity risks. The GISO coordinates with the EISOs to monitor the implementation of Sony’s cybersecurity policies and standards. |
| The current CDO has experience within Sony in launching and overseeing the development, technical operation, and business operations of large-scale network products and services, including overseeing implementation and operation of the information security program. The current CISO has more than 40 years of experience in cybersecurity. Before joining Sony, the CISO served as Deputy Chief Information Officer for Cybersecurity of the U.S. Department of Defense (the department’s equivalent of a CISO) and before that, as the Chief Information Assurance Executive at the Defense Information Systems Agency (DISA), an agency of the U.S. Department of Defense. | The current CDO has experience in launching and overseeing the development, technical operation, and business operations of large-scale network products and services at Sony, including overseeing implementation and operation of the information security program. The current GISO has more than 40 years of experience in cybersecurity. Before joining Sony, the GISO served as Deputy Chief Information Officer for Cybersecurity of the U.S. Department of Defense (the Department’s equivalent of a Chief Information Security Officer) and before that, as the Chief Information Assurance Executive at the Defense Information Systems Agency (DISA), an agency of the U.S. Department of Defense. |
| To oversee the information security program, the Sony Group CEO and COO receive regular reports from the CDO, monthly reports from the CISO, additional reports as needed during the response to a cyber incident, and briefings from the CDO and CISO at various times during the year. The head of each Sony business segment also receives the monthly reports from the CDO and the CISO, as well as reports and briefings from the business segment EISO. | The Sony Group CEO receives regular reports from the CDO and/or the GISO, additional reports as needed during the response to a cyber incident, and briefings from the CDO and GISO at various times during the year. The head of each Sony business segment also receives regular briefings from the CDO and the GISO, as well as reports and briefings from the business segment EISO. |
| The Board oversees Sony’s information security efforts, including in the following ways: | The Board oversees Sony’s information security risks, significant incidents, policies and key initiatives, including in the following ways. The full Board receives reports from the outside Directors in charge of information security as well as briefings several times a year from the CDO and the GISO, and also engages in discussion of these matters. |
| • Two outside Directors oversee Sony’s information security efforts, via monthly meetings and ad-hoc incident response communications with the CDO and CISO. Those meetings address, among other matters, significant cybersecurity incidents and Sony Group-level policies and key initiatives regarding cybersecurity. | • As of the date of this report, the following two outside Directors oversee Sony’s information security efforts, via monthly meetings and ad-hoc incident response communications with the CDO and GISO.(*) |
| - One of these two outside Directors has extensive experience in the development of large-scale information systems, including experience with management of the risks associated with cyberattacks. | - Joseph A. Kraft Jr., outside Director, serves simultaneously as the Chair of the Audit Committee. |
| - The other outside Director serves simultaneously as the Chair of the Audit Committee. | - Neil Hunt, outside Director, has extensive experience in the development of large-scale information systems, including experience with the management of cybersecurity risks. |
| • The full Board receives reports from the outside Directors in charge of information security and briefings several times a year from the CDO and the CISO. The full Board also engages in discussion of these matters. | * Sony Group Corporation has proposed “To elect 11 Directors” as an agenda item for the Ordinary General Meeting of Shareholders to be held on June 24, 2025. If the proposal is approved, three (3) outside Directors in charge of information security (the current outside Directors Joseph A. Kraft Jr. and Neil Hunt, and a new outside Director, Ms. Nora Denzel) will be appointed at the Board of Directors meeting to be held after the Ordinary General Meeting of Shareholders. |
| | - Ms. Nora Denzel has wide experience in information technology cultivated at several Silicon Valley-based companies, including experience with the management of cybersecurity risks. |
・Toyota

・2024.06.25 20-F (Annual report - foreign issuer)
ITEM 16K.CYBERSECURITY
Cybersecurity Risk Management and Strategy
The process at TMC for managing cybersecurity risks is integrated into the TGRS, a company-wide risk management framework based on ISO and COSO. For instance, based on the TGRS, TMC identifies cybersecurity risks, determines their degree of significance, and sets priorities to enable an effective response. For a further discussion of TMC’s company-wide risk management, see “Item 4. Information on TMC — 4.B. Business Overview — Climate Change-related Disclosures — Risk Management” in this annual report.
As part of TMC’s cybersecurity risk management process, TMC has a cybersecurity team established within the information systems field that gathers information concerning cybersecurity-related trends and case examples relating to other companies from third parties such as governmental security agencies, cybersecurity companies and software vendors, and monitors cyberattacks from external sources. In addition, by being a member of the Automotive Information Sharing & Analysis Center (Auto-ISAC) in Japan and the U.S., TMC is able to learn promptly about problematic events that occur within the industry and puts the information to use to improve and implement cybersecurity measures. Furthermore, TMC also actively collaborates with outside experts to gain outside knowledge and uses it to improve security. TMC also is a member of the Nippon Computer Security Incident Response Team (CSIRT) Association, which shares information about incidents, vulnerabilities, and signs of attacks, among member companies.
The team also shares information about security threats with Toyota’s overseas regional headquarters, which then share information within their own regions and implement countermeasures as necessary. Similarly, in the area of product security, the groups in charge of automotive security within the specialized team promotes automotive security initiatives throughout the entire automotive lifecycle in collaboration with the automotive development field, including product development with security-by-design and multi-layered protection in mind, in addition to compliance with international regulations and standards such as UNR155*1 and ISO/SAE 21434*2, and the collection and monitoring of threat and vulnerability information.
 *1 Regulations concerning cybersecurity, which were adopted at the World Forum for the Harmonization of Vehicle Regulations (WP.29) in June 2020
 *2 International standards concerning cyber security of electrical/electronic systems of automobiles
TMC also provides information security training for all of TMC’s employees, including secondees and dispatched employees, such as through activities to raise awareness during “Information Security Reinforcement Months,” educational or warning information displayed at the startup of individuals’ personal computers, and unannounced training to test responses to targeted-attack-type emails.
In addition, third-party organizations with expertise in cybersecurity and risk management evaluate, based on such standards as those of the U.S National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), NIST’s Special Publications (SP) Series, ISO and International Electrotechnical Commission (IEC), the condition of the management and technical aspects of TMC’s security measures for information technology, operational technology, products and other areas. TMC implements measures to address problems identified through these evaluations as needed, working to raise the level of security.
TMC has an ongoing process in place to monitor known access routes to its systems, block potential threats, and evaluate incidents as they are identified. This process also applies to the systems of certain subsidiaries as well as certain third-party distributors, suppliers, and service providers.
TMC has issued the All Toyota Security Guidelines (“ATSG”), which are guidelines for identifying and mitigating cybersecurity risks, to TMC’s consolidated subsidiaries, as well as third party dealers and rental or leasing agencies in Japan, requesting them to conduct self-inspections covering more than 100 items and enhance cybersecurity measures. In addition, the cybersecurity team carries out on-site audits by visiting the subsidiaries and other entities that the ATSG applies to, to check responses to the ATSG and the status of implementation of physical security measures at each company. TMC has also requested TMC’s key suppliers to enhance their cybersecurity measures based on the guidelines that are equivalent to the ATSG.
No material cybersecurity incident has occurred to Toyota to date. In fiscal 2024, Toyota did not identify cybersecurity risks from cybersecurity threats, including as a result of past cybersecurity incidents, that are reasonably likely to materially affect Toyota, including its business strategy, results of operations, or financial condition. However, despite the capabilities, processes, and other security measures we employ that we believe are designed to assess, identify, and mitigate the risk of cybersecurity incidents, we may not be aware of all vulnerabilities or might not accurately assess the risks of incidents, and such preventative measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks. For a further discussion of risks that may materially affect Toyota if a cybersecurity threat materializes and other matters, see “Risk Factors” in this annual report.
Cybersecurity Governance
TMC considers cybersecurity risk to be a particularly important risk within its risk management framework and one of the areas of focus for its board of directors, audit & supervisory board, and management. As part of the company-wide risk management process, in addition to developing the TGRS described above, TMC has established a governance and risk subcommittee that includes members of the board of directors and audit & supervisory board, as well as the Chief Information & Security Officer (“CISO”) as a member in charge of cybersecurity. The subcommittee discusses cybersecurity as one of the company-wide risks.
TMC’s cybersecurity team is led by the CISO and reports serious cybersecurity risks or incidents to the board of directors and the audit & supervisory board as they arise.
In addition, the members of the Information Security Management Meeting, which is held approximately four times a year, receives reports on and oversees the status of cybersecurity risks and incidents at TMC. This body, chaired by the CISO, is attended by responsible personnel assigned to each security area, such as confidential information management, information systems, and supply chain. Participants report and share information about security risks and the status of incidents.
Of such information, material matters are reported by the CISO to the board of directors and audit & supervisory board through the CRO, who is responsible for overall risk management.
In addition to the meeting mentioned above, the cybersecurity team is in close contact with full-time audit & supervisory board members, providing regular reports and receiving and responding to their inquiries about the state of TMC’s approach to cybersecurity and incident trends in the world.
TMC’s process for identifying, tracking and managing cybersecurity risks on a daily basis is primarily carried out by the cybersecurity team led by the CISO.
The cybersecurity team consists of professionals with cybersecurity expertise. Among the members, the CISO has gained experience in the development of in-vehicle software and on-board devices since joining TMC and has insights into information technologies such as software and cloud services. The CISO also gained experience in the field of cybersecurity since 2016, when he became an officer of Toyota’s Connected Company, and thus has knowledge of and insights into cybersecurity.
TMC has a process where cybersecurity incidents at TMC or TMC’s group companies or suppliers is reported to an appropriate cybersecurity team in a timely manner as it occurs and escalated to the CISO according to the severity of the incident.
In addition, TMC has the Toyota Motor Corporation-Security Incident Response Team (TMC-SIRT), a response team including members of management, and has established a system to take appropriate and prompt action to resolve incidents. The TMC-SIRT does not only respond to cybersecurity incidents at TMC, but also provides support for incidents at TMC’s subsidiaries in Japan and overseas and key suppliers in Japan as necessary to bring the situation under control.
The CISO is responsible for managing the cybersecurity risks and strategic processes described above, as well as overseeing the prevention, mitigation, detection, and remediation of cybersecurity incidents.

