Article 1Facing domestic and foreign changes such as the intensification of threats against cybersecurity on a worldwide scale, and with the progression of the Internet and other advanced information and telecommunications networks, the use of information and telecommunications technologies, and the given situation of the urgent issue to ensure the free flow of information and the protection of cybersecurity simultaneously, the purpose of this Act is to comprehensively and effectively promote the cybersecurity policy by: stipulating basic principles of national the cybersecurity policy; clarifying the responsibilities of the national government, local governments, and other concerned public parties; stipulating essential matters for cybersecurity-related policies such as the cybersecurity strategy formulation; and establishing the Cybersecurity Strategic Headquarters and so forth, together with the Basic Act on the Formation of an Advanced Information and Telecommunications Network Society (Act. No. 144 of 2000), and as a result, attempting to enhance economic and social vitality, sustainable development and realizing social conditions where the people can live with a sense of safety and security, and contributing to the protection of international peace and security as well as national security.

Article 2For the purposes of this Act, the term "Cybersecurity" means the necessary measures that are needed to be taken to safely manage information, such as prevention against the leak, disappearance, or damage of information which is stored, sent, in transmission, or received by electronic, magnetic, or other means unrecognizable by natural perceptive functions (hereinafter in this section referred to as "Electronic or Magnetic Means"); and to guarantee the safety and reliability of information systems and information and telecommunications networks (including necessary preventive measures against malicious activities toward electronic computers through information network or storage media for information created by electronic or magnetic means (hereinafter referred to as "Electronic or Magnetic Storage Media")), and that those states are appropriately maintained.

Article 3(1)Given that ensuring the free flow of information through maintaining the Internet and other advanced information and telecommunications networks, the utilization of information and telecommunications technologies are critical to enjoying benefits through the freedom of expression, enabling the creation of innovation, improving economic and social vitality, and so forth, the promotion of the Cybersecurity policy must be carried out with the intent to produce active responses to threats against Cybersecurity through coordination among multiple stakeholders, including the national government, local governments, and critical information infrastructure CII Operators (referring to operators of businesses that provide infrastructure which is the foundation of the people's living conditions and economic activities and the functional failure or deterioration of which would risk enormous impacts to them; hereinafter, the same is to apply).

(2)The promotion of the Cybersecurity policy must be carried out with the intent to raise awareness to each member of the public about Cybersecurity and encourage each member of the public to take voluntary actions to prevent any damage caused by threats against Cybersecurity, and to positively promote actions to establish resilient systems which can quickly recover from damage or failure.

(3)The policy to promote Cybersecurity must proactively be carried out with the intent to implement on maintaining the Internet and other advanced information, telecommunications networks and actions toward the establishment of a vital economy and society through the utilization of information and telecommunications technologies.

(4)Given the fact that combatting threats against Cybersecurity is a common concern of the international community, and with recognition that Japan's economic and social activities are characterized by close international interdependence, the promotion of the Cybersecurity policy must be required to be carried out with intent to play a leading role in an internationally-coordinated effort for the creation and development of an international normative framework for Cybersecurity.

(5)The promotion of the Cybersecurity policy must be required to be carried out in consideration of the basic principles of the Basic Act on the Formation of an Advanced Information and Telecommunications Network Society.

(6)The promotion of the Cybersecurity policy is required to be carried out with due consideration not to wrongfully impinge upon the peoples' rights.

Article 4In accordance with the basic principles prescribed under the preceding article, (hereinafter referred to as the "Basic Principles"), the national government bears the responsibility to formulate and implement comprehensive Cybersecurity policies.

Article 5In accordance with the Basic Principles, local governments bear the responsibility to formulate and implement independent Cybersecurity policies in consideration of the appropriate division of roles with the national government.

Article 6In accordance with the Basic Principles and for the purpose of stable and appropriate provision of their services, CII Operators are to make an effort to: deepen their awareness and understanding of the critical value of Cybersecurity; ensure Cybersecurity voluntarily and proactively; and cooperate with the measures on Cybersecurity taken by the national government or local governments.

