(Draft)

Since the adoption of ‘active cyber defence’(Noudouteki Cyber Bougyo) in the 2022 National Security Strategy, a bill on ‘active cyber defence,’ which has been the subject of much debate, has been announced and passed by Diet on May 16th,2025.

#I do not like the term “Active Cyber Defence Law” because the meaning of “Active Cyber Defence” depends on the context/American English or British English. Actually most Japanese cyber specialist thought it involves offensive cyber means when it was proposed in 2022.

The law is titled the ‘Cyber Response Capability Enhancement Bill and Related Measures Act.’

The official names are ‘Bill on Measures to Prevent Damage Caused by Unlawful Acts Against Important Electronic Computers’ and ‘Bill on Measures to Amend Related Laws in Connection with the Enforcement of the Act on Measures to Prevent Damage Caused by Unlawful Acts Against Important Electronic Computers.’

My blog on this topic is quite extensive, so for now, I will refer you to the entry titled ‘Active Cyber Defence – Recommendations for Improving Response Capabilities in the Field of Cyber Security (Part 1) – Strengthening Public-Private Partnerships.’(Japanese) I would like to examine the bill in detail.

1 Overview

1.1 Overview

The overview of this bill is available here.

• ‘Bill on the Prevention of Damage Caused by Unauthorised Acts Against Important Electronic Computers’ (New Law)
• ‘Bill on the implementation of Related Laws in Connection with the Enforcement of the Law on the Prevention of Damage Caused by Unauthorised Acts Against Important Electronic Computers’ (Implementation Law)

These two laws constitute the bill.

1.2 Explanatory Materials

The explanatory materials are available here. The contents are as follows:

• Background of the Discussion (page 3-4)
• About the Bill (page 5-22)

(The numbers correspond to the slide pages.)

This is quite extensive. In this area,

1. public-private collaboration
2. use of communication information
3. access and neutralisation measures
4. organisational and institutional reforms

and other areas have been addressed through the enactment of the legislation.

Regarding the provisions, Sections 1 and 2 are stipulated in the ‘Bill on the Prevention of Damage Caused by Unlawful Acts Against Important Electronic Computers (Cyber Response Capability Enhancement Bill),’ while Sections 3 and 4 are stipulated in the ‘Bill on the implementation of Related Laws in Connection with the Enforcement of the Law on the Prevention of Damage Caused by Unlawful Acts Against Important Electronic Computers (Cyber Response Capability Enhancement Law Implementation Bill).’

A diagram illustrating this is as follows.

 

We will examine the points of interest in each area.

2 ‘Bill on the Prevention of Damage Caused by Unlawful Acts Against Important Electronic Computers (Cyber Response Capability Enhancement Bill)’

We will examine the new law, the ‘Bill on the Prevention of Damage Caused by Unlawful Acts Against Important Electronic Computers (Cyber Response Capability Enhancement Bill).’ (here)

2.1 Purpose, etc.

The purpose of this law is to

This law is enacted in recognition of the increasing importance of ensuring the cybersecurity of important electronic computers of the state and other entities, given that the cybersecurity of such systems may be compromised due to the development of the Internet and other advanced information and communications networks, the advancement of information and communications technology, the complexification of the international situation, and other factors, thereby posing a risk of harming the safety of the state and its citizens or causing significant impacts on citizens’ lives or economic activities. The bill aims to:a system for reporting specific cyber incidents by designated social infrastructure operators, the acquisition of communication information to prevent damage caused by specific unauthorised acts in foreign communications targeting important electronic computers, the review and inspection of such communication information by the Cyber Communication Information Oversight Committee, and the provision of analysis results of such communication information, among other measures, with the aim of preventing damage caused by unauthorised acts targeting important electronic computers.

(Article 1). The diagram below illustrates this.

The definition (Article 2) of cybersecurity is the same as that in the Basic Act on Cybersecurity (Article 2, paragraph 1), so there should be no problem. ‘Important electronic computers’ are defined.

‘Important electronic computers’ means electronic computers that fall under any of the following items (omitted).

1  Electronic computers used by the following entities, where a breach of cybersecurity would result in damage to important information (i.e., special defence secrets as defined in Article 1, Paragraph 3 of the Law on the Protection of Secrets under the Japan-U.S. Mutual Defence Assistance Agreement, etc. (Law No. 166 of 1954), specific secrets as defined in Article 3, Paragraph 1 of the Law on the Protection of Specific Secrets (Law No. 108 of 2013),equipment, etc. secret as defined in Article 27, Paragraph 1 of the Law on Strengthening the Foundation for the Development and Production of Equipment, etc. Procured by the Ministry of Defense (Act No. 54 of 2023), or important economic security information as defined in Article 3, Paragraph 1 of the Law on the Protection and Utilisation of Important Economic Security Information (Act No. 27 of 2024). The same applies in Item 3.)(excluding those falling under the next item)

(a) Agencies established under the provisions of laws and placed under the Cabinet, agencies placed under the jurisdiction of the Cabinet, the Imperial Household Agency, agencies specified in Article 49, Paragraph 1 or 2 of the Cabinet Office Establishment Act (Act No. 89 of 1999), agencies specified in Article 3, Paragraph 2 of the National Administrative Organisation Act (Act No. 120 of 1948), the Audit Bureau, or agencies established under such agencies

(b) Local public entities

(c) Independent administrative agencies (meaning independent administrative agencies as defined in Article 2, paragraph 1 of the Independent Administrative Agencies Act (Act No. 103 of 1999); the same applies in (e) )

