Akasaka International Law, Patent & Accounting Office.

Japan Cyber Defense Law 2025 | Key Rules

Oct 08, 2025

Dated: May 20, 2025

In May 2025, Japan passed the Active Cyber Defense Law. It gives the government new powers to fight cyber threats.

Legal and IT teams now ask: “What does this mean for us?” and “What should we do now?”

This article outlines the law’s three pillars. It also shows what companies must prepare today.

Pillar 1: Public-Private Collaboration

The law builds a joint cybersecurity system. The government and private firms will now act together. Cyber defense is no longer just a company issue. It is a national one.

Rules for Critical Infrastructure

Fifteen sectors, such as energy, gas, and finance, are named Critical Infrastructure Operators. They must meet new legal duties:

  • Notify the government before major system changes.
  • Report incidents when attacks occur.

Ignoring these rules can bring fines up to 2 million yen. Compliance is now mandatory.

Information-Sharing Council

The government will create an Information-Sharing Council. It lets companies exchange threat data safely.

Members must protect shared data. This network strengthens each industry’s defense level.

Pillar 2: Use of Communication Data

The government may collect limited data to spot early cyber threats. Strict privacy rules apply to all activities.

Two Collection Types

  • With Consent: Data is gathered through formal deals with operators.
  • Without Consent: In rare emergencies, such as foreign attacks, data can be collected without consent.

All data is filtered by a system. Investigators never see private messages. The Cyber Communications Oversight Commission checks every action.

Pillar 3: Neutralizing Malicious Servers

If an attack risks lives or property, the government may enter attacker servers and stop malware. It works like firefighting in cyberspace.

Strict Conditions

This power applies only in emergencies. Two tests must be met:

  • A real threat to life, safety, or property.
  • An urgent need for action.

Only certified Cyber Defense Officers can act. Their work is reviewed after every case.

[Action] What Companies Should Do Now

Firms must prepare before incidents happen. Fast reporting and solid log control are key.

[Expert Insight]
Cybersecurity is not a cost. It is a core part of business survival.

The law demands quick and accurate reports. Companies that plan early will recover faster and earn more trust.

1. Set Clear Reporting Rules

Decide when and how to report. Create simple triggers, such as:

  • Recovery time over six hours.
  • More than 10,000 records affected.

Add these to your Incident Reporting SLA. Train all staff on timing and flow.

2. Control Logs and Protect Data

Accurate logs prove what happened. Record who accessed what and when. Store data in secure, tamper-proof systems.

Use WORM (write once, read many) storage for safety. Test your backup and recovery tools often.

Author

Akasaka International Law & Accounting Office
Attorney at Law, Shinji Sumida
