
Geopolitics and Cybersecurity: Japan and the UK Announce Strategic Cyber Partnership Amid Growing Global Focus on Privacy and Cyber Risks Posed by Foreign Actors

On January 31, 2026, the governments of Japan and the United Kingdom announced they were strengthening their cybersecurity collaboration through a bilateral Strategic Cyber Partnership (Partnership).
The Partnership focuses on three priorities:
- Detecting, deterring, and defending against cyber threats through cyber threat intelligence and assessment sharing, enhancement of cyber capabilities, international cooperation, and participation in deterrence campaigns, including through attribution.
- Sharing and aligning best practices and standards for protecting critical infrastructure and supply chains.
- Cooperating in the development of cyber workforces and emerging technologies, including through the countries’ industrial partnership.
Notably, the Partnership states that the countries reciprocally intend to share information and provide support when either country faces destructive, disruptive, or otherwise destabilizing malicious cyber incidents.
Why This Matters Now
Japan’s Renewed Efforts to Strengthen Its Cyber Capabilities
This announcement follows Japan’s passage, in May 2025, of the Cybersecurity Capability Enhancement Acts, also known as the “Active Cyber Defense Act.” These reforms reflect a move to: (i) strengthen public-private cooperation through cyber risk reporting and information-sharing (including with critical infrastructure operators); (ii) develop more robust mechanisms to collect and analyze cyber threat-related information, consistent with statutory authorities, in order to identify and respond to significant cyberattacks; and (iii) expand the authority of Japan’s National Police Agency (NPA) and Self-Defense Forces to respond more proactively to significant cyber threats.
Against that backdrop, a bilateral framework with the UK that emphasizes intelligence sharing, coordinated resilience efforts, and support during destabilizing incidents is part of a more holistic approach to cyber defense. Japan is expanding domestic capabilities while deepening cooperation with close partners, especially in areas key to national security such as critical infrastructure protection, supply-chain security, and cyberattack response.
Although the Partnership is positioned as a two-nation resilience initiative, it emerges against a broader regional security backdrop. Japan’s strategic initiative continues to evolve amid mounting tensions between the island nation and the People’s Republic of China (PRC). In late December 2025, a PRC foreign ministry spokesperson publicly criticized Japan’s “active cyber defense” approach and related cyber strategy. The PRC’s criticism came after Japanese Prime Minister Sanae Takaichi’s indication that her country would not rule out military intervention if the PRC used military force against Taiwan. The PRC also imposed restrictions on travel to, and trade with, Japan.
Last year Japan also publicly attributed long-running cyberattacks affecting Japanese organizations to a PRC-linked threat actor. The NPA issued a public alert assessing that more than 200 cyberattacks against entities in Japan between 2019 and 2025 were likely conducted by “MirrorFace,” a threat actor linked to the PRC. According to the NPA, the attacks targeted data related to Japanese national security and advanced technology.
Growing Focus on Privacy and Cyber Risks Posed by Foreign Actors
Japan’s efforts also mirror a growing global trend: governments are increasingly treating data, technology, and cybersecurity dependencies as national security issues, not just operational concerns — especially pertaining to critical infrastructure and Information and Communications Technology (ICT) supply chains.
EU: De-risking ICT supply chains and strengthening ransomware resilience.
In January 2026, the European Commission announced a new cybersecurity package that includes a proposal to revise the EU Cybersecurity Act, with a stated goal of strengthening EU cybersecurity capabilities and enhancing the security of ICT supply chains. The proposed revisions would, if adopted, require mobile telecommunications networks to mitigate critical dependencies and de-risk supply chains involving high-risk third-country suppliers. The proposed revisions also include provisions designed to empower the European Union Agency for Cybersecurity (ENISA) to support companies in responding to, and recovering from, ransomware attacks.
China: Technology restrictions and tightening data controls.
China also appears to be stepping up its data protection efforts. For example, it has been reported that in January 2026 Chinese authorities directed domestic companies to stop using cybersecurity-related software developed by certain U.S. and Israeli firms because of national security concerns. This follows the PRC’s inclusion of certain U.S. companies on its “Unreliable Entities List” on national security grounds, which began in February 2025. Chinese laws, including the Personal Information Protection Law, Human Genetic Resources Regulation, Cybersecurity Law, and National Security Law, also increasingly limit data exports from China, require data localization, and provide regulators with authorities, under specified legal processes, to access or inspect certain categories of data held by companies.
United States: Restricting certain bulk-data transactions tied to “countries of concern.”
In the United States, the Department of Justice’s Data Security Program Rule (Rule) (implementing Executive Order 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern) went into effect on April 8, 2025. The Rule prohibits or restricts certain data transactions involving bulk sensitive personal data and U.S. government-related data with “countries of concern,” including China, Russia, Iran, North Korea, Cuba, and Venezuela. The Rule is centered around national security concerns and focuses on certain categories of transactions involving bulk sensitive data and designated “countries of concern,” reflecting a framework that assesses risk in part based on jurisdictional nexus rather than individualized conduct.
Conclusion
Japan’s efforts to strengthen its cyber capabilities will likely continue to grow in the coming years, and are likely to serve as a reference model for other U.S. allies evaluating more operational forms of cyber cooperation, particularly where domestic legal reforms are expanding defensive authorities.
More broadly, the Partnership entered into by Japan and the UK underscores a trend that many organizations are already encountering: cybersecurity and data governance are increasingly intertwined with economic security, supply-chain resilience, and geopolitical risk, which can create additional compliance obligations (and operational constraints) that reach well beyond any single jurisdiction.
Practical Action Items.
- Monitor international legal developments, even if you do not have direct operations abroad.
Measures aimed at supply-chain “de-risking,” vendor restrictions, and cross-border data controls can affect customers, vendors, and counterparties — creating indirect obligations and practical constraints for organizations that are otherwise domestic.
- Consider your supply chain and potential disruptions due to changes in legal requirements.
Identify and document reliance on third-party service providers, such as cloud providers, managed security service providers, telecommunications vendors, and security software providers, and evaluate single-vendor or single-jurisdiction concentration risk.
- Conduct proactive de-risking analyses and implement de-risking measures to reduce the potential impact of legal developments.
Such de-risking activities should map operations, dependencies, and exposures; assess risks; and mitigate potential legal exposure by making proactive contractual changes (audit rights, notification triggers, and continuity commitments), integrating incident preparation (playbooks, communications paths, and practice exercises), and evaluating whether certain sensitive data sets and systems should be regionally segmented, subject to enhanced access controls, or architected to enable rapid isolation in response to regulatory or geopolitical disruption.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