(d) Local independent administrative agencies (meaning local independent administrative agencies as defined in Article 2, paragraph 1 of the Local Independent Administrative Agencies Act (Act No. 118 of 2003); the same applies in (e) )

(e) Legal entities directly established by law, legal entities established by special laws through special establishment procedures (excluding independent administrative agencies), or legal entities established by special laws and requiring the approval of an administrative agency for their establishment (excluding local independent administrative agencies), as specified by Cabinet Order

2. Specific social infrastructure operators (as defined in Article 50, Paragraph 1 of the Act on the Promotion of the Integrated Implementation of Economic Measures for the Assurance of Security (Act No. 43 of 2022); the same applies in the following paragraph)Electronic computers used by such entities, where a breach of cybersecurity could result in the cessation or degradation of the functions of specific important facilities as defined in Article 50, paragraph (1) of the aforementioned Act, as specified by Cabinet Order (including those constituting part of such specific important facilities)

3. Computers used by businesses that hold important information (excluding corporations falling under items (i) to (v) of the preceding paragraph) that, in the event of a breach of their cybersecurity, pose a risk of causing serious disruption to the business operations related to the management of important information at such businesses, as specified by Cabinet Order (excluding those listed in the preceding paragraph).

You can find interesting definitions as follows;

• Specific unlawful acts
• Communication information (including communication information in transit, communication information under the control of the parties, and acquired communication information)
• Specific Overseas   unlawful communication acts
• Mechanical information (IP addresses, instruction information, and other information specified by Cabinet Order)
• Communication information holding entities

“Specific improper  acts” are defined as follows;

1. Acts constituting the offence specified in Article 168-2, paragraph 2 of the Penal Code (Meiji 40, Law No. 45) -> Provision of electromagnetic records containing unlawful instructions

2. Unauthorised access acts (as defined in Article 2, Paragraph 4 of the Act on the Prohibition of Unauthorised Access to Computer Systems and the Prevention of Damage to Computer Systems (Act No. 128 of 2000). The same applies in Article 80, Paragraph 1.)

3. Acts that constitute crimes under Chapter 35 of Part II of the Penal Code committed using a computer, and which are committed by harming the cybersecurity of the computer (including acts committed by causing a malfunction in the telecommunications lines connected to the computer) -> Obstruction of business

are listed.

Other concepts will be addressed in the followings.

Article 3 sets out the basic policy. The specific contents are as follows:

• Basic matters concerning the prevention of damage caused by specific unlawful acts against important electronic computers
• Basic matters concerning the conclusion of agreements between parties as provided for in Article 13
• Basic matters concerning the handling of communication information by communication information holding agencies
• Basic matters concerning the organisation and analysis of information as provided for in Article 37
• Basic matters concerning the provision of comprehensive organised and analysed information
• Basic matters concerning the organisation of the council specified in Article 45, paragraph 1 (referred to simply as ‘council’ in Articles 29 and 37)
• In addition to the above, other necessary matters concerning the prevention of damage caused by specific unauthorised acts against important electronic computers

Therefore, I do not think there are any particular issues.

2.2 Public-private partnership

As for public-private partnership,

1. Incident reporting, etc. by core infrastructure operators
2. Establishment of a council for information sharing and countermeasures
3. Strengthening vulnerability response

These are discussed separately.

2.2.1 Incident reporting by critical infrastructure operators

This is Chapter 2, ‘Reporting of Specific Security Incidents, etc., by Special Social Infrastructure Operators,’ of the ‘Law on the Prevention of Damage Caused by Unauthorised Acts Against Important Electronic Computers.’ The specific contents are as follows:

1. Notification of specific important electronic computers (Article 4)
2. Reporting of specific incident events, etc. (Article 5)
3. Orders (Article 6)
4. Statement of the Prime Minister’s opinion (Article 7)
5. Security measures, etc. (Article 8)
6. Submission of reports or materials (Article 9)
7. Guidance and preamble (Article 10)

The key point here is the reporting of specific incident events, etc. (Article 5).

Article 5: Special social infrastructure operators must report to the relevant minister in charge of special social infrastructure facilities and the Prime Minister, in accordance with the provisions of the relevant ministerial ordinance, the occurrence of specific intruded incidents related to designated important electronic computers or incidents that may cause such incidents, as specified by the relevant ministerial ordinance.

A ‘specific intruded incident’ refers to

 Incident where an important electronic computer that results in the cyber security of such important electronic computer is compromised by an act of specific improper acts

(Article 2, Paragraph 5). The definition of ‘cyber security’ is the same as that specified in Article 2 of the Cyber Security Basic Act (Act No. 104 of 2014) (Article 2, Paragraph 1), which states that

measures necessary for the security management of information recorded, transmitted, or received in electronic form, magnetic form, or any other form not recognisable by human perception (hereinafter referred to as ‘electromagnetic form’ in this Article)and the prevention of leakage, loss, or damage of such information, as well as necessary measures to ensure the safety and reliability of information systems and information and communications networks (including necessary measures to prevent damage caused by unauthorised activities targeting electronic computers through information and communications networks or electromagnetic media)are implemented and maintained in an appropriate manner.

This is what we refer to as cybersecurity, but in theory, it would come down to whether ‘leakage, loss, or damage of information’ has occurred.

From a comparative law perspective, this is also mandated under the NIS Directive 2 (as mentioned in the blog: ‘Cybersecurity-related laws and regulations in the EU – European Solidarity Act (Solidarity Act) and NIS2 Directive, etc.’).

2.2.2 Establishment of a Council for Information Sharing and Countermeasures

This is Chapter 9, ‘Council,’ of the Cyber Response Capability Enhancement Act. This is Article 45.

