Cybersecurity · Australia

Comprehensive law: the Cyber Security Act 2024 (Cth), Australia's first standalone cyber security statute, operates alongside the Security of Critical Infrastructure Act 2018 (SOCI Act) and the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988, within the 2023–2030 Australian Cyber Security Strategy. Administered by the Department of Home Affairs / Cyber and Infrastructure Security Centre (CISC), the Australian Cyber Security Centre (ACSC, part of the Australian Signals Directorate), the National Cyber Security Coordinator, and the Office of the Australian Information Commissioner (OAIC).

Australia has a comprehensive, multi-layered cybersecurity regime anchored by the Cyber Security Act 2024 (Royal Assent 29 November 2024), its first dedicated national cyber security statute. The Act introduced mandatory ransomware and cyber-extortion payment reporting, minimum security standards for smart devices, a limited-use protection for information shared with the National Cyber Security Coordinator, and a Cyber Incident Review Board. It sits alongside the long-standing critical-infrastructure obligations of the SOCI Act 2018 and the economy-wide Notifiable Data Breaches scheme administered by the OAIC. Each regime carries its own incident-reporting or breach-notification duty, scoped by entity type and asset type and running on its own clock, so a single incident at a critical-infrastructure operator that pays a ransom and loses personal information can trigger all three.

Standalone Cyber Security Act 2024

The Cyber Security Act 2024 (Cth) received Royal Assent on 29 November 2024 as Australia's first dedicated cyber security law, delivering on the 2023–2030 Cyber Security Strategy. It establishes mandatory smart-device standards, ransomware payment reporting, a limited-use obligation, and a Cyber Incident Review Board.

Mandatory ransomware payment reporting

Entities with annual turnover above AU$3 million, and responsible entities for critical infrastructure assets under the SOCI Act, must report any ransomware or cyber-extortion payment to the Department of Home Affairs (reports are shared with ASD) within 72 hours of making the payment or becoming aware that it has been made, whether the payment is made by the entity itself or by a third party on its behalf. There is no minimum payment amount. The obligation commenced on 30 May 2025; Home Affairs applied an education-first approach to compliance during 2025, with penalty enforcement from 1 January 2026. Failure to report attracts a civil penalty of up to 60 penalty units.

Critical infrastructure incident reporting (SOCI Act)

Under the Security of Critical Infrastructure Act 2018, responsible entities for critical infrastructure assets must report cyber security incidents to the ACSC within 12 hours of becoming aware of an incident having a 'significant impact' (one affecting the availability of the asset) or within 72 hours of becoming aware of an incident having any other 'relevant impact'. An initial report may be made orally, but a written report must follow within 84 hours. Positive security obligations also require a Critical Infrastructure Risk Management Program (CIRMP) that addresses cyber and information security hazards alongside physical, personnel and supply-chain hazards.

Notifiable Data Breaches scheme

Under the Privacy Act 1988, entities covered by the NDB scheme (Australian Government agencies, businesses and not-for-profits with annual turnover over AU$3 million, private-sector health service providers, credit reporting bodies, credit providers and tax file number recipients) must notify affected individuals and the OAIC as soon as practicable once they reasonably believe an eligible data breach has occurred, that is, unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to any individual. Where a breach is only suspected, the entity must complete a reasonable and expeditious assessment within 30 days of becoming aware of the grounds for suspicion.

Limited-use obligation for the Coordinator

The Act creates a 'limited use' protection that restricts how the National Cyber Security Coordinator and the National Office of Cyber Security may record, use or disclose information an entity voluntarily provides during a significant cyber security incident. The information cannot be used by the Coordinator for regulatory or law-enforcement action against the entity that provided it, which is intended to encourage early engagement. The protection is narrow in scope: it binds the Coordinator's use of what was shared, not the entity's existing reporting duties, and it does not stop a regulator from obtaining the same information through its own powers or from other sources. A comparable limited-use protection applies to ransomware payment reports made under the Act.

Mandatory smart-device security standards

The Cyber Security (Security Standards for Smart Devices) Rules 2025 set minimum security requirements for internet-connectable and network-connectable consumer products, covering no universal default or easily guessable passwords, a published vulnerability disclosure policy, and disclosure of the minimum period for which security updates will be provided. Relevant devices manufactured for personal or domestic use on or after 4 March 2026 must comply and must be accompanied by a manufacturer's statement of compliance, and suppliers must not supply devices that lack one.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.