Article 1In consideration of the fact that ensuring cybersecurity while securing the free flow of information is an urgent issue, due to the increasing severity of threats to cybersecurity and other changes in internal and external circumstances that are arising on a global scale, as the internet and other advanced information and telecommunications networks develop, and the use of information and communications technologies (referred to below as "information and communications technologies") prescribed in Article 2 of the Basic Act on Forming a Digital Society (Act No. 35 of 2021) expands, the purpose of this Act is to set basic principles for Japan's cybersecurity policies, clarify the responsibilities and other aspects of the national government and local governments, and provide for the formulation of a cybersecurity strategy and other matters that will become the foundation of cybersecurity policies, and also in conjunction with the same Act, comprehensively and effectively advance cybersecurity policies in ways such as establishing a Cybersecurity Strategic Headquarters, and by doing so, enhance economic and social vitality and achieve sustainable development and bring about a society which enables its people to live safely and free of anxiety, and also contribute to ensuring peace and safety in the international community and contribute to Japan's national security.

Article 2The term "cybersecurity" as used in this Act means that the necessary measures have been taken to prevent the leakage, loss, or damage of information that is recorded, sent, transmitted, or received in electronic form, magnetic form, or any other form that cannot be perceived by the human senses (referred to below as "electronic or magnetic form" in this Article) and to securely manage that information in other ways, and that the necessary measures have been taken to ensure the security and reliability of information systems and of information and communications networks (including the necessary measures to prevent damage from unauthorized activities directed at a computer through an information and communications network or through a storage medium associated with a record that has been created in electronic or magnetic form (referred to below as "electronic or magnetic recording medium"), and that these systems and networks are being properly maintained and managed.

Article 3(1)In view of the importance of ensuring the free flow of information through the development of the internet and other advanced information and telecommunications networks and through the use of information and communications technologies for activities including the enjoyment of freedom of expression, the creation of innovations, and the enhancement of economic and social vitality through the use of these networks and technologies, cybersecurity policy must be advanced based on the principle of proactively responding to cybersecurity threats, through coordination among a variety of entities, such as the national government and local governments and critical social infrastructure providers (meaning those engaged in business that provides infrastructure which is the foundation of the lives of the people and economic activities, and whose functional failure or deterioration would cause an enormous impact to them; the same applies below).

(2)The cybersecurity policy must be advanced based on the principle of raising the awareness of each individual member of the public regarding cybersecurity and encouraging each individual member of the public to take voluntary actions, and positively promoting actions to establish resilient systems which can prevent any damage caused by threats against cybersecurity and quickly recover from damage or failure.

(3)The cybersecurity policy must be advanced based on the principle of developing the internet and other advanced information and telecommunications networks, and positively promoting actions to establish a vital economy and society through the utilization of information and communications technologies.

(4)The cybersecurity policy must be advanced through international cooperation based on the principle of Japan assuming a leading role in formulating and developing an international cybersecurity framework, in consideration of the fact that responding to cybersecurity threats is a common issue throughout the international community, and that Japan's economy and society operate within the context of internationally close and interdependent relationships.

(5)The cybersecurity policy must be advanced taking into consideration the basic principles of the Basic Act on Forming a Digital Society.

(6)The cybersecurity policy must be advanced with due consideration to not unjustly infringing on the rights of the people.

Article 4The national government is responsible for formulating and implementing comprehensive cybersecurity policies in line with the basic principles prescribed in the preceding Article (referred to below as "basic principles").

Article 5Local governments are responsible for formulating and implementing independent cybersecurity policies in line with the basic principles, taking into consideration of the appropriate division of roles with the national government.

Article 6In line with the basic principles, a critical social infrastructure provider is to deepen their interest in and understanding of the importance of cybersecurity and to endeavor independently and actively to ensure cybersecurity, while also endeavoring to cooperate in the implementation of the cybersecurity policy that the national government or local governments implements, to provide their services in a stable and appropriate manner.

Article 7(1)In line with the basic principles, business entities related to cyberspace (meaning those engaged in business regarding the maintenance of the internet and other advanced information and telecommunications networks, the utilization of information and communications technologies, or business relating to cybersecurity; the same applies below) and other business entities are to endeavor independently and actively to ensure cybersecurity, while also endeavoring to cooperate with the cybersecurity policy that the national government or local governments implement, in the course of their business activities.

