Cyberattacks no longer happen only inside screens. They reach airline reservations, port logistics, hospital systems, electricity grids, bank payments, municipal services and defense networks. As society’s nervous system becomes digital, the target is no longer just data. The target is life as it functions each day. That is why the memorandum of understanding between NEC and Britain’s BAE Systems matters.
On June 15, NEC and BAE Systems announced that they had signed an MoU to combine expertise for the implementation of active cyber defense, or ACD, solutions for the Japanese government. According to the companies, the cooperation will support Japan’s cybersecurity posture through joint development, implementation and delivery of ACD solutions. BAE Systems brings experience in cyber and digital capabilities for government organizations. NEC brings Japanese technology, deployment experience and a deep understanding of Japan’s ACD policy and operational environment.
That is the corporate version. The larger story is about Japan’s movement from reactive cyber defense toward a more proactive model: detecting hostile activity earlier, reading threat patterns, protecting critical infrastructure before damage spreads, and building the legal and industrial architecture to support that shift.
The core of the MoU: what ACD means
Active cyber defense is a difficult phrase because it sits between ordinary cybersecurity and national security. It does not simply mean building thicker walls. It means gathering threat intelligence, detecting preparations for attacks, identifying hostile infrastructure and reducing the chance that serious damage occurs in the first place. Different countries define the boundary differently, but the direction is clear: defense is moving upstream.
Japan has approached that move cautiously. The country’s constitution, protections for the secrecy of communications, privacy concerns, police authority, the role of the Self-Defense Forces and the fact that much critical infrastructure is privately owned all make ACD a sensitive subject. Japan’s 2022 National Security Strategy stated that the country would introduce active cyber defense to eliminate in advance the possibility of serious cyberattacks that could raise national security concerns. Legislation then began moving the policy from concept to implementation.
Why Britain?
The United Kingdom has treated cyber defense as a meeting point of intelligence, diplomacy, national security and industrial policy. BAE Systems Digital Intelligence has long served governments and companies in cyber, data and digital capabilities. In the NEC announcement, BAE Systems is positioned as a long-standing provider of cyber and digital capability to government organizations.
The diplomatic context is just as important. The 2023 Hiroshima Accord described the UK and Japan as each other’s closest security partners in Europe and Asia and tied together defense industry, the Global Combat Air Programme (GCAP), joint exercises, outer space, cyber and economic security. The Japan-UK Reciprocal Access Agreement (RAA), signed in 2023, made cooperation between the Self-Defense Forces and the British Armed Forces easier by setting procedures for visits and joint activities. In January 2026, the two governments upgraded their cyber cooperation into a Strategic Cyber Partnership built around threat intelligence, critical infrastructure protection, supply chains, cyber workforces and emerging technologies.
So the NEC-BAE MoU is not an isolated vendor deal. It is an industrial implementation layer on top of a rapidly deepening UK-Japan security relationship.
What it means for NEC
NEC was founded in 1899 as Nippon Electric Company, a joint venture with Western Electric. From telephones and switching systems to computers, networks, government systems and digital infrastructure, NEC’s history is deeply tied to Japan’s communications architecture. That makes this MoU symbolically powerful. A company born in the age of modern communications is now helping defend the communications age from attack.
NEC’s advantage is not simply that it is Japanese. It understands Japanese systems. Government procurement, ministries, local governments, telecom operators, financial institutions, transport operators, manufacturers, energy providers and healthcare organizations all have different operational cultures and constraints. Active cyber defense cannot be imported as a generic product. It has to fit Japan’s legal, bureaucratic and technical environment.
What it means for BAE Systems
BAE Systems is one of the United Kingdom’s major defense, aerospace and security companies. The NEC announcement describes it as employing around 110,000 people in more than 40 countries and working on military capability, national security and the protection of critical information and infrastructure. It has also been active in Japan for more than 50 years, with work including naval guns, electronic warfare capability, amphibious armored vehicles and, today, the Global Combat Air Programme.
BAE’s role in cyber reflects a larger reality: modern defense platforms are software platforms. Aircraft, ships, missiles, radars, satellites and command systems all rely on networks, sensors, encryption, data links, AI and secure supply chains. A fighter aircraft program and a cyber defense program are not separate worlds anymore. They are parts of the same security architecture.
Japan’s cyber policy evolution
Japan’s cyber policy once grew mainly out of information-system management, administrative IT, privacy, and critical infrastructure protection. The Basic Act on Cybersecurity created the basic framework for national policy, responsibilities and strategy. NISC, and later the reorganized national cybersecurity structure, became the government’s coordinating function.
The 2020s changed the scale of the problem. Ransomware, supply-chain attacks, state-backed cyber espionage, attacks on hospitals and public services, AI-enabled phishing and the digital dimension of war all pushed cybersecurity into the center of national security. Russia’s invasion of Ukraine showed how cyber operations, drones, information warfare, missiles and critical infrastructure attacks can become part of one conflict environment.
