Applicability TestAustraliaCyber Security Act 2024

Australia Cyber Security Act Applicability Test

Use this test to decide whether the Cyber Security Act 2024 applies because of a consumer-grade relevant connectable product, a statement-of-compliance duty, or a ransomware payment report.

The test separates product scope, actor role, statutory exclusions, ransomware payment thresholds, and SOCI overlap so teams can record a defensible in-scope or out-of-scope decision.

Back to main artifact Review sources

Author

Sorena AI

Published

May 9, 2026

Updated

May 9, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published May 9, 2026

Updated May 9, 2026

Overview

The Australia Cyber Security Act 2024 does not apply through one generic cyber trigger. Run the applicability test in two tracks: Part 2 smart-device product duties and Part 3 ransomware payment reporting. If neither track is satisfied, record the reason and check whether another regime, such as SOCI, privacy breach notification, APRA CPS 234, or contract obligations, applies instead.

Section 1

Step 1: test whether the product is a relevant connectable product

Start with the product, not the company. Part 2 applies to a relevant connectable product that is manufactured on or after Part 2 commencement, or supplied in Australia, other than as second-hand goods, on or after that commencement.

A product is a relevant connectable product if it is an internet-connectable product or a network-connectable product and is not exempted under the rules. The Act defines an internet-connectable product as one capable of connecting to the internet using a protocol in the internet protocol suite to send and receive data. A network-connectable product can send and receive data by electrical or electromagnetic transmission, is not internet-connectable, and meets the Act's direct-connection tests.

In scope for the product track: products that directly connect to the internet, or indirectly connect through another internet-connectable product, unless an exemption applies.
Out of scope for this product track: products that are not internet-connectable or network-connectable under the Act, products exempted by rules, and second-hand goods supply where the Act's Part 2 supply trigger is not met.
Evidence to keep: product connectivity specification, supported protocols, companion-app or gateway architecture, manufacture date, supply path into Australia, and whether the item is new or second hand.
Decision output: relevant connectable product, exempt product, or no Part 2 product trigger.

Sources for this answer

Cyber Security Act 2024

Supports the Part 2 product trigger, the definition of relevant connectable product, and the internet-connectable and network-connectable product tests.

Section 2

Step 2: test the consumer-grade smart-device class and exclusions

The current smart-device security standard does not cover every relevant connectable product. The Cyber Security (Security Standards for Smart Devices) Rules 2025 prescribe the security standard for consumer-grade relevant connectable products: products intended by the manufacturer to be used, or of a kind likely to be used, for personal, domestic or household use or consumption.

The specified acquisition circumstance is acquisition in Australia by a consumer. The Rules also carve out six product groups from this class: desktop computers or laptops, tablet computers, smartphones, therapeutic goods, road vehicles, and road vehicle components.

In scope for the current smart-device standard: a relevant connectable product intended or likely for personal, domestic, or household use or consumption, acquired in Australia by a consumer, and not in an excluded product group.
Excluded from the current smart-device standard: desktop computers, laptops, tablet computers, smartphones, therapeutic goods, road vehicles, and road vehicle components.
Do not decide on marketing labels alone: record the manufacturer's intended purpose, labels, instructions, promotional material, customer segment, and likely household or consumer use.
Decision output: consumer-grade relevant connectable product, excluded product, or relevant connectable product with no currently prescribed standard identified.

Sources for this answer

Cyber Security (Security Standards for Smart Devices) Rules 2025

Supports the consumer-grade relevant connectable product class, consumer acquisition circumstance, and six express product exclusions.

Explanatory Statement to the Smart Devices Rules 2025

Explains that examples of consumer-grade products include smart TVs, smart watches, home assistants, baby monitors, and consumer energy resources.

Section 3

Step 3: map the product role to manufacturer and supplier duties

If a security standard applies, the Act splits duties by role. A manufacturer must manufacture the product in compliance with the security standard when it is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in the specified circumstances. The manufacturer must also meet other obligations in the standard, such as publishing product security information.

A supplier must not supply a non-compliant product in Australia if it is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in the specified circumstances. A supplier must also supply the product with a statement of compliance that meets the rules.

Manufacturer duty check: was the entity the manufacturer, and did it know, or should it reasonably have known, the product would be acquired in Australia by a consumer?
Supplier duty check: is the entity supplying the product in Australia, and does it know, or should it reasonably have known, the product would be acquired in Australia by a consumer?
Statement check: for in-scope consumer-grade relevant connectable products, the statement must be prepared by or on behalf of the manufacturer and include product type, batch identifier, manufacturer and authorised representative details, declarations of compliance, the defined support period, signatory details, and place and date of issue.
Retention check: manufacturers and suppliers must retain statements of compliance for the five-year period specified in the Smart Devices Rules.

Sources for this answer

Cyber Security Act 2024

Supports the manufacturer and supplier duty split in sections 15 and 16 of the Act.

Cyber Security (Security Standards for Smart Devices) Rules 2025

Supports the required contents and five-year retention period for statements of compliance.

Section 4

Step 4: test whether the smart-device security controls are triggered

For in-scope consumer-grade relevant connectable products, the Rules make the applicability decision operational: the product must meet password requirements, the manufacturer must publish a way to report security issues, and the manufacturer must publish the defined support period for security updates.

