Cybersecurity regulation in Japan (2026)
Japan operates a comprehensive cybersecurity regime anchored by the 2014 Basic Act on Cybersecurity, which sets national policy, defines government roles, and mandates a periodic Cybersecurity Strategy (latest issued December 2025). In May 2025 Japan enacted the Active Cyber Defense Act (ACDA), a major shift from passive to active defense that adds public-private collaboration, government monitoring of certain communications data, and incident-reporting/notification duties for designated critical-infrastructure operators (phasing in by late 2026/2027). Mandatory personal-data breach reporting to the Personal Information Protection Commission (PPC) has applied since the 2022 amendments to the Act on the Protection of Personal Information (APPI), alongside sector-specific rules from regulators such as the Financial Services Agency (FSA).
Key points
The Basic Act on Cybersecurity (2014) establishes Japan's basic cybersecurity policy, clarifies the responsibilities of national/local government and operators, and requires formulation of a national Cybersecurity Strategy.
Enacted 16 May 2025, the ACDA moves Japan from passive to active defense via four pillars: public-private collaboration, monitoring of communications data, counter-access to attack sources, and neutralization by authorities; provisions phase in through 2027.
Following the May 2025 legislation, the National center of Incident readiness and Strategy for Cybersecurity (NISC) was reorganized into the National Cybersecurity Office (NCO), headed by a National Cyber Director, established in July 2025 as the central coordinating body.
Since the April 2022 APPI amendments, operators must report qualifying breaches (sensitive data, risk of property harm, malicious/cyberattack cause, or >1,000 affected individuals) to the PPC and notify affected individuals — a prompt preliminary report (typically 3-5 days) plus a final report within 30 days (60 for malicious cases).
The ACDA introduces an incident-reporting obligation for designated essential-infrastructure providers and advance notification when deploying specified critical computers; this regime is set to take effect on or before November 2026.
The Financial Services Agency's Comprehensive Guidelines for Supervision of Major Banks require banks to report cybersecurity incidents immediately upon becoming aware, including damage summary, remediation, user/public notification, and preventive measures; METI/IPA issue cross-sector management guidelines.
Timeline - major decisions & events
Japan's Cabinet adopted a new five-year cybersecurity strategy framing cyberattacks as a 'serious security threat' and committing to a state-led model coordinating police, the SDF, and the private sector to detect and respond to threats. Source: The Japan Times
Japan reorganized NISC into the National Cybersecurity Office, headed by a National Cyber Director, with enhanced staffing and elevated reporting to the prime minister—centralizing cross-government cyber policy ahead of active-defense implementation. Source: National Cybersecurity Office (NCO)
The Diet passed landmark legislation authorizing the government to monitor foreign-origin internet traffic and pre-emptively neutralize hostile cyber infrastructure abroad—a decisive shift from passive to active cyber defense, phasing in through 2026–2027. Source: Nippon.com
The BlackSuit ransomware group breached media giant Kadokawa, leaking roughly 254,000 individuals' data and crippling the Niconico platform; Kadokawa reportedly paid ~$3M yet data was still leaked, underscoring Japan's private-sector exposure. Source: Kadokawa Corporation
A LockBit 3.0 ransomware attack disabled the Nagoya Port Unified Terminal System, halting Japan's busiest cargo port (≈10% of national trade) for over two days and exposing critical-infrastructure OT vulnerabilities. Source: The Register
This law introduced prior government screening of critical equipment and outsourcing by designated essential-infrastructure operators (electricity, finance, telecoms, etc.), embedding supply-chain cybersecurity review into national economic security. Source: Japanese Law Translation (Govt of Japan)
The amended Act on the Protection of Personal Information made reporting to the Personal Information Protection Commission and notifying affected individuals mandatory for breaches involving cyberattacks, sensitive data, or 1,000+ records. Source: Japanese Law Translation (Govt of Japan)
The Cabinet approved Japan's third national strategy under the Basic Act, prioritizing a 'free, fair and secure cyberspace' and explicitly citing rising state-sponsored threats from China, Russia, and North Korea. Source: NISC / Govt of Japan
Amendments expanded coordination mechanisms, creating a Cybersecurity Council to facilitate public-private information sharing among government, critical-infrastructure operators, and experts. Source: U.S. Library of Congress
The Act took effect, establishing the Cybersecurity Strategic Headquarters and giving the renamed National center of Incident readiness and Strategy for Cybersecurity (NISC) statutory authority over national policy and government-wide defense. Source: Japanese Law Translation (Govt of Japan)
Japan passed its first dedicated cybersecurity law—the first among G7 nations—setting national principles, defining responsibilities of government and infrastructure operators, and mandating a national cybersecurity strategy. Source: U.S. Library of Congress
Act No. 128 of 1999 criminalized unauthorized access, obtaining/supplying others' login credentials, and related conduct—the foundational statute underpinning Japan's anti-hacking enforcement and access-control obligations. Source: Japanese Law Translation (Govt of Japan)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.