1. Establishment of a Council for Information Sharing and Countermeasures to Prevent Damage Caused by Specific Unlawful Acts Targeting Important Electronic Computers (Abolishing and Strengthening/Establishing the Cyber Security Council) (Article 1)
2. Members (Article 2)
3. Sharing of Comprehensive Analysis Information and Other Information for Provision (Article 3)
4. Necessary Measures (Article 4)
5. Requiring the Submission of Materials, Expression of Opinions, Explanations, and Other Cooperation Regarding Necessary Information (Article 5)
6. Opinions at the Time of Material Submission (Article 6)
7. Confidentiality Obligations (Section 7)

and other provisions are established.

The Prime Minister shall establish a Council for Information Sharing and Countermeasures to Prevent Damage Caused by Specific Unlawful Acts Targeting Important Electronic Computers (hereinafter referred to as the ‘Council’ in this Article), composed of the Prime Minister and the heads of relevant administrative agencies, for the purpose of preventing damage caused by specific unlawful acts targeting important electronic computers.

This is stipulated in Article 45, Paragraph 1.

2.2.3 Strengthening Vulnerability Response

This is stipulated in ‘Information Provision to Suppliers of Electronic Computers, etc.’ (Article 42).

This has been criticised for appearing to be discussed independently of the Early Warning Partnership for Vulnerabilities, which is actually in place and being implemented, as discussed in the Expert Committee (blog).

The first point to note here is that ‘vulnerability’ is defined.

It refers to factors contained in electronic computers or programs incorporated into electronic computers that may harm the cybersecurity of electronic computers (excluding those arising from uses not reasonably foreseeable for the electronic computer in question). (Excluding those arising from uses not reasonably foreseeable for the electronic computer in question.) The same applies throughout this article.

The Ministry of Economy, Trade and Industry’s ‘Guidelines for the Handling of Vulnerability-Related Information for Software Products, etc.’ defines “vulnerability” as ‘safety issues that could cause damage to the functionality or performance of a computer system due to attacks such as computer viruses or unauthorised access to computers.

In the case of web applications, this includes situations where information that should be protected by access control functions is accessible to an unspecified or large number of users.’ This definition limits the scope to vulnerabilities that are triggered by external attacks.

From an interpretative perspective, the above definition may leave open the question of how to handle points that violate confidentiality even without external attacks.

Recognition

Under the provisions of the Act, the competent minister for the supply of electronic computers, etc., shall,

• based on ‘comprehensive analysis and other information,’

when recognising a vulnerability,

• provide ‘comprehensive analysis and other information for public notification regarding vulnerabilities,’
• disclose the information or the response measures for the vulnerability through public announcement or other appropriate means.

This is stipulated in Article 42, Paragraph 1.

However, there is the question of how to recognise vulnerabilities. Developers may recognise them themselves, or researchers may discover them. In the latter case, how can vulnerability information be smoothly communicated to developers so that countermeasures can be taken before the vulnerability is exploited by the general public? The framework for this is the ‘Vulnerability Early Warning Partnership.’ Another issue is how to address vulnerabilities in government-managed websites and applications.

Preventive Measures

• When a vulnerability is identified and
• it is deemed necessary to prevent damage caused by specific unlawful acts,

the relevant authority may request that necessary measures be taken to prevent such damage (Article 42, Paragraph 2).

Additionally, the Prime Minister or the Minister in charge of special social infrastructure facilities has the authority to provide opinions (paragraph 3). Furthermore, the same ministers may request reports or the submission of materials from computer equipment suppliers (paragraph 4), and suppliers are obligated to make efforts to respond (paragraph 5). These provisions also apply to foreign suppliers (paragraph 6).

Recognition Framework

The Minister in charge of computer equipment supply is responsible for recognising vulnerabilities, but the framework for such recognition is to be established under Article 7, Paragraph 2 of the Cyber Security Basic Act. This is Article 12 of the ‘Bill on the Revision of Related Laws in Connection with the Enforcement of the Law on the Prevention of Damage Caused by Unauthorised Acts Against Important Computers (Cyber Response Capability Enhancement Act Revision Bill).’

(Amendment to the Cyber Security Basic Act)

Article 12 The Cyber Security Basic Act (Act No. 104 of 2014) shall be amended as follows:

2. In order to prevent damage to information systems or other systems supplied by oneself due to threats against information systems or their components, such as electronic computers or programs, information and communications networks, or other systems, efforts shall be made to design and develop such systems with consideration for measures taken by users of such systems to ensure their safety and reliability, to provide necessary information on an ongoing basis for appropriate maintenance and management, and to support other measures taken by users of such systems to ensure cybersecurity.

This means that suppliers shall endeavour to support users in taking measures to ensure security.

PSIRT is becoming more widespread. For an explanation of ‘What is PSIRT? Differences from CSIRT’ (by Hitachi Solutions Create), please click here. In the future, such regulations and the EU’s Cyber Resilience Act are likely to further promote the widespread adoption of PSIRT.This is a very large topic, so I will leave it for another opportunity.

Providing Analysis Information

‘Comprehensive Organised and analysed information’ refers to information that has been organised or analysed in accordance with the provisions of Article 37 and provided to national administrative agencies.

Article 37 states:

‘The organised and analysis of information, including report information, selected communication information (including information deemed to be selected communication information under the preceding article; the same applies hereinafter), selected information for provision, information obtained through the council, and other information, shall be conducted to effectively utilise such information for the prevention of damage caused by specific unauthorised acts against important electronic computers.’