Japan’s 2022 National Security Strategy marked a turning point. It connected cyber to defense, diplomacy, intelligence and economic security, and it called for a posture that could pre-empt serious cyberattacks. The NEC-BAE MoU belongs to that transition from strategy paper to operational design.
Who protects critical infrastructure?
The hard part is that much of what must be protected is privately operated. Electric utilities, telecom carriers, railways, airports, ports, banks, hospitals, cloud providers and industrial control systems are national foundations, but they are not all run directly by the state. Government cannot defend everything alone. Private companies cannot independently withstand state-level cyber campaigns.
That is why ACD is not only a technical problem. It is a trust problem. Which data can be shared? Who can see it? How is the secrecy of communications protected? What counts as hostile infrastructure? What do police, defense authorities, cabinet offices, regulators, telecom providers and overseas partners do, and where are the boundaries? Without answers, powerful capabilities can create political and social backlash.
The NEC-BAE pairing is potentially useful because it connects foreign operational experience with domestic implementation reality. British experience alone cannot simply be dropped into Japan. Japanese domestic deployment alone may not reach the full intelligence and operational lessons learned by a country with a longer ACD history. The bridge between those worlds is the real value of the MoU.
Active, not reckless
ACD will always invite concern. The word active can sound offensive, intrusive or militarized. In Japan, those concerns are intensified by constitutional history, privacy expectations and the postwar understanding of security. That means any ACD capability needs oversight, limits and public legitimacy.
Japan.co.jp sees three tests. The target must be clear. Oversight must be real. Public trust must not be sacrificed. A society can need stronger cyber defense and still need freedom from excessive surveillance. The phrase used in the UK-Japan Strategic Cyber Partnership — a free, fair and secure cyberspace — matters because security without freedom is not enough.
The industrial-policy layer
The MoU also points toward industry building. NEC and BAE Systems said they will explore a business collaboration framework connecting cybersecurity and national security stakeholders in both countries. That could mean talent, training, products, operations, standards and joint projects. Japan needs domestic cyber capacity not only to protect ministries and defense systems but to secure AI data centers, semiconductor plants, energy systems and logistics networks.
Cybersecurity is no longer a separate vertical. It is the base layer of Japan’s growth strategy. If AI infrastructure is insecure, AI policy fails. If semiconductor plants are compromised, supply-chain policy fails. If ports are frozen, trade policy fails. Cyber defense is industrial policy by another name.
Japan.co.jp view
The NEC-BAE Systems MoU may look small beside fighter jets and defense budgets. But it may prove more important than a headline suggests. It links UK-Japan security cooperation, Japan’s ACD legislation, critical infrastructure protection, defense industry and cyber workforce development into one practical announcement.
Japan cannot afford to be late in cyberspace. Attackers do not respect borders. Criminal groups do not wait for business hours. State-backed actors blur the line between peace and conflict. If defenders remain trapped by silos, time zones, procurement cycles and legal ambiguity, society’s digital nervous system will remain exposed.
But strong capability must be built with strong restraint. The success of this partnership will not be measured only by technical sophistication. It will depend on whether it fits Japanese law, earns the trust of critical infrastructure operators, can be explained to the public, and leaves skill and industry inside Japan rather than merely importing a foreign model.
The cyber-defense era is a quiet era of invisible conflict. Precisely because it is invisible, Japan has to design its institutions, ethics, industry, talent base and alliances carefully. The NEC and BAE Systems MoU is one part of that design.
Reader guide
| Question | How to read it |
|---|---|
| What happened? | NEC and BAE Systems signed an MoU to cooperate on active cyber defense solutions for the Japanese government. |
| Why does it matter? | Japan is moving from a reactive cyber posture toward proactive cyber defense, and industry implementation is now following policy. |
| Why the UK? | The MoU sits inside a broader UK-Japan security framework: the Hiroshima Accord, RAA, GCAP and the 2026 Strategic Cyber Partnership. |
| What are the risks? | ACD requires careful limits around privacy, communications secrecy, data sharing and oversight. |
| Japan.co.jp view | This is both a corporate partnership and an industrial-security story about protecting Japan’s critical infrastructure. |
Sources and references
This article used public materials from NEC, BAE Systems, the UK Government, Japan’s Ministry of Foreign Affairs, NCO/NISC, the Basic Act on Cybersecurity, Japan’s 2022 National Security Strategy and commentary on ACD implementation.
- NEC: BAE Systems and NEC sign MoU to strengthen Japan’s active cyber defence.
- BAE Systems: Official BAE Systems release on the NEC MoU.
- GOV.UK: UK-Japan Strategic Cyber Partnership.
- GOV.UK: The Hiroshima Accord.
- MOFA Japan: Signing of Japan-UK Reciprocal Access Agreement.
- Japanese Law Translation: The Basic Act on Cybersecurity.
- NEC: NEC corporate history.
- Cabinet Secretariat: National Security Strategy of Japan, 2022.