(2)Suppliers of the information systems, or computers or programs that constitute a part of those systems, information and communications networks, or electronic or magnetic recording medium (referred to below as "information systems, etc." in this paragraph) are to endeavor, in order to prevent damage to the information systems, etc. that they have supplied due to threats to cybersecurity, to support the measures taken by the users of information systems, etc. to ensure cybersecurity, including designing and developing information systems, etc. that take into consideration the measures taken by the users to ensure their security and reliability, and continuously providing the necessary information for their proper maintenance and management.

Article 8In line with the basic principles, universities and other educational and research organizations are to independently and actively endeavor to ensure cybersecurity, foster human resources related to cybersecurity, carry out research on cybersecurity, and disseminate the results, while endeavoring to cooperate with the cybersecurity policy that the national government or local governments implement.

Article 9In line with the basic principles, the people are to endeavor to deepen their interest in and understanding of the importance of cybersecurity and pay necessary attention to ensuring cybersecurity.

Article 10The national government must take legislative, financial, or tax measures or any other measures that are necessary to implement the cybersecurity policy.

Article 11In implementing the cybersecurity policy, the national government is to endeavor to develop administrative organizations and to improve administrative management.

Article 12(1)The national government must establish a basic plan for cybersecurity (referred to below as the "cybersecurity strategy") to comprehensively and effectively promote the cybersecurity policy.

(2)The cybersecurity strategy is to provide for the following matters:

(3)The Prime Minister must request a cabinet decision on the proposed cybersecurity strategy.

(4)When the cybersecurity strategy is established, the national government must report it to the Diet without delay and make it public through the use of the internet and other appropriate means.

(5)The provisions of the preceding two paragraphs apply mutatis mutandis in the case of amendments to the cybersecurity strategy.

(6)The national government must endeavor to take necessary measures for implementing the cybersecurity strategy smoothly, such as appropriating the necessary funding in the budget each fiscal year, to the extent that national finances allow, to ensure necessary funding for the costs needed to implement the cybersecurity strategy.

Article 13Regarding cybersecurity at national administrative organs, incorporated administrative agencies (meaning incorporated administrative agencies prescribed in Article 2, paragraph (1) of the Act on General Rules for Incorporated Administrative Agencies (Act No. 103 of 1999); the same applies below), special corporations (meaning a corporation directly incorporated by law or incorporated by a special law through a special incorporation procedure which is subject to Article 4, paragraph (1), item (viii) of the Act for Establishment of the Ministry of Internal Affairs and Communications (Act No. 91 of 1999); the same applies below), etc., the national government is to provide necessary measures including: formulating common standards regarding cybersecurity measures for national administrative organs, incorporated administrative agencies and designated corporations (special corporations and authorized corporations (meaning a corporation incorporated by a special law which needs the approval of a governmental entity for their incorporation and associated matters; the same applies in Article 33, paragraph (1)) which are designated by the Cybersecurity Strategic Headquarters as ones for which the national government needs to further enhance measures which it is providing to ensure cybersecurity, in consideration of the impact on the people's living conditions and economic activities accrued in the case in which cybersecurity in the corporations is not ensured; the same applies below); the collaborative use of information systems among national administrative organs; monitoring and analysis of malicious activities against information systems of national administrative organs, incorporated administrative agencies or designated corporations through information and communications networks or electronic or magnetic recording media; cybersecurity exercises and training at national administrative organs, incorporated administrative agencies and designated corporations; responses to cybersecurity threats in cooperation, communication and coordination with relevant domestic and foreign parties; the sharing of information regarding cybersecurity among national administrative organs, incorporated administrative agencies, special corporations, etc.

Article 14Regarding cybersecurity at critical social infrastructure providers and other related entities, the national government is to organize and analyze information to prevent damage to computers associated with their important facilities, and is to take necessary measures including the formulation of standards, exercises and training, the promotion of information sharing and other voluntary efforts.

Article 15(1)In view of the fact that the information related to the intellectual property of private enterprises such as small and medium-sized enterprises or of educational and research organizations such as universities is critical for enhancing Japan's international competitiveness, the national government is to provide necessary measures, including promoting their voluntary activities for cybersecurity by increasing interest in and understanding of the importance of cybersecurity, offering consultation on cybersecurity, and providing necessary information and advice.

(2)Considering that it is important for each member of the public to voluntarily endeavor to ensure cybersecurity, the national government is to provide necessary measures, including offering consultation on cybersecurity and providing necessary information and advice on actions such as appropriate choices concerning products and services in the daily use of computers, the internet or other advanced information and telecommunications networks.

