Cybersecurity 2026 Comparisons

The Basic Act on Cybersecurity is Japan’s fundamental law on cybersecurity, and the Act on the Protection of Personal Information (APPI) is the country’s principal data protection law. On 16 May 2025, the Cyber Response Capabilities Enhancement Act and an Act to Amend the Related Laws (the “Active Cyber Defence Acts”), which enhance active cyberdefence, were approved for the government to proactively respond to the increasing threat posed by cyber-attacks.

Pursuant to the APPI, personal data breaches are subject to mandatory reporting and notification requirements – see 2.3 Incident Response and Notification Obligations. 

The Active Cyber Defence Acts establish a framework for public-private collaboration in cybersecurity, permit the use of communications information for cybersecurity, and authorise access to attackers’ servers for the purpose of neutralisation. The Unfair Competition Prevention Act prohibits the infringement of trade secrets, and the Act on Prohibition of Unauthorised Computer Access outlaws unauthorised computer access. The Penal Code also includes penalties for some cybersecurity crimes. The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications.

Japan does not have specific regulations for secure software development.

For more details on the laws cited above and other relevant laws, see 1.2 Cybersecurity Laws.

The Basic Act on Cybersecurity regulates the responsibility of the national and local governments for cybersecurity (Articles 4 and 5). It also stipulates the obligation of critical information infrastructure operators, cyberspace-related business providers, and research institutions such as universities (Articles 6, 7 and 8) to exert efforts to ensure cybersecurity.

The APPI, Japan’s principal data protection law, provides the basic principles for the government’s regulatory policies and authority, as well as requirements for private business operators who handle personal information (“handling operators”).

Another important law is the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (the “My Number Act”), which stipulates special rules for “My Number”– a 12-digit individual number assigned to each resident of Japan.

The Active Cyber Defence Acts aim to enable the government to respond proactively to the growing threat of cyber-attacks. They consist of four pillars:

• public-private collaboration;
• the use of communications information by the government;
• government access to attackers’ servers and the neutralisation of cyberthreats; and
• the development of organisational and institutional frameworks.

Private-sector entities directly affected by the Active Cyber Defence Acts include critical infrastructure operators (see 2.1 Scope of Critical Infrastructure Cybersecurity Regulation), businesses related to systems used by critical infrastructure operators, telecommunications carriers, and IT vendors.

In addition to the regulatory framework applicable under the Economic Security Promotion Act (see 2.2 Critical Infrastructure Cybersecurity Requirements), critical infrastructure operators are subject to obligations to submit notifications upon the introduction of specified critical computers that could affect core systems in the event of a cybersecurity breach, as well as obligations to report security incidents when they become aware of such incidents. They may also be requested by the government to engage in consultations towards the conclusion of agreements concerning the sharing of communications information, and to co-operate by participating as members of government-established councils.

Telecommunications carriers may be required to take measures to provide specified communications data in response to requests from the government.

IT vendors may be required to implement damage prevention measures and to submit reports or materials concerning vulnerabilities related to hardware designated as specified critical computers by critical infrastructure operators, as well as programmes incorporated therein. In addition, they may be required to co-operate with critical infrastructure operators to enable them to properly fulfil their obligations to report security incidents. The jourei, or ordinances, enacted by local governments contain public-sector obligations.

The Unfair Competition Prevention Act prohibits the infringement of trade secrets and provides for causes of actions in civil cases, such as compensation for damages and injunctive relief, as well as criminal sanctions. Data used in services that are accumulated to a significant extent and managed by electronic or magnetic means and shared with limited specific persons are protected as “limited provision data”. Unauthorised acquisition or utilisation of data for limited provision may be deemed to be unfair competition, which is subject to compensation for damages and injunctive relief but not criminal sanctions.

The Act on the Prohibition on Unauthorised Computer Access outlaws:

• the use of another person’s identification codes (eg, passwords) to access remote computers via telecommunications networks;
• inputting information (excluding identification codes) or commands to evade access restrictions on remote computers via telecommunications networks;
• obtaining, supplying or storing someone else’s identification codes without legitimate reason (Articles 3, 4, 5 and 6); and
• phishing or creating a false impression of being a network administrator and requesting identification codes (Article 7).

