Japan has enacted the Active Cyber Defense Law (“ACD”) — a landmark legislative framework that empowers both the public and private sectors to proactively defend against cyber threats.
This law was enacted on 16 May 2025 and will take full effect by 2027, following a phased implementation.
The ACD has four strategic pillars:
1. Strengthening Public-Private Collaboration
2. Use of Communication Data
3. Access and Neutralization
4. Organizational and Structural Readiness
Of these four pillars, (1) and (2) have a significant impact on private businesses.
The following businesses need to comply with the new obligations under the ACD:
- Critical Infrastructure Operators (“CIO”)
Entities designated under the Economic Security Promotion Act, including business operators that offer essential infrastructure services in 15 sectors such as electricity, gas, telecommunications and finance
- Telecommunications Service Providers
- IT Vendors
- Manufacturers, importers, distributors, and providers of computers or programs embedded therein and used as part of Critical Systems
Key Obligations
Critical Infrastructure Operators
- Notification obligations on Key Systems
CIOs must notify regulators when introducing certain important systems (“Critical Systems”) that the relevant regulations specify as having a risk of suspending or declining the functions of the facilities and programs used for their infrastructure services, if cybersecurity is compromised.
- Incident Reporting Obligations
CIOs must report cybersecurity incidents or potential threats involving Critical Systems to both the relevant ministries and the Prime Minister’s Office.
- Cooperation on Data Sharing with Authorities
The government may ask CIOs to conclude an agreement to share cross-border communication data. While executing the agreement is voluntary, operators must engage in discussions with the government unless there is a justifiable reason. The government will conduct a cybersecurity analysis using data provided by CIOs and share the results with them.
- Establishment of a New Council
The Council on Information Sharing and Countermeasures (“Council”) will be established. CIOs and IT vendors will be added as Council members. The Council is authorized to share confidential, security-relevant information with its members and may request the submission of data or other forms of cooperation necessary to prevent cyber-related harm.
Telecommunications Service Providers
- Government Access to Communication Data Without Business’s Consent
With approval from the Cyber Communications Oversight Committee, the government may access communication data when cyberattack-related communications are suspected to be transmitted. Access will only be allowed when it is difficult to detect and assess cyber-attacks by other means (foreign-to-foreign communications) or when analyzing communications with designated foreign systems is necessary to detect cyber threats targeting Japan (foreign-to-domestic and domestic-to-foreign communications).
Telecommunications service providers may be required to cooperate with the government, including providing information about their facilities and connecting equipment for data sharing. They are not permitted to refuse such a request without a justifiable reason.
IT Vendors
- Vulnerability Disclosure and Remediation
The government may notify the relevant IT vendors about vulnerabilities identified in Critical Systems and publish remediation guidance. For vulnerabilities affecting Critical Systems, the competent minister may request that corrective actions be taken and reports and information submitted. While these requests are not binding, vendors need to make reasonable efforts to respond.
- Cooperation with CIOs
IT vendors may be indirectly impacted by the CIO’s incident reporting obligation. If a vendor is targeted in a cyberattack, the CIO may request the vendor to cooperate in fulfilling its reporting obligation.
This article was originally published in the 7th edition of LIR Japan.