・2025.06.25 20-F (Annual report - foreign issuer)
ITEM 16K.CYBERSECURITY
Cybersecurity Risk Management and Strategy
The process at TMC for managing cybersecurity risks is integrated into the TGRS, a company-wide risk management framework based on ISO and COSO. For instance, based on the TGRS, TMC identifies cybersecurity risks, determines their degree of significance, and sets priorities to enable an effective response. For a further discussion of TMC’s company-wide risk management, see “Item 4. Information on TMC — 4.B. Business Overview — Climate Change-related Disclosures — Risk Management” in this annual report.
As part of TMC’s cybersecurity risk management process, TMC has a cybersecurity team established within the information systems field that gathers information concerning cybersecurity-related trends and case examples relating to other companies from third parties such as governmental security agencies, cybersecurity companies and software vendors, and monitors cyberattacks from external sources. In addition, by being a member of the Automotive Information Sharing & Analysis Center (Auto-ISAC) in Japan and the U.S., TMC is able to learn promptly about problematic events that occur within the industry and puts the information to use to improve and implement cybersecurity measures. Furthermore, TMC also actively collaborates with outside experts to gain outside knowledge and uses it to improve security.
TMC also is a member of the Nippon Computer Security Incident Response Team (CSIRT) Association, which shares information about incidents, vulnerabilities, and signs of attacks, among member companies.
The team also shares information about security threats with Toyota’s overseas regional headquarters, which then share information within their own regions and implement countermeasures as necessary. Similarly, in the area of product security, the groups in charge of automotive security within the specialized team promotes automotive security initiatives throughout the entire automotive lifecycle in collaboration with the automotive development field, including product development with security-by-design and multi-layered protection in mind, in addition to compliance with international regulations and standards such as UNR155*1 and ISO/SAE 21434*2, and the collection and monitoring of threat and vulnerability information.
 *1 Regulations concerning cybersecurity, which were adopted at the World Forum for the Harmonization of Vehicle Regulations (WP.29) in June 2020
 *2 International standards concerning cyber security of electrical/electronic systems of automobiles
TMC also provides information security training for all of TMC’s employees, including secondees and dispatched employees, such as through activities to raise awareness during “Information Security Reinforcement Months,” educational or warning information displayed at the startup of individuals’ personal computers, and unannounced training to test responses to targeted-attack-type emails.
In addition, third-party organizations with expertise in cybersecurity and risk management evaluate, based on such standards as those of the U.S National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), NIST’s Special Publications (SP) Series, ISO and International Electrotechnical Commission (IEC), the condition of the management and technical aspects of TMC’s security measures for information technology, operational technology, products and other areas. TMC implements measures to address problems identified through these evaluations as needed, working to raise the level of security.
TMC has an ongoing process in place to monitor known access routes to its systems, block potential threats, and evaluate incidents as they are identified. This process also applies to the systems of certain subsidiaries as well as certain third-party distributors, suppliers, and service providers.
TMC has issued the All Toyota Security Guidelines (“ATSG”), which are guidelines for identifying and mitigating cybersecurity risks, to TMC’s consolidated subsidiaries, as well as third party dealers and rental or leasing agencies in Japan, requesting them to conduct self-inspections covering more than 100 items and enhance cybersecurity measures. In addition, the cybersecurity team carries out on-site audits by visiting the subsidiaries and other entities that the ATSG applies to, to check responses to the ATSG and the status of implementation of physical security measures at each company. TMC has also requested TMC’s key suppliers to enhance their cybersecurity measures based on the guidelines that are equivalent to the ATSG.
No material cybersecurity incident has occurred to Toyota to date. In fiscal 2024, Toyota did not identify cybersecurity risks from cybersecurity threats, including as a result of past cybersecurity incidents, that are reasonably likely to materially affect Toyota, including its business strategy, results of operations, or financial condition. However, despite the capabilities, processes, and other security measures we employ that we believe are designed to assess, identify, and mitigate the risk of cybersecurity incidents, we may not be aware of all vulnerabilities or might not accurately assess the risks of incidents, and such preventative measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks. For a further discussion of risks that may materially affect Toyota if a cybersecurity threat materializes and other matters, see “Risk Factors” in this annual report.
Cybersecurity Governance
TMC considers cybersecurity risk to be a particularly important risk within its risk management framework and one of the areas of focus for its board of directors, audit & supervisory board, and management. As part of the company-wide risk management process, in addition to developing the TGRS described above, TMC has established a governance and risk subcommittee that includes members of the board of directors and audit & supervisory board, as well as the Chief Information & Security Officer (“CISO”) as a member in charge of cybersecurity. The subcommittee discusses cybersecurity as one of the company-wide risks.
TMC’s cybersecurity team is led by the CISO and reports serious cybersecurity risks or incidents to the board of directors and the audit & supervisory board as they arise.
In addition, the members of the Information Security Management Meeting, which is held approximately four times a year, receives reports on and oversees the status of cybersecurity risks and incidents at TMC. This body, chaired by the CISO, is attended by responsible personnel assigned to each security area, such as confidential information management, information systems, and supply chain. Participants report and share information about security risks and the status of incidents.
Of such information, material matters are reported by the CISO to the board of directors and audit & supervisory board through the CRO, who is responsible for overall risk management.
In addition to the meeting mentioned above, the cybersecurity team is in close contact with full-time audit & supervisory board members, providing regular reports and receiving and responding to their inquiries about the state of TMC’s approach to cybersecurity and incident trends in the world.
TMC’s process for identifying, tracking and managing cybersecurity risks on a daily basis is primarily carried out by the cybersecurity team led by the CISO.
The cybersecurity team consists of professionals with cybersecurity expertise. Among the members, the CISO has gained experience in the development of in-vehicle software and on-board devices since joining TMC and has insights into information technologies such as software and cloud services. The CISO also gained experience in the field of cybersecurity since 2016, when he became an officer of Toyota’s Connected Company, and thus has knowledge of and insights into cybersecurity.
TMC has a process where cybersecurity incidents at TMC or TMC’s group companies or suppliers is reported to an appropriate cybersecurity team in a timely manner as it occurs and escalated to the CISO according to the severity of the incident.
In addition, TMC has the Toyota Motor Corporation-Security Incident Response Team (TMC-SIRT), a response team including members of management, and has established a system to take appropriate and prompt action to resolve incidents. The TMC-SIRT does not only respond to cybersecurity incidents at TMC, but also provides support for incidents at TMC’s subsidiaries in Japan and overseas and key suppliers in Japan as necessary to bring the situation under control.
The CISO is responsible for managing the cybersecurity risks and strategic processes described above, as well as overseeing the prevention, mitigation, detection, and remediation of cybersecurity incidents.
・Honda

・2024.06.20 20-F (Annual report - foreign issuer)
Item 16K. Cybersecurity
Risk Management and Strategy
Honda has established a management system and standards for information system security in order to minimize the negative impact on its business and business results from the occurrence of cybersecurity incidents. Based on these standards, we have implemented security measures in both hardware and software aspects to strengthen the security of our information systems. To address security, including product security, we have established a cross-functional system across business and manufacturing systems, software, quality, and other areas.
We develop rules and procedures based on laws and regulations, formulate response flows, verify and implement measures for improvement through cybersecurity exercises, and develop human resources, among other things. We also utilize solutions for managing cybersecurity information and monitoring malicious activities to monitor and analyze cybersecurity threats and vulnerabilities, and in the event of a security incident related to a cyberattack with a significant impact on Honda, we establish a Global Emergency Headquarters under the supervision and monitoring of the Risk Management Officer, and the supervisory division in charge of risks from cybersecurity threats plays a central role in quickly ascertaining the actual situation and taking measures to minimize the impacts of cybersecurity incidents from a company-wide perspective.
When implementing third-party packaged software and cloud services, we make decisions based on risk assessments following established security standards and conduct annual checks after implementation. In response to cyberattacks on production facilities and suppliers, we verify the status of security measures at both domestic and overseas production facilities and suppliers. Based on the results of these verifications, we take measures to strengthen security, such as supporting the introduction of solutions for managing cybersecurity incident information, and monitoring malicious activities. For such activities to strengthen security, we have concluded outsourcing agreements with security consulting companies and external specialists to receive support.
With regard to personal information protection regulations and cybersecurity-related laws and regulations in various countries, in addition to current regulations, we collect and monitor information on regulatory trends that are expected to be enforced in the future.
These comprehensive cybersecurity response processes are incorporated into Honda’s comprehensive risk management system and will be discussed in detail in the following “Governance” section.
For a description of information security-related risks, including risks from cybersecurity threats, identified by Honda as of the filing date of this Annual Report, please refer to Item 3. “Key Information—D. Risk Factors—Information Security Risks”.
Honda has been targeted by cyberattacks in the past; however, no risks from cybersecurity threats have been identified that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, over the past three fiscal years, including the fiscal year that is the subject of this annual report.
Governance
Based on the resolution of the Board of Directors, the Board of Directors has appointed the Director, Executive Vice President and Representative Executive Officer as the Risk Management Officer, who monitors and supervises the response status of significant risks, including risks from cybersecurity threats.
The Risk Management Committee, chaired by the Risk Management Officer, has been established to deliberate on important matters related to risk management, including risk from cybersecurity threats. Honda has established the Honda Global Risk Management Policy, which stipulates the Company’s basic policy for risk management, the collection of risk information, and the response system in the event of risk occurrence.
In accordance with the aforementioned Policy, Honda has designated its cybersecurity supervisory divisions to conduct risk assessments and report the status of cybersecurity risk responses to the Risk Management Officer through the Risk Management Committee. The designated cybersecurity supervisory divisions consisted of 64 members as of the filing date of this Annual Report with practical experience in various roles related to information technology, including security, auditing, and systems are established in both the Quality Innovation Operations and Corporate Administration Operations divisions. The Risk Management Officer, who has knowledge and experience in overall risk management, receives technical support from the cybersecurity risk supervisory divisions, and monitors and supervises the responses to risks from cybersecurity threats.
In the event of a material cybersecurity incident, the cybersecurity risk supervisory divisions are to immediately report it to the Risk Management Officer. Upon receiving the report, the Risk Management Officer is to establish a Global Emergency Headquarters, which coordinate with relevant organizations affected by the incident in order to prevent and contain the crisis. Such response status is reported to the Board of Directors and the Executive Council as necessary based on the judgment of the Risk Management Officer.