The Penal Code prohibits:

• the creation of false electromagnetic records that are related to rights, duties or the certification of facts (Article 161-2);
• fraud by using computers (Article 246-2);
• the destruction of electromagnetic records in use by a public office or concerning private rights or duties (Articles 258 and 259);
• the obstruction of business by damaging computers or electromagnetic records or causing them to operate counter to their original purpose (Article 234-2); and
• the creation, provision, acquisition or storage of computer viruses (Articles 168-2 and 168-3).

The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications (Article 41.6(iii)) and to report serious breaches to the Ministry of Internal Affairs and Communications (MIC).

The Instalment Sales Act requires businesses handling credit card numbers to take necessary and appropriate measures to prevent the leakage, loss or damage of or to those credit card numbers (Article 35-16).

The Payment Services Act requires prepaid payment instrument issuers, funds transfer service providers, and virtual currency exchange service providers to take necessary and appropriate measures to prevent the leakage, loss or damage of or to information pertaining to their respective businesses (Articles 21, 49 and 63-8).

Sector-specific regulators impose additional information security obligations on some industries including the financial and healthcare sectors. For the financial sector, the Financial Services Agency (FSA) has issued the Comprehensive Guidelines for the Supervision of Major Banks, etc, which provide for cybersecurity obligations of financial institutions. For details on cybersecurity guidelines in finance, see 3. Operational Resilience in the Financial Sector. As for the healthcare industry, an enforcement order on the Medical Care Act requires hospitals, clinics and birthing centres to take appropriate steps to ensure cybersecurity (Article 14.2) and an enforcement order of the Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices also requests pharmacies to do the same (Article 11.2). Further, various ministries have issued other relevant guidelines:

• the Ministry of Health, Labour and Welfare (MHLW) issued the Guidelines on Safety Management of Medical Information Systems (last amended in May 2023);
• the Ministry of Economy, Trade and Industry (METI) and MIC jointly issued the Guidelines on Safety Management for Providers of Information Systems and Services Handling Medical Information (last amended in July 2023);
• MIC published comprehensive measures for the security of the internet of things (IoT) (July 2016); and
• MIC published guidelines on the application of the Telecommunications Business Act to reports of serious accidents (volume 7, December 2023).

The regulator tasked with enforcing and implementing the APPI is the Personal Information Protection Commission (PPC”, which has the following powers under the law:

• to require handling operators to report or submit materials regarding their handling of personal information (Article 146), which the APPI defines as information about living individuals that can identify specific individuals or contains what is referred to in the law as an “individual identification code” (Article 2.1);
• to enter a handling operator’s offices or other locations to investigate, make enquiries, or view records or other documents (Article 146);
• to provide guidance or advice to handling operators (Article 147);
• to recommend that handling operators cease any acts constituting a violation of the APPI and take other necessary measures to correct the violation (Article 148.1);
• to order handling operators to take necessary measures to implement the PPC’s recommendations and to rectify certain violations of the APPI (Articles 148.2 and 148.3); and
• when the PPC issues orders pursuant to Articles 148.2 and 148.3, and handling operators violate the order, the PPC may publicly announce the violation (Article 148.4).

The National Police Agency and the Public Prosecutors Office are responsible for the criminal investigation and prosecution of cybercrimes.

Among the non-regulatory government authorities that are also directly involved with cybersecurity, the Information-technology Promotion Agency of Japan (IPA) and the National Cybersecurity Office (NCO) are particularly notable. The NCO was formerly known as the National Center for Incident Readiness and Strategy for Cybersecurity (NISC) and was established in July 2025 as its enhanced successor. The IPA regularly publishes important guidelines and provides information on cybersecurity. The more important guidelines include the Cybersecurity Management Guidelines for small and mid-sized companies on information security, and guidelines on preventing insider data breaches. The IPA also runs the J-CSIP (Initiative for Cybersecurity Information Sharing Partnership of Japan), which shares cybersecurity information of critical information infrastructure operators (ie, operators of businesses that provide infrastructure that is the foundation of people’s living conditions and economic activities, the functional failure or deterioration of which could have a highly significant impact on society).