Article 16The national government is to enhance coordination among relevant administrative organs, and is to take necessary measures to enable diverse entities, such as the national government, local governments, critical social infrastructure providers, and business entities related to cyberspace, to work on cybersecurity policies in mutual coordination.

Article 17The national government is to take necessary measures to control crimes related to cybersecurity and prevent the spread of damage caused by these crimes.

Article 18The national government is to take necessary measures to improve and strengthen systems at the relevant bodies, and to strengthen mutual coordination and clarify the division of roles among the relevant bodies for responding to incidents related to cybersecurity that might critically affect Japan's safety.

Article 19In consideration of the fact that it is critical for Japan to have self-reliant capabilities to ensure cybersecurity, the national government is to take necessary measures related to cybersecurity, including the promotion of advanced research and development, technological advancements, the development and recruitment of human resources, the strengthening of the market environment and the development of new businesses through the improvement of competitive conditions, the internationalization of technological safety and reliability standards and the participation in frameworks for mutual recognition of those standards, to create new business opportunities, develop sound businesses, and enhance international competitiveness, so that the cybersecurity sector can become a "growth industry" which creates employment opportunities.

Article 20In consideration of the fact that it is critical for Japan to maintain self-reliant technological cybersecurity capabilities, the national government is to take necessary measures related to cybersecurity, including the improvement of the cybersecurity research environment, the promotion of basic research on technological safety and reliability, the promotion of research and development for core technologies, the development of skilled researchers and engineers, the strengthening of coordination among national research institutes, universities, the private sector, and other relevant parties, and international coordination for research and development, to promote research and development for cybersecurity and its technological and other relevant demonstrations, and to have the relevant cybersecurity results publicized.

Article 21(1)In close coordination and cooperation with universities, colleges of technology, specialized training colleges, private enterprises, and other relevant entities, the national government is to take necessary measures to ensure appropriate employment conditions and treatment of the workforce in the field of cybersecurity, and by doing so, enabling their duties and work environments to become attractive enough to match their importance.

(2)In close coordination and cooperation with universities, colleges of technology, specialized training colleges, private enterprises, and other relevant entities, for the purposes of recruitment, development, and quality improvement of cybersecurity-related human resources, the national government is to take necessary measures, including the utilization of a qualification scheme and training of young technical experts.

Article 22(1)The national government is to take necessary measures, including the promotion of education and learning, public awareness activities, and the dissemination of knowledge in the field of cybersecurity, to deepen interest and understanding regarding cybersecurity among the people on a broad scale.

(2)The national government is to take necessary measures, including the implementation of events for public awareness and the dissemination of information on cybersecurity, and the designation of the period to promote cybersecurity activities in a focused and effective manner, to contribute to the promotion of the measures referred to in the preceding paragraph.

Article 23In order for Japan to play an active role in the international community in the field of cybersecurity and promote Japan's international interests, the national government is to advance international cooperation relating to cybersecurity, including through independent participation in the formulation of international rules, by building relationships of trust and promoting information-sharing on an international level, by providing active support for capacity building in developing regions' cybersecurity response and other such international technological cooperation, and through crime control; and is also to take the necessary measures for deepening other countries' understanding of cybersecurity in Japan.

Article 24The Cybersecurity Strategic Headquarters (referred to below as the "Headquarters") is established under the Cabinet to effectively and comprehensively advance cybersecurity policies.

Article 25(1)The Headquarters is responsible for the following affairs:

(2)In preparing a draft of the cybersecurity strategy, the Headquarters must hear the opinions of the National Security Council in advance.

(3)In the following cases, the Headquarters must hear the opinions of the Cybersecurity Promotion Expert Council in advance:

(4)The Headquarters is to work in close coordination with the National Security Council on critical issues concerning cybersecurity in the context of national security.

Article 26The Headquarters consists of the Chief of the Cybersecurity Strategic Headquarters, the Deputy Chief of the Cybersecurity Strategic Headquarters, and the members of the Cybersecurity Strategic Headquarters.

Article 27(1)The person in charge of the Headquarters is referred to as the Chief of the Cybersecurity Strategic Headquarters (referred to below as the "Chief"), and the Prime Minister serves in that capacity.

(2)The Chief engages in the overall management of the Headquarters' affairs and directs and supervises personnel at the Headquarters.

(3)If the Chief finds it necessary based on the evaluation provided for in Article 25, paragraph (1), items (ii) through (v), or the materials, data, etc. provided pursuant to the provisions of Article 32 or 33, the Chief may make recommendations to the head of the relevant administrative organ.

