NicholasHodgkinson - 05 June 2025
Cyber Security Act 2024 (Cth)
Overview
In late 2024, the Australian Government passed a significant package of legislation to reform Australia's cyber security framework, responding to proposals in the
2023-2030 Australian Cyber Security Strategy. The package, which received Royal Assent on 29 November 2024, consists of three separate Acts:
- the Cyber Security Act 2024 (Cth);
- the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) (ERP Act), which makes key amendments to the Security of Critical Infrastructure Act 2018 (Cth) (see Security of Critical Infrastructure page, and below);
- the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (Cth), which amends the Intelligence Services Act 2001 (Cth) to protect information shared with the Australian Signals Directorate (ASD). It introduces a 'limited use' obligation, restricting how information voluntarily provided to, or acquired by, the ASD during an incident response can be used (this complements the similar protections for information shared with the National Cyber Security Coordinator under the Cyber Security Act, see below).
Cyber Security Act Background and Objectives
- The Act introduces measures including mandatory ransomware payment reporting (Part 3), security standards for smart devices (Part 2), voluntary reporting to the National Cyber Security Coordinator (Part 4), and the establishment of a Cyber Incident Review Board (Part 5).
- It seeks to strengthen Australia's cyber security foundations and improve cyber security maturity across the economy (see s 3).
Commencement (s 2)
- Part 1 (Preliminary), Part 6 (Regulatory Powers) and Part 7 (Miscellaneous) commenced on 30 November 2024, the day after Royal Assent.
- The Ransomware Reporting Obligations (Part 3) and the Cyber Incident Review Board provisions (Part 5) were scheduled to commence on a date to be proclaimed or 6 months after Royal Assent, whichever occurred first. Both Parts accordingly commenced on 30 May 2025, the same day the Cyber Security (Ransomware Reporting) Rules 2025 (Cth) and the Cyber Security (Cyber Incident Review Board) Rules 2025 (Cth) commenced.
- Security Standards for Smart Devices (Part 2) provisions are scheduled to commence on a date to be proclaimed or 12 months after Royal Assent, whichever occurs first.
- The Cyber Security (Security Standards for Smart Devices) Rules 2025 (Cth) are expected to commence on 4 March 2026.
Key Provisions
Part 2 - Security Standards for Relevant Connectable Products (Smart Devices)
Scope and Application
- Part 2 of the Act applies to "relevant connectable products," (s 13(1)) which are devices that can directly or indirectly connect to the internet or a network (s 13(2)(a), see definitions of "internet-connectable product" in s 13(4) and "network-connectable product" in s 13(5)) (e.g., 'smart' white goods, network-connected baby monitors, robot vacuum cleaners, home assistants, smart watches).
- The provisions apply if the manufacturer could reasonably be expected to be aware that the product will be acquired in Australia in specified circumstances (s 15(1)(b)).
- The Minister for Cyber Security can mandate security standards for these smart devices through Ministerial rules (s 14(1); s 87).
- These rules can be tailored for specific subsets, types, or classes of smart devices (s 14(1), s 14(2)) (e.g., different standards for health-related devices versus smart home devices).
- As noted above, the Cyber Security (Security Standards for Smart Devices) Rules 2025 (Cth) are expected to commence on 4 March 2026.
- The aim is to ensure these IoT devices meet baseline security standards, in the same way that consumer safety standards apply to cars or baby seats (see s 12).
Obligations for Manufacturers and Suppliers
- Manufacturers must ensure products are made in accordance with the security standards if they are aware (or ought to be aware) the product will be acquired in Australia in specified circumstances (s 15(1)). They must also comply with other requirements of the security standard applicable to manufacturers (s 15(2)).
- An entity must not supply a product in Australia that was not manufactured in compliance with the security standards if aware (or ought to be aware) it will be acquired in Australia in specified circumstances (s 15(3)).
- Suppliers must comply with any other requirements of the security standard applicable to suppliers (s 15(4)).
- Suppliers may seek to incorporate warranties for compliance in agreements with manufacturers and distributors.
- Manufacturers of relevant connectable products must provide a statement of compliance with the security standard for supply in Australia (s 16(1)).
- Suppliers of such products in Australia must supply the product with that statement of compliance (s 16(3)).
- Both manufacturers and suppliers must retain copies of the statement for a period specified in the rules (s 16(2), s 16(4)).
- The statement of compliance must meet requirements provided by the rules (s 16(5)).
Enforcement
- The Secretary of the Department of Home Affairs can commission independent audits to ensure compliance (s 23(1)). If there is a failure to comply with an obligation under ss 15 or 16, the Secretary can issue:
  - A compliance notice, requiring specified steps to address non-compliance (s 17).
  - A stop notice, if a compliance notice is not complied with or the action taken is inadequate (s 18).
  - A recall notice, if a stop notice is not complied with or the action taken is inadequate (s 19).
- The Secretary may publicly notify failures to comply with a recall notice, potentially on the Department's website, which can include product risks and supplier identity (s 20).
- Non-compliance may result in a prohibition on selling relevant connectable products in Australia.
