- Cyber Security Leadership
- June 16, 2025
What New Expectations Does ACD Place on My Organisation — and on Me as a Business Leader?
The ACD Law makes cyber risk a board-level responsibility. Here is what Japan’s business leaders and executives must now prioritise to ensure compliance and resilience.
A New Era of Proactive Cyber Security Leadership
Japan’s new Active Cyber Defense (ACD) Law represents a national shift toward proactive cyber security.
For business leaders, this law introduces clear expectations that go beyond IT operations.
Executives are now directly responsible for ensuring their organisations can detect and respond to cyber threats before they escalate.
Key Expectations for Business Leaders Under ACD
- Executive Risk Ownership: The ACD Law reinforces that cyber security is no longer solely a technical issue. Boards and senior management must treat cyber resilience as a core business risk.
- Timely Incident Reporting: Designated critical infrastructure operators must report cyber incidents within 24 hours. Executive teams must ensure governance structures support this rapid escalation and response.
- Proactive Risk Management: Organisations are expected to shift from reactive security postures to proactive defence. This includes pre-notification before deploying critical systems and sharing metadata with national detection centres.
- Supply Chain Oversight: Business leaders must verify that contractors and suppliers meet new ACD-aligned cyber standards, extending risk management beyond internal operations.
Frequently Asked Questions (FAQ)
Deep Dive for Business Leaders Navigating ACD Compliance
Q: Am I personally accountable under the ACD Law?
While the law does not impose personal liability, it elevates board-level accountability for cyber risk management. Directors and executives must ensure appropriate oversight and resourcing.
Q: Does ACD only apply to IT systems?
No — ACD requirements impact operational technology (OT), critical business processes, and extended supply chains. Business leaders must take a holistic, enterprise-wide approach.
Q: How fast must we report incidents?
ACD requires notification within 24 hours of identifying a significant cyber incident. This demands clearly defined escalation paths and leadership involvement in incident management.
Q: What is expected of us around proactive defence?
Leaders must support investment in early detection, continuous monitoring, and sharing relevant data with national defence centres, moving beyond traditional perimeter defences.
Toshio Nawa
Chief Technology Officer (CTO)
After military and JPCERT/CC experience, Nawa joined Nihon Cyber Defence in 2018, specializing in CSIRT and threat intelligence advisory.
Cyber Maturity Assessment
Nihon Cyber Defence (NCD) offers comprehensive Cyber Maturity Assessments designed to evaluate an organisations current cyber security capabilities, identify areas for improvement, and develop a strategic roadmap to enhance overall security posture.
Cyber Security Framework (NIST)
National Institute of Standards and Technology
Cyber Assessment Framework (CAF)
National Cyber Security Centre
Explore more of the NCD suite: Cyber Security Consultancy, Protective Services, Network Monitoring & Security Operations, SIEM, Incident Management
Explore how AI is transforming the battlefield, from autonomous drones to cyberwarfare tactics. Understand key trends shaping the future of global defense...
North Korean hackers from Lazarus stole $1.4B in crypto from Bybit, exploiting cold wallet security flaws. Learn how the attack happened & what it means...
Japan faces a cyber security talent shortage of 110,000 experts. Explore the challenges, impacts, and solutions to bridge this critical skills gap...
Japan’s Active Cyber Defense (ACD) policy is set to transform cyber security, requiring critical infrastructure operators to comply with new reporting mandates. Ret. Adm. Akira Ichida explores the...
The collaboration combines Fivecast’s advanced AI-powered OSINT technology with NCD’s expertise in cyber threat intelligence and Japanese cyber security needs, delivering actionable intelligence...
Unprepared cyber incident response can lead to prolonged damage. Learn practical strategies to strengthen resilience, improve decision-making speed, and build a proactive response framework in this...
Japan's energy and food security depend on resilient supply chains, but cyber threats to critical infrastructure are rising. Discover strategies to safeguard OT systems and protect vital industries in...
Cyber resilience is a strategic necessity. Discover five key strategies to minimize cyber incident impacts and strengthen long-term security, based on insights from Dr. Jamie Saunders and the World...
Cyber security is a boardroom issue. John Noble shares essential non-technical questions that leaders must ask to strengthen cyber resilience and governance in today’s digital landscape...
