The Takeaway
On May 16, 2025, Japan enacted a sweeping new cybersecurity law authorizing the government to take pre-emptive action against digital threats from foreign actors, such as server-based malware campaigns and co-ordinated ransomware attacks — a sharp shift from its historically passive approach to responding to cyber incidents. The law, described by government officials as a framework for “active cyber defence,” is seen by some as more offensive in nature, as it allows state agencies to detect and disrupt cyber threats before they materialize.
While the law is intended to strengthen national security and reassure allies, thereby boosting Japan’s global credibility, the legislation raises serious questions about oversight, the protection of civil liberties, and possible international repercussions.
In Brief
- The Active Cyber Defense Law, which will become operational in 2027, will enable Japan’s police and Self-Defense Forces (i.e. the country’s military) to legally access and disable foreign servers identified as staging grounds for cyberattacks. It will identify these threats based on metadata such as IP addresses and traffic patterns collected from cross-border internet activity, rather than from the content of the communications.
- The law emerged in response to a sharp rise in cyber threats and attacks, including the 2023 breach of Japan’s National Center of Incident Readiness and Strategy for Cybersecurity by suspected Chinese actors, and a 2025 incident involving C$2.7 billion in unauthorized trades through hacked financial platforms. Other recent high-profile attacks include the Japan Airlines system outage in 2024 and the Tokushima hospital ransomware incident in 2022.
- To safeguard privacy rights, a new independent oversight body, tentatively named the Cyber Communications Oversight Commission, must approve or review any relevant actions.
- As part of its justification for passing the new law, Japan has cited countries such as Australia, Canada, Germany, the U.K., and the U.S., which have established comparable legal frameworks for neutralizing hostile foreign servers and analyzing cross-border communications.
Implications
This law departs from Japan’s traditionally reactive approach to cybersecurity. Not only is it the first legal framework authorizing the Japanese government to take countermeasures before actual harm occurs, but it also redefines cyberspace not merely as a space for espionage and criminal activity, but as a strategic frontier where national security, critical infrastructure, and civilian protection must be proactively defended. This shift signals Japan’s recognition that anticipating and neutralizing threats before they manifest is a core requirement of modern statecraft.
Critics say the law could infringe on Article 21 of the Japanese constitution, which guarantees the privacy of communications. Critics also question how far the government could go in analyzing digital traces — such as IP addresses, access logs, and connection patterns — before such metadata becomes functionally equivalent to personal information. While the law explicitly prohibits monitoring the content of domestic communications and limits analysis to metadata from cross-border traffic, the line between metadata and identifiable information is becoming increasingly blurred, especially with the use of artificial intelligence-driven pattern recognition. The government has announced that it will protect civil liberties by establishing a Cyber Communications Oversight Commission to review and authorize operations; however, the effectiveness and independence of this body is unclear, especially if authorities are granted greater discretion to act pre-emptively.
Japan’s new cybersecurity approach raises delicate questions about extraterritorial sovereignty and cyber norms. If the servers targeted by the new law are located in countries such as China or Russia, for example, even limited defensive actions could trigger diplomatic backlash or escalate into a broader conflict in cyberspace. Whether the reconfiguration of Japan’s security posture for the digital era strengthens deterrence or exacerbates geopolitical frictions will depend on how Tokyo navigates legal grey zones and manages sensitive cross-border dynamics.
What's Next
1. Industry adaptation, growing demand for cyber talent
Key digital infrastructure providers in Japan will need to meet expanded reporting obligations. The Ministry of Economy, Trade and Industry has launched new funding initiatives and procurement reforms to support local cybersecurity firms, aiming to grow the sector from C$8.7 billion (900 billion yen) to over C$28.9 billion (3 trillion yen) within a decade. However, Japan’s cybersecurity capacity has long been dependent on foreign vendors, and its chronic shortage of cyber talent could create a bottleneck. Scaling up a skilled workforce — especially for defensive AI and threat assessment — will be essential to realizing the goals of the new law.
2. Opportunities, challenges for Canada-Japan collaboration
Like Japan, Canada is also prioritizing the protection of digital infrastructure and data flows. As such, Ottawa can expand its role as a policy and technology partner through joint cyber exercises, cybersecurity research collaboration, information-sharing agreements, and public-private initiatives with Japan. However, Japan’s push for digital self-reliance may be an obstacle for foreign vendors and talent partners, as its procurement and research and development efforts increasingly favour domestic cybersecurity firms.
• Edited by Erin Williams, Senior Program Manager, Vina Nadjibulla, Vice-President Research & Strategy, and Ted Fraser, Senior Editor, APF Canada