Therefore, ‘comprehensive organised and analysed information’ refers to ‘reporting information, selected communication information (including information deemed to be selected communication information under the provisions of the preceding article; the same applies hereinafter), selected information for provision, information obtained through consultations, and other information that is handled in a manner that enables it to be effectively utilised for the prevention of damage caused by specific unauthorised acts targeting important electronic computers.’

Effect on overseas providers

Regarding the handling of vulnerability information, even if the supplier of the programme is located overseas, if the impact extends to Japan, cooperation must be sought. Article 42, Paragraph 6 clarifies this point.

6. The provisions of the preceding paragraphs shall also apply to cases where an overseas supplier of electronic computers, etc., provides electronic computers, etc., to persons located in Japan.

The Early Warning Partnership also states in the ‘Regulations on the Handling of Vulnerability-Related Information for Software Products, etc.’ (2024 revised edition)

(1)4 Scope of Application of These Regulations

These regulations apply to vulnerabilities in software products used within Japan or in web applications operated on websites primarily accessed from within Japan, where the impact of such vulnerabilities may affect an unspecified or large number of persons.

This was clearly stated, and in that sense, it should be evaluated as having foresight as a framework. (Originally, this was established in 2004.)

2.3 Use of Communication Information

This is stated in the summary as follows:

To understand the actual state of cyber attacks against Japan, communication information is used and analysed. These are checked by an independent agency. In designing the system, sufficient consideration is given to ‘communication privacy.’

According to the summary,

• Acquisition of communication information based on agreements (consent) with core infrastructure operators, etc.
• Acquisition of communication information without consent
• Implementation of automatic selection of mechanical information
• Organisational measures

are discussed separately. We will now examine each of these.

The key point of the mechanism is that a 24/7 cyber information analysis system has been established.

2.3.1 Concept of communication information

The key concept in the above discussion is ‘communication information.’ This is defined in Article 2, Paragraph 6 as follows:

(i) Information transmitted or received through communications mediated by telecommunications services provided by a telecommunications operator (as defined in Article 2, Item 5 of the Telecommunications Business Act (Law No. 86 of 1984); the same applies hereinafter) in the course of its telecommunications business (as defined in Article 2, Item 4 of the same Act; the same applies in Article 17, Paragraph 1);The same applies hereinafter.)

2. Information transmitted or received through communications mediated by the telecommunications equipment of the parties (meaning telecommunications equipment used by the parties to the communication (meaning telecommunications equipment as defined in Article 2, Item 2 of the Telecommunications Business Act; the same applies hereinafter).Information transmitted from party equipment to telecommunications equipment related to business telecommunications services, or information transmitted to party equipment via communications mediated by business telecommunications services, or information related to the transmission or reception of such information (meaning telecommunications as defined in Item 1 of the same Article; the same applies hereinafter), and information related to the communication history of such telecommunications, which is managed by the parties to the communication (referred to as ‘party-managed telecommunications information’ in the next item and Article 13)

3. Information that is a copy of communication information in transit or party-managed communication information that has been provided to the Prime Minister (including copies or processed versions of all or part thereof, excluding information selected for provision as specified in Article 29; hereinafter referred to as ‘obtained communication information’)

There is a slide (Cyber Response Capability Enhancement Bill※1 and Related Legislation※2) in the legislative commentary. According to that slide, based on the structure of the data, an explanation of the ‘essential content of communication’ within communication information related to email is provided as follows:

 

Even when distinguishing between content and non-content, there is the question of how to handle the “subject” portion, so the term ‘essential content of communication’ was used to specifically refer to ‘Communication.’

#‘Communication’ in English refers to the content of the transmission of meaning, and the concept of ‘privileged communication’ does not extend to formal facts such as when, at what time, and with whom a lawyer met. In that sense, Japan’s interpretation, which expands the ‘secrecy of communication’ to include external facts, is likely to be seen as overly broad on a global scale. This has been my position for the past 20 years. It took 20 years to acknowledge such an obvious point.No one seems to praise the alignment with my theory, though.

2.3.2 Acquisition of Communication Information Based on Agreements (Consent) with Core Infrastructure Operators

This is

explained as follows: The Prime Minister may acquire communication information (including analysis conducted using communication information related to external communications and provision of necessary analysis results to the relevant operator) based on agreements with core infrastructure operators.

(Summary)

This is referred to as ‘consent,’ but traditionally, ‘consent’ in communications has been understood to require the consent of both parties.

#For example, in the Yoshiten-chan incident, during the House of Representatives Local Administration Committee meeting on 7 May 1963, a question was raised regarding whether reverse tracing was possible (Item 71). In response, it was stated that ‘the so-called wiretapping methods used in the United States and other countries are not permitted under the Constitution of Japan, and we do not adopt such investigative methods’ (Item 72).Regarding the investigation at that time, it merely involved recording and monitoring telephone conversations from the telephone terminals. Later, when the investigation was made public, the recordings were also disclosed. Additionally, during the deliberations, it was noted that regarding the consent of the parties involved for the police to obtain communications in transit, the principle is that consent from both parties is required, but in unavoidable cases, consent from one party may also be acceptable (Item 21).

However, at present, if authorised by the parties to the device, various responses are possible (e.g., DDoS response services). Therefore, in the context of legal interpretation, we understand that the theory of one party has been clarified in the law. (I have not yet analysed the explanation.)

According to the ‘Guidelines on Countermeasures Against Cyber Attacks and the Protection of Communication Privacy by Telecommunications Operators,’

However, in cases where the use of IP addresses or URLs for warning against access to malware distribution sites, which is an effective measure to prevent malware infection, or the use of FQDNs to block access to malware-infected devices and C&C servers, which is an effective measure to prevent damage caused by malware infection, is necessary, such consent may be considered valid under certain conditions, even if it is based on prior general consent in contract terms and conditions, in addition to individual consent.