Article 7In accordance with the Basic Principles, Cyberspace-Related Business Entities (referring to those engaged in business regarding the maintenance of the Internet and other advanced information and telecommunications networks, the utilization of information and telecommunications technologies, or involved in business related to Cybersecurity; hereinafter, the same is to apply) and other business entities are to make an effort to ensure Cybersecurity voluntarily and proactively in their businesses and to cooperate with the measures on Cybersecurity taken by the national government or local governments.

Article 8In accordance with the basic principles, universities and other educational and research organizations are to make an effort to ensure Cybersecurity voluntarily and proactively, develop human resources specialized for Cybersecurity, disseminate research and the results of research on Cybersecurity, and cooperate with measures taken by the national government or local governments.

Article 9In accordance with the Basic Principles, the people are to make an effort to deepen their awareness and understanding of the critical value of Cybersecurity and pay necessary attention to ensuring Cybersecurity.

Article 10The national government must take necessary measures for the implementation of Cybersecurity policies including legislative, financial, or taxation measures.

Article 11In providing Cybersecurity policies, the national government is to make an effort to develop administrative organizations and to improve administrative management.

Article 12(1)The national government must establish a basic plan for Cybersecurity (hereinafter referred to as the "Cybersecurity Strategy") with the aim of the comprehensive and effective promotion of the Cybersecurity policy.

(2)The Cybersecurity Strategy addresses the following:

(3)The Prime Minister must request a cabinet decision on the proposed Cybersecurity Strategy.

(4)When establishing the Cybersecurity Strategy, the national government must report it to the Diet without delay and to announce it publicly through the use of the Internet and other appropriate means.

(5)The provisions prescribed under the preceding two paragraphs apply in the case of amendments to the Cybersecurity Strategy.

(6)With the aim of ensuring necessary funds regarding the expenses to enable the implementation of the Cybersecurity Strategy, the national government must make an effort to provide necessary measures for the smooth implementation of the Cybersecurity Strategy, such as appropriating the necessary funds in its budget every fiscal year, to the extent permitted within national fiscal limitations.

Article 13With regard to Cybersecurity at national administrative organs, Incorporated Administrative Agencies (referring to Incorporated Administrative Agencies prescribed under Article 2, paragraph (1) of the Act on General Rules for Incorporated Administrative Agencies (Act No. 103 of 1999); hereinafter, the same is to apply), Quasi-governmental Agencies; (referring to a corporation directly incorporated by acts or a corporation incorporated by a special act pursuant to a special incorporation procedure and subject to the provision of Article 4 (xv) of the Act for Establishment of the Ministry of Internal Affairs and Communications (Act No. 91 of 1999); hereinafter, the same is to apply), and so forth, the national government is to provide necessary measures including: the formulation of common standards of Cybersecurity measures for national administrative organs and Incorporated Administrative Agencies; the collaborative use of interoperable information systems among national administrative organs; monitoring and analysis of malicious activities against information systems of national administrative organs through information and communications networks or Electronic or Magnetic Storage Media; Cybersecurity exercises and training at national administrative organs; responses to Cybersecurity threats in cooperation, communication and coordination with relevant domestic and foreign parties; the sharing of information regarding Cybersecurity among national administrative organs, Incorporated Administrative Agencies, Special Corporations, and so forth.

Article 14With regard to Cybersecurity at CII Operators and Other Related Entities, the national government is to provide necessary measures, including the formulation of standards, exercises and training, the promotion of information sharing, and other voluntary activities.

Article 15(1)Given the fact that information on intellectual property owned by private enterprises such as small and medium-sized enterprises, educational and research organizations such as universities are critical for the enhancement of Japan's international competitiveness, and in order to promote their voluntary activities for Cybersecurity, the national government is to provide necessary measures, including increasing awareness and understanding about the critical value of Cybersecurity, offering consultation on Cybersecurity, and providing necessary information and advice.

(2)Given the fact that it is important for each member of public to make an effort to voluntarily ensure Cybersecurity, the national government is to provide necessary measures, including offering consultation on Cybersecurity and providing necessary information and advice on actions such as, appropriate choices about products and services in the daily use of electronic computers or the Internet and other advanced information and telecommunications networks.

