Japan’s Active Cyber Defense Law: what businesses need to know
To address the growing threat of cyberattacks targeting government systems and critical infrastructure, Japan has enacted the Active Cyber Defense Law (“ACD”). The ACD is a landmark legislative framework that empowers both public and private sectors to proactively defend against cyber threats.
The law was enacted on 16 May 2025 and will take full effect by 2027 through a phased implementation.
The ACD has the following four strategic pillars:
1. Strengthening public-private collaboration
It aims for stronger cooperation between government and private entities, including (i) information sharing and analysis and (ii) coordinated vulnerability response.
2. Use of communication data
It grants the government authority to collect and analyze communication data under certain conditions to detect and respond to cyber threats.
3. Access and neutralization
It authorizes the government to access and neutralize attacker infrastructure, including servers used for cyberattacks.
4. Organizational and structural readiness
It establishes new governance structures and protocols to support national cyber defense capabilities.
Of these, pillars 1 and 2 are likely to have the most significant impact on private businesses.