However, these are listed as exceptions.

Let us examine the actual draft legislation.

Chapter 3 Provisions on Agreements Between Parties

• Conclusion of Agreements with Special Social Infrastructure Operators (Article 11)
• Conclusion of Agreements with Users of Telecommunications Services Other Than Special Social Infrastructure Operators (Article 12)
• Request for Consultation with Telecommunications Operators (Article 13)
• Notification to the Cyber Communications Information Management Committee upon Conclusion of Agreements Between Parties (Article 14)
• Acquisition of communication information (Article 15)
• Measures to be taken by the Prime Minister upon receiving communication information (Article 16)

are proposed.

Looking at Article 11,

The Prime Minister may, after receiving communication information from a special social infrastructure operator, use such communication information that falls under external communication information (omitted) toto ensure the cybersecurity of specific important electronic computers or other electronic computers used by the special social infrastructure operator, and to provide the special social infrastructure operator with the results of such analysis and related information (referred to as ‘individual analysis information’ in Article 2 and Article 16) through an agreement that includes the following matters:

The key point here is likely the ‘external communications information.’‘External communication information’ refers to communication information related to telecommunications transmitted from overseas facilities to domestic facilities, as determined by IP addresses, etc.

This agreement involves providing the results of analyses and related information regarding such external communication information to the relevant special social infrastructure operator. A diagram illustrating this would look something like the following.

Under this agreement, the Prime Minister is authorised to obtain external communication information.

2.3.3 Acquisition of communication information without consent

Measures for Transmission for Overseas Communication Purposes

Chapter 4 is titled ‘Measures for Transmission for Overseas Communication Purposes.’ The specific provisions are as follows:

• Measures for Transmission for Overseas Communication Purposes (Article 17)
• Approval by the Cyber Communication Information Management Committee (Article 18)
• Extension of the Measures Period (Article 19)
• Request for Cooperation from Telecommunications Carriers (Article 20)

Here, the key term ‘measures for transmission for overseas communication purposes’ refers to:

• Overseas communication that is
• committed against important electronic computers,
• and involves the use of electronic computers, instructions or other information necessary to operate such electronic computers, where the actual circumstances of such foreign communication-related specific unlawful acts are unclear, making it extremely difficult to prevent damage to important electronic computers caused by such acts, and where it is extremely difficult to ascertain such circumstances by means other than the measures provided for in this paragraph.
• When there is sufficient reason to suspect that the foreign-related communications include communications mediated by business telecommunications services provided using specific foreign-related telecommunications equipment

When deemed necessary,

• Establish criteria for determining the selection conditions specified in Article 22, paragraph 2, regarding the specified unlawful acts related to foreign communications (referred to as ‘foreign-to-foreign communications selection criteria’ in the same paragraph),
• obtain approval from the Cyber Communications Information Management Commission,
• take measures to ensure that a portion of the intermediary communication information transmitted or received through such foreign-related communications (limited to 30% of the transmission capacity of the relevant foreign-related telecommunications equipment) is replicated and transmitted to the equipment established by the Prime Minister (referred to as ‘receiving equipment’ in Article 32, Paragraph 1 and Article 33, Paragraph 1)

The Prime Minister may take such measures.

A portion of the intermediate telecommunications information (which is reproduced and transmitted to the equipment established by the Prime Minister) will be transmitted. In essence, this would function as a communication tracing device, correct? Additionally, the cooperation of telecommunications operators is also of interest. Specifically,

The Prime Minister may request telecommunications operators that have established telecommunications facilities abroad (hereinafter referred to as ‘foreign telecommunications operators’ in this Article, Article 32, paragraph 1, and Article 33, paragraph 1) to provide information regarding such facilities, connect equipment necessary for the implementation of the measures, or provide other necessary cooperation. In such cases, the foreign telecommunications operators shall not refuse such requests unless there is a valid reason.

In practice, it is more likely that the operator will detect through network monitoring that there is suspicion of ‘specific unlawful acts,’ and based on that, the Prime Minister will request the transfer of information to the equipment, cooperation, and the operator will comply with such requests, as outlined in the guidelines. Let us illustrate this with a diagram. The target of acquisition is part of the communication information being transmitted during ‘external communications.’

In that case, how will operators share information indicating that ‘suspected specific unlawful acts’ exist with the Prime Minister? I believe this will be clarified in guidelines.

2.3.4 Measures for the Transmission of Specific Overseas Communications and Measures for the Transmission of Specific Domestic Communications

Chapter 6 covers measures for the transmission of specific overseas communications and measures for the transmission of specific domestic communications.

The relevant provisions are:

• Measures for the Transmission of Specific Overseas-Domestic Communications (Article 32)
• Measures for the Transmission of Specific Domestic-Overseas Communications (Article 33)

Measures for the Transmission of Specific Overseas-Domestic Communications (Article 32)

The structure of the measures for the transmission of specific overseas-domestic communications is the same as that of the ‘measures for the transmission of overseas-domestic communications’ mentioned above. The first part states, ‘communications between overseas and domestic entities.’

