Cybersecurity regulation in Australia (2026)
Australia has a comprehensive, multi-layered cybersecurity regime anchored by the Cyber Security Act 2024 (Royal Assent 29 November 2024), its first dedicated national cyber security statute, which introduced mandatory ransomware/cyber-extortion payment reporting, minimum security standards for smart devices, a limited-use protection for information shared with the National Cyber Security Coordinator, and a Cyber Incident Review Board. This sits alongside long-standing critical-infrastructure obligations under the SOCI Act 2018 and the economy-wide Notifiable Data Breaches scheme administered by the OAIC. Distinct incident-reporting and breach-notification duties apply under each regime depending on the entity and asset type.
Key points
The Cyber Security Act 2024 (Cth) received Royal Assent on 29 November 2024 as Australia's first dedicated cyber security law, delivering on the 2023–2030 Cyber Security Strategy. It establishes mandatory smart-device standards, ransomware payment reporting, a limited-use obligation, and a Cyber Incident Review Board.
Entities with annual turnover above AU$3 million and responsible entities for critical infrastructure assets must report any ransomware or cyber-extortion payment to the Department of Home Affairs/ASD within 72 hours of payment, with no minimum threshold. Rules began 30 May 2025 (education-first phase), with enforcement from 1 January 2026; failure to report attracts civil penalties (up to 60 penalty units).
Under the Security of Critical Infrastructure Act 2018, responsible entities must report cyber security incidents to the ACSC within 12 hours of a 'significant impact' or 72 hours of a 'relevant impact', with written follow-up. Positive security obligations also require a Critical Infrastructure Risk Management Program (CIRMP).
Under the Privacy Act 1988, entities covered by the NDB scheme (government agencies, businesses/NFPs over AU$3m turnover, health providers, credit and TFN recipients) must notify affected individuals and the OAIC of an eligible data breach likely to cause serious harm, and must assess suspected breaches within 30 days.
The Cyber Security Act 2024 also creates a 'limited use' protection restricting how the National Cyber Security Coordinator and the National Office of Cyber Security can record, use or disclose information voluntarily shared during a significant incident, so that the information cannot be used for regulatory or law-enforcement action against the affected entity. The intent is to encourage early engagement with government during an incident.
The Cyber Security (Security Standards for Smart Devices) Rules 2025 set minimum security requirements for internet-connectable consumer products; most relevant devices manufactured for personal/domestic use from 4 March 2026 must comply and carry a statement of compliance.
Timeline - major decisions & events
The Australian Information Commissioner commenced civil penalty proceedings alleging Optus failed to take reasonable steps to protect 9.5 million customers' data, with potential penalties of up to A$2.22 million per contravention. It is the first major test of the Privacy Act's serious-interference provisions against a large breach. Source: OAIC
Part 3 of the Cyber Security Act 2024 took effect, requiring entities with turnover above A$3 million or operating critical infrastructure to report ransom/extortion payments to cyber.gov.au within 72 hours. It establishes Australia's first mandatory ransomware-payment reporting regime. Source: Department of Home Affairs
The Act progressed 23 reforms from the Privacy Act Review, including a new statutory tort for serious invasions of privacy (effective by 10 June 2025) and stronger enforcement powers. It marks the most significant overhaul of Australian privacy law since the Privacy Act 1988. Source: OAIC
The government published its roadmap to make Australia a 'world leader in cyber security by 2030', built on six cyber 'shields' and delivered across three horizons, backed by A$586.9 million in new funding. It set the policy direction for the Cyber Security Act and the SOCI/Privacy reforms that followed. Source: Department of Home Affairs
Health insurer Medibank disclosed a breach in which attackers exfiltrated ~520GB of data on 9.7 million current and former members; after Medibank refused a ~US$10 million ransom, data was published on the dark web. The incident, alongside Optus, catalysed Australia's cyber and privacy law overhaul. Source: OAIC
Optus disclosed a breach exposing personal data, including driver licence, passport and Medicare numbers, of around 9.5 million Australians, accessed via an unprotected API. The breach prompted emergency government data-sharing regulations and a national rethink of cyber obligations. Source: Queensland Government
The Security Legislation Amendment (Critical Infrastructure Protection) Act received Royal Assent, requiring responsible entities to adopt and maintain a Critical Infrastructure Risk Management Program and introducing enhanced cyber-security obligations for systems of national significance. It completed the two-part SOCI reform package. Source: Department of Home Affairs
The Security Legislation Amendment (Critical Infrastructure) Act commenced, extending the SOCI Act to 11 critical sectors and mandating reporting of significant cyber incidents to the ACSC (within 12 hours for critical impacts) plus government 'last resort' intervention powers. It transformed SOCI into a broad cyber-resilience regime. Source: Cyber and Infrastructure Security Centre
The mandatory prudential standard required APRA-regulated banks, insurers and superannuation funds to maintain information-security capability, clarify board accountability, and notify APRA of material security incidents within 72 hours. It established baseline cyber obligations for the financial sector. Source: APRA
The original SOCI Act created a register of critical infrastructure assets and information-gathering and ministerial directions powers across electricity, gas, water and ports. It laid the foundation for Australia's later critical-infrastructure cyber-security obligations. Source: Cyber and Infrastructure Security Centre
Amendments to the Privacy Act 1988 made breach notification mandatory, requiring covered entities to notify affected individuals and the OAIC of eligible data breaches likely to cause serious harm. It introduced Australia's first economy-wide mandatory breach-reporting obligation. Source: OAIC
The Act inserted modern computer-related offences (unauthorised access, modification and impairment of data) into the Criminal Code, aligning Australia with the Council of Europe Convention on Cybercrime. It remains the foundational criminal-law basis for prosecuting cyber intrusions. Source: Federal Register of Legislation
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources cited above.