Simuna Infosec
Compliance | 2026-06-20

Active Cyber Defense Law (ACD Law): What Enterprises Need to Know

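An accurate explanation of the phased implementation of the Active Cyber Defense Law, enacted in May 2025, and its impact on critical infrastructure operators.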

Japan's Active Cyber Defense Law represents one of the most significant shifts in the country's cybersecurity posture in decades. For enterprises operating in Japan — particularly those in critical infrastructure sectors — understanding what the law actually requires, and when, is essential. This article presents only verified facts about the legislation.

When the Law Was Enacted

The Active Cyber Defense Law (also referred to as the Cyber Response Capability Enhancement Act) was passed by Japan's National Diet on May 16, 2025. It is already enacted law — not a pending bill. However, it follows a phased implementation and is expected to take full effect by 2027.

This phasing is important for enterprises planning their compliance timelines. The law does not impose all of its obligations at once.

The Four Pillars

The legislation is structured around four pillars: strengthened public-private cooperation, use of internet communications data for threat detection, access and neutralization measures against attack sources, and organizational restructuring of Japan's cybersecurity institutions.

As part of the organizational restructuring, Japan's National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was restructured and enhanced to become the National Cybersecurity Office (NCO) in July 2025.

Who Must Comply

The obligations with the most significant impact on private businesses fall on Critical Infrastructure Operators and entities designated under the Economic Security Promotion Act. This includes business operators providing essential infrastructure services across 15 sectors — among them electricity, gas, telecommunications, and finance. Manufacturers, importers, distributors, and providers of computers or programs embedded in and used as part of critical systems are also within scope.

The November 2026 Incident Reporting Obligation

One specific obligation has a defined near-term deadline: the incident reporting obligation applicable to specified essential infrastructure providers is set to take effect in or before November 2026. Enterprises in scope should ensure they have the detection, assessment, and reporting capabilities in place ahead of this date.

What This Means for Security Testing

While the Active Cyber Defense Law focuses on national defense capabilities and incident reporting rather than prescribing specific penetration testing requirements, the broader regulatory environment it creates raises the bar for demonstrable cybersecurity resilience among critical infrastructure operators. Organizations preparing for the incident reporting obligation benefit from understanding their actual vulnerability exposure through expert-led security assessment — knowing where you are exposed is the foundation of being able to detect and report incidents accurately.

How Simuna Infosec Helps

Our human-led VAPT methodology helps critical infrastructure operators in Japan understand their real attack surface before incidents occur. We have experience securing the infrastructure of a global precision-technology manufacturer with operations across Japan. For organizations navigating the phased implementation of the Active Cyber Defense Law, we provide the security assessment foundation needed to build genuine cyber resilience.

*This article reflects publicly available information as of mid-2026. Regulatory details evolve; consult qualified legal counsel for compliance decisions.*