• Communications from overseas that are suspected of being used for specific unlawful acts against important electronic computers
• or containing specific mechanical information (omitted) that is suspected to be used for such specific foreign communication-related unlawful acts
• When it is deemed necessary to prevent damage to important electronic computers caused by such specific foreign communication-related unlawful acts through analysis, and when analysis of such specific foreign-domestic communication is deemed significantly difficult by means other than the measures prescribed in this paragraph (excluding the measures prescribed in the first paragraph of the next article),

When deemed necessary,

• Establish criteria for determining the selection conditions specified in Article 35, paragraph 2, in cases where communication information is obtained through measures under this paragraph (referred to as ‘specific domestic and foreign communication selection criteria’ in the same paragraph)
• With the approval of the Cyber Communication Information Management Committee
• Measures to ensure that communication information transmitted during the mediation of foreign-related communications is replicated and transmitted to receiving equipment (hereinafter referred to as ‘measures for transmitting communications for specific foreign-related communication purposes’)
• Measures to ensure that communication information transmitted during the mediation of foreign-related communications is replicated and transmitted to receiving equipment (hereinafter referred to as ‘measures for transmitting communications for specific foreign-related communication purposes’)

It is stated that the Prime Minister may take such measures. Let us illustrate this as well.

Specific Domestic-Foreign Communication Purpose Transmission Measures (Article 33)

The scope of application here is also ‘domestic-foreign communications.’

• Domestic-foreign communications (omitted) that
• are suspected of being used for specific foreign communication-related unlawful acts targeting important electronic computers, and
• or contain specific mechanical information suspected of being used for such acts, and
• it is significantly difficult to prevent damage to important electronic computers caused by the specified foreign communication-related unlawful acts, and
• it is significantly difficult to analyse the specified domestic and foreign communications by means other than the measures provided for in this paragraph,

when deemed necessary,

• establish criteria for determining the selection conditions specified in paragraph 2 of the same article (referred to as ‘specific domestic and foreign communications selection criteria’ in the same paragraph) for obtaining communication information through the measures,
• and obtain the approval of the Cyber Communications Information Management Committee,
• measures may be taken to ensure that communication information transmitted during the mediation of foreign communications by specific foreign-related telecommunications equipment installed by foreign-related telecommunications operators, which are suspected to include the specified domestic and foreign communications, is replicated and transmitted to receiving equipment (hereinafter referred to as ‘measures for transmission for the purpose of specified domestic and foreign communications’).

 

2.3.5 Handling of Acquired Communication Information Obtained Through Party Agreements or Overseas Communication Purpose Transmission Measures

Chapter 5 pertains to the ‘Handling of Acquired Communication Information Obtained Through Party Agreements or Overseas Communication Purpose Transmission Measures.’ The relevant provisions are as follows:

• Definitions (Article 21)
• Implementation of Automatic Screening (Article 22)
• Restrictions on Use and Provision (Article 23)
• De-identification Measures, etc. (Article 24)
• Retention Period for Sorted Communication Information (Article 25)
• Security Measures (Article 26)
• Cooperation with Relevant Administrative Agencies in Analysis (Article 27)
• Providing Sorted Communication Information to Foreign Governments, etc. (Article 28)
• Creation of Sorted Information for Provision (Article 29)
• Notification to the Cyber Communication Information Oversight Committee (Article 30)
• Handling of Sorted Communication Information by Communication Information Holding Agencies (Article 31)

.

Information is considered at the stages of acquisition, handling, and provision (corresponding to the prohibited acts of communication secrecy, which include active acquisition, theft, and leakage). There is also deletion and disposal, but these are omitted. (Incidentally, Professor Yoko Konishi’s ‘Modern Intelligence and Investigation and the Constitution: A Comparative Study of Freedom and Security in Japan and Germany’

The key point is the automatic selection, which is

a measure to record, by automatic means (referred to as ‘automatic means’ in Article 35, paragraph 1), only the mechanical information that meets the following criteria from the acquired communication information, and such recording is conducted in a manner that prevents the acquired communication information from being viewed or otherwise accessed by any person before the selection is completed (Article 22, paragraph 1). The specific requirements are as follows:

1. The acquired communication information obtained in accordance with the provisions of Article 15 must have been transmitted or received through external communications.
2. For communication information obtained through external communication transmission measures, it must have been transmitted or received through external communication.
3. The communication information must be deemed to be related to the targeted unlawful act.

The selection method involves using information such as IP addresses, command information, or information that is deemed sufficient to facilitate search.

Additionally, Article 31 discusses the provision of communication information after selection.

2.3.6 Handling of communication information obtained through specific external communication transmission measures or specific internal communication transmission measures

Chapter 7: Handling of communication information obtained through specific external communication transmission measures or specific internal communication transmission measures. The relevant provisions are as follows:

• Definitions (Article 34)
• Implementation of measures to select and record communication information obtained through automated methods (Article 35)
• Application of provisions concerning the handling of acquired communication information (Article 36)

In the above, the Prime Minister acquires communication information, but first, he must take measures to automatically select whether the communication is foreign or domestic, and whether it is related to the target unlawful act (Article 35, paragraph 1).Here, the definition of ‘targeted unlawful acts’ referred to above is relevant.

Furthermore, when the Prime Minister

• acquires communication information through measures for transmitting communication information for specific domestic communication purposes or measures for transmitting communication information for specific international communication purposes
• communication information acquired through measures for transmitting communication information for specific domestic communication purposes or measures for transmitting communication information for specific international communication purposes
• and the communication information obtained through the measures specified in the preceding paragraph, which are automatically selected, and the communication information obtained through such measures (including information created by replicating or processing such communication information, excluding information that has become selected information for provision)

shall be deemed to be selected communication information, and the provisions of Articles 23 to 31 shall apply.