・2025.06.18 20-F (Annual report - foreign issuer)
Item 16K. Cybersecurity
Risk Management and Strategy
Honda has established a management system and standards for information system security in order to minimize the negative impact on its business and business results from the occurrence of cybersecurity incidents. Based on these standards, we have implemented security measures in both hardware and software aspects to strengthen the security of our information systems. To address security, including product security, we have established a cross-functional system across business and manufacturing systems, software, quality, and other areas.
We develop rules and procedures based on laws and regulations, formulate response flows, verify and implement measures for improvement through cybersecurity exercises, and develop human resources, among other things. We also utilize solutions for managing cybersecurity information and monitoring malicious activities to monitor and analyze cybersecurity threats and vulnerabilities, and in the event of a security incident related to a cyberattack with a significant impact on Honda, we establish a Global Emergency Headquarters under the supervision and monitoring of the Risk Management Officer, and the supervisory division in charge of risks from cybersecurity threats plays a central role in quickly ascertaining the actual situation and taking measures to minimize the impacts of cybersecurity incidents from a company-wide perspective.
When implementing third-party packaged software and cloud services, we make decisions based on risk assessments following established security standards and conduct annual checks after implementation. In response to cyberattacks on production facilities and suppliers, we verify the status of security measures at both domestic and overseas production facilities and suppliers. Based on the results of these verifications, we take measures to strengthen security, such as supporting the introduction of solutions for managing cybersecurity incident information, and monitoring malicious activities. For such activities to strengthen security, we have concluded outsourcing agreements with security consulting companies and external specialists to receive support.
With regard to personal information protection regulations and cybersecurity-related laws and regulations in various countries, in addition to current regulations, we collect and monitor information on regulatory trends that are expected to be enforced in the future.
These comprehensive cybersecurity response processes are incorporated into Honda’s comprehensive risk management system and will be discussed in detail in the following “Governance” section.
For a description of information security-related risks, including risks from cybersecurity threats, identified by Honda as of the filing date of this Annual Report, please refer to Item 3. “Key Information—D. Risk Factors—Information Security Risks”.
Honda has been targeted by cyberattacks in the past; however, no risks from cybersecurity threats have been identified that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, over the past three fiscal years, including the fiscal year that is the subject of this annual report.
Governance
Based on the resolution of the Board of Directors, the Board of Directors has appointed the Senior Managing Executive Officer and Chief Officer for Automobile Operations as the Risk Management Officer*, who monitors and supervises the response status of significant risks, including risks from cybersecurity threats.
The Risk Management Committee, chaired by the Risk Management Officer, has been established to deliberate on important matters related to risk management, including risk from cybersecurity threats. Honda has established the Honda Global Risk Management Policy, which stipulates the Company’s basic policy for risk management, the collection of risk information, and the response system in the event of risk occurrence.
In accordance with the aforementioned Policy, Honda has designated its cybersecurity supervisory divisions to conduct risk assessments and report the status of cybersecurity risk responses to the Risk Management Officer through the Risk Management Committee. The designated cybersecurity supervisory divisions consists of members with practical experience in various roles related to information technology, including security, auditing, and systems are established in both the Quality Innovation Operations and Corporate Administration Operations divisions. The Risk Management Officer, who has knowledge and experience in overall risk management, receives technical support from the cybersecurity risk supervisory divisions, and monitors and supervises the responses to risks from cybersecurity threats.
In the event of a material cybersecurity incident, the cybersecurity risk supervisory divisions are to immediately report it to the Risk Management Officer through the Risk Management Committee. Upon receiving the report, the Risk Management Officer is to establish a Global Emergency Headquarters, which coordinate with relevant organizations affected by the incident in order to prevent and contain the crisis. Such response status is reported to the Board of Directors and the Executive Council as necessary based on the judgment of the Risk Management Officer.
  * After the ordinary general meeting of shareholders to be held on June 19, 2025 and the resolution of the Board of Directors following such meeting, the position will become Director, Senior Managing Executive Officer and Chief Officer for Automobile Operations.
⚫︎ まるちゃんの情報セキュリティ気まぐれ日記

・2024.10.25 US SEC: Unisys, Check Point and others pay penalties for misleading security disclosures in annual reports...

・2024.07.19 Cybersecurity disclosures under the amended SEC rules (20-F): the cases of Alibaba, SOHU and NetEase

・2024.07.15 Cybersecurity disclosures under the amended SEC rules (20-F): the cases of Sumitomo Mitsui Financial, ORIX, Mizuho Financial, Nomura, Takeda, Sony, Toyota and Honda (MUFG also added)

・2024.07.14 Cybersecurity disclosures under the amended SEC rules (10-K): the cases of IBM, Intel, Boeing, AMEX, Johnson & Johnson, Pfizer, Coca-Cola and McDonald's

2025.07.28

China: Global AI Governance Action Plan (2025.07.26)

Hello, this is Mitsuhiko Maruyama.

On 2025.07.10 the European Commission published its "General-Purpose AI Code of Practice", and on 2025.07.23 the Trump administration in the US announced its "AI Action Plan"; now, on 2025.07.26, China has announced its "Global AI Governance Action Plan"...

As with the Internet itself, it positions AI as a public good, argues that an inclusive, multi-stakeholder governance model is the right approach, and proposes establishing a "World AI Cooperation Organization"...

Overview...

1. Seize the opportunities of AI together
2. Promote the innovative development of AI
3. Advance the use of AI across all industries
4. Accelerate the construction of digital infrastructure
5. Build a diverse and open innovation ecosystem
6. Actively promote the supply of high-quality data
7. Respond effectively to energy and environmental issues
8. Promote consensus on standards and norms
9. Have the public sector take the lead in adoption and use
10. Implement AI security governance
11. Jointly implement the "Global Digital Compact"
12. Strengthen international cooperation on AI capacity building
13. Build an inclusive, multi-stakeholder governance model

 

Major countries such as the US, Europe, China, the UK and Japan say they will invest actively in AI, seeing it as a major key for national security going forward too... India, with its strong IT sector, is of course also putting effort into AI...

Judging from the voices of AI people in Japan and abroad, the impression seems to be that China's recent advances are remarkable...

 

⚫︎ Central People's Government of the People's Republic of China

Speech...

・2025.07.26 李强出席2025世界人工智能大会暨人工智能全球治理高级别会议开幕式并致辞 (Li Qiang attends and addresses the opening ceremony of the 2025 World Artificial Intelligence Conference and the High-Level Meeting on Global AI Governance)

Li Qiang attends and addresses the opening ceremony of the 2025 World Artificial Intelligence Conference and the High-Level Meeting on Global AI Governance
Xinhua, Shanghai, July 26 (reporters Wang Huihui, Gong Wen): Premier of the State Council Li Qiang attended the opening ceremony of the 2025 World Artificial Intelligence Conference and the High-Level Meeting on Global AI Governance in Shanghai on July 26 and delivered a speech.
Li Qiang said that during his inspection tour of Shanghai this April, President Xi Jinping stressed that AI technology is iterating rapidly and entering a phase of explosive development, and that policy support and talent cultivation must be strengthened in an effort to develop more safe, reliable and high-quality products. At present, a global wave of intelligentization is surging, and innovation in the AI field shows a trend of breakthroughs across the board: large language models, large multimodal models, embodied intelligence and other areas are advancing by the day, pushing AI rapidly toward greater efficiency and stronger intelligence. The deep integration of AI with the real economy is ever more evident; it has begun to empower every industry and enter millions of households, becoming a new engine of economic growth and permeating every aspect of social life. At the same time, the risks and challenges AI brings have attracted broad attention, and further consensus is urgently needed on how to strike a balance between development and security. However technology changes, it should be used and controlled by humanity and develop in a direction that is beneficial and inclusive. AI should also become an international public good that benefits humanity.
On how to grasp the public-good attributes of AI and advance AI development and governance, Li Qiang put forward three proposals. First, place greater emphasis on accessibility and inclusiveness, and make full use of the achievements already made in AI development. We should adhere to openness and sharing and to equal access to intelligence, so that more countries and groups benefit. China's "AI Plus" initiative is advancing steadily, and China is willing to share its development experience and technology products to help countries around the world, especially those of the Global South, strengthen capacity building, so that the fruits of AI development better benefit the whole world. Second, place greater emphasis on innovation and cooperation, striving for more breakthrough achievements in AI science and technology. We should deepen cooperation in basic science and technology R&D, strengthen exchanges among enterprises and talent, and continuously inject new momentum into AI development. China is willing to work jointly with other countries on key technologies, step up open-source and openness efforts, and together push AI development to a higher level. Third, place greater emphasis on joint governance, ensuring that AI ultimately bears fruit in benefiting humanity. We should coordinate development and security, strengthen alignment and coordination among countries, and promote the early formation of a global AI governance framework and rules with broad consensus. China attaches great importance to global AI governance, actively participates in and promotes multilateral and bilateral cooperation, and is willing to offer more Chinese solutions and contribute more Chinese wisdom to the international community. The Chinese government proposes establishing a World AI Cooperation Organization.
UN Secretary-General Guterres and others also delivered addresses. More than 1,000 guests from China and abroad and representatives from AI industry, academia and research attended the opening ceremony.
After the opening ceremony, Li Qiang toured the exhibition halls together with the foreign guests and representatives of international organizations in attendance, and exchanged views with heads of relevant research institutions and enterprises.
The conference issued the "Global AI Governance Action Plan".
Chen Jining and Wu Zhenglong also attended the above events.

