Most Japan FSI firms cannot tell you how many TLS certificates they run. They cannot tell you when those certificates expire, which systems depend on them, or which cryptographic algorithms underpin each one. That is the baseline. Post-quantum migration lands on top of it.

The CBOM gap

A Cryptographic Bill of Materials (CBOM) is the prerequisite to every post-quantum cryptography (PQC) migration plan. You cannot migrate what you cannot inventory. Building a CBOM in an organisation with two decades of PKI debt (certificates issued by NEC, Fujitsu, and Hitachi systems managing infrastructure since the 1990s) is not a software project. It is a process of institutional archaeology. And those incumbent infrastructure vendors have conflicted incentives when it comes to exposing the complexity of what they built.

The 47-day mandate collision

The CA/Browser Forum has mandated that maximum TLS certificate validity drops to 47 days by 2029. This is not theoretical. Organisations that cannot currently describe their certificate inventory are about to face automated renewal cycles that will break systems they did not know depended on specific certificates. That mandate and PQC migration are on a collision course for Japan FSI, and there is no comfortable sequencing.

What the G7 said

The G7 published its PQC financial sector roadmap in January 2026. It sets expectations for financial sector institutions across G7 economies to begin structured PQC transition planning by end of 2026. Japan is a G7 member and the FSA takes G7 financial sector commitments seriously. This is now a regulatory compliance question, not a speculative security one.

What good looks like

Keyfactor is doing the right things in Japan. Their approach starts with certificate lifecycle visibility — the CBOM layer — before touching PQC algorithm migration. That sequencing is correct. Organisations that try to jump straight to PQC without first knowing what they have will generate expensive incidents and then have to do the inventory work anyway.

IBM’s 2025 Quantum-Safe Readiness Index puts the average organisation at 25 out of 100. Japan FSI likely scores lower than that average. The infrastructure incumbents running most of this PKI — NEC, Fujitsu, Hitachi — have crypto-agility roadmaps that are, to be generous, opaque.