2.3.7 Provision of Comprehensive Analysis Information, etc.

Chapter 8 concerns the provision of comprehensive analysis information, etc. The relevant provisions are as follows:

• Information  and Analysis by the Prime Minister (Article 37)
• Provision of Information to Administrative Agencies, etc. (Article 38)
• Provision of Information to Foreign Governments, etc. (Article 39)
• Provision of Information to Special Social Infrastructure Operators (Article 40)
• Notification to Persons Using Computers (Article 41)
• Provision of information to suppliers of electronic computers, etc. (Article 42)
• Considerations regarding the provision of information (Article 43)
• Security measures, etc. (Article 44)

The organisation and analysis of information is the authority of the Prime Minister.

• Reported information, selected communication information (including information deemed to be selected communication information pursuant to the provisions of the preceding article; the same shall apply hereinafter), selected information for provision, information obtained through the council, and other information
• shall be effectively utilized to prevent damage caused by specific unlawful acts targeting important electronic computers
• and shall be able to conduct the organisation and analysis of such information.

2.4 Establishment of an organisational framework for the analysis of cybersecurity information

Ultimately, the key point is how to analyse the information collected through the above mechanism and turn it into intelligence. The establishment of the organisational structure and other measures is addressed in the ‘Law on the Enforcement of the Law on the Prevention of Damage Caused by Unlawful Acts Against Important Electronic Computers and the Revision of Related Laws.’

The text of the law itself is available here. This law corresponds to the relevant portions of the overall diagram above, which are highlighted in red.

Looking specifically at the organisational and structural reforms, they consist of the following three elements:

This part is said to be aimed at:

Establishing a new organisation within the Cabinet Secretariat as a command centre to promote various initiatives, including proactive cyber defence, and to establish a framework to advance government-wide efforts (with the Cabinet Secretariat (command centre and overall coordination) and the Cabinet Office (implementation department) functioning in unison).

We will examine these in detail.

2.4.1 Strengthening the Cyber Security Strategy Headquarters

This involves reorganising the Cyber Security Strategy Headquarters and enhancing its functions.

The Cyber Security Strategy Headquarters will be reorganised into an organisation with the Prime Minister as the head and all ministers of state as members. The relevant provisions are as follows:

• (Article 12, Paragraph 3 of the Establishment Act) Article 28, Paragraph 1: Replace ‘Chief Cabinet Secretary’ with ‘Prime Minister.’ Article 28, Paragraph 3: Replace ‘Items 3 and 5’ with ‘Items 1 to 4 and Item 6.’ Delete Paragraph 5 of the same article.
• (Same) In Article 30, Paragraph 2, replace ‘the following persons (excluding those appointed as Deputy Headquarters Chief among those listed in Items 1 to 6)’ with ‘all ministers of state other than the Headquarters Chief and Deputy Headquarters Chief,’ delete all items in the same paragraph, and add the following article after the same article:

 

Additionally, as the ‘Cybersecurity Promotion Expert Meeting,’

Article 30-2 The Headquarters shall establish a Cyber Security Promotion Expert Meeting (hereinafter referred to as the ‘Expert Meeting’ in this Article).

2 The Expert Meeting shall handle the following matters:

(i) Providing opinions to the Director-General in accordance with the provisions of Article 26, paragraph 3.

(ii) In addition to the matters listed in the preceding item, to investigate and deliberate on important measures related to cybersecurity and, when deemed necessary, to provide opinions to the Director-General.

The functions of the Expert Meeting shall be added to the duties of the Cybersecurity Strategy Headquarters, as follows:

(i) The existing paragraph 1 shall be renumbered as paragraph 4, and the following item shall be added after paragraph 2 of the same paragraph.

3. Matters related to the creation of standards for measures implemented by national administrative agencies to ensure cybersecurity at important social infrastructure operators, etc. (including surveys on the status of cybersecurity at such operators for the purpose of creating such standards), and the evaluation of measures based on such standards and the promotion of the implementation of such measures.

This is stipulated in Article 12.

2.4.2 Establishment of the Cabinet Cyber Officer

A Cabinet Cyber Officer shall be newly established within the Cabinet Secretariat to oversee comprehensive coordination and other matters related to the assurance of cybersecurity. Specifically, the Cabinet Cyber Officer shall concurrently serve as the Deputy Director of the National Security Bureau, and the reorganization of the Cabinet Cyber Security Centre (NISC) is scheduled to be implemented by cabinet order. The relevant provision is Article 15 (Amendment of the Cabinet Act). Accordingly,

Article 19-2 The Cabinet Secretariat shall have one Cabinet Cyber Officer.

2 The Cabinet Cyber Officer shall assist the Chief Cabinet Secretary, the Deputy Chief Cabinet Secretary, and the Cabinet Crisis Management Officer, and shall be responsible for the following matters:

(i) Matters related to the assurance of cybersecurity (as defined in Article 2 of the Basic Act on Cybersecurity (Act No. 104 of 2014)) among the matters listed in Items (ii) to (v) of Paragraph 2 of Article 12 (excluding those under the jurisdiction of the National Security Bureau, the Cabinet Public Relations Officer, and the Cabinet Information Officer)

2. General affairs of the Cyber Security Council, which are to be handled by the Cabinet Secretariat pursuant to the provisions of Article 17, Paragraph 5 of the Cyber Security Basic Act.

3. Matters related to the Cyber Security Strategy Headquarters, which are to be handled by the Cabinet Secretariat pursuant to the provisions of Article 35 of the Cyber Security Basic Act.

3. The provisions of Article 15, Paragraphs 4 to 6 shall apply mutatis mutandis to the Cabinet Cyber Security Officer.

This is the result.