Article 16The national government is to aim at the enhancement of coordination among relevant ministries and is to provide necessary measures to enable multiple stakeholders, such as the national government, local governments, CII Operators, and Cyberspace-related Business Entities, to work on Cybersecurity policies in mutual coordination.

Article 17The national government is to provide necessary measures to crackdown on cybercrime and prevent the spread of damage.

Article 18The national government is to provide necessary measures with the intention to: improve and strengthen systems to respond to Cybersecurity concerns at relevant bodies; strengthen the mutual coordination among relevant bodies; and clarify the division of roles among relevant bodies, as actions to address threats which may critically affect the country's safety with respect to Cybersecurity-related incidents.

Article 19Given that it is critical for Japan to have self-reliant capabilities to ensure Cybersecurity, and in order to create new business opportunities, develop sound businesses ', and improve international competitiveness, and so as to make the Cybersecurity sector a "growth industry" which is able to create employment opportunities, the national government is to provide necessary measures related to Cybersecurity, including the promotion of advanced research and development, technological advancements, the development and recruitment of human resources, the strengthening of the market environment and the development of new businesses through the improvement of competitive conditions, and the internationalization of technological safety and reliability standards and the participation in such frameworks on the basis of mutual recognition.

Article 20Given that it is critical for Japan to maintain self-reliant technological Cybersecurity capabilities, in order to promote research and development for Cybersecurity as well as the technological and other relevant demonstrations of Cybersecurity, and to expand the distribution of relevant Cybersecurity outcomes, the national government is to provide necessary measures related to Cybersecurity for: the improvement of the environment of Cybersecurity research; the promotion of basic research on technological safety and reliability as well as the promotion of research and development for core technologies; the development of skilled researchers and engineers; the strengthening of coordination among national research institutes, universities, the private sector, and other relevant parties; and international coordination for research and development.

Article 21(1)In close coordination and cooperation with universities, colleges of technology, technical schools, private enterprises, and other relevant entities, the national government is to provide necessary measures to ensure appropriate assignments and employment conditions or treatment of the workforce in the field of Cybersecurity, thereby enabling their functions and work environments to become attractive enough to meet their professional values.

(2)In close coordination and cooperation with universities, technical schools, specialized training colleges, private enterprises, and other relevant entities, for the purposes of recruitment, development, and quality improvement of Cybersecurity-related human resources, the national government is to provide necessary measures, including the utilization of a qualification scheme and training of young technical experts.

Article 22(1)For the purpose of extensive public awareness raising and understanding about Cybersecurity among the people, the national government is to provide necessary measures including the promotion of education and learning, public awareness activities, and the dissemination of knowledge in the field of Cybersecurity.

(2)In order to promote the measures prescribed under the preceding paragraph, the national government is to provide necessary measures, including the implementation of events for public awareness and the dissemination of information on Cybersecurity and the designation of a specific, focused campaign period to effectively promote Cybersecurity activities.

Article 23In the field of Cybersecurity, to actively carry out Japan's role in the international community and to promote Japan's interests in the community, the national government is to promote: active participation in an international norm setting; confidence building and the promotion of information sharing with foreign countries; international technical cooperation such as active support for Cybersecurity capacity building in developing countries; international cooperation such as crackdowns on cybercrime; and is to provide necessary measures to deepen other countries' understanding of Japan's Cybersecurity.

Article 24For the purpose of effectively and comprehensively promoting Cybersecurity policies, the Cybersecurity Strategic Headquarters (hereinafter referred to as the "Headquarters") are to be established under the Cabinet.

Article 25(1)The Headquarters will carry out the following functions:

(2)In preparing the draft of the Cybersecurity Strategy, the Headquarters must be required to hear the opinions of the Strategic Headquarters for the Promotion of an Advanced Information Telecommunications Network Society, and the National Security Council in advance.