The NCO’s responsibilities include:

• serving as the secretariat of the Cybersecurity Strategic Headquarters;
• monitoring and analysing unauthorised activities targeting information systems of administrative organs;
• providing necessary advice, information and other assistance, as well as conducting audits, to ensure cybersecurity; and
• carrying out comprehensive co-ordination concerning the assurance of cybersecurity.

The NCO was established in light of the enactment of the Active Cyber Defence Acts. For more on other regulators, refer to 1.1 Cybersecurity Regulation Strategy and 1.2 Cybersecurity Laws.

The Cybersecurity Policy for Critical Infrastructure Protection defines the following 15 sectors as critical information infrastructure:

• airports;
• aviation;
• chemical industry;
• credit cards;
• electric power supply;
• financial services;
• gas supply;
• information and communication;
• government and administration;
• logistics and shipping;
• medical;
• petroleum industry;
• ports and harbours;
• railways; and
• water supply.

The aforementioned cybersecurity policy also encourages critical information infrastructure operators to periodically assess their progress in implementing security measures and policies.

Under the APPI, handling operators not limited to critical infrastructure must take necessary and appropriate action for security control over the personal data that they handle, including preventing the leakage, loss or damage of or to personal data (Article 23).

The PPC is the regulator primarily responsible for the APPI and the My Number Act; it has published guidelines for the handling of personal information (the “PPC Guidelines”).

The PPC Guidelines provide examples of these handling measures, such as establishing and implementing basic policies, internal rules, and organisational, personal and technical security measures, as well as understanding of the external environment. “Understanding of the external environment” is a security measure, newly introduced by the amendments to the Guidelines, which requires handling operators who process personal data in foreign countries to understand the local legal systems for personal information protection and, taking into consideration those legal systems, to take necessary and appropriate measures to ensure the security of personal data. Effective since April 2024, the PPC Guidelines also require handling operators to take security control over personal information that is collected and expected to be treated as personal data to prevent cyber-attackers from intercepting it on the operators’ behalf.

According to the APPI, when a handling operator allows its employees to handle personal data, it must exercise necessary and appropriate supervision over the employees to ensure security control over the personal data (Article 24). The APPI also requires handling operators to ensure that the entities to whom they have entrusted the handling of personal data (eg, third-party vendors) take appropriate measures to ensure security control over the personal data (Article 25).

Under the Economic Security Promotion Act, important critical infrastructure businesses are individually designated by the competent ministry as Specified Essential Infrastructure Service Providers. They are required to take measures to reduce or eliminate risk factors among parties involved in the supply chain. Some of the requirements include establishing measures to:

• prevent unauthorised changes to specified critical facilities;
• prevent service interruptions;
• confirm any legal or contractual violations by parties involved in the supply chain; and
• prevent unintended changes by subcontractors.

On 16 May 2025, the Act on the Protection of Economic Security Information took effect, introducing a security clearance system under which information designated by the government as important to national security, including information concerning critical infrastructure and supply chains of critical goods, may be handled only by persons who require access to it and whose reliability has been confirmed.

The Cybersecurity Policy for Critical Infrastructure Protection provides for the reporting obligations of critical information infrastructure operators in the following instances:

• if there is a legal reporting requirement by law or regulation;
• if the operator has determined that an incident has had a serious impact on people’s lives or the operator’s services and that information must be shared; and
• in other cases where the operator has determined that information must be shared.

Definition of Data Security Incident, Breach or Cybersecurity Event

The APPI stipulates mandatory obligations to report data breach incidents to the PPC and to notify affected data subjects in cases where their rights or interests are likely to be infringed (Article 26). The PPC Ordinance defines a data security incident or breach as the actual or possible occurrence of the leakage, loss or damage of or to personal data. The details of the requirements are discussed below.

There is also a special rule for “My Number” under the My Number Act. There is no general regulation to impose a mandatory reporting obligation for cybersecurity events that do not involve a personal data breach. However, there are various regulations generally mandating certain types of service providers to report all incidents affecting their services to the authorities. This reporting obligation also covers cases where service failure results from a cyber-attack.