However, since the reorganization of the Cabinet Cyber Security Centre (NISC) is likely to be important for the above information analysis and provision, it is necessary to examine the relevant provisions in detail to fully understand the scope of this amendment.

2.4.3 Establishment of a Minister of State for Special Assignments at the Cabinet Office

Matters related to public-private collaboration and the use of communication information will be added to the responsibilities of the Cabinet Office, and a Cabinet Office Specially Appointed Minister responsible for these matters may be established. The relevant provisions are as follows:

• In Article 3, Paragraph 2, after ‘ensuring safety,’ add ‘conducting reviews and inspections to ensure the proper implementation of measures to prevent damage caused by unauthorised acts against important electronic computers, etc. of the national government and other entities.’
• In Article 4, Paragraph 1, the following is added: ‘37. Matters concerning basic policies for preventing damage caused by specific unauthorised acts (as defined in Article 4 of the same Article) against important electronic computers (as defined in Article 2, Paragraph 2 of the Act on the Prevention of Damage Caused by Unauthorised Acts Against Important Electronic Computers (Act No. ▼▼▼ of 2025); the same applies in Item 27-7 of Paragraph 3).’
• Add the following after ‘27-7 Matters concerning the prevention of damage caused by specific unauthorised acts against important electronic computers under the Act on the Prevention of Damage Caused by Unauthorised Acts Against Important Electronic Computers (excluding those under the jurisdiction of other ministries and the Financial Services Agency)’ in Article 4, Paragraph 3, Item 27-6.
• After ‘59-3’ in Article 4, Paragraph 3, Item 59, add the following: “59-4 Matters concerning the prevention of damage caused by unauthorized acts against important electronic computers as specified in Article 48 of the Law on the Prevention of Damage Caused by Unauthorized Acts Against Important Electronic Computers 37 Important electronic computers (as defined in Article 2, Paragraph 2 of the Law on the Prevention of Damage Caused by Unauthorized Acts Against Important Electronic Computers (Act No. ▼▼▼ of 2025). The same applies in Paragraph 3, Item 27-7.)‘ shall be added.

2.5 Legal Issues

What was interesting about this ’Draft Law on the Prevention of Damage Caused by Unauthorised Acts Against Important Electronic Computers” was that

1. it is not limited to emergency measures
2. Communications are treated as communication information other than the content itself
3. Communications are addressed from the perspective of domestic versus foreign.
4. It is surprising that there is no mention of the Telecommunications Business Act or related laws.
5. The authority of the Prime Minister is clearly defined.

I believe these points can be raised. Let me comment briefly.

Measures are not limited to emergencies

First, a key feature of this bill is that, in the National Security Strategy,

even if they do not amount to an armed attack, in cases where there is a serious risk of cyberattacks that could pose a security concern to the state, important infrastructure, etc., the bill aims to eliminate in advance the possibility of such cyberattacks or prevent the spread of damage in case of such attacks.

introduce active cyber defence.

It was anticipated that this would establish a legal framework for the government’s authority in specific situations. However, in practice, the framework adopted grants the Prime Minister the authority to analyse communications information 24/7.

• In the case of agreements, there are no specific restrictions on the situation.
• In other cases, the following conditions must be met: it is extremely difficult to prevent damage to important electronic computers caused by specific unlawful acts related to foreign communications, and it is extremely difficult to grasp the actual situation by means other than the measures provided for in this section, and there are grounds to suspect that the foreign communications in question are mediated by business telecommunications services provided using specific foreign telecommunications equipment.

In the latter case, while the analysis is similar to the above, the approach is fundamentally different. This point can be considered a characteristic of this framework.

Regarding communications, content other than the content itself is treated as communication information.

Whether based on the general interpretation of the Constitution (other than my view) or the interpretation of the Telecommunications Business Act,

the scope of protection of ‘communication secrecy’ is generally understood as follows: ‘The “all forms of communication” that are the subject of protection naturally extend beyond the content of the communication. This includes not only the names and addresses of the sender, transmitter, recipient, and receiver, but also all facts related to the communication, such as the date and time of delivery, the number of items sent by post or telegram, and so on.’

This is the general understanding. However, the ‘Bill on the Prevention of Damage Caused by Unlawful Acts Against Important Electronic Computers’ is particularly interesting in that it defines ‘communication information’ as anything other than the ‘substantive content of communication.’The term ‘communication’ itself merely refers to the content of the transmission of intent, and everything else is not protected as the secrecy of communication (which should have been translated as ‘secrecy of communication’ in the original). This raises the fundamental question of whether such information should be protected.

The bill introduces the distinction between foreign and domestic communications.

In previous constitutional and telecommunications law discussions, there was essentially no consideration of whether communications were international or domestic. However, this bill is interesting in that it applies different legal provisions depending on whether communications are between foreign countries, from foreign countries to domestic, or from domestic to foreign countries.

I am personally interested in how this issue will be addressed in the Constitution or the Telecommunications Act in the future.

It is surprising that the Telecommunications Business Act is not mentioned.

The protection of confidentiality in domestic communications is understood to be safeguarded by provisions such as Article 4 of the Telecommunications Business Act. However, the relationship with the Telecommunications Business Act is not discussed here. The Prime Minister’s authority to issue orders should, in itself, be subject to discussion regarding its relationship with the Telecommunications Business Act. I assume that it is structured as a special law that takes precedence over general laws, but I am personally curious why this is not explained.

The authority of the Prime Minister is organised as follows:

Ultimately, since the issue is being discussed as a matter of external authority, the Prime Minister is designated as the entity responsible for the aforementioned communication purpose transmission measures. The actual analysis for this purpose is likely to be carried out by the National Information Security Centre (NISC).