 

Full text...

・2025.07.26 Global AI Governance Action Plan (full text)

Global AI Governance Action Plan (full text)
Xinhua, Shanghai, July 26: On July 26, the 2025 World Artificial Intelligence Conference and High-Level Meeting on Global AI Governance released the Global AI Governance Action Plan. The full text follows.
Global AI Governance Action Plan
Artificial intelligence (AI) is a new frontier of human development, an important driving force of the new round of scientific and technological revolution and industrial transformation, and can also be an international public good that benefits humanity. AI brings unprecedented development opportunities, but also unprecedented risks and challenges. In the intelligent era, only through solidarity across the globe can we fully unleash AI's potential while ensuring that its development is safe, reliable, controllable and fair, ultimately fulfilling the relevant commitments of the UN Pact for the Future and its annex, the Global Digital Compact, and creating an inclusive, open, sustainable, fair, safe and reliable digital and intelligent future for all.
To this end, we put forward this Global AI Governance Action Plan and call on all parties, on the basis of the goals and principles of AI for good and for the people, respect for sovereignty, development orientation, safety and controllability, fairness and inclusiveness, and openness and cooperation, to take concrete and effective action and jointly advance global AI development and governance.
1. Jointly seize the opportunities of AI. We call on all actors, including governments, international organisations, enterprises, research institutions and universities, civil society organisations and individual citizens, to participate actively and work together to accelerate the construction of digital infrastructure, jointly explore frontier innovation in AI technology, promote the global spread and application of AI, and maximise AI's enormous potential to empower global economic and social development, help implement the UN 2030 Agenda for Sustainable Development and address global challenges.
2. Promote innovative development of AI. Uphold the spirit of openness and sharing, encourage bold experimentation and exploration, build international platforms for scientific and technological cooperation of all kinds, create an innovation-friendly policy environment, strengthen policy and regulatory coordination, promote technological cooperation and the translation of results, reduce and remove technical barriers, jointly drive innovative breakthroughs and sustained development of AI technology, deeply explore open "AI+" application scenarios, and raise the level of AI innovation and development worldwide.
3. Promote AI empowerment across all industries. Advance AI empowerment in industrial manufacturing, consumption, commerce and logistics, healthcare, education, agriculture, poverty reduction and other fields; promote the deep application of AI in scenarios such as autonomous driving and smart cities; and build a rich, diverse, healthy and beneficial AI application ecosystem. Promote the construction and sharing of intelligent infrastructure, carry out cross-border cooperation on AI applications, exchange best practices, and jointly explore how AI can fully empower the real economy.
4. Accelerate the construction of digital infrastructure. Accelerate the construction of infrastructure such as clean power, next-generation networks, intelligent computing power and data centres worldwide; improve the layout of interoperable AI and digital infrastructure; promote the construction of a unified system of computing-power standards; support all countries, especially the Global South, in developing AI technologies and services suited to their national conditions; help the Global South genuinely access and apply AI; and promote inclusive and universally beneficial AI development.
5. Build a diverse and open innovation ecosystem. Make full use of the roles of diverse actors and platform mechanisms such as governments, industry and academia; jointly promote international exchange and dialogue on AI governance; build cross-border open-source communities and safe, reliable open-source platforms; promote the open sharing of basic resources; lower the barriers to technological innovation and application; avoid duplicated investment and wasted resources; and make AI technology services more inclusive and accessible. Promote the construction of an open-source compliance system, clarify and implement technical security guidelines for open-source communities, promote the open sharing of development resources such as technical documentation and interface documentation, strengthen open-source ecosystem building such as compatibility and interconnection between upstream and downstream products, and realise the open flow of non-sensitive technical resources.
6. Actively promote the supply of high-quality data. Drive AI development with high-quality data; cooperate to promote the lawful, orderly and free flow of data; explore the construction of global mechanisms and platforms for data sharing; cooperate to build high-quality datasets; and inject more nourishment into AI development. At the same time, actively safeguard personal privacy and data security, increase the diversity of AI training corpora, eliminate discrimination and bias, and promote, protect and preserve the diversity of the AI ecosystem and of human civilisation.
7. Respond effectively to energy and environmental issues. Advocate the concept of "sustainable AI"; support continued exploration of innovative, resource-saving and environmentally friendly AI development models; jointly develop energy-efficiency and water-efficiency standards for AI; and promote green computing technologies such as low-power chips and efficient algorithms. Encourage dialogue and cooperation on energy saving in AI development to jointly find the best solutions. Promote AI empowerment of the green transition, climate-change response, biodiversity protection and other fields, expand the application of AI technology in these areas, strengthen international cooperation and share best practices.
8. Promote consensus on standards and norms. Support dialogue among national standards bodies; rely on international standards organisations such as the ITU, ISO and IEC; attach importance to the role of industry; accelerate the development and revision of technical standards in key areas such as security, industry and ethics; and establish a scientific, transparent and inclusive normative framework for AI. Actively eliminate algorithmic bias, balance technological progress, risk prevention and social ethics, and promote the inclusiveness and interoperability of standards systems.
9. Public sector takes the lead in deployment and application. The public sector in each country should become a leader and exemplar in AI application and governance, giving priority to deploying reliable AI in public-service areas such as healthcare, education and transport and strengthening international exchange and cooperation. At the same time, the security of these AI systems should be assessed regularly, and intellectual property rights such as patents and software copyright respected. Strictly comply with data and privacy protection, actively explore the lawful and orderly trading of training data, jointly promote the compliant open use of data, and raise the level of public administration and services.
10. Carry out AI security governance. Conduct timely analysis of AI risks, propose targeted prevention and response measures, and build a security governance framework with broad consensus. Explore classified and tiered management, establish an AI risk testing and evaluation system, and advance the building of mechanisms for threat-information sharing and emergency response. Improve norms for data security and personal information protection, and strengthen data security management in stages such as training-data collection and model generation. Increase investment in technology R&D, implement secure development norms, and improve the explainability, transparency and security of AI. Explore traceability management systems for AI services to prevent misuse and abuse of AI technology. Advocate the establishment of open platforms, share best practices, and promote international cooperation on AI security governance worldwide.
11. Jointly implement the Global Digital Compact. Actively implement the relevant commitments of the UN Pact for the Future and its annex, the Global Digital Compact; keep the UN as the main channel; aim to help developing countries bridge the digital divide and achieve fair and inclusive development; and, on the basis of compliance with international law and respect for national sovereignty and differences in development, promote the building of an inclusive and fair multilateral global digital governance system. Support the establishment under the UN framework of the International Scientific Panel on AI and the Global Dialogue on AI Governance and their early operation, to hold meaningful discussions on global AI governance, especially on promoting the safe, fair and inclusive development of AI.
12. Strengthen international cooperation on AI capacity building. Place international cooperation on AI capacity building prominently on the global AI governance agenda, and encourage leading AI countries to support developing countries in strengthening their comprehensive capacity in AI innovation, application and governance through concrete actions such as cooperation on AI infrastructure construction, jointly building laboratories, jointly building platforms for mutual recognition of security evaluations, holding education and training on AI capacity building, organising supply-demand matching events for the AI industry, and jointly building high-quality AI datasets and corpora. Jointly raise the public's AI literacy and skills, in particular safeguarding and strengthening the digital and intelligence rights and interests of women and children, and bridge the intelligence divide.
13. Build an inclusive, multi-stakeholder governance model. Support the building of inclusive governance platforms based on the public interest and joint participation by all kinds of actors. Encourage AI enterprises from all countries to engage in dialogue and exchange, learn from one another's application cases in different AI fields, and promote cooperation on AI innovation, application, ethics and security in specific fields and scenarios. Encourage research think tanks and international forums of all kinds to build global and regional platforms for exchange and cooperation, ensuring that AI researchers, developers and governance bodies in all countries maintain technical and policy communication.

 

 

 

● Office of the Central Cyberspace Affairs Commission (Cyberspace Administration of China: CAC)

2025.07.25 World Internet Conference holds exchange meeting on AI development and governance

World Internet Conference holds exchange meeting on AI development and governance
On the afternoon of July 23, the World Internet Conference's exchange meeting on AI development and governance was held in Quanzhou, Fujian. Wang Jingtao, deputy director of the Cyberspace Administration of China, attended the meeting and presented the state of AI development and governance in China. Ren Xianliang, Secretary-General of the World Internet Conference, delivered the welcome address.
The meeting noted that China attaches great importance to both the development and the security of AI. AI development in China is currently showing a positive and orderly trend: first, a sustained supply of policy, with an AI security governance system with Chinese characteristics initially established; second, sustained innovative development, actively leveraging AI as a new form of productivity; third, sustained security assurance, helping enterprises raise their protective capabilities across the whole life cycle; and fourth, sustained cooperation and openness, working together to build a community with a shared future in cyberspace. Going forward, governance mechanisms will be further improved, development and security coordinated, and the healthy and orderly development of AI in a beneficial, safe and fair direction further promoted.
Heads of the CAC's Bureau of Network Management Technology, Bureau of Cybersecurity Coordination and Bureau of International Cooperation also attended and exchanged views with member representatives on AI-related policy issues during the interactive session. Participating representatives said the meeting had deepened enterprises' understanding of policy and actively responded to their concerns, and expressed the hope that the Conference would continue to organise thematic exchange events to give members a platform for broad and in-depth communication and to support their growth and development.
The event was hosted by the World Internet Conference, and representatives of more than 50 member enterprises attended, including Qualcomm, IBM, Nokia Shanghai Bell (诺基亚贝尔), Huawei, Ping An Group, Baidu, Tencent, JD.com, CTM (澳门电讯), Keeson Technology (麒盛科技) and vivo.

