Japan's approach to securing critical infrastructure has intensified considerably with the Active Cyber Defense Law and related reforms. For operators in designated sectors, understanding the scope of obligations is essential. This article presents only verified facts.
The 15 Critical Infrastructure Sectors
Under the framework connected to the Economic Security Promotion Act, entities providing essential infrastructure services across 15 sectors are subject to enhanced cybersecurity obligations. These sectors include electricity, gas, telecommunications, and finance, among others. The designation captures the operators whose disruption would have the most serious consequences for national functions.
The Shift from Passive to Active Defense
Japan's cybersecurity approach has historically been described as "passive" — relying on defensive measures such as firewalls and antivirus confined to the networks of targeted parties. The Active Cyber Defense Law, enacted in May 2025, marks a deliberate shift toward proactive, anticipatory defense at the national level.
For critical infrastructure operators, this national shift translates into greater expectations around incident detection, reporting, and cooperation with government bodies. The Basic Act on Cybersecurity already obligates critical infrastructure operators to make efforts to voluntarily and proactively enhance cybersecurity and to cooperate with national and local governments.
The Human Resources Challenge
One widely acknowledged obstacle to implementing active cyber defense in Japan is the shortage of cybersecurity experts. This shortage affects both government and private sectors and underscores the value of specialized external security expertise for organizations that cannot build large in-house offensive security teams.
What Critical Infrastructure Operators Should Do
Operators in the designated sectors should: understand whether they fall within the scope of the incident reporting obligation taking effect in or before November 2026; assess their actual security posture through expert-led testing; ensure they have the detection and reporting capabilities the evolving framework expects; and document their security measures as evidence of proactive compliance.
How Simuna Infosec Helps
Our human-led VAPT methodology directly addresses the expert-shortage challenge — providing critical infrastructure operators access to certified offensive security specialists without the need to build and retain a large internal team. We help operators in telecommunications, finance, and other critical sectors understand their real exposure and build the security foundation that Japan's evolving regulatory environment increasingly requires.
*This article reflects publicly available information as of mid-2026. Regulatory details evolve; consult qualified legal counsel for compliance decisions.*