Part 3 - Ransomware Reporting Obligations
"Reporting Business Entities" (see s 8 (definition of "reporting business entity") and s 26)
- Mandatory reporting applies to "reporting business entities" (defined in s 26(2)) that make a ransomware payment (defined in s 26(1)(e)) after a cyber security incident (s 27). "Cyber security incident" is broadly defined in s 9 and covers incidents such as ransomware attacks, denial-of-service attacks and malware attacks.
- A "reporting business entity" (s 26(2)) includes:
  - an entity carrying on business in Australia whose annual turnover exceeds the threshold set by the rules (currently $3 million; see the Summary below); and
  - a responsible entity for a critical infrastructure asset under the Security of Critical Infrastructure Act 2018 (Cth).
- The obligation also applies if another entity (e.g., a cyber security expert, accountant or lawyer) makes a ransomware payment on behalf of the affected entity (s 26(1)(e)).
- The obligation does not apply to Commonwealth or State bodies (s 26(2)(a)(ii)).
Reporting Requirements (s 27)
- A report (a "ransomware payment report" ) must be made within 72 hours of making the ransomware payment or becoming aware that it has been made (s 27(1)).
- Reports are to be made to the "designated Commonwealth body" (s 27(1); defined in s 8), which may be the Australian Signals Directorate (ASD).
- The report must include information the entity knows or can reasonably find out (s 27(2)), such as:
  - Contact and business details of the entity that made the payment (or on whose behalf it was made) (s 27(2)(a), (b)).
  - Facts of the cyber security incident, including its impact on the reporting business entity (s 27(2)(c)).
  - Details of the demand made by the extorting entity (s 27(2)(d)).
  - The ransomware payment amount (s 27(2)(e)).
  - Communications with the extorting entity relating to the incident, demand and payment (s 27(2)(f)).
- The Act anticipates that reports may also include other relevant information (s 27(3)).
- The report must be in the approved form (if any) and manner prescribed by rules (if any) (s 27(4)).
Penalties for Non-Compliance
- Failure to make a mandatory ransomware payment report can result in a civil penalty (s 27(5)).
- The civil penalty is 60 penalty units (s 27(5)). This (as of December 2024) equated to AUD $19,800 for an individual or $99,000 for a corporation.
- The Department of Home Affairs has indicated an "education first approach to regulation" before pursuing civil penalties, especially for small and medium enterprises.
Limited Use Provisions
- Information in a ransomware payment report may only be used or disclosed by a designated Commonwealth body for permitted purposes (s 29(1)). Permitted purposes include:
- These provisions are intended to encourage businesses to share information without fear it will be used against them (see s 3(e)).
- However, the designated Commonwealth body must not use or disclose the information for investigating or enforcing contraventions by the reporting business entity of other laws, unless it is a contravention of this Part or a law imposing a criminal penalty (s 29(2)).
- Section 32 limits the admissibility of report information in evidence against the reporting entity in certain proceedings (s 32(2)). Even so, because s 29(2)(b) permits use and disclosure for the investigation and enforcement of laws imposing criminal penalties, it has been argued that report information could still be used to investigate such offences even where it is inadmissible as direct evidence against the reporter. The Explanatory Memorandum suggests it may be used as evidence of a criminal offence.
Interaction with Other Laws, Considerations
- The mandatory reporting obligation under the Cyber Security Act does not override but rather coexists with other reporting obligations (see s 7).
- Paying a ransom may itself breach sanctions laws (Australian or international), anti-money laundering (AML) laws or counter-terrorism financing (CTF) laws.
- Organisations should exercise due diligence regarding the identity of the payee. A "duress" defence for a sanctions offence is situation-dependent.
- An entity is not liable to an action for damages for acts done in good faith in compliance with s 27 (s 28). The fact that information was provided in a ransomware report does not otherwise affect a claim of legal professional privilege (s 31), though this section does not apply to certain proceedings like coronial inquiries or Royal Commissions (s 31(2)).
- Individuals involved in a corporate decision to pay a ransom could be liable as accessories if the payment breaches a Commonwealth law.
Part 4 - Coordination of Significant Cyber Security Incidents (National Cyber Security Coordinator (NCSC))
- The NCSC is defined in s 8.
- The NCSC's role includes leading across the whole of Government the coordination and triaging of action in response to a significant cyber security incident (s 37(a); see also s 33). Additional responsibilities include informing and advising the Minister and the whole of Government regarding this response (s 37(b)).
- Entities impacted by a "significant cyber security incident" (defined in s 34) may voluntarily provide information about the incident to the NCSC (s 35(2)). This is intended to encourage businesses to share information with the Government for the benefit of the wider community (see s 3(e)). Information may also be voluntarily provided about other cyber security incidents that do not meet the "significant" threshold (s 36).
- An incident is "significant" if (s 34):
  - there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to seriously prejudice the social or economic stability of Australia or its people, the defence of Australia, or national security (s 34(a)); or
  - it is, or could reasonably be expected to be, of serious concern to the Australian people (s 34(b)).
- Information voluntarily provided to the NCSC under s 35(2) may only be recorded, used, or disclosed by the NCSC for assisting the impacted entity or for a "permitted cyber security purpose" (defined in s 10) (s 38(1)).
