The Active Cyber Defense Law — Japan’s National Security Enters a New Dimension
Why “Active Defense” Now? — The Background and Strategic Shift Behind the New Law

On May 16, 2025, Japan’s National Diet passed the Cyber Response Capability Enhancement Act, widely known as the Active Cyber Defense Law (ACD Law).
This marks a historic transformation in Japan’s cybersecurity and national defense posture—from a traditionally passive “defensive-only” approach to one that incorporates proactive, preemptive measures.
The law’s emergence was not sudden. It was a strategic necessity, driven by the qualitative evolution of cyber threats in Japan’s security environment.
Whereas earlier cyberattacks primarily sought data theft and espionage, modern attacks increasingly aim to disrupt critical infrastructure and paralyze national functions.
The 2015 Japan Pension Service data breach was focused on stealing personal information, but recent incidents—such as the ransomware attack that shut down Nagoya Port’s container terminals—have revealed far more destructive potential.
Attacks targeting aviation, finance, and healthcare systems have multiplied, and many are believed to originate from state-backed organizations rather than mere criminal groups. These threats have thus evolved into matters of national security, not just law enforcement.
Traditional cybersecurity, focused on defending organizational perimeters, has reached its limits—akin to a castle under siege, endlessly fortifying its walls.
Modern threats, designed to infiltrate and disable systems from within, demand a new strategy: Active Cyber Defense (ACD).
This approach involves detecting attack indicators early and neutralizing the source before damage occurs—a decisive shift from reactive defense to proactive prevention.
Japan formally adopted this change in the 2022 National Security Strategy, which declared the goal of developing cyber capabilities “on par with or surpassing those of major Western nations” and explicitly endorsed active defense.
The move was also strongly backed by the business sector, which recognized cyberattacks as a direct risk to economic stability and corporate operations.
Thus, the ACD Law reflects both national security imperatives and economic demands for resilience.
It also expands the interpretation of Japan’s “exclusively defensive defense” principle to cyberspace.
By allowing measures that neutralize threats before an attack—potentially through accessing or disabling hostile servers—the law blurs the line between defense and preemption.
Critics argue this verges on offensive action, making the law a watershed moment not just in policy, but in Japan’s postwar security philosophy itself.
The Four Pillars of the Law — Public-Private Integration and New Government Powers
The ACD Law restructures Japan’s cyber defense system around four key pillars, creating a unified, centralized national framework that transcends the old siloed bureaucracy.
1. Strengthening Public-Private Collaboration
Recognizing that cyber defense cannot rely on government alone, the law mandates cooperation with private industry.
Fifteen sectors of critical infrastructure—including energy, finance, and transportation—are now legally obligated to report cyber incidents or early signs of intrusion to the government.
They must also notify authorities before introducing new core IT systems, with penalties for noncompliance.
A new Cybersecurity Council will facilitate information sharing between the government, major corporations, and SMEs within supply chains, forming an integrated ecosystem against cyber threats.
2. Utilization of Telecommunications Data
The government is now authorized to analyze communication metadata provided by telecom operators to detect potential attacks in advance.
Importantly, this excludes the content of communications and applies only to international traffic, where either the sender or receiver is located overseas.
This ensures that domestic communications remain off-limits to government monitoring.
3. Access and Neutralization Measures
The law’s most “active” and controversial provision allows law enforcement and the Self-Defense Forces to access and neutralize attack sources, both domestic and foreign, when facing imminent cyber threats of national significance.
Permitted actions include deleting malicious code or altering configurations to block attackers’ access—explicitly excluding any physical destruction of infrastructure.
4. Organizational Reform
The existing National Center of Incident Readiness and Strategy for Cybersecurity (NISC) will be reorganized into a more powerful entity: the National Cyber Operations Office (NCO).
The NCO will act as Japan’s central “command hub,” coordinating cyber defense policy across ministries and leading public-private cooperation with enhanced authority.
Together, these four pillars form an integrated defense architecture: the NCO acts as the “brain,” critical infrastructure operators as the “sensors,” metadata analysis as the “intelligence unit,” and the police and SDF as the “operational forces.”
