What is the Active Cyber Defense Law in simple terms?

It is a 2025 Japanese law that allows the government to proactively neutralize serious cyber threats, including by entering attacker servers. It also legally requires companies, particularly in critical sectors, to report incidents and collaborate with the government to strengthen national security.

What are the new requirements for businesses under this law?

Companies designated as Critical Infrastructure Operators must notify the government of major system changes and report cyber incidents when they occur. Failure to comply can result in financial penalties, making internal incident response planning an essential legal duty.

What are the penalties for non-compliance?

Firms that fail to meet their mandatory reporting or notification duties can face fines of up to 2 million yen. This penalty underscores the legal importance of establishing clear compliance procedures and maintaining accurate operational and security records.

What immediate steps should my company take to prepare?

First, establish clear internal rules for when and how to report incidents to the government. Second, ensure you have a robust, tamper-proof system for logging all system access and activities. This is critical for demonstrating compliance and managing incident response effectively.

Home > Blog > Japan Cyber Defense Law 2025 | Key Rules

Japan Cyber Defense Law 2025 | Key Rules

Oct 08, 2025

Blog

Dated: May 20, 2025

In May 2025, Japan passed the Active Cyber Defense Law. It gives the government new powers to fight cyber threats.

Legal and IT teams now ask: “What does this mean for us?” and “What should we do now?”

This article outlines the law’s three pillars. It also shows what companies must prepare today.

Pillar 1: Public-Private Collaboration

The law builds a joint cybersecurity system. The government and private firms will now act together. Cyber defense is no longer just a company issue. It is a national one.

Rules for Critical Infrastructure

Fifteen sectors, such as energy, gas, and finance, are named Critical Infrastructure Operators. They must meet new legal duties:

Notify the government before major system changes.
Report incidents when attacks occur.

Ignoring these rules can bring fines up to 2 million yen. Compliance is now mandatory.

Information-Sharing Council

The government will create an Information-Sharing Council. It lets companies exchange threat data safely.

Members must protect shared data. This network strengthens each industry’s defense level.

Pillar 2: Use of Communication Data

The government may collect limited data to spot early cyber threats. Strict privacy rules apply to all activities.

Two Collection Types

With Consent: Data is gathered through formal deals with operators.
Without Consent: In rare emergencies, such as foreign attacks, data can be collected without consent.

All data is filtered by system. Investigators never see private messages. The Cyber Communications Oversight Commission checks every action.

Pillar 3: Neutralizing Malicious Servers

If an attack risks lives or property, the government may enter attacker servers and stop malware. It works like firefighting in cyberspace.

Strict Conditions

This power applies only in emergencies. Two tests must be met:

A real threat to life, safety, or property.
An urgent need for action.

Only certified Cyber Defense Officers can act. Their work is reviewed after every case.

[Action] What Companies Should Do Now

Firms must prepare before incidents happen. Fast reporting and solid log control are key.

[Expert Insight]
Cybersecurity is not a cost. It is a core part of business survival.

The law demands quick and accurate reports. Companies that plan early will recover faster and earn more trust.

1. Set Clear Reporting Rules

Decide when and how to report. Create simple triggers, such as:

Recovery time over six hours.
More than 10,000 records affected.

Add these to your Incident Reporting SLA. Train all staff on timing and flow.

2. Control Logs and Protect Data

Accurate logs prove what happened. Record who accessed what and when. Store data in secure, tamper-proof systems.

Use WORM storage for safety. Test your backup and recovery tools often.

Reference Sources:

Author

Akasaka International Law & Accounting Office
Attorney at Law, Shinji Sumida

You are welcome to contact us via the Contact Form to discuss and for more information.