For example, under the Telecommunications Business Act, if an incident occurs and causes the suspension or deterioration of the quality of services for more than the prescribed number of hours and affects a certain number of users specified by the relevant ordinance, the telecommunications business operator must report the incident to MIC. Furthermore, MIC has the authority to issue orders to improve the business practices of licensed telecommunications service providers. Another example is financial institutions; many laws regulating financial sectors oblige them to report material service failure to the authorities.

Data Elements Covered

Breach of data security is applicable to personal data. The APPI defines personal data as personal information that is contained in a personal information database (Article 16.3), which is a collection of information (including personal information) that is systematically organised to enable a computer or some other means to search for particular personal information. However, this term excludes the collection of information that a cabinet order indicates as having little possibility of harming an individual’s rights or interests considering how that collection uses personal information (Article 16.4). Examples of collections of information that are excluded from this definition include commercially available telephone directories or car navigation systems.

The PPC Ordinance prescribes that a mandatory data breach report is required if a data breach includes personal data (excluding advanced encryption or other measures that are necessary to protect the rights and interests of the individual):

• containing “special care-required personal information”;
• that is likely to cause property damage if used inappropriately;
• that is likely to have been committed for an improper purpose (effective since April 2024, personal information that is already or will be collected and expected to be treated as personal data is also included in this requirement); or
• of more than 1,000 individuals.

Special care-required personal information is defined as personal information comprising a data principal’s race, creed, social status, medical history, criminal record, the fact of having been a victim of a crime, or other descriptions that may be prescribed by a cabinet order as requiring special care in handling so as not to cause unfair discrimination, prejudice or other disadvantages to the data subject (Article 2.3).

Governmental authorities that have specific jurisdiction over some of the 15 critical information infrastructure sectors have issued specific guidelines, described below, concerning cybersecurity.

For the healthcare industry, see 6.3 Cybersecurity in the Healthcare Sector. For the financial industry, see 3 Operational Resilience in the Financial Sector.

The Ministry of Land, Infrastructure, Transport and Tourism (MLIT) has issued:

• Safety Guidelines for Ensuring Information Security for Air Transport Operators for aviation services;
• Safety Guidelines for Ensuring Information Security in the Airport Sector for airport services;
• Safety Guidelines for Ensuring Information Security for Railway Operators for railway services;
• Safety Guidelines for Ensuring Information Security for the Logistics Sector for logistics services (motor vehicle transportation);
• Safety Guidelines for Ensuring Information Security for the Logistics Sector for logistics services (warehouse operations);
• Safety Guidelines for Ensuring Information Security for the Logistics Sector for logistics services (ship operations);
• Safety Guidelines for Ensuring Information Security for the Logistics Sector for water supply services; and
• Safety Guidelines for Ensuring Information Security for the Logistics Sector for ports and harbours.

The MLIT also issues information security countermeasure checklists for railway services, bus services, bus terminals, taxis, hotels, ferries, and airports and airport buildings.

The FSA issued the Comprehensive Guidelines for the Supervision of Major Banks, etc (the “SMB Comprehensive Guidelines”), which mention cybersecurity obligations, referring to the Guidelines on Cybersecurity for the Finance Sector (the “CSFS Guidelines”). The SMB Comprehensive Guidelines further include measures regarding operational resilience, which refers to the ability of financial institutions to continue to maintain the minimum level of their critical operations even in the event of a system failure, terrorist attack, cyber-attack, infectious disease, natural disaster, or other event. The SMB Comprehensive Guidelines specify the actions to be taken by boards of directors and the authorities’ regulations to achieve operational resilience.

These Guidelines do not have any extraterritorial scope of applicability.

On 8 December 2025, a draft amendment to the SMB Comprehensive Guidelines was released, and public comments were invited until 13 January 2026. The amendment aims to strengthen measures to address cyber-risks related to online banking services and includes additional details on recommended fraud prevention measures, such as implementation of phishing-resistant multi-factor authentication.

Not limited to the financial sector, when a handling operator entrusts personal data, it must exercise the necessary and appropriate supervision over the entrusted person to ensure security control over the entrusted personal data (Article 25 of the APPI). Handling operators must supervise the entrustees to ensure that the same levels of security control are taken as those imposed on the operators under the APPI.

