In May, Japan's National Parliament passed the landmark Active Cyber Defense Law, marking a pivotal shift in the country's cybersecurity strategy. The scope of the legislation extends significantly beyond its title, encompassing a range of provisions aimed at modernizing government institutions and enhancing Japan's overall cybersecurity framework.
Arguably the law’s most consequential component is the change in data collection practices. Specifically, it grants the Japanese government statutory authority to intercept foreign internet traffic traversing domestic infrastructure—an approach consistent with the practices of other nations. Crucially, while domestic communications remain outside the scope of this surveillance authority, intelligence derived from these intercepts may be utilized to identify and counter emerging cyber threats.
The law also mandates that operators of critical infrastructure, as designated under the Economic Security Promotion Act 2022, report cybersecurity incidents to the government, although what needs to be reported and when remains unclear.
These two data collection mechanisms - interception of foreign traffic and mandatory incident reporting - will serve as foundational intelligence feeds to detect ongoing or prospective cyberattacks. In turn, responses will be executed either by the National Police Agency or by the Self-Defense Forces.
A Strategic Shift Grounded in Historical and Constitutional Constraints
Japan’s approach to cybersecurity is influenced by historical and constitutional path dependencies stemming from the post-World War II era. Japan has a pacifist constitution, most notably through Article 9, which renounces war and limits military activities strictly to self-defense. This legal and cultural framework constrained the development of offensive intelligence capabilities, including signals intelligence (SIGINT), which in many Western countries evolved into sophisticated cyber operations.
Unlike Australia, the U.S. or the U.K., where robust SIGINT agencies like the Australian Signals Directorate, the National Security Agency or the Government Communications Network transitioned seamlessly into cyber domains, Japan’s intelligence and military posture historically emphasized defensive, non-interventionist roles. This has created a unique set of challenges as Japan now seeks to build proactive cyber capabilities, ensuring that new initiatives like the law remain compliant with constitutional constraints while addressing rapidly evolving cyber threats.
With this historical backdrop, the new law empowers government agencies, under strict oversight, to monitor and respond to suspicious cyber activities before they cause harm, while also reinforcing public-private collaboration in the defense of the nation’s digital ecosystem.
Japan's move towards active cyber defense has been driven by increasing cyberattacks from regional and global criminals and nation-state actors. China’s ever-expanding cyber capabilities and operations targeting Japan, along with growing regional strategic uncertainty, are driving this shift. The country's 2022 National Security Strategy formally directed the government to address these escalating risks, aiming to match or exceed the cyber capabilities of major Western countries and align more closely with international cybersecurity practices.
A Three-Pillar Approach
The law is built around three main pillars, which will be implemented and take effect in phases:
- Pillar 1 – Strengthening Public-Private Collaboration: The law establishes a new Cyber Council, expected to be launched in the next six months, which aims to enhance information sharing and incident response between government agencies and key private-sector partners. This Council will be a central platform for threat intelligence exchange, response coordination, and strategic planning.
- Pillar 2 – Leveraging Information and Data Under Communications for Threat Detection: The law provides clear legal authority for the use of communications-related data to identify and analyze cyber threats. This capability is expected to be operational within two and a half years.
- Pillar 3 – Remote Access and Neutralization Measures: The third pillar empowers government authorities to remotely access and neutralize attacker infrastructure, such as malicious servers or malware command nodes. These actions will be carried out under strict legal and procedural oversight, and only when necessary to prevent or mitigate serious cyber incidents. It is expected to be operational within a year and a half.
Japan’s planned Cyber Council draws inspiration from the U.S. Joint Cyber Defense Collaborative (JCDC), an initiative under the Department of Homeland Security that enables real-time collaboration between government and private-sector cybersecurity stakeholders.
The new policy strengthens opportunities for intelligence sharing and joint cyber operations with allies, particularly in efforts to counter China’s cyber espionage. It also opens the door for enhanced cooperation within frameworks like the Quad, which includes Japan, the U.S., Australia, and India. Similarly, Japan’s Cyber Council is envisioned as a centralized hub for coordinated cyber threat response and information sharing, with several key priorities guiding its design and operation:
- Broader inclusion of cybersecurity stakeholders: In addition to critical infrastructure operators, the Council may include cybersecurity vendors, academic institutions, and other relevant experts to provide a well-rounded operational perspective.
- Operational focus over policy debate: The emphasis will be on actionable collaboration, such as threat intelligence sharing, incident coordination, and readiness planning, rather than lengthy policy discussions.
- Building trust and ensuring confidentiality: Membership in the Council will require strong security practices (including provision of security clearances to industry representatives) and a commitment to confidentiality, given the sensitive nature of the information being shared.
- International collaboration: While international companies may be invited to participate, access to certain data or decision-making processes will be carefully managed to align with Japan’s national security interests.
New Rules on Cyber Incident Reporting
The new rules will likely apply to approximately 250 entities across 15 critical sectors, captured in the Economic Security Promotion Act 2022, including finance, telecommunications, transportation, energy, and other industries vital to national security and public welfare.
Under these regulations, covered organizations will be required to report cybersecurity incidents to both the newly established Cyber Council and their relevant ministries. While data breaches will continue to fall under Japan’s existing data protection laws, these new rules expand the scope of reportable incidents and may evolve to include additional categories as standards develop over time.
Japan’s enactment of the Active Cyber Defense Law marks a significant evolution in its national security landscape, bridging long-standing constitutional principles with the imperatives of modern digital defense. By laying down clear legal authority and checks and balances, fostering robust public-private collaboration, and empowering agencies to detect and neutralize threats, this legislation positions Japan to meet the challenges of an increasingly complex cyber domain.
Industry — both domestic and international — will be pivotal to the law’s success, as effective information sharing, timely incident reporting, and coordinated response efforts require the active engagement of private-sector partners across borders, particularly those operating critical infrastructure within Japan.
While questions remain about implementation and the scope of intelligence activities, the law underscores Japan’s commitment to building a resilient, proactive cybersecurity framework that aligns with global best practices while respecting domestic legal traditions. As the law’s provisions are phased in, Japan will be well positioned to strengthen its international cybersecurity partnerships.