Nihon Cyber Defence

What New Expectations Does ACD Place on My Organisation — and on Me as a Business Leader?

The ACD Law makes cyber risk a board-level responsibility. Here is what Japan’s business leaders and executives must now prioritise to ensure compliance and resilience.

Japan’s cyber law raises the bar for CNI board-level risk and governance.

A New Era of Proactive Cyber Security Leadership

Japan’s new Active Cyber Defense (ACD) Law represents a national shift toward proactive cyber security.

For business leaders, this law introduces clear expectations that go beyond IT operations.

Executives are now directly responsible for ensuring their organisations can detect and respond to cyber threats before they escalate.

Key Expectations for Business Leaders Under ACD

  1. Executive Risk Ownership: The ACD Law reinforces that cyber security is no longer solely a technical issue. Boards and senior management must treat cyber resilience as a core business risk.

  2. Timely Incident Reporting: Designated critical infrastructure operators must report cyber incidents within 24 hours. Executive teams must ensure governance structures support this rapid escalation and response.

  3. Proactive Risk Management: Organisations are expected to shift from reactive security postures to proactive defence. This includes pre-notification before deploying critical systems and sharing metadata with national detection centres.

  4. Supply Chain Oversight: Business leaders must verify that contractors and suppliers meet new ACD-aligned cyber standards, extending risk management beyond internal operations.

Frequently Asked Questions (FAQ)

Deep Dive for Business Leaders Navigating ACD Compliance

Q: Am I personally accountable under the ACD Law?
While the law does not impose personal liability, it elevates board-level accountability for cyber risk management. Directors and executives must ensure appropriate oversight and resourcing.

Q: Does ACD only apply to IT systems?
No — ACD requirements impact operational technology (OT), critical business processes, and extended supply chains. Business leaders must take a holistic, enterprise-wide approach.

Q: How fast must we report incidents?
ACD requires notification within 24 hours of identifying a significant cyber incident. This demands clearly defined escalation paths and leadership involvement in incident management.

Q: What is expected of us around proactive defence?
Leaders must support investment in early detection, continuous monitoring, and sharing relevant data with national defence centres, moving beyond traditional perimeter defences.

Toshio Nawa

Chief Technology Officer (CTO)

After military and JPCERT/CC experience, Nawa joined Nihon Cyber Defence in 2018, specializing in CSIRT and threat intelligence advisory.

Cyber Maturity Assessment

Nihon Cyber Defence (NCD) offers comprehensive Cyber Maturity Assessments designed to evaluate an organisation's current cyber security capabilities, identify areas for improvement, and develop a strategic roadmap to enhance overall security posture.

Cyber Security Framework (NIST)

National Institute of Standards and Technology

Cyber Assessment Framework (CAF)

National Cyber Security Centre