- The NCSC must not use or disclose such information for investigating or enforcing contraventions by the impacted entity of other laws, unless it is a contravention of this Part or a law imposing a criminal penalty (s 38(2)). Similar restrictions apply to information shared about other incidents (s 39(3)) and for secondary use and disclosure by other entities (s 40(3)).
- The Act aims to limit the admissibility of voluntarily provided information against the impacted entity in certain proceedings (s 42).
- The provision of information to the NCSC under s 35(2) or as referred to in s 39(1) does not otherwise affect a claim of legal professional privilege (LPP) (s 41(1)), though this section does not apply to certain proceedings such as coronial inquiries or Royal Commissions (s 41(2)). Organisations should nonetheless be mindful that privilege over a voluntarily provided document may be jeopardised by the disclosure.
- Amendments were made to the Freedom of Information Act 1982 (Cth) to ensure information provided to the NCSC is not subject to a Freedom of Information (FOI) request.
- While information provided may be inadmissible against the providing business (s 42(2)), it could potentially be obtained by third parties via subpoena—inadmissibility is not a defence to a subpoena. The NCSC is also not compellable as a witness in certain circumstances regarding this information (s 43).
Part 5 - Cyber Incident Review Board (CIRB)
- The Act establishes the Cyber Incident Review Board (CIRB) (s 60(1)). The CIRB consists of a Chair and at least 2, not more than 6, other standing members (s 61). It is an independent advisory body (s 63). Its functions include (s 62(1)):
  - To cause reviews to be conducted by review panels in relation to cyber security incidents, to identify factors that contributed to the incident (s 62(1)(a)(i)).
  - To make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of incidents of a similar nature in the future (s 62(1)(a)(ii)).
  - To report publicly on the review (s 62(1)(a)(iii)).
  - Any other functions conferred on the Board by this Act or the rules (s 62(1)(b)).
- It is not a function of the Board to apportion blame or determine liability (s 62(2)).
- The CIRB may cause a review to be conducted on written referral by the Minister, the NCSC, an impacted entity, or a member of the Board (s 46(1)).
- A review may only be conducted if the Board is satisfied the incident meets certain criteria (e.g., serious prejudice to stability, defence, national security; novel or complex methods; serious concern to Australian people) (s 46(2)(a), s 46(3)), after the incident and immediate response have ended (s 46(2)(b)), and if the Minister has approved the terms of reference (s 46(2)(c)).
- The Board may discontinue a review (s 47).
CIRB's Powers
- The Chair may request information or documents relevant to a review from entities, Commonwealth or State bodies, or their officers/employees (s 48).
- The Chair of the Board can, subject to qualifications, require certain entities (not Commonwealth/State bodies or their officers/employees) to produce documents if a request under s 48 has been made (s 49(1), (2)).
- Failure to comply with a notice to produce documents under s 49(2) contravenes a civil penalty provision (s 50(1)).
- The Board may use or disclose information provided under s 48, s 49 or s 51 (draft reports) only for specified purposes, such as performing its functions, certain Criminal Code proceedings, or informing Ministers (s 55(1)).
- It must not use or disclose such information for investigating or enforcing contraventions by the providing entity of other laws, unless it is a contravention of this Part or a law imposing a criminal penalty (s 55(2)). Similar restrictions apply to secondary use (s 56(3)).
- Providing information to the Board under s 48, s 49 or s 51 does not otherwise affect a claim of legal professional privilege (s 57(1)), though this section does not apply to certain proceedings like coronial inquiries or Royal Commissions (s 57(2)).
- Information provided by an entity under s 48, s 49 or s 51 is not admissible in evidence against the entity in certain proceedings (s 58(2)).
- Disclosure of draft review reports (s 51) is prohibited except for limited purposes (s 59). Final review reports must redact "sensitive review information" (s 53) and be published (s 52(6)). A "protected review report" containing redacted information is provided to Ministers and may be shared further for limited purposes (s 54).
Summary — Implications
- Organisations, particularly those with an annual turnover exceeding $3 million or responsible for critical infrastructure assets, will need to understand and prepare for new mandatory ransomware payment reporting obligations.
- Incident response plans and procedures should be reviewed and updated to incorporate the 72-hour reporting timeframe and specific information requirements.
- Manufacturers and suppliers of smart devices (IoT products) must prepare for compliance with forthcoming security standards and requirements for statements of compliance.
- Businesses should consider the implications of voluntary information sharing with the NCSC, particularly concerning legal professional privilege.
- Organisations should stay informed about the developing rules and guidance associated with the Act.
Other Resources
- Magdalena Blanch-de Wilt, Cameron Whittfield and Annie Zhang, 'Australia’s 2024 Cyber Security Reforms', Herbert Smith Freehills Kramer (Web Page, 23 January 2025).
- Nitesh Patel and Anthony Ross, 'Bits, Bytes and Boards: Australia’s New Cyber Security Act 2024', Gilchrist Connell (Web Page, December 2024).
- 'Cyber Security Act', Department of Home Affairs (Web Page).
- 'Cyber Security Legislative Reforms', Cyber and Infrastructure Security Centre (Web Page).