(3)The Headquarters are to work in close coordination with the Strategic Headquarters for the Promotion of an Advanced Information Telecommunications Network Society with regard to critical issues concerning Cybersecurity.

(4)The Headquarters are to work in close coordination with the National Security Council with regard to critical issues concerning Cybersecurity in the context of national security.

Article 26The Headquarters are to consist of the Chief of Cybersecurity Strategy, the Deputy Chief of Cybersecurity Strategy, and the members of the Headquarters of Cybersecurity Strategy.

Article 27(1)The Chief Cabinet Secretary is to serve as the Chief of the Headquarters (hereinafter referred to as the "Chief")

(2)The Chief is to engage in the overall management of the Headquarters' functions and the oversight of personnel at the Headquarters.

(3)The Chief, where necessary, can make recommendations to the heads of relevant administrative organs, based on the evaluations prescribed under Article 25, paragraph (1), item (ii) to (iv), or the documents, information or other materials provided pursuant to the provisions under Articles 30 or 31.

(4)After making the recommendations as prescribed under the preceding paragraph, the Chief may request a report from the heads of the relevant administrative organs regarding the measures taken based on the recommendations.

(5)The Chief may, where particularly necessary in relation to the recommendations made in accordance with paragraph (3) of this article, present opinions for the Prime Minister to take an action for the matter, as prescribed under Article 6 of the Cabinet Law (Act No. 5 of 1947).

Article 28(1)A Minister of State is to be designated as the Deputy Chief of the Cybersecurity Strategic Headquarters (hereinafter referred to as the "Deputy Chief")

(2)The Deputy Chief is to assist the Chief's missions.

Article 29(1)The Headquarters are to establish the members of the Cybersecurity Strategic Headquarters (referred to in the succeeding paragraph as the "members").

(2)Those listed below are to be designated as the members (except in a case where someone listed in item (i) to (v) is designated as the Deputy Chief).

Article 30(1)As set by the Headquarters, the heads of the relevant administrative organs must have a duty to furnish the Headquarters timely with materials or information regarding Cybersecurity that are beneficial in fulfilling its functions.

(2)Beyond the provision under the preceding paragraph, when requested by the Chief, the heads of the relevant administrative organs have a duty to cooperate with the Headquarters for the fulfillment of its functions, by providing materials or information regarding Cybersecurity, explanation and other necessary cooperation.

Article 31(1)The Headquarters may, where necessary for the fulfillment of its functions, request the submission of materials, the presentation of opinion, explanation and any other necessary cooperation from: the heads of local governments and Incorporated Administrative Agencies; the deans of national university corporations (referring to national university corporations prescribed under Article 2, paragraph (1) of the National University Corporation Act (Act No.112 of 2003)); the heads of inter-university research institute corporations (referring to inter-university research institute corporations prescribed under Article 2, paragraph (3) of the Act); the President of the Japan Legal Support Center (referring to the Japan Legal Support Center prescribed under Article 13 of the Comprehensive Legal Support Act (Act No. 74 of 2004)); the representatives of Special Corporations and authorized corporations (referring to juridical persons incorporated by a special act and where the approval of a governmental entity is required for their incorporation and associated matters) designated by the Headquarters; and the representative of the relevant entity facilitating Cybersecurity-related communication and coordination with domestic and foreign parties concerned.

(2)In addition, the Headquarters may, where particularly necessary for the fulfillment of its functions, request necessary cooperation from a party other than the parties prescribed in the preceding paragraph.

Article 32(1)Local governments may, request the provision of information and other cooperation from the Headquarters where necessary, for the establishment and implementation of the policies prescribed under Article 5.

(2)When cooperation is requested pursuant to the preceding paragraph, the Headquarters are to make an effort to meet the request.

Article 33The functions of the Headquarters are to be performed by the Cabinet Secretariat and managed by a designated Assistant Chief Cabinet Secretary.

Article 34For matters pertaining to the Headquarters, the Prime Minister is to be the chief minister as prescribed in the Cabinet Act.

Article 35Beyond the provisions of this Act, necessary matters pertaining to the Headquarters are to be prescribed by Cabinet Order.