 



 

⚫︎ まるちゃんの情報セキュリティ気まぐれ日記 (Maru-chan's Information Security Diary)

・2025.07.25 US: White House AI Action Plan (2025.07.23)

・2025.07.25 European Commission: General-Purpose AI Code of Practice (2025.07.10)

 

 


2025.07.12

Europe: ENISA Consolidated Annual Activity Report 2024 (2025.06.30)

Hello, this is Mitsuhiko Maruyama.

ENISA's activity report for 2024 has been published. In a sense, it is ENISA's integrated report...

In a democratic state, approval by the legislature is essential for what the government does, and to obtain that approval it is important to show that activities (including the budget) have been executed according to the plan the legislature approved...

Without an appropriate tension between the government and the legislature, which represents the people, things do not go well...

Since ENISA is an EU agency, approval by the European Parliament is what matters here...

ENISA's report also covers internal control... The internal control framework appears to be based on COSO (17 principles across five components...). This is a concept familiar to accounting staff at listed companies and to those dealing with FSA disclosure requirements...

Of course, the financial statements, including the balance sheet, are also published...

I do not know whether Japan, also a democracy, is aiming for this level, but I think it is a useful reference...

 

Incidentally, the main achievements highlighted...

  • First State of the Union Cybersecurity Report
  • CVE Numbering Authority
  • NIS2 Directive support
  • Certification (EUCC)
  • Cyber Europe exercise
  • ENISA Cybersecurity Support Action
  • Situational awareness

 

 

● ENISA

・2025.06.30 ENISA Consolidated Annual Activity Report 2024

・[PDF]


 

Table of contents...

ABOUT ENISA
FOREWORD
ENISA MANAGEMENT BOARD ASSESSMENT
EXECUTIVE SUMMARY
PART I ACHIEVEMENTS OF THE YEAR
PART II (a) MANAGEMENT
2.1 Management Board
2.2 Major developments
2.3 Budgetary and financial management
2.4 Delegation and sub-delegation
2.5 Human resources management
2.6 Strategy for efficiency gains
2.7 Assessment of audit and ex post evaluation results during the reporting year
2.8 a Follow-up of recommendations and action plans for audits and evaluations
2.8 b Follow-up of recommendations issued following investigations by the European Anti-Fraud Office
2.9 Follow-up of observations from the discharge authority
2.10 Environmental management
2.11 Assessment by management
PART II (B) EXTERNAL EVALUATIONS
PART III ASSESSMENT OF THE EFFECTIVENESS OF THE INTERNAL CONTROL SYSTEMS
3.1 Effectiveness of internal control systems
3.1.1 Assessment of the control environment component
3.1.2 Assessment of the risk assessment component
3.1.3 Assessment of the control activities component
3.1.4 Assessment of the information and communication component
3.1.5 Assessment of the monitoring activities component
3.2 Conclusions of assessment of internal control systems
3.3 Statement of the internal control coordinator in charge of risk management and internal control
PART IV MANAGEMENT ASSURANCE
4.1 Review of the elements supporting assurance
4.2 Reservations
PART V DECLARATION OF ASSURANCE
ANNEX I CORE BUSINESS STATISTICS
ANNEX II STATISTICS ON FINANCIAL MANAGEMENT
ANNEX III ORGANISATION CHART
ANNEX IV 2023 ESTABLISHMENT PLAN AND ADDITIONAL INFORMATION ON HUMAN RESOURCES MANAGEMENT
ANNEX V HUMAN AND FINANCIAL RESOURCES BY ACTIVITY
ANNEX VI GRANT, CONTRIBUTION AND SERVICE-LEVEL AGREEMENT
ANNEX VII ENVIRONMENTAL MANAGEMENT
ANNEX VIII ANNUAL ACCOUNTS
ANNEX IX LIST OF ABBREVIATIONS

 

Foreword...

FOREWORD
by the Executive Director
Jun-25
2024 marked a significant milestone for the Agency on its 20-year anniversary. Since 2004, ENISA has been dedicated to pursuing and, to a great extent, achieving a high common level of cybersecurity across the European Union. I would like to thank the ENISA Management Board, all ENISA stakeholders and particularly its staff, past and present, for their important contributions to 20 years of making Europe more cybersecure.
In 2024, the Agency marked several significant achievements over the year, with the following milestones standing out:
• First State of the Union Cybersecurity Report: This report provides an evidence-based overview of the state of play of cybersecurity and an assessment of cybersecurity capabilities across Europe. Since its establishment, ENISA has been steadfast in its commitment to providing expertise and strategic support to EU Member States. This report has been made possible by means of input sourced from the ENISA Cybersecurity Index, which provides a baseline for the State of the Union Cybersecurity Report, the NIS Investment Report and both the ENISA Threat Landscape 2024 and the updated Foresight 2030 Threats Report, all of which provide long-term strategic guidance on cybersecurity challenges. The State of the Union Cybersecurity Report provides policy recommendations to address the shortcomings identified and to bolster cybersecurity, cooperation and resilience.
• CVE Numbering Authority: ENISA has been authorised as a Common Vulnerabilities and Exposures (CVE) Numbering Authority, which has enhanced the support that ENISA renders to EU CSIRTs in terms of Coordinated Vulnerability Disclosure. In this light, the EU has been equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with them. ENISA progressed with the implementation of the vulnerability database requirement from the NIS 2 Directive. The database will provide aggregated, reliable and actionable information on cybersecurity vulnerabilities affecting ICT products and services. The database ensures transparency to all users and will stand as an efficient source of information for finding mitigation measures.
• NIS2 Directive Support: ENISA continued to work closely with EU Member States to support them in implementing the NIS2 Directive. ENISA provided expertise and guidance to build up cybersecurity resilience and deploy comprehensive, purpose-made awareness material.
• Certification: In early 2024, the Implementing Regulation on the EU cybersecurity certification scheme on Common Criteria (EUCC) was published in the Official Journal, marking a significant achievement. Furthermore, a new Commission request for a cybersecurity certification scheme on the certification of the EU Digital Identity Wallets has been received and met with the acceptance of the Agency and the establishment of a dedicated Ad Hoc Working Group, to complement ongoing work on EUCS and EU5G.
• Cyber Europe Exercise: The 7th edition has been one of the largest cybersecurity exercises in Europe ever, and it focused on the resilience of the EU energy sector. This exercise is evidence of the commitment of ENISA to advancing preparedness and response capacities to protect critical infrastructure, a building block of the digital single market. This pan-European exercise brought together 30 national cybersecurity agencies, several EU agencies, bodies and networks, and over 1000 experts supporting a broad range of areas including incident response, decision-making etc. In addition, the exercises performed by ENISA currently map to the roles identified in the European Cybersecurity Skills Framework (ECSF), thus allowing actors across sectors and Member States to foster a resilient and skilled workforce capable of addressing evolving threats.
• ENISA Cybersecurity Support Action: By implementing and delivering ex ante and ex post services via the Agency's Cybersecurity Support Action, ENISA contributed to further developing cyber preparedness and response capabilities at the EU and MS level. All 27 Member States participated in the programme, which consolidated a total of 482 requests for services.
• Situational Awareness: The Agency established a Threat Information Management system, thus contributing to the cooperative response by further strengthening its situational awareness capabilities. It also consolidated and leveraged the ENISA Cyber Partnership Programme, which onboarded 10 companies to embed the private sector contribution primarily within the EU Joint Cyber Assessment Report (EU-JCAR). The number of contributing MS also increased, and the CSIRTs Network and EU-CyCLONe contributed to the cooperative response through effective situational awareness. ENISA provided 8 briefings to HWPCI, which contributed to increased situational awareness at Council level.
In 2024, the revised strategic objectives adopted by the ENISA Management Board and the restructuring of ENISA's operational services will likely empower the Agency to remain agile and ahead of cybersecurity challenges. In early 2025, a comprehensive survey of operational activities highlighted the strong added value of ENISA's deliverables in the past two years, with 88% of stakeholders reporting significant benefits from our outputs. Significantly, 89% of stakeholders confirmed that ENISA's work does not duplicate, or only partially duplicates, albeit at very small proportions, Member States' efforts, underscoring the Agency's alignment with the needs of Member States. Finally, 96% of respondents had trust in ENISA's ability to achieve its mandate. The survey results will shape our future processes, ensuring that we continue meeting stakeholder needs and delivering high-value results in a timely fashion.
I would like to thank all contributors to the survey for the invaluable feedback provided. I am immensely grateful to the broader cybersecurity community, including experts, advisors, partners and staff alike, for all their contributions throughout 2024. Together, we continue keeping Europe cyber secure.

 

 

Internal control...