If a handling operator uses cloud services, this may not be considered as entrustment and therefore the above-mentioned obligation under Article 25 of the APPI may not apply. Instead, businesses that use cloud services must still take appropriate security control over the personal data stored in cloud services as part of their own duties.

The APPI does not provide for data portability rights.

The SMB Comprehensive Guidelines require businesses to report to the authorities when they become aware of a computer system failure or a cybersecurity incident, when they are recovering from such incidents, and when they have identified the cause of an incident. Where the business detects that a cyber-attack will or is highly likely to have an impact on customers or business, a report is required even if a system failure or incident does not occur. For details on the SMB Comprehensive Guidelines, see 3.1 Scope of Financial Sector Operational Resilience Regulation.

The FSA may impose administrative disposition on financial businesses that have violated or may be at risk of violating laws or regulations. Such disposition includes on-site inspections and orders to improve business operations.

For offshoring, please note that there are special restrictions on the transfer of personal data to foreign countries. In principle, the APPI requires the transferor to obtain the prior consent of individuals whose personal data will be transferred to third parties located in foreign countries (Article 28). In other words, overseas transfer restrictions will apply if a foreign company transfers user data to another company outside Japan. Conversely, if it transfers user data to a company in Japan, these overseas transfer restrictions will not apply. The overseas transfer restrictions apply even where outsourcing would otherwise qualify as an exception to local third-party data transfer restrictions.

The data subjects’ consent to overseas data transfers is not necessary if the following apply:

• the foreign country is designated by the PPC as a country with a data protection regime with a level of protection equivalent to that of Japan (only EEA member countries and the UK have been designated to date);
• the third-party recipient has an equivalent system of data protection that meets the standards prescribed by the ordinance issued by the PPC (the “PPC Ordinance”) – ie, either of the following:
1. there is assurance, by appropriate and reasonable methodologies, that the recipient will treat the disclosed personal data in accordance with the spirit of the requirements on handling personal data under the APPI; or
2. the recipient has been certified under an international arrangement, recognised by the PPC, regarding its system of handling personal data.

The implementation of the PPC Ordinance is set out in the PPC Guidelines, which provide that “appropriate and reasonable methodologies” include agreements between the data importer and exporter, or inter-group privacy rules, which ensure that the data importer will treat the disclosed personal data in accordance with the spirit of the APPI. With respect to PPC-recognised international frameworks, to date, the PPC Guidelines have identified only the APEC Cross Border Privacy Rules (CBPR) as a recognised international framework on the handling of personal data.

The CSFS Guidelines require that threat-led penetration testing be carried out on a regular basis.

There is no uniform legislation on cyber-resilience. Specific aspects of cyber-resilience are stipulated in each of the individual regulations.

Specific aspects of cyber-resilience are stipulated in each of the individual regulations.

The Labelling Scheme based on the Japan Cyber-Security Technical Assessment Requirements (JC-STAR) provides an evaluation index for the security functions of IoT products. This system is provided by the IPA, and its application began in March 2025.

Handling operators must establish appropriate safeguards to protect personal data (Article 23 of the APPI) and report data breaches to the PPC and, in cases where their rights or interests are likely to have been infringed, notify affected data subjects (Article 26 of the APPI).

MIC and METI published the AI Business Guidelines for AI developers, service providers and users in April 2024. These Guidelines urge businesses to invest in and implement robust security management throughout the entire AI lifecycle, including cybersecurity. They also suggest considering appropriate cyber-access controls.

On 25 December 2025, MIC published draft guidelines outlining technical measures to ensure AI security and prevent information leakage, as well as unintended changes to or shutdowns of AI systems caused by unauthorised operations. These guidelines apply to AI developers and service providers as defined in the AI Business Guidelines.

The MHLW issued the Guidelines on Safety Management of Medical Information Systems (last amended in May 2023). While the MHLW guidelines and an announcement issued by the Ministry in October 2018 indicate that medical service providers should report cybersecurity incidents to the authorities, no special rules have been issued for statutory data breach reporting or notification in this regard.

MIC and METI jointly issued the Guidelines on Safety Management for Providers of Information Systems and Services Handling Medical Information (last amended in July 2023).