The defined support period must be expressed as a period of time with an end date. Once published, the manufacturer must not shorten it; if the period is extended, the new period must be published as soon as practicable.

Password control: passwords must be unique per product or defined by the user; unique per product passwords must not be based on incremental counters, public information, guessable serial-number derivations unless protected by accepted encryption or keyed hashing, or otherwise unacceptable guessable methods.
Security issue reporting control: the manufacturer must publish at least one contact point and say when reporters will receive acknowledgement and status updates until resolution.
Publication quality control: required security issue and support-period information must be accessible, clear, transparent, in English, free of charge, available without prior request, and available without requesting personal information.
Website prominence control: if the manufacturer offers the product on its own website, support-period information must be prominent with acquisition-decision information and given equal prominence where main product characteristics are published.

Sources for this answer

Cyber Security (Security Standards for Smart Devices) Rules 2025

Supports the password, vulnerability-reporting, defined-support-period, publication, and website-prominence controls.

Section 5

Step 5: test ransomware payment reporting separately

A ransomware payment scenario is a separate applicability track. Part 3 applies when an incident has occurred, is occurring, or is imminent; the incident is a cyber security incident; it has, is having, or could reasonably be expected to have a direct or indirect impact on a reporting business entity; an extorting entity makes a demand to benefit from the incident or impact; and the reporting business entity provides, or becomes aware that another entity has provided on its behalf, a payment or benefit directly related to the demand.

The entity must also be a reporting business entity at the time the ransomware payment is made. That means either a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies, or an entity carrying on business in Australia with annual turnover for the previous financial year exceeding the threshold and that is not a Commonwealth body, State body, or responsible entity for a critical infrastructure asset.

Turnover threshold: the Ransomware Payment Reporting Rules set the previous-financial-year turnover threshold at $3 million.
Part-year threshold: if the business operated for only part of the previous financial year, apply the Rules formula: $3 million multiplied by the number of days in that part divided by the number of days in the previous financial year.
Reporting clock: the report must be given within 72 hours of making the ransomware payment or becoming aware that the ransomware payment has been made.
Report content: collect the reporting entity's ABN if any and address, any other paying entity's ABN if any and address, incident timing and awareness timing, infrastructure and customer impact, ransomware or malware variants, exploited vulnerabilities, demand amount or non-monetary benefit, payment amount or benefit, method of provision, and communications with the extorting entity.

Sources for this answer

Cyber Security Act 2024

Supports the Part 3 ransomware payment trigger, reporting business entity definition, 72-hour reporting clock, and report categories.

Cyber Security (Ransomware Payment Reporting) Rules 2025

Supports the $3 million turnover threshold, part-year formula, and detailed report-content requirements.

Section 6

Step 6: record the decision and unresolved gaps

The decision record should be short but specific enough to re-run later. Use separate rows for product duties and ransomware reporting because the actor, trigger, threshold, evidence, and deadline are different.

Mark a decision as unresolved if the facts needed for a legal threshold are missing. Common unresolved facts include whether a product is second hand, whether it is likely to be used for personal, domestic, or household use, whether a product is an excluded tablet, smartphone, therapeutic good, road vehicle, or vehicle component, whether the supplier knew or should have known the Australian consumer acquisition circumstance, whether turnover exceeds the threshold, or whether the entity is a responsible entity for a Part 2B SOCI critical infrastructure asset.

Product record fields: product name, model or batch, connectivity route, manufacturer, supplier, acquisition circumstance, consumer-grade analysis, exclusion check, security-standard conclusion, statement-of-compliance status, and five-year retention owner.
Ransomware record fields: incident date or estimate, awareness date, affected entity, payer if different, turnover threshold evidence, SOCI responsible-entity analysis, demand details, payment details, 72-hour deadline, report status, and unresolved unknowns.
Escalation rule: ask for legal review before shipment, supply, payment approval, or report closure when an exclusion, SOCI status, turnover calculation, or role allocation cannot be supported by evidence.
Out-of-scope: a no-trigger decision under this page does not clear privacy breach notification, SOCI cyber incident reporting, APRA prudential obligations, sanctions, criminal law, insurance, or customer-contract reporting duties.

Sources for this answer

Cyber Security Act 2024

Supports keeping separate records for Part 2 product duties and Part 3 ransomware reporting because the Act sets different triggers and obligations.

Cyber Security (Security Standards for Smart Devices) Rules 2025

Supports product-scope, statement-of-compliance, and retention fields in the decision record.

Cyber Security (Ransomware Payment Reporting) Rules 2025

Supports ransomware-reporting threshold, timing, and report-content fields in the decision record.

Recommended next step

Turn the Australia Cyber Security Act applicability test into assigned work

Use this applicability test to split product-scope, statement-of-compliance, and ransomware-reporting decisions into owner-assigned evidence requests inside Sorena.

Assessment workflow

Open Assessment Autopilot for Australia Cyber Security Act

Convert product, supplier, and ransomware reporting triggers into scoped questions and evidence fields.

Explore next step

Research workflow

Review Australia Cyber Security Act source evidence

Use Research Copilot to validate unresolved product exclusions, turnover thresholds, and report-content questions.

Explore next step

Talk to Sorena

Talk through Australia Cyber Security Act implementation

Review scope, evidence, owners, and next compliance actions with Sorena.

Explore next step