 

III ASSESSMENT OF THE EFFECTIVENESS OF THE INTERNAL CONTROL SYSTEMS
3.1. Effectiveness of internal control systems
Internal control is established in the context of ENISA's fundamental budgetary principles and associated with sound financial management. Internal control is broadly defined in the agency's financial regulation as a process designed to provide reasonable assurance of achieving objectives. This definition very much mirrors the standard definition of internal control adopted by the Committee of Sponsoring Organizations of the Treadway Commission (https://www.coso.org).
In this context, ENISA adopted its internal control framework by Management Board Decision No MB/2019/12 and amending Management Board Decision No MB/2022/11. It is based on the relevant framework of the Commission (which follows the Committee of Sponsoring Organizations of the Treadway Commission framework) and includes five internal control components and 17 internal control principles. The five internal control components are the building blocks that underpin the structure of the framework; they are interrelated and must be present and effective at all levels of ENISA for internal control over operations to be considered effective. Each component comprises one or more internal control principles. Applying these principles helps to provide reasonable assurance that ENISA's objectives have been met. The principles specify the actions required for the internal control to be effective.
To assess the components and principles of the internal control framework, a set of 66 indicators was adopted (as amended by Management Board Decision No MB/2022/11). The indicators are assessed individually and supported by the relevant evidence. The assessment of the internal control is an important part of ENISA's internal control framework, and it is conducted on an annual basis. For 2024, this assessment was based on the indicators of the framework, and also on additional information from specific (risk) assessment reports, audit findings and other relevant sources. The assessment also followed the related guidance and templates developed through the EU agencies' Performance Development Network.
3.1.1. Assessment of the control environment component
The control environment component consists of five principles, as described below.
Principle 1 – ENISA demonstrates commitment to integrity and ethical values
The assessment concluded that this principle is present and functioning, but some improvements are needed, mainly in the area of training sessions on ethics and integrity for staff.
To increase the rate of participation in such training, the agency should consider a diversity of training plans/programmes to address different levels of staff knowledge/maturity. Nevertheless, various types of information materials are at the disposal of staff, such as training content and the most up-to-date reports by the Commission's Investigation and Disciplinary Office.
Principle 2 – ENISA's management exercises responsibility for overseeing the development and performance of its internal control systems
The ENISA strategy, adopted in 2020, was reviewed during the reporting period and the MB adopted the new version in November 2024. The revised strategy is a cooperative effort of the Executive Director, the MB and the ENISA Task Force on supporting the review of ENISA's strategy and mandate. For this purpose, input was gathered from the ENISA Advisory Group, the NLO network and ENISA staff.
The assessment concluded that this principle is present and functioning well, and only minor improvements are needed. ENISA's management is regularly updated on the result of its internal controls, but some recommendations should be more actively and formally followed up, in order to improve the overall effectiveness of ENISA's internal control systems.
Principle 3 – ENISA's management establishes structures, reporting lines and appropriate authorities and responsibilities in pursuit of the agency's objectives
The assessment concluded that this principle is present and functioning well, and only minor improvements are needed. On a regular basis, the agency publishes on its intranet the adopted and updated organisation charts. Delegation of authority is clearly documented and regularly updated via various executive director decisions, notably on specifying the roles and responsibilities of ENISA's structural entities and on a framework of the financial delegation of the authorising officer.
Principle 4 – ENISA demonstrates commitment to attracting, developing and retaining competent individuals in alignment with its objectives
The assessment concluded that this principle is present and functioning well. One minor improvement is needed, in the area of learning opportunities for ENISA's staff, which should be more comprehensive. This point was further addressed in 2024 with the introduction of a new competence framework for ENISA.
Principle 5 – ENISA holds itself accountable for its internal control responsibilities in pursuit of the agency's objectives
The assessment concluded that this principle is present and functioning well, and only minor improvements are needed. As part of its internal controls, the agency regularly reviews and monitors its annual objectives to ensure that pre-set objectives will be reached. While midterm reviews are planned, significant effort is expended on the ex ante evaluation and continuous monitoring of projects through the weekly ENISA management team meetings. In particular, each project starts with an inception, meaning that it passes an assessment by the management team, may be further reviewed for guidance and is then finally presented to the management team for closure. This ensures that the management team has a clear view of, and is able to follow up on, the agency's annual objectives throughout the year.
3.1.2. Assessment of the risk assessment component
The risk assessment component consists of four principles, as presented below.
Principle 6 – ENISA specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
The assessment concluded that this principle is present and functioning well. Pre-defined targets for annual objectives are set in the SPD. ENISA's SPD is drafted based on input from all units and teams across the agency, and in consultation with stakeholders, before it is formally adopted by the agency's MB. Throughout the year, the agency's outputs are planned, reviewed and finalised in close consultation with stakeholders, including ENISA's MB, the advisory group and the NLO network. ENISA uses its objectives as a basis for allocating resources to achieve policy, operational and financial performance goals. [Indicator 26 on 73% of SPD KPIs met or outperformed target set]
Principle 7 – ENISA identifies risks to the achievement of its objectives across the organisation and analyses risks as a basis for determining how the risks should be managed
The assessment concluded that this principle is present and functioning well, but improvement is needed in the follow-up of implementation of mitigating measures. Since 2022, a centralised risk management approach has been implemented at the agency level. An enterprise risk management (ERM) framework was adopted based on the Commission's risk assessment guidance. An IT security risk management framework was also formalised and interlinked with the ERM framework. Based on the frameworks adopted, a risk assessment exercise is conducted on an annual basis (entailing an ERM and an IT security risk assessment). The cross-cutting risks were presented in a corporate risk register, and specific risks in each unit/team were also identified. As regards these assessments, no critical risks were identified in 2024.
Principle 8 – ENISA considers the potential for fraud in assessing risks to the achievement of objectives
The assessment concluded that this principle is present and functioning well.
The agency's anti-fraud strategy was updated in 2021 and formally adopted by Management Board Decision No B/2021/5. Within 2024, the revision of the anti-fraud strategy took place and a new action plan was put forward for adoption by the MB within 2025. A dedicated anti-fraud web page is available on ENISA's intranet, where all staff can access relevant regulations, documents and training material. Training in fraud prevention, which forms part of training in ethics and integrity, is delivered regularly (however, the participation rate should be improved).
Principle 9 – ENISA identifies and analyses significant change
The assessment concluded that this principle is present and functioning well and that only minor improvements are needed. Change is managed through different processes within the agency. At the operational level, continuous monitoring of the work programme activities in the weekly management team meetings enables the identification and analysis of any significant change (thus enabling further reflection of this change in internal activities). The establishment of dedicated committees (the IT Management Committee, the Budget Management Committee and the Intellectual Property Rights Management Committee) further supports change management at the corporate level. In 2024, whereas the Cybersecurity Act, which outlines the mandate and tasks of ENISA, has been complemented by the adoption of the NIS2 and the conclusion of legislative negotiations on the CRA and CSOA, ENISA Management has revised the establishment of ENISA's internal structures via its decision 2024/10. This revision was further complemented by Executive Director Decision No 63/2024, which further specifies the roles and responsibilities of ENISA's structural entities. In the context of this structural adjustment, three Task Forces were established by the Executive Director, with a view to engaging staff members, managers and the agency's HR in the change management process. Several relevant training sessions were also organised to that end. This shows ENISA's capacity to identify new challenges and to react quickly by adapting itself to best meet the underlying objectives and to best deliver the additional tasks entrusted to ENISA.
評価の結果、この原則は存在し、適切に機能しており、わずかな改善で十分であると結論付けられた。変化は、機関内のさまざまなプロセスを通じて管理されている。業務レベルでは、毎週開催される経営陣会議で作業プログラムの活動を継続的に監視することで、重要な変化を特定・分析することができ(その結果、この変化を内部活動にもさらに反映させることができる)、変化の管理がさらに強化されている。また、専門委員会(IT 管理委員会、予算管理委員会、知的財産権管理委員会)の設置により、企業レベルでの変化の管理がさらに強化されている。2024 年、ENISA の使命と任務を規定するサイバーセキュリティ法が、NIS2 の採択および CRA および CSOA に関する立法交渉の妥結により補完されたことを受け、ENISA 経営陣は、決定 2024/10 により ENISA の内部構造の再編を見直した。この見直しは、ENISA の組織体の役割と責任をさらに明確にした執行取締役決定第 63/2024 号によってさらに補完された。この組織調整に関連して、執行取締役は、スタッフ、管理職、および同機関の HR を変更管理プロセスに関与させることを目的として、3 つのタスクフォースを設立した。この目的のために、いくつかの関連トレーニングセッションも開催された。これは、ENISA が新たな課題を識別し、その根本的な目標を最もよく達成し、ENISA に委託された追加の業務を最善の方法で遂行するために、自らを適応させて迅速に対応できる能力を有していることを示している。
3.1.3. Assessment of the control activities component
The control activities component consists of three principles, as presented below.
Principle 10 – ENISA selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to an acceptable level
The assessment concluded that this principle is present and functioning, but some improvements are needed, in particular to the agency’s business continuity plan, which needs to be finalised and tested.
Principle 11 – ENISA selects and develops general controls on technology to support the achievement of objectives
The assessment concluded that this principle is present and functioning, but some improvements are needed. Efforts to mitigate IT risks yielded results in 2024, leading to the downgrading of certain identified risks. However, some IT risks are of a continuous nature, such as the risks stemming from cybersecurity threats, which are constantly evolving.
Principle 12 – ENISA deploys control activities through policies that establish what is expected and through procedures that put policies into action
The assessment concluded that this principle is present and functioning, but some improvements are needed. Recurrent weaknesses identified by internal control tools (such as the register of exceptions) in recent years have not yet been effectively addressed. In addition, ENISA’s internal policies and procedures are not always adequately documented or communicated to staff. For example, the analysis of the 2024 register of exceptions shows that, out of 15 non-compliant events (i.e. exceptions), the vast majority (11) concerned a posteriori transactions (i.e. the budgetary or legal commitments were not in place, as required, before the transaction proceeded). This weakness had been identified by previous control activities, but no specific procedure was introduced to further mitigate this usually minor risk.
Nevertheless, none of the 15 identified exceptions was assessed as being of high risk (13 were assessed as low risk and two as medium risk), and only four exceptions were deemed to be of material relevance. Of these four exceptions, two related to non-compliance with the contractual terms for the supply of services (i.e. (1) price indexation required by national laws was not foreseen in the original contract and (2) a contract extension was not formally signed), one related to a late budgetary commitment (an a posteriori transaction) and the last related to non-compliance with procurement rules.
3.1.4. Assessment of the information and communication component
The information and communication component consists of three principles, as presented below.
Principle 13 – ENISA obtains or generates and uses relevant quality information to support the functioning of its internal control systems
The assessment concluded that this principle is present and functioning, and only minor improvements are needed. For example, internal information-sharing and the mapping of information could be improved, and compliance with the need-to-know principle (for access to internal information) needs further monitoring.
Principle 14 – ENISA communicates information internally, including objectives and responsibilities for internal control, that is necessary to support the functioning of its internal control systems
The assessment concluded that this principle is present and functioning well. There is transparency in the agency regarding objectives, challenges, actions taken or to be taken and results achieved. Minutes of the weekly management team meeting are made available by email to all staff. In addition, frequent question-and-answer sessions for all staff on various relevant topics were held during 2024. Mid-term reviews are used to communicate achieved and ongoing objectives, and substantial effort is put into the ex ante evaluation of projects, starting with a detailed inception presentation during management team meetings. The same projects may then be reviewed for guidance during management team meetings and are then presented to the management team for finalisation. This ensures that the management team has a clear view of the annual objectives and is able to follow them up throughout the year. Moreover, there is a separate communication line for whistleblowing arrangements. The basic principles, relevant definitions and the reporting mechanism are described in ENISA’s Management Board Decision No MB/2018/10 on whistleblowing.
Principle 15 – ENISA communicates with external parties about matters affecting the functioning of its internal control systems
The assessment concluded that this principle is present and functioning well. ENISA communicates its activities in a transparent way and in line with internal control principles. Moreover, ENISA has an up-to-date communication strategy and stakeholder strategy in place.
3.1.5. Assessment of the monitoring activities component
The monitoring activities component consists of two principles, as presented below.
Principle 16 – ENISA selects, develops and conducts ongoing and/or separate assessments to ascertain whether the components of internal control are present and functioning
The assessment concluded that this principle is present and functioning, but some improvement is needed, mainly in the timely follow-up of recommendations issued by internal controls.
Principle 17 – ENISA assesses and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management as appropriate
The assessment concluded that this principle is present and functioning, but the effectiveness of the monitoring of mitigation measures remains to be demonstrated.
3.2. Conclusions of the assessment of internal control systems
Weaknesses identified by ENISA’s internal and external auditors, respectively the IAS and the ECA (75), are duly taken into account when assessing ENISA’s internal controls. In its 2024 assessment, ENISA concluded that appropriate corrective actions have been implemented internally to address the audit observations raised by the IAS and the ECA.
In particular, the implementation of the enhanced cybersecurity support action, which originally triggered the ECA’s 2023 qualified opinion on the legality and regularity of payments (76), has since late 2023 been governed by a contribution agreement signed between DG CNECT and ENISA. This formal agreement adequately removed any legal barrier impeding the smooth and efficient operational deployment of the cybersecurity support action, so as to best meet the requests and needs of the Member States.
3.3. Statement of the Manager in charge of risk management and internal control
The overall assessment shows that the internal controls at ENISA provide reasonable assurance that the policies, processes, tasks and behaviours of the agency, taken together, facilitate its effective and efficient operation, help to ensure the quality of internal and external reporting, and help to ensure compliance with its regulations. That being said, some improvements are needed in certain areas in order to increase the effectiveness of the internal controls and ensure their proper implementation in the future.
I, the undersigned,
Andreas MITRAKAS,
in charge of risk management and internal control within ENISA,
in my capacity as Head of Unit for the Executive Director’s Office in charge of risk management and internal control, declare that, in accordance with ENISA’s Internal Control Framework, I have reported my advice and recommendations on the overall state of internal control in the Agency to the Executive Director.
I hereby certify that the information provided in the present Consolidated Annual Activity Report and in its annexes is, to the best of my knowledge, accurate, reliable and complete.
Andreas Mitrakas
Head of Unit for the Executive Director’s Office
(75) For more details, please see also section “2.7. Assessment of audit and ex post evaluation results during the reporting year”.
(76) For more details, please see also section “2.7.2. European Court of Auditors”.

