Analysis of “Active Cyber Defence Law” in Japan Part 2 (Access and Neutralisation measures)

Two bills related to so-called ‘active cyber defence’ (‘Law on the Prevention of Damage Caused by Unauthorised Acts Against Important Electronic Computers’ and ‘Law on the Enforcement of the Law on the Prevention of Damage Caused by Unauthorised Acts Against Important Electronic Computers and the Revision of Related Laws’) were passed by the House of Councillors on 16 May 2025 and became law (News article: ‘Law passed to prevent cyber attacks; government to monitor communications and require companies to report incidents’).

Of these, we examined public-private partnerships, the use of communications information, and organisational structure improvements in our previous blog post, ‘Reading the “Bill on the Prevention of Damage Caused by Unauthorised Acts Against Important Electronic Computers” (Use of Communications Information, etc.)’ (Japanese).

Here, we will examine the measures related to ‘access and neutralisation.’ The relevant legislation is the ‘Law on the Revision of Related Laws in Connection with the Enforcement of the Law on the Prevention of Damage Caused by improper Acts Against Important Electronic Computers’ (draft text).

The main contents of this law include revisions to the Police Officers’ Duties Act and the Self-Defence Forces Act.

1. Revisions to the Police Officers’ Duties Act

We will examine the amendments to the Police Officer Duties Enforcement Act. The Police Officer Duties Enforcement Act consists of Article 4 (Measures for Evacuation, etc.), Article 5 (Prevention and Suppression of Crimes), Article 6 (Entry), and Article 7 (Use of Weapons).

The Police Duties Execution Act translation is here.

Article 6-2 will be added, titled ‘Measures by Cyber Threat Prevention Officers.’

From an academic perspective, there was some discussion about whether cyber-related measures could be taken under Article 5, and personally, I thought that if Article 4 (Evacuation, etc.) were based on necessity, it could be handled there, but it has been placed under Article 6-2.

(Measures by Cyber Threat Prevention Measures Enforcement Officers)

Article 6-2

Paragraph 1 designates Cyber Threat Prevention Measures Enforcement Officers.

The Commissioner of the National Police Agency shall designate police officers from among those of the National Police Agency or prefectural police who are deemed to possess the necessary knowledge and ability to appropriately take the measures specified in the following paragraph as Cyber Threat Prevention Measures Enforcement Officers.

Paragraph 2 states that where there are

  • electronic communications used for acts that harm cybersecurity or other unlawful acts using information technology (hereinafter referred to as ‘information technology-related unlawful acts’ in this paragraph) or electronic communications suspected of being used for such acts (hereinafter referred to as ‘harm-related electronic communications’ in this paragraph and the proviso of Paragraph 4)

or

  • electromagnetic records (meaning records created in electronic, magnetic, or other forms not perceivable by human senses, and intended for use in information processing by computers; the same applies hereinafter in this paragraph) used for information technology-related unlawful acts, or electromagnetic records suspected of being used for such acts (hereinafter referred to as ‘harm-related electromagnetic records’ in this paragraph)

and where

  • there is an urgent need because leaving such acts unchecked would pose a serious threat to human life, bodily safety, or property,

the administrator or other relevant party of the electronic computer that is the source or destination of the harm-related electronic communications, or of the electronic computer on which the harm-related electromagnetic records are stored (hereinafter collectively referred to as ‘harmful electronic computers’ in this article), shall be ordered

to take measures deemed necessary to prevent harm and carried out through telecommunications lines, such as the deletion of harm-related electromagnetic records stored on the harmful electronic computer, including, to the extent necessary to appropriately prevent harm, connecting to the harmful electronic computer through telecommunications lines to confirm the electromagnetic records related to its operations stored on that computer,

and/or the officers are to

take such measures themselves.

Additionally, Paragraph 3 establishes provisions for consultation with the Minister of Foreign Affairs in cases involving entities outside Japan.

Paragraph 4 sets forth provisions regarding the approval of the Cyber Communications Information Management Committee.

Here, the Minister of Justice may order the administrator or other relevant parties to

take measures deemed necessary to prevent harm, such as the deletion of harmful electronic records,

and, if they comply, that is acceptable; however, in practice, they are unlikely to comply voluntarily, so the authority must take such measures itself.

The issue here is what specific measures should be taken and what rules should govern their implementation.

