
Cybersecurity · Japan


Comprehensive law: Basic Act on Cybersecurity (Act No. 104 of 2014), supplemented by the Active Cyber Defense Act (enacted May 2025); coordinated by the National Cybersecurity Office (NCO) under the National Cyber Director. Personal-data breach duties sit in the Act on the Protection of Personal Information (APPI), enforced by the Personal Information Protection Commission (PPC).

Japan operates a comprehensive cybersecurity regime anchored by the 2014 Basic Act on Cybersecurity, which sets national policy, defines government roles, and mandates a periodic Cybersecurity Strategy (latest issued December 2025). In May 2025 Japan enacted the Active Cyber Defense Act, a major shift from passive to active defense that adds public-private collaboration, government monitoring of certain communications data, and incident-reporting/notification duties for designated critical-infrastructure operators (phasing in by late 2026/2027). Mandatory personal-data breach reporting to the PPC has applied since the 2022 APPI amendments, alongside sector-specific rules from regulators such as the FSA.

Foundational law

The Basic Act on Cybersecurity (2014) establishes Japan's basic cybersecurity policy, clarifies the responsibilities of national/local government and operators, and requires formulation of a national Cybersecurity Strategy.

Active Cyber Defense Act (2025)

Enacted 16 May 2025, the ACDA moves Japan from passive to active defense via four pillars: public-private collaboration, monitoring of communications data, counter-access to attack sources, and neutralization by authorities; provisions phase in through 2027.

National authority (NCO)

Following the May 2025 legislation, NISC was reorganized into the National Cybersecurity Office (NCO), headed by a National Cyber Director, established in July 2025 as the central coordinating body.

Personal-data breach reporting (APPI)

Since the April 2022 APPI amendments, operators must report qualifying breaches (sensitive data, risk of property harm, malicious/cyberattack cause, or >1,000 affected individuals) to the PPC and notify affected individuals — a prompt preliminary report (typically 3-5 days) plus a final report within 30 days (60 for malicious cases).

Critical-infrastructure incident reporting

The ACDA introduces an incident-reporting obligation for designated essential-infrastructure providers and advance notification when deploying specified critical computers; this regime is set to take effect on or before November 2026.

Sector-specific rules (finance)

The Financial Services Agency's Comprehensive Guidelines for Supervision of Major Banks require banks to report cybersecurity incidents immediately upon becoming aware, including damage summary, remediation, user/public notification, and preventive measures; METI/IPA issue cross-sector management guidelines.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.