Japan's Active Cyber Defense Act: What Businesses Need to Know (October 2026)

The Cyber Response Capability Enhancement Act (commonly called the Active Cyber Defense Act), scheduled for enforcement in October 2026, fundamentally strengthens Japan's national cybersecurity posture. It shifts from a reactive approach to proactive defense that aims to prevent attacks before they occur.

The act was passed during the 2025 ordinary Diet session and is scheduled for implementation within 18 months of promulgation.

Critical infrastructure operators (electricity, telecommunications, finance, transportation, healthcare) face new obligations:

• Mandatory incident reporting: Prompt government notification of significant cyberattacks
• Information sharing: Structured sharing of attack methods and vulnerability data
• Covered entities: Telecom carriers, power companies, banks, railways, medical institutions

The government gains authority to analyze communications metadata (IP addresses, connection destinations) to detect cyberattack indicators:

• Communications content is excluded (protecting constitutional secrecy of communications)
• Analysis limited to metadata only
• Monitored by the independent Cyber Communications Information Oversight Commission

The state gains authority to access and neutralize (e.g., remove malware from) attack-origin servers:

• Executed by police and Self-Defense Forces
• Requires prior review by an independent body
• Covers both domestic and foreign servers
• Post-hoc review permitted in emergencies

Even companies outside critical infrastructure should consider:

• Strengthening security against supply chain attacks
• Developing and regularly drilling incident response plans
• Meeting security requirements if partnering with critical infrastructure entities

No direct obligations are imposed on individuals. However, the government's use of communications metadata has prompted privacy discussions. Safeguards include independent oversight and the exclusion of communications content.