Basic Act on Cybersecurity (Cybersecurity Basic Act)

Japan's Cybersecurity Basic Act (Act No. 104 of 2014, amended 2016 and 2018) establishes the foundational legal framework for national cybersecurity policy. The Act created the National center of Incident readiness and Strategy for Cybersecurity (NISC) and the Cybersecurity Strategy Headquarters under the Cabinet. It defines cybersecurity as a matter of national security and economic competitiveness. The Act imposes obligations on the national government, local governments, critical infrastructure operators, and cybersecurity-related businesses. Critical infrastructure sectors designated under the Act include information and communications, finance, aviation, railways, electric power, gas, government and administrative services, medical services, water, logistics, chemicals, credit, and petroleum. The Act requires these operators to implement cybersecurity measures commensurate with risk, participate in information sharing initiatives, and cooperate with government incident response. The 2018 amendment strengthened supply chain security requirements and expanded the scope of critical infrastructure protection.