Maruchan's Whimsical Information Security Diary (まるちゃんの情報セキュリティ気まぐれ日記)

・2023.04.08 FSA: Publication of the "Revision of the Standards for Evaluation and Audit of Internal Control over Financial Reporting and the Implementation Standards for Evaluation and Audit of Internal Control over Financial Reporting (Opinion)"

2025.06.18

European Commission: GenAI4EU: Funding to boost generative AI "made in Europe"

Hello, this is Maruyama Mitsuhiko (丸山満彦).

Europe is said to be lagging behind the US and China in the AI field, so it is putting real effort into it...

It is also putting effort into uptake by startups and SMEs.

Japan's environment is similar in some respects, so I think there is a lot here that is worth referring to (more so than the US or China). (The UK may be similar too...)

European Commission

・2025.06.11 GenAI4EU: Funding opportunities to boost Generative AI “made in Europe”

GenAI4EU: Funding opportunities to boost Generative AI “made in Europe”
The European Commission has launched a first wave of EU funding opportunities to integrate generative Artificial Intelligence (AI) in Europe’s strategic sectors, and keep their competitive edge.
Researchers, innovators, companies and other interested organisations can find broad EU funding opportunities to join forces to develop and deploy generative AI in Europe’s strategic sectors as part of the GenAI4EU flagship initiative. The initiative is now surpassing the initial commitment of €500 million announced in the AI innovation package in January 2024, with close to €700 million in funding planned in Horizon Europe, the Digital Europe Programme, and the European Innovation Council.
For example, researchers can receive EU funding of between 15 and 17 million euro to leverage multimodal data to advance generative AI in biomedical research by, among others, moving towards predictive and personalised medicine. This concrete GenAI application helps industry’s competitiveness but also makes healthcare treatments more effective. The call HORIZON-HLTH-2025-01-TOOL-03 will close in September 2025.
This is only one of the many opportunities available to stakeholders interested in joining the GenAI4EU initiative, as listed on the tab "funding opportunities".

Calls in the Horizon Europe Work Programme 2025...

Horizon Europe cluster    Title of the call
1 Health    HLTH-2025-01-TOOL-03: GenAI4EU: Leveraging multimodal data to advance Generative Artificial Intelligence applicability in biomedical research
1 Health    HLTH-2025-01-CARE-01: GenAI4EU: End user-driven application of Generative Artificial Intelligence models in healthcare
3 Civil security for society    CL3-2025-02-CS-01: Generative AI for Cybersecurity applications
4 Digital, Industry, Space    CL4-2025-04-DIGITAL-EMERGING-07: Advancing General Purpose AI through Enhanced Learning Strategies
4 Digital, Industry, Space    CL4-2025-04-DIGITAL-EMERGING-04: Assessment methodologies for General Purpose AI capabilities and risks
4 Digital, Industry, Space    CL4-2025-03-DIGITAL-EMERGING-09: Challenge-Driven GenAI4EU Booster (Pharma/Drug and Aerospace)
4 Digital, Industry, Space    CL4-2025-03-DIGITAL-EMERGING-07: GenAI4EU in Robotics and industrial automation
4 Digital, Industry, Space    CL4-2025-03-HUMAN-18: GenAI4EU central Hub
4 Digital, Industry, Space    CL4-2025-03-HUMAN-15: GenAI4EU: Generative AI for Virtual Worlds: Advanced technologies for better performance and hyper personalised and immersive experience
4 Digital, Industry, Space    CL4-2025-04-DATA-03: Software Engineering for AI and Generative AI
4 Digital, Industry, Space    CL4-2025-04-DATA-02: Empowering AI/Generative AI along the Cognitive Computing continuum
4 Digital, Industry, Space    CL4-2025-03-DATA-13: Fostering Innovative and Compliant Data Ecosystems
4 Digital, Industry, Space    CL4-INDUSTRY-2025-01-DIGITAL-61: AI Foundation models in science (GenAI4EU)
5 Energy    CL5-2025-05-D3-19: Innovative solutions for a Generative AI-powered digital spine of the EU energy system
5 Mobility    CL5-2025-04-D6-01: Advancing remote operations to enable the sustainable and smart mobility of people and goods based on operational and societal needs (CCAM Partnership) – Societal Readiness Pilot
5 Mobility    CL5-2025-04-D6-08: Accelerating freight transport and logistics digital innovation
5 Mobility    CL5-2025-04-D2-05: Accelerated multi-physical and virtual testing for battery aging, reliability, and safety evaluation (Batt4EU Partnership)
5 Mobility    CL5-2025-01-D5-01: Solutions for road Light Duty Vehicles – Societal Readiness Pilot
5 Mobility    CL5-2025-01-D5-02: Cybersecure and resilient e-mobility ecosystem
5 Mobility    CL5-2025-04-D6-09: Reliable data and practices to measure and account transport emissions in multimodal transport chains
5 Mobility    CL5-2025-04-D6-10: Integrating inland waterway transport in smart shipping and multimodal logistics chains
6 Agrifood    CL6-2025-01-ZEROPOLLUTION-06: Provide digital solutions tailored to small and medium-sized farms to monitor and sustainably manage agricultural inputs and natural resources
6 Agrifood    CL6-2025-01-CIRCBIO-06: Open Topic: Innovative solutions for the sustainable and circular transformation of SMEs
6 Agrifood    CL6-2025-03-GOVERNANCE-09: Delivering Earth Intelligence to accelerate the green and digital transition
6 Agrifood    CL6-2025-03-GOVERNANCE-14: Preparing farmers, their workforce and advisors to the future of agriculture by providing the right knowledge and skills at the right time and place
6 Agrifood    CL6-2025-01-CIRCBIO-10: Unleashing the potential and advancing the impact of the digitalisation/AI of the bio-based value chains
6 Agrifood    CL6-2025-01-BIODIV-09: Strengthening pathways to alternative socio-economic models for continuous improvement of biodiversity