Yet this new partnership carries dual implications of cooperation and coercion.
While envisioned as an “ecosystem” where society unites against cyber threats, companies may remain reluctant to disclose incidents due to reputational risk.
Mandatory reporting with penalties enhances government visibility but could lead to formalistic compliance rather than genuine collaboration.
Ultimately, the system’s success will depend on trust—whether the government can provide valuable feedback and foster reciprocal transparency with the private sector.
Privacy and Sovereignty — Constitutional and International Legal Challenges
Because of its sweeping powers, the ACD Law raises profound questions about constitutional rights and international law, centering on two issues: the right to privacy in communications and respect for state sovereignty.
1. “Secrecy of Communications” under Article 21 of the Constitution
Legal experts, including the Japan Federation of Bar Associations, warn that government analysis of telecommunications data could lead to mass surveillance.
Even if limited to metadata, large-scale aggregation and pattern analysis could reveal individuals’ associations or beliefs, chilling free expression and political dissent.
The government counters that such restrictions are justified under the “public welfare” clause and cites two safeguards: limiting surveillance to international metadata, and requiring approval from an independent oversight body, the Cyber Communications Information Oversight Commission.
However, critics question the true independence and transparency of this commission, fearing potential overreach.
This conflict reflects a deeper issue — a trust deficit between state power and civil liberties, rather than a mere legal debate.
2. State Sovereignty and Cross-Border Operations
The “access and neutralization” provisions raise significant international law concerns.
If an attack source resides abroad, Japan’s unilateral action to infiltrate and modify foreign servers could be viewed as a violation of sovereignty.
Countries like China maintain that any unauthorized access to domestic ICT systems constitutes such a breach.
Japan justifies these measures under countermeasures and necessity doctrines in international law, claiming legality in cases of imminent, existential threat.
Yet the thresholds are high, and misinterpretation by other states could lead to retaliation or escalation.
The law effectively gives Japan capabilities similar to the U.S. “Defend Forward” doctrine—enabling proactive cyber operations alongside allies—but it also places Japan in a geopolitical gray zone.
While legally empowered, actual use of these capabilities will face intense political and constitutional constraints.
Thus, the law both enhances Japan’s strategic credibility and imposes new dilemmas on future governments about when and how to act.
Challenges and Outlook — The Road Ahead for Japan’s Cybersecurity

The passage of the ACD Law marks not an endpoint, but the beginning of Japan’s next cybersecurity challenge.
Turning this ambitious framework into an operational reality will require overcoming severe obstacles.
The most urgent issue is a shortage of skilled personnel.
Japan lacks tens of thousands of cybersecurity experts capable of handling advanced threats, conducting forensic analysis, and enforcing the new legal framework.
Estimates suggest a shortfall of around 170,000 professionals across government and industry.
Without qualified experts—“the software” driving the legal “hardware”—even the best laws risk becoming hollow.
Worse, insufficient expertise could lead to misuse or overreach of powerful authorities.
While the government is expanding cyber units within the Defense Ministry and promoting university-level training, Japan must also develop a public-private talent exchange system, fostering a sustainable, ethical, and capable workforce.
Technological dependency poses another structural risk.
Japan’s cybersecurity tools and threat intelligence platforms are heavily reliant on foreign vendors, leaving the nation vulnerable to supply chain disruptions during crises.
Building a domestic technology ecosystem for cyber defense, ensuring autonomy and resilience, is a long-term strategic goal.
The law is set for full implementation around 2027, with a mandatory three-year review clause to ensure adaptability to changing threats and technologies.
Rather than a fixed solution, the ACD Law should be viewed as a catalyst—a mechanism to continuously evolve Japan’s security posture in the digital age.
Through this legislation, Japan steps onto the global stage not merely as a victim of cyberattacks, but as an active defender capable of shaping cyberspace norms.
This will deepen cooperation with allies like the U.S., but will also intensify domestic debates over privacy, legality, and proportionality.
The true question now is not simply how Japan defends itself—but what kind of nation it chooses to become in the cyber era.
The passage of this law marks the start of a long, complex journey toward that answer.