Regarding cyber techniques, I have discussed this in my article ‘A Comparative Legal Analysis of Active Cyber Defence’ (InfoCom Review No. 72)

  • Information Sharing
  • Tar Pit, Sandbox, Honeypot
  • Jamming and Deception
  • Hunting
  • Beacon
  • Deep Web/Darknet Intelligence Gathering
  • Botnet Take Down
  • Coordinated Sanctions
  • White Hat Ransomware
  • Rescue Missions for Property Recovery

and other methods have been identified.

Among these, which ones are considered ‘necessary measures for harm prevention’? Additionally, what would be the rules of engagement (ROE) in such cases?

Regarding this point, I referred to Mr. Jinnai’s doctoral thesis, ‘Legal Issues in Cyber Operations Conducted by the Self-Defence Forces’ (link). In note 45 of that thesis, my work, ‘Continuation of the Concept of Active Cyber Defence’ (link), is cited, and it is stated that

From a purely military operational perspective, the means permitted in an operation are ultimately determined by the military based on the operational objectives and operational environment. Specifically, the Rules of Engagement (ROE), which are created for each operation and include political and legal elements, are issued as orders (in the case of the Self-Defense Forces, which are administrative agencies, these orders would correspond to administrative notices under administrative law). These orders then regulate the details of authority. It is important to understand that different means are not legally prescribed depending on the type of operation. In simple terms, the law establishes the broad framework for whether the military should conduct an operation, and it is generally not the case that the means used in an operation are regulated by law.

As stated above, ROE is the key point. However, even so, the question arises as to whether the ‘measures deemed necessary for the prevention of harm’ mentioned above encompass all specific operations, or only part of them, and if only part, what are the criteria for determining that part.

2. Amendment to the Self-Defence Forces Act

Article 4 is an amendment to the Self-Defence Forces Act.

‘Communication protection measures for important electronic computers’ will be added to Article 81-3.

The authority to take such measures includes:

Ordering the implementation of measures related to the operation of electronic computers necessary to prevent damage to the relevant important electronic computer, which are carried out through telecommunications lines (hereinafter referred to as ‘communication protection measures’ in this article and Article 91-3).

What is interesting is the requirement for such measures.

  1. It must be determined that there is a significant risk that the specified unauthorised act will cause a specific major disruption (meaning a disruption to the functions of the important electronic computer that results in the cessation or degradation of such functions, and where such cessation or degradation would lead to a disruption that cannot be easily restored, thereby causing a situation that seriously jeopardises the safety of the state and the people) to the important electronic computer.
  2. The special technical capabilities or information possessed by the Self-Defence Forces are indispensable for preventing the occurrence of a specific major disruption.
  3. There is a request or consent from the National Public Safety Commission.

Specific major disruption

This concept refers to a situation that would significantly impair the safety of the state and its citizens.

Within the framework of the Self-Defence Forces Act, there are

  • Defence deployment (Article 76)
  • Security deployment for the protection of Self-Defence Forces facilities, etc. (Article 81-2)
  • Public order deployment (Article 78)

and others, and within these, ‘communication protection measures for important electronic computers’ are permitted in cases of specific major disruptions.

The specific actions here are ‘measures related to the operation of electronic computers necessary to prevent damage to the relevant important electronic computers, which are carried out via telecommunications lines.’ However, what these measures will concretely entail, and the fact that ROE will likely be a key point in practice, are the same issues as those regarding the measures taken by the Cyber Threat Prevention Measures Enforcement Officer mentioned above. In fact, Article 91-3 stipulates the ‘authority for communication protection measures for important electronic computers’ as follows:

the provisions of Article 6-2, paragraphs 2 to 11 of the Police Officer Duties Enforcement Act shall apply mutatis mutandis to the performance of duties by self-defence force members of units or other entities ordered to take communication protection measures pursuant to the provisions of Article 81-3, paragraph 1.

Additionally, corresponding amendments have been established.

In Article 95-4, ‘Authority for the Protection of Specific Electronic Computers Used by the Self-Defence Forces,’ with respect to

  • ‘Specific electronic computers used by the Self-Defence Forces’
  • ‘Specific electronic computers used by the armed forces of the United States of America stationed in Japan pursuant to the Treaty on Mutual Cooperation and Security between Japan and the United States of America’

the provisions regarding the execution of duties by Self-Defence Forces personnel tasked with protecting such systems from unauthorised acts using information technology are applied mutatis mutandis.