 

Reference

Horizon Europe

  • The EU's key funding programme for research and innovation
  • Horizon Europe's indicative budget for 2021 to 2027 is €93.5 billion (156 trillion yen)
  • Supports the achievement of the UN Sustainable Development Goals and boosts the EU's competitiveness and growth
  • Facilitates collaboration and strengthens the impact of research and innovation in developing, supporting and implementing EU policies
  • Creates jobs, fully engages the EU's talent pool, boosts economic growth, promotes industrial competitiveness and optimises investment impact within a strengthened European Research Area
  • Legal entities from the EU and associated countries can participate

 

The Digital Europe Programme

  • An EU funding programme focused on bringing digital technology to businesses, citizens and public administrations
  • Supports projects in the key capacity areas of supercomputing, artificial intelligence, cybersecurity and advanced digital skills
  • Aims to ensure the wide use of digital technologies across the economy and society
  • Supports digital transformation through a reinforced network of European Digital Innovation Hubs (EDIHs)

 

GenAI4EU: Creating European Champions in Generative AI

  • Based on the Horizon Europe AI Boost project (2023)
  • Supports startups and SMEs aiming to bring transformative AI-driven solutions to market
  • In line with the AI innovation package, which supports AI startups and SMEs, and the EU AI Act, which aims at the development, deployment and use of trustworthy AI in the EU, this challenge addresses the critical technology areas identified under the Strategic Technologies for Europe Platform (STEP):
  • advance the development and validation of new GenAI models;
  • adapt existing models to specific sectors or data types where smaller, faster and more energy-efficient models can be applied;
  • integrate and test GenAI solutions in existing workflows and, where needed, test them in regulatory sandboxes and real-world environments, including certification and post-market surveillance;


Maruchan's Whimsical Information Security Diary (まるちゃんの情報セキュリティ気まぐれ日記)

・2024.06.07 European Commission establishes the AI Office to strengthen EU leadership in safe and trustworthy artificial intelligence (2024.05.29)

Draghi Report

・2024.10.01 Europe: Draghi Report, The Future of European Competitiveness (2024.09.09)

2025.05.22

FSA: Discussions of the Expert Group on Assurance of Sustainability Information...

Hello, this is Maruyama Mitsuhiko (丸山満彦).

The Financial Services Agency has set up the "Working Group on the Disclosure and Assurance of Sustainability Information" under the Financial System Council to discuss how sustainability information should be disclosed and assured; since assurance in particular is highly specialised, it has further set up the "Expert Group on Assurance of Sustainability Information" within that working group for deeper discussion.

The discussions are still in progress, but I thought I would summarise them so far. The next meeting is scheduled for 27 May.

Incidentally, the chair of this expert group is Professor Horie (堀江先生), who teaches the "Information Security and Systems Audit" course with me at the Institute of Information Security.

As for the "Working Group on the Disclosure and Assurance of Sustainability Information", Professor Kanda (神田先生), with whom I ran a study group on cybersecurity disclosure, is also participating as a member...

 

Financial Services Agency - Financial System Council - Expert Group on Assurance of Sustainability Information

Expert Group on Assurance of Sustainability Information
2025.05.27 4th meeting
Meeting notice
2025.04.17 3rd meeting
Meeting notice
Materials
Material 1: Secretariat explanatory material
1. Regulatory framework required of sustainability assurance practitioners
(1) Main opinions received at the previous meeting
(2) Practice management system (human resources) required of assurance practitioners
(3) Consideration of self-regulatory organisations
(4) Voluntary assurance
2. Matters for discussion
Regulatory framework required of sustainability assurance practitioners ⚫ Regarding the development of the human resources system required of assurance practitioners, what are your views on the secretariat's proposal on p. 13?
⚫ Regarding the knowledge and abilities required of the person responsible for the engagement (業務執行責任者), what are your views on the secretariat's proposal on p. 14?
⚫ Regarding the respective roles of the administrative authorities and self-regulatory organisations, what are your views on the secretariat's proposal on p. 20?
⚫ Regarding voluntary assurance, what are your views on the direction set out on p. 25?
2025.03.21 2nd meeting
Meeting notice
Materials
Material 1: Secretariat explanatory material
  1. On the regulatory framework discussed at the 1st meeting of the expert group
  (1) Main opinions received at the previous meeting (overall)
  (2) Approach to consideration
  ① Differences between conventional financial information and sustainability information
  ② Differences between current practice and sustainability assurance engagements
  ③ Differences between financial statement audits and sustainability assurance engagements
  ④ Summary
  (3) Main opinions received at the previous meeting (individual issues) and matters to consider
  (4) Matters to consider when examining a sustainability assurance system
  2. Regulatory framework required of sustainability assurance practitioners
  (1) Role of self-regulatory organisations
  (2) Overall picture of the sustainability assurance system
  3. Issues concerning voluntary assurance
  4. Matters for discussion
  Regulatory framework required of sustainability assurance practitioners: taking as a premise the matters to note regarding sustainability assurance (p. 18),
  ⚫ As matters to consider when examining the registration system and registration requirements, restrictions on services, duties and liabilities, assurance standards, and ethics and independence discussed at the previous meeting, what are your views on the points set out on p. 25?
  ⚫ What are your views on the role of self-regulatory organisations shown on p. 27?
  ⚫ What are your views on the overall picture of the sustainability assurance system shown on p. 29?
  Voluntary assurance ⚫ Regarding voluntary sustainability assurance, what are your views on the issues raised on pp. 32 and 33? Are there any other conceivable issues concerning voluntary sustainability assurance?
Material 2: Written opinion (Member Saka / 阪委員)
Material 3: Written opinion (Member Tanabe / 田辺委員)
Material 4: Written opinion (Member Yanaga / 弥永委員)
Minutes
2025.02.12 1st meeting
Meeting notice
Materials
Material 1: List of members of the "Expert Group on Assurance of Sustainability Information"
Material 2: Secretariat explanatory material
  1. On the sustainability assurance system
  (1) Need to ensure the reliability of sustainability information
  (2) Issues in introducing a sustainability assurance system
  (3) Direction indicated by the working group
  2. Regulatory framework required of sustainability assurance practitioners
  (1) Approach to consideration
  (2) Registration requirements (practice management system, etc.)
  (3) Restrictions on services, duties and liabilities
  (4) Assurance standards, ethics and independence
  3. Matters for discussion
  Regulatory framework required of sustainability assurance practitioners ⚫ As the regulatory framework required of sustainability assurance practitioners, a framework such as the one on p. 27 could be considered; what are your views?
Material 3: Explanatory material from the Japanese Institute of Certified Public Accountants
Material 4: Explanatory material from the Japan Accreditation Board
Minutes

 


Maruchan's Whimsical Information Security Diary (まるちゃんの情報セキュリティ気まぐれ日記)

Searching for "sustainability"...

・2025.03.19 JICPA: Explanatory article on the IAASB International Standard on Sustainability Assurance (ISSA) 5000 "General Requirements for Sustainability Assurance Engagements" (2025.03.17)

・2025.03.19 Sustainability Standards Board of Japan publishes its Sustainability Disclosure Standards (2025.03.05)

・2025.03.10 JICPA: Terms similar to "assurance" (2025.03.07)

・2025.03.05 JICPA: Translation of "Building Trust in Sustainability Reporting and Preparing for Assurance: Governance and Controls for Sustainability Information" (2025.02.27)

・2025.01.29 IAASB: Fact sheet, FAQ, implementation guide, etc. for International Standard on Sustainability Assurance 5000... (2025.01.27)

・2024.11.15 IAASB: International Standard on Sustainability Assurance 5000 "General Requirements for Sustainability Assurance Engagements" (2024.11.12)

・2024.06.29 METI compiles "Study Group on Corporate Information Disclosure: Issues and Future Directions (Interim Report)" (2024.06.25)

・2024.06.09 FSA: Action Program 2024 for Putting Corporate Governance Reform into Practice

・2024.05.14 FSA: Financial System Council "Working Group on the Disclosure and Assurance of Sustainability Information"

・2024.04.06 JICPA: Translation of the IESBA exposure draft on revisions to the Code of Ethics relating to sustainability reporting and assurance

・2024.03.03 JICPA: Translation of "Building Trust in Sustainability Reporting: The Urgent Need for Integrated Internal Control" (2024.02.26)

・2023.12.13 Keidanren: Comments on the IAASB exposure draft of International Standard on Sustainability Assurance (ISSA) 5000 "General Requirements for Sustainability Assurance Engagements" (2023.12.01)

・2023.11.22 IIA: Translation of COSO "Achieving Effective Internal Control over Sustainability Reporting (ICSR)" (2023.10.04)

・2023.09.25 JICPA: IAASB exposure draft of International Standard on Sustainability Assurance (ISSA) 5000 "General Requirements for Sustainability Assurance Engagements"

・2023.06.15 IFAC: Assurance of sustainability reports (2023.05.31)

・2021.04.27 European Commission announces proposal to amend the Non-Financial Reporting Directive; number of companies in scope increases substantially

・2021.04.05 Corporate Governance Code revision (draft)

・2020.11.26 The UK-born International Integrated Reporting Council (IIRC) and the US-born Sustainability Accounting Standards Board (SASB) to merge...

Going back more than ten years in one go... (it pays to keep records... even though the links are dead...)

・2009.03.27 Independent third-party review report on the CSR report of KPMG AZSA Sustainability Co., Ltd. (AZSA audit firm group)

・2007.02.23 Nikko Cordial: Assurance opinion on the sustainability report by the ChuoAoyama PwC Sustainability Research Institute and Shin Nihon audit firm

・2005.10.24 Environmental report review and registration scheme begins