What New Expectations Does ACD Place on My Organisation — and on Me as a Business Leader?

The ACD Law makes cyber risk a board-level responsibility. Here is what Japan’s business leaders and executives must now prioritise to ensure compliance and resilience.

A New Era of Proactive Cyber Security Leadership

Japan’s new Active Cyber Defense (ACD) Law represents a national shift toward proactive cyber security.

For business leaders, this law introduces clear expectations that go beyond IT operations.

Executives are now directly responsible for ensuring their organisations can detect and respond to cyber threats before they escalate.

Key Expectations for Business Leaders Under ACD

Executive Risk Ownership: The ACD Law reinforces that cyber security is no longer solely a technical issue. Boards and senior management must treat cyber resilience as a core business risk.
Timely Incident Reporting: Designated critical infrastructure operators must report cyber incidents within 24 hours. Executive teams must ensure governance structures support this rapid escalation and response.
Proactive Risk Management: Organisations are expected to shift from reactive security postures to proactive defence. This includes pre-notification before deploying critical systems and sharing metadata with national detection centres.
Supply Chain Oversight: Business leaders must verify that contractors and suppliers meet new ACD-aligned cyber standards, extending risk management beyond internal operations.

ACD Compliance FAQ

Frequently Asked Questions (FAQ)

Deep Dive for Business Leaders Navigating ACD Compliance

Q: Am I personally accountable under the ACD Law?

While the law does not impose personal liability, it elevates board-level accountability for cyber risk management. Directors and executives must ensure appropriate oversight and resourcing.

Q: Does ACD only apply to IT systems?

No — ACD requirements impact operational technology (OT), critical business processes, and extended supply chains. Business leaders must take a holistic, enterprise-wide approach.

Q: How fast must we report incidents?

ACD requires notification within 24 hours of identifying a significant cyber incident. This demands clearly defined escalation paths and leadership involvement in incident management.

Q: What is expected of us around proactive defence?

Leaders must support investment in early detection, continuous monitoring, and sharing relevant data with national defence centres, moving beyond traditional perimeter defences.

Edit Template

Cyber Maturity Assessment

Nihon Cyber Defence (NCD) offers comprehensive Cyber Maturity Assessments designed to evaluate an organisations current cyber security capabilities, identify areas for improvement, and develop a strategic roadmap to enhance overall security posture.