(4)After making the recommendations pursuant to the provisions of the preceding paragraph, the Chief may request a report from the heads of the relevant administrative organs regarding the measures taken based on the recommendations.

Article 28(1)The Deputy Chief of the Cybersecurity Strategic Headquarters (referred to below as the "Deputy Chief") is assigned to the Headquarters, and a Minister of State serves in that capacity.

(2)The Deputy Chief assists the Chief's duties.

Article 29(1)The members of the Cybersecurity Strategic Headquarters are assigned to the Headquarters (referred to as "members" in the following paragraph).

(2)All Ministers of State other than the Chief and the Deputy Chief serve as members.

Article 30(1)The Cybersecurity Promotion Expert Council (referred to below as the "Expert Council" in this Article) is established in the Headquarters.

(2)The Expert Council takes charge of the following affairs:

(3)The members of the Expert Council are appointed by the Prime Minister from among persons with relevant expertise in cybersecurity.

Article 31(1)The Headquarters may entrust a part of its affairs to the persons specified in each of the items according to the category of affairs stated in the following items:

(2)An officer or employee of a corporation that has been entrusted with affairs pursuant to the provisions of the preceding paragraph or a person who had been in that position, must not divulge or misappropriate any secrets learned in connection with those affairs under that entrustment, without justifiable grounds.

(3)An officer or employee of a corporation entrusted with affairs pursuant to the provisions of paragraph (1) who engages in the affairs under the entrustment, is deemed to be an official engaged in public services pursuant to laws and regulations, regarding the application of the Penal Code (Act No. 45 of 1907) or other penal provisions.

Article 32(1)The heads of relevant administrative organs must provide the Headquarters with materials or information related to cybersecurity that is beneficial to the performance of the affairs under its jurisdiction in a timely manner, as prescribed by Headquarters.

(2)Beyond what is provided for in the preceding paragraph, as requested by the Chief, the heads of the relevant administrative organs must cooperate with the Headquarters, by activities such as providing materials or information related to cybersecurity that is necessary for the performance of the affairs under its jurisdiction, or by explaining those materials or information.

Article 33(1)If the Headquarters finds it necessary for carrying out the functions under its jurisdiction, in relation to the measures which the Headquarters takes in coordination with the national government, or other cybersecurity measures for preventing the spread of damage caused by threats against cybersecurity and promoting a quick recovery from any damage, it may request the submission of the necessary materials, presentation of the necessary opinions, provision of the necessary explanations or any other cooperation from the following persons: the heads of local governments or incorporated administrative agencies; the deans or the presidents of national university corporations (meaning national university corporations prescribed in Article 2, paragraph (1) of the National University Corporation Act (Act No.112 of 2003)); the heads of inter-university research institute corporations (meaning inter-university research institute corporations provided for in Article 2, paragraph (3) of that Act); the president of the Japan Legal Support Center (meaning the Japan Legal Support Center provided for in Article 13 of the Comprehensive Legal Support Act (Act No. 74 of 2004)); the representatives of special corporations or authorized corporations designated by the Headquarters; and the representatives of the relevant entity facilitating cybersecurity-related communication and coordination with related domestic and foreign parties. In this case, the relevant person must respond to the request, unless there is a justifiable reason for not doing so.

(2)If the Headquarters finds it necessary for carrying out the functions under its jurisdiction, the Headquarters may ask for the cooperation referred to in the preceding paragraph from the representatives of the critical social infrastructure providers and the associations that they have organized. In this case, the persons that have been requested to do so are to endeavor to meet that request.

(3)If the Headquarters finds it particularly necessary for carrying out the functions under its jurisdiction, it may request the cooperation referred to in paragraph (1) from persons other than those prescribed in the preceding two paragraphs.

Article 34(1)If a local government finds it necessary for formulating or implementing the policy prescribed in Article 5, it may request the Headquarters to provide information and other cooperation.

(2)If the Headquarters is requested to provide cooperation under the preceding paragraph, it is to endeavor to meet the request.

Article 35Administrative affairs concerning the Headquarters are processed by the Cabinet Secretariat and administered by the Cabinet Cyber Officer.

Article 36The competent minister under the Cabinet Act (Act No. 5 of 1947) for matters related to the Headquarters is the Prime Minister.

Article 37Beyond what is provided for in this Act, Cabinet Order prescribes the necessary matters relating to the Headquarters.

Article 38A person who has violated the provisions of Article 31, paragraph (2) is punished by imprisonment for not more than one year or a fine of not more than 500,000 yen.