Australia Cyber Security Act 2024 Applicability Test: Who Must Comply

Use this detailed Australia Cyber Security Act 2024 applicability test to determine whether your organisation must comply with the smart device security standards under Part 2, the ransomware payment reporting obligations under Part 3, or both.

Walk through each threshold question with exact statutory references, excluded product categories, turnover calculations, and SOCI Act interaction points. Record your conclusion as a dated decision memo.

Author: Sorena AI
Published: Mar 4, 2026
Updated: Mar 4, 2026

Overview

The Australia Cyber Security Act 2024 (No. 98, 2024) creates two separate compliance workstreams that apply to different types of organisations. Part 2 of the Australia Cyber Security Act 2024 imposes mandatory security standards on manufacturers and suppliers of consumer grade relevant connectable products that will be acquired in Australia. Part 3 of the Australia Cyber Security Act 2024 imposes a mandatory ransomware payment reporting obligation on reporting business entities that make, authorise, or become aware of ransomware payments following a cyber security incident. These two workstreams operate independently. A manufacturer of smart home devices may be fully in scope for Part 2 without ever triggering Part 3. A large financial services firm may be a reporting business entity under Part 3 without supplying any connectable product. Compliance professionals should treat each workstream as a separate applicability test, document the reasoning for each conclusion, and revisit the analysis whenever the organisation launches a new product line, enters a new market, or experiences a cyber security incident.

Section 1

How to use this Australia Cyber Security Act 2024 applicability test

Do not ask whether your business is generally in scope for the Australia Cyber Security Act 2024. Instead, ask which part of the Australia Cyber Security Act 2024 applies to which specific activity. A manufacturer may be in scope for the smart device rules under Part 2 without ever triggering the ransomware payment reporting obligation under Part 3. Conversely, a large operating company may trigger the Part 3 ransomware reporting duty without supplying any smart device product. Treat these as two distinct applicability questions.

Your output from this applicability test should be a dated decision note that names the legal entity being assessed, the specific product line or incident scenario under review, the source provisions of the Australia Cyber Security Act 2024 that were considered, and the conclusion reached. This note becomes part of your compliance evidence pack and should be signed off by a responsible officer.

Revisit this applicability test whenever your organisation changes its product portfolio, begins importing or distributing new product categories into Australia, crosses the $3 million annual turnover threshold, acquires or becomes responsible for a critical infrastructure asset, or experiences a cyber security incident involving a ransomware demand.

  • Test product scope under Part 2 and ransomware reporting scope under Part 3 as two separate exercises.
  • Record the exact legal entity name, ABN, and business activity being assessed in your decision note.
  • Cite the specific section numbers of the Australia Cyber Security Act 2024 and the applicable 2025 Rules that support your conclusion.
  • Repeat the applicability test when a new product class, market channel, corporate acquisition, or incident scenario arises.
  • Store the completed decision note alongside your compliance evidence pack and review it at least annually.
  • If the applicability conclusion is borderline, document the conservative interpretation and seek legal advice before relying on an exclusion.

Section 2

Test 1: Does Part 2 of the Australia Cyber Security Act 2024 apply to your product?

Part 2 of the Australia Cyber Security Act 2024 commenced on 29 November 2025. The Cyber Security (Security Standards for Smart Devices) Rules 2025 were registered on 4 March 2025, and the substantive obligations in Part 2 and Schedule 1 of those Rules commenced on 4 March 2026. From that date, manufacturers and suppliers of in scope products must comply with the security standard and the statement of compliance requirements.

The starting point is the definition of a relevant connectable product in section 13 of the Australia Cyber Security Act 2024. A relevant connectable product is a product that is either an internet connectable product or a network connectable product, and that is not exempted under the rules. An internet connectable product under section 13(4) is a product that is capable of connecting to the internet using a communication protocol that forms part of the internet protocol suite to send and receive data over the internet. A network connectable product under section 13(5) is a product that can send and receive data by means of electrical or electromagnetic energy, is not itself an internet connectable product, but is capable of connecting directly to an internet connectable product using the internet protocol suite, or is capable of connecting directly to two or more products simultaneously using a non internet protocol suite protocol and is also capable of connecting directly to an internet connectable product.

Once you have established that your product is a relevant connectable product, you must then check whether it falls within the consumer grade class defined in section 8 of the Smart Devices Rules 2025. This class covers all relevant connectable products that are intended by the manufacturer to be used, or are of a kind likely to be used, for personal, domestic, or household use or consumption, and that will be acquired in Australia by a consumer as defined by section 3 of the Australian Consumer Law.

Part 2 of the Australia Cyber Security Act 2024 applies only to relevant connectable products that are manufactured on or after the commencement of Part 2, or supplied other than as second hand goods on or after that commencement date. Products that were both manufactured and sold before the commencement date are not captured. However, if a product was manufactured before commencement but is being supplied as new goods after commencement, Part 2 applies to that supply.

  • Step 1: Determine whether the product can connect to the internet using the internet protocol suite (section 13(4) internet connectable product).
  • Step 2: If the product is not directly internet connectable, determine whether it can connect to an internet connectable product using the internet protocol suite, or meets the two or more device bridge conditions in section 13(7) (network connectable product).
  • Step 3: Confirm the product is not exempted under the rules. Currently no general exemptions have been made under section 13(2)(b).
  • Step 4: Confirm the product is intended for, or likely to be used for, personal, domestic, or household use or consumption (consumer grade class under section 8 of the Smart Devices Rules 2025).
  • Step 5: Confirm the product is not in one of the six excluded categories: desktop computers, laptops, tablet computers, smartphones, therapeutic goods under the Therapeutic Goods Act 1989, or road vehicles and road vehicle components under the Road Vehicle Standards Act 2018.
  • Step 6: Confirm the product will be acquired in Australia by a consumer (section 3 of the Australian Consumer Law).
  • Step 7: Confirm the manufacturer or supplier is aware, or could reasonably be expected to be aware, of that Australian consumer acquisition context.

Section 3

Excluded product categories under the Australia Cyber Security Act 2024 smart device rules

Section 8 of the Cyber Security (Security Standards for Smart Devices) Rules 2025 explicitly excludes six product categories from the consumer grade class for the purposes of the security standard. Understanding these exclusions is important because they narrow the scope of the Australia Cyber Security Act 2024 Part 2 obligations. The exclusions are: (i) a desktop computer or a laptop, (ii) a tablet computer, (iii) a smartphone, (iv) therapeutic goods within the meaning of the Therapeutic Goods Act 1989, (v) a road vehicle within the meaning of the Road Vehicle Standards Act 2018, and (vi) a road vehicle component within the meaning of the Road Vehicle Standards Act 2018.

These exclusions exist because these product categories are already subject to other regulatory frameworks. Smartphones, tablets, laptops, and desktop computers are addressed by established industry security practices and other regulatory expectations. Therapeutic goods are regulated by the Therapeutic Goods Administration under the Therapeutic Goods Act 1989, which already includes cybersecurity considerations in its conformity assessment procedures. Road vehicles and their components are regulated under the Road Vehicle Standards Act 2018 and associated standards, including emerging cybersecurity requirements under UN Regulation No. 155.

The exclusion list does not cover accessories or peripherals that connect to excluded devices. For example, a smart keyboard that connects via Bluetooth to a tablet may still qualify as a network connectable product if it meets the conditions in section 13(5) to (9) of the Australia Cyber Security Act 2024. Similarly, a smart health monitoring wristband is not automatically excluded just because it pairs with a smartphone. The wristband itself is assessed on its own characteristics against the relevant connectable product definition.

If you rely on an exclusion to take a product out of scope, document the specific exclusion category, the product characteristics that place it within that category, and the regulatory reference. The exclusion list in the Rules may be expanded or narrowed in future amendments, so monitor the Federal Register of Legislation for updates to the Cyber Security (Security Standards for Smart Devices) Rules 2025.

  • Desktop computers and laptops are excluded from the consumer grade class regardless of whether they have consumer or enterprise market positioning.
  • Tablet computers are excluded. However, a device marketed as a smart home hub that uses a tablet form factor may not qualify for the tablet exclusion if it is not a general purpose tablet computer.
  • Smartphones are excluded. Devices that have cellular connectivity but are not smartphones, such as smart watches with cellular modems, are not covered by this exclusion.
  • Therapeutic goods are excluded only if they fall within the meaning of the Therapeutic Goods Act 1989. Consumer wellness devices that are not classified as therapeutic goods remain in scope.
  • Road vehicles and road vehicle components are excluded only if they meet the definitions in the Road Vehicle Standards Act 2018. Aftermarket accessories that are not road vehicle components may remain in scope.
  • Document your reliance on any exclusion in your applicability decision note and include the specific statutory basis.

Section 4

Understanding internet connectable products and network connectable products

The Australia Cyber Security Act 2024 uses two separate definitions to capture the full range of devices that can directly or indirectly reach the internet. Under section 13(4), an internet connectable product is one that is capable of connecting to the internet using a communication protocol that forms part of the internet protocol suite to send and receive data over the internet. In practical terms, this covers any device with a Wi-Fi adapter, an Ethernet port, or a cellular modem that uses TCP/IP or UDP/IP to communicate over the internet. Common examples include smart speakers, smart TVs, IP cameras, smart thermostats, smart lighting hubs, and connected home appliances.

Under section 13(5), a network connectable product is a product that can send and receive data by means of electrical or electromagnetic energy, is not itself an internet connectable product, but meets one of two connection conditions. The first condition (section 13(6)) is that the product is capable of connecting directly to an internet connectable product using the internet protocol suite. The second condition (section 13(7)) is that the product is capable of connecting directly to two or more products simultaneously using a non internet protocol suite protocol (such as Bluetooth or Zigbee), and is also capable of connecting directly to an internet connectable product using such a protocol.

Section 13(8) provides a carve out for simple wires or cables used merely to connect one product to another. Section 13(9) addresses input peripherals designed to be used together with a computer: if one device in a set (the linking product) connects to an internet connectable product via a non internet protocol suite protocol, and the other devices (input products) connect wirelessly to the linking product via a non internet protocol suite protocol, then the input products also meet the network connectable product condition.

When assessing whether a product is an internet connectable product or a network connectable product under the Australia Cyber Security Act 2024, focus on the product's capabilities at the time of supply, not on whether the consumer chooses to connect the product. A smart device that ships with Wi-Fi capability is an internet connectable product even if a particular consumer never connects it to a Wi-Fi network.

  • Internet connectable products: devices with Wi-Fi, Ethernet, or cellular connectivity that use internet protocol suite protocols (TCP/IP, UDP/IP) to send and receive data over the internet.
  • Network connectable products: devices that do not connect directly to the internet but can reach it indirectly through another device, for example a Bluetooth sensor that connects to a Wi-Fi enabled hub.
  • Simple wires and cables used only to connect one product to another are carved out by section 13(8).
  • Assess connectivity capabilities at the time of supply, not based on whether the end user chooses to activate the connection.
  • Combination products that include both hardware and companion software or cloud services should be assessed as a whole, covering the full intended use case.
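The following Python is an added worked example, not code from this guide or from Sorena. It encodes the section 13 definitions set out in this section (internet connectable under 13(4), network connectable under 13(5) to 13(7), the 13(8) cable carve out and the 13(9) input product rule) and then walks the Step 1 to Step 7 checklist from Section 2, including the six section 8 exclusions from Section 3. The `Product` fields, the category labels, and every product record in `run_examples()` are constructed for illustration; the result is only as good as the connectivity facts entered for each product and is meant to feed, not replace, the dated decision note.

```python
"""Part 2 applicability checker: section 13 definitions, then the Step 1-7 checklist.
Constructed example; every product record below is invented test data."""
from dataclasses import dataclass, field

# The six exclusions from the consumer grade class (Smart Devices Rules 2025, s8).
EXCLUDED_CATEGORIES = {
    "desktop computer", "laptop", "tablet computer", "smartphone",
    "therapeutic good", "road vehicle", "road vehicle component",
}


@dataclass
class Product:
    name: str
    category: str                        # matched against EXCLUDED_CATEGORIES (Step 5)
    ip_internet: bool = False            # s13(4): reaches the internet over the IP suite
    ip_to_icp: bool = False              # s13(6): IP-suite link to an internet connectable product
    non_ip_multi_peer: bool = False      # s13(7): non-IP link (Bluetooth, Zigbee) to 2+ products at once
    non_ip_to_icp: bool = False          # s13(7)/s13(9): non-IP link to an internet connectable product
    simple_cable: bool = False           # s13(8): a bare wire or cable, carved out
    input_products: list = field(default_factory=list)  # s13(9): peripherals paired to this linking product
    household_use: bool = False          # Step 4: consumer grade class (Rules s8)
    acquired_in_australia: bool = False  # Step 6: acquired in Australia by a consumer
    manufacturer_aware: bool = False     # Step 7: aware or could reasonably be expected to be aware
    new_supply_after_commencement: bool = True  # manufactured or supplied as new after Part 2 commenced


def is_internet_connectable(p: Product) -> bool:
    """s13(4): capable of sending and receiving data over the internet using the IP suite."""
    return p.ip_internet and not p.simple_cable


def is_network_connectable(p: Product, via_linking_product: bool = False) -> bool:
    """s13(5)-(9): not itself internet connectable, and meets s13(6), s13(7) or the s13(9) rule."""
    if p.simple_cable or is_internet_connectable(p):
        return False
    cond_6 = p.ip_to_icp                                 # direct IP-suite link to an ICP
    cond_7 = p.non_ip_multi_peer and p.non_ip_to_icp     # 2+ peers over non-IP, plus a non-IP link to an ICP
    return cond_6 or cond_7 or via_linking_product


def part2_applies(p: Product, via_linking_product: bool = False) -> tuple:
    """Walk Steps 1-7 in order; return (in_scope, reason) wording for the decision note."""
    if not (is_internet_connectable(p) or is_network_connectable(p, via_linking_product)):
        return False, "Steps 1-2: not a relevant connectable product (s13)"
    # Step 3: no exemptions have been made under s13(2)(b), so there is nothing to test here.
    if not p.household_use:
        return False, "Step 4: not in the consumer grade class (Rules s8)"
    if p.category in EXCLUDED_CATEGORIES:
        return False, f"Step 5: excluded category '{p.category}' (Rules s8)"
    if not p.acquired_in_australia:
        return False, "Step 6: not acquired in Australia by a consumer"
    if not p.manufacturer_aware:
        return False, "Step 7: knowledge threshold not met"
    if not p.new_supply_after_commencement:
        return False, "manufactured and supplied before Part 2 commenced"
    return True, "in scope: security standard and statement of compliance apply"


def classify_set(linking: Product) -> dict:
    """s13(9): input products paired wirelessly to a linking product that reaches an internet
    connectable product over a non-IP protocol also meet the network connectable condition."""
    results = {linking.name: part2_applies(linking)}
    for inp in linking.input_products:
        results[inp.name] = part2_applies(inp, via_linking_product=linking.non_ip_to_icp)
    return results


def run_examples() -> dict:
    """Constructed product catalogue; returns {product name: (in_scope, reason)}."""
    consumer = dict(household_use=True, acquired_in_australia=True, manufacturer_aware=True)
    camera = Product("Wi-Fi doorbell camera", "camera", ip_internet=True, **consumer)
    laptop = Product("Laptop", "laptop", ip_internet=True, **consumer)
    hdmi = Product("HDMI cable", "cable", simple_cable=True, **consumer)
    plc = Product("Factory PLC", "industrial controller", ip_internet=True)  # not household use
    # Wireless mouse and keyboard set: the USB receiver is the s13(9) linking product.
    mouse = Product("Wireless mouse", "peripheral", **consumer)
    keyboard = Product("Wireless keyboard", "peripheral", **consumer)
    receiver = Product("USB receiver", "peripheral", non_ip_multi_peer=True, non_ip_to_icp=True,
                       input_products=[mouse, keyboard], **consumer)
    out = {p.name: part2_applies(p) for p in (camera, laptop, hdmi, plc)}
    out.update(classify_set(receiver))
    return out


if __name__ == "__main__":
    for name, (in_scope, reason) in run_examples().items():
        print(f"{name:22} {'IN SCOPE' if in_scope else 'out     '}  {reason}")
```

Two points the table of results makes visible: a laptop is excluded at Step 5 even though it passes the section 13 test, and a mouse that is not connectable on its own enters scope through the receiver it is paired with, which is the situation Section 3 describes for peripherals of excluded devices.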

Section 5

Who must comply: manufacturers and suppliers under Part 2 of the Australia Cyber Security Act 2024

Part 2 of the Australia Cyber Security Act 2024 places obligations on two categories of entity: manufacturers and suppliers. Under section 15(1), a manufacturer must manufacture a relevant connectable product in compliance with the security standard if the product is included in the specified class and the manufacturer is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia by a consumer. Under section 15(2), the manufacturer must also comply with any other requirements of the security standard, such as publishing a vulnerability disclosure contact point and a defined support period for security updates.

Under section 15(3), a supplier must not supply a product in Australia that was not manufactured in compliance with the security standard, if the product is included in the specified class and the supplier is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia by a consumer. The term 'supplier' has the same meaning as in the Australian Consumer Law, which covers any entity that supplies goods in trade or commerce, including distributors, importers, and retailers.

Under section 16 of the Australia Cyber Security Act 2024, manufacturers must provide a statement of compliance for each relevant connectable product, and suppliers must supply the product accompanied by that statement of compliance. Both manufacturers and suppliers must retain a copy of the statement of compliance for 5 years, as specified in section 10 of the Smart Devices Rules 2025. The statement must include the product type and batch identifier, the manufacturer name and address, an authorised representative in Australia, a declaration of compliance, the defined support period, and the signature of an authorised signatory.

The 'manufacturer' definition follows the Australian Consumer Law, which means it can include the entity whose brand appears on the product, the entity that holds itself out as the manufacturer, or the entity that actually manufactures the product. The 'aware or could reasonably be expected to be aware' knowledge threshold means that a manufacturer or supplier cannot avoid obligations simply by claiming ignorance of the Australian market if the product is available through Australian retail channels or online marketplaces that serve Australian consumers.

  • Manufacturers must comply with the security standard requirements in Schedule 1 of the Smart Devices Rules 2025 (passwords, vulnerability disclosure, defined support period).
  • Manufacturers must provide a statement of compliance for each in scope product and retain a copy for 5 years.
  • Suppliers must not supply non compliant products in Australia and must supply each product accompanied by the statement of compliance.
  • Suppliers include distributors, importers, wholesalers, and retailers under the Australian Consumer Law definition.
  • The knowledge threshold is 'aware or could reasonably be expected to be aware' that the product will be acquired in Australia by a consumer.
  • If your brand appears on a product sold in Australia and the product connects to the internet, you should assume the Australia Cyber Security Act 2024 Part 2 obligations apply to you unless a specific exclusion is documented.

Section 6

Test 2: Does Part 3 ransomware payment reporting under the Australia Cyber Security Act 2024 apply to your organisation?

Part 3 of the Australia Cyber Security Act 2024 commenced on 29 May 2025. The Cyber Security (Ransomware Payment Reporting) Rules 2025 were registered on 3 March 2025 and commenced at the same time as Part 3. From that date, any reporting business entity that makes a ransomware payment, or becomes aware that a ransomware payment has been made on its behalf, must report the payment to the designated Commonwealth body within 72 hours.

The reporting duty under section 26 of the Australia Cyber Security Act 2024 only arises when all of the following elements exist together: (a) an incident has occurred, is occurring, or is imminent, (b) the incident is a cyber security incident as defined in section 9 of the Act, (c) the incident has had, is having, or could reasonably be expected to have a direct or indirect impact on a reporting business entity, (d) an extorting entity makes a demand in order to benefit from the incident or its impact, and (e) the reporting business entity provides, or is aware that another entity has provided on its behalf, a ransomware payment to the extorting entity that is directly related to the demand.

Under section 26(2) of the Australia Cyber Security Act 2024, an entity is a reporting business entity if, at the time the ransomware payment is made, it either: (a) is carrying on a business in Australia with an annual turnover for the previous financial year that exceeds the $3 million turnover threshold, is not a Commonwealth body or State body, and is not a responsible entity for a critical infrastructure asset, or (b) is a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies. These two routes into reporting business entity status are mutually exclusive in the statute: route (a) expressly excludes critical infrastructure responsible entities, because route (b) captures them separately.

The $3 million turnover threshold is set by section 6 of the Ransomware Payment Reporting Rules 2025. If the business has been carried on for only part of the previous financial year, the threshold is calculated on a pro rata basis using the formula: $3 million multiplied by the number of days the business was carried on in the previous financial year, divided by the total number of days in that financial year. This means a business that started operating on 1 January of a financial year (approximately 181 days into the year) would have a pro rata threshold of approximately $1.51 million for that partial year. Annual turnover is determined in accordance with the Income Tax Assessment Act 1997 definition of business.

  • Step 1: Confirm that a ransomware payment was made by your entity, or that your entity became aware that a payment was made on its behalf by another entity (including an insurer, adviser, or incident response firm).
  • Step 2: Confirm the event qualifies as a cyber security incident under section 9 of the Australia Cyber Security Act 2024.
  • Step 3: Determine whether your entity is a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies. If yes, your entity is a reporting business entity under route (b).
  • Step 4: If your entity is not a critical infrastructure responsible entity, determine whether it carries on business in Australia and had annual turnover exceeding $3 million in the previous financial year (or the pro rata equivalent for a partial year).
  • Step 5: Confirm your entity is not a Commonwealth body or State body, which are excluded from the turnover route under section 26(2)(a)(ii).
  • Step 6: Start the 72 hour reporting timer from the time the ransomware payment was made, or from the time your entity became aware the payment was made on its behalf, whichever is applicable.
  • Step 7: Preserve all evidence supporting your applicability decision, including turnover calculations, even if the conclusion is that no report is required.

Section 7

The $3 million annual turnover threshold for ransomware payment reporting

The $3 million annual turnover threshold is the primary gateway for private sector organisations into the ransomware payment reporting obligation under Part 3 of the Australia Cyber Security Act 2024. Section 6(1) of the Cyber Security (Ransomware Payment Reporting) Rules 2025 sets the turnover threshold at $3 million for the previous financial year. The concept of annual turnover follows the meaning of 'business' in the Income Tax Assessment Act 1997, which means you should use the same turnover figure that appears in your tax reporting.

For businesses that have been carried on for only part of the previous financial year, section 6(2) of the Rules prescribes a pro rata formula. The threshold for a partial year equals $3 million multiplied by the number of days in the part of the previous financial year during which the business was carried on, divided by the number of days in the previous financial year. This prevents a newly established business from avoiding the reporting obligation simply because it has not yet completed a full financial year. For example, a business that commenced on 1 October and ended its first financial year on 30 June (273 days of operation out of 365 days) would have a threshold of approximately $2.24 million.

When assessing turnover, count the aggregate annual turnover of the entity that is the reporting business entity under the Australia Cyber Security Act 2024. If your organisation operates through a corporate group structure, the turnover test applies to the specific entity that made or authorised the ransomware payment, not to the consolidated group revenue. However, if the entity is a partnership or trust, the turnover of the business carried on by the partnership or trust is the relevant figure.

Note that the $3 million threshold is assessed at the time the ransomware payment is made, using the turnover for the previous financial year. If your turnover has fluctuated near the threshold, you should check whether the entity exceeded $3 million in the financial year immediately before the payment was made, not the current financial year. Keep auditable records of your turnover calculations and the financial year to which they relate.

  • The threshold is $3 million annual turnover for the previous financial year (section 6(1) of the Ransomware Payment Reporting Rules 2025).
  • For a partial year, use the pro rata formula: $3M x (days of operation / days in the financial year) (section 6(2)).
  • Turnover follows the Income Tax Assessment Act 1997 definition and should match your tax reporting figures.
  • Assess turnover for the entity that made or authorised the payment, not the consolidated corporate group.
  • The assessment point is the time the ransomware payment is made, using the previous financial year's turnover.
  • Keep auditable records of your turnover calculations so you can demonstrate whether the threshold was or was not exceeded.
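As an added worked example (not code from this guide or from Sorena), the Python below runs the Section 6 reporting business entity test: route (b) first (Step 3), then the turnover route (a) with its Commonwealth and State body exclusion (Steps 4 and 5), using the section 6(2) pro rata formula from this section and the 72 hour clock from Step 6. It assumes the Australian 1 July to 30 June financial year when working out "the previous financial year" from the payment date, which the guide does not spell out, and it assumes the entity keeps timestamps in AEST (UTC+10); the `Entity` and `Decision` fields and all the entities, turnover figures and dates in `run_examples()` are constructed. Where no previous financial year exists at all, the code returns an indeterminate result rather than guessing, matching the guide's advice to seek legal advice on borderline conclusions.

```python
"""Part 3 applicability checker: s26(2) routes, the s6 turnover threshold with the
s6(2) pro rata formula, and the s27(1) 72 hour window. Constructed example."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

TURNOVER_THRESHOLD = 3_000_000          # Ransomware Payment Reporting Rules 2025, s6(1)
REPORTING_WINDOW = timedelta(hours=72)  # Cyber Security Act 2024, s27(1)


@dataclass
class Entity:
    name: str
    business_start: date                  # first day the business was carried on
    previous_fy_turnover: float           # the Income Tax Assessment Act 1997 turnover figure
    carries_on_business_in_australia: bool = True
    commonwealth_or_state_body: bool = False
    soci_part_2b_responsible_entity: bool = False  # responsible entity for a CI asset to which SOCI Part 2B applies


@dataclass
class Decision:
    entity: str
    payment_date: date
    in_scope: bool            # None when the test cannot be completed from the inputs
    basis: str
    threshold: float = None   # the threshold actually applied under route (a), if any


def previous_financial_year(payment_date: date):
    """(start, end) of the financial year before the one containing payment_date.
    Assumes the Australian 1 July to 30 June financial year (an assumption, not from the guide)."""
    end_year_of_current_fy = payment_date.year if payment_date.month <= 6 else payment_date.year + 1
    return date(end_year_of_current_fy - 2, 7, 1), date(end_year_of_current_fy - 1, 6, 30)


def pro_rata_threshold(fy_start: date, fy_end: date, business_start: date):
    """s6(2): $3M x (days carried on in the previous FY) / (days in that FY).
    A business carried on for the whole year gets the full $3M; one that did not exist
    in that FY at all gets None, because the formula has nothing to work on."""
    first_day = max(fy_start, business_start)
    if first_day > fy_end:
        return None
    days_in_fy = (fy_end - fy_start).days + 1          # 365 or 366, inclusive of both ends
    days_operating = (fy_end - first_day).days + 1
    return TURNOVER_THRESHOLD * days_operating / days_in_fy


def reporting_business_entity(e: Entity, payment_date: date) -> Decision:
    """s26(2) as described in Section 6: route (b) first (Step 3), then route (a) (Steps 4-5)."""
    if e.soci_part_2b_responsible_entity:
        return Decision(e.name, payment_date, True,
                        "route (b): SOCI Act Part 2B responsible entity; turnover irrelevant")
    if e.commonwealth_or_state_body:
        return Decision(e.name, payment_date, False, "s26(2)(a)(ii): Commonwealth or State body")
    if not e.carries_on_business_in_australia:
        return Decision(e.name, payment_date, False, "route (a): does not carry on business in Australia")
    fy_start, fy_end = previous_financial_year(payment_date)
    threshold = pro_rata_threshold(fy_start, fy_end, e.business_start)
    if threshold is None:
        return Decision(e.name, payment_date, None,
                        f"no previous financial year ({fy_start} to {fy_end}); borderline, seek legal advice")
    in_scope = e.previous_fy_turnover > threshold
    basis = (f"route (a): turnover {e.previous_fy_turnover:,.0f} "
             f"{'exceeds' if in_scope else 'does not exceed'} threshold {threshold:,.0f} "
             f"for FY {fy_start} to {fy_end}")
    return Decision(e.name, payment_date, in_scope, basis, threshold)


def report_deadline(trigger: datetime) -> datetime:
    """s27(1): 72 hours from the payment, or from awareness when a third party paid on the
    entity's behalf (Step 6). A timezone-aware timestamp is required so the clock is unambiguous."""
    if trigger.tzinfo is None:
        raise ValueError("trigger must be timezone-aware")
    return trigger + REPORTING_WINDOW


def run_examples() -> dict:
    """Constructed entities and dates; returns the decisions and one reporting deadline."""
    payment_date = date(2025, 8, 15)
    aest = timezone(timedelta(hours=10))  # assumption: records are kept in AEST
    entities = [
        Entity("NewCo Pty Ltd", date(2024, 10, 1), 2_300_000),   # carried on for part of the previous FY
        Entity("OldCo Pty Ltd", date(2010, 3, 1), 2_900_000),    # full FY, under the $3M threshold
        Entity("WaterCo", date(1995, 1, 1), 500_000, soci_part_2b_responsible_entity=True),
        Entity("StateAgency", date(1980, 1, 1), 50_000_000, commonwealth_or_state_body=True),
        Entity("StartupCo", date(2025, 7, 10), 0),               # no previous FY at all
    ]
    decisions = {e.name: reporting_business_entity(e, payment_date) for e in entities}
    awareness = datetime(2025, 8, 15, 9, 30, tzinfo=aest)  # insurer notifies NewCo that it paid
    return {"decisions": decisions, "deadline": report_deadline(awareness)}


if __name__ == "__main__":
    result = run_examples()
    for d in result["decisions"].values():
        print(f"{d.entity:16} in_scope={d.in_scope!s:5} {d.basis}")
    print("report due by", result["deadline"].isoformat())
```

For NewCo the code counts 273 days from 1 October 2024 to 30 June 2025 inclusive and arrives at a threshold of about $2.24 million, the same figure this section gives, so a $2.3 million turnover puts the entity in scope even though it is under the headline $3 million. Keeping the `basis` string with the financial year dates and the applied threshold gives the turnover calculation the auditable form the last bullet asks for.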

Section 8

SOCI Act interaction and critical infrastructure obligations under the Australia Cyber Security Act 2024

The Australia Cyber Security Act 2024 deliberately interfaces with the Security of Critical Infrastructure Act 2018 (the SOCI Act) in two significant ways. First, the definition of 'cyber security incident' in section 9 of the Australia Cyber Security Act 2024 draws on the meaning of that term in the SOCI Act, covering acts, events, or circumstances of a kind covered by the SOCI Act definition, as well as unauthorised impairment of electronic communication to or from a computer. This means the same incident may trigger obligations under both the SOCI Act and the Australia Cyber Security Act 2024.

Second, the reporting business entity definition in section 26(2)(b) of the Australia Cyber Security Act 2024 provides a separate route into scope for entities that are responsible entities for critical infrastructure assets to which Part 2B of the SOCI Act applies. Part 2B of the SOCI Act covers cyber security obligations for critical infrastructure assets, including the requirement to adopt and maintain a critical infrastructure risk management program and to report cyber security incidents to the Australian Signals Directorate. If your entity is a responsible entity under the SOCI Act and Part 2B applies to your critical infrastructure asset, you are automatically a reporting business entity under the Australia Cyber Security Act 2024 for the purposes of ransomware payment reporting, regardless of your turnover.

This means critical infrastructure operators may face dual reporting obligations following a ransomware incident: a cyber security incident report to the Australian Signals Directorate under the SOCI Act, and a ransomware payment report to the designated Commonwealth body under Part 3 of the Australia Cyber Security Act 2024. The timelines, reporting bodies, and content requirements are different for each obligation, so you should maintain separate reporting workflows and not assume that filing one report satisfies the other.

The SOCI Act covers 11 critical infrastructure sectors: communications, data storage or processing, financial services and markets, water and sewerage, energy, health care and medical, higher education and research, food and grocery, transport, space technology, and defence industry. If your entity is a responsible entity for an asset in any of these sectors and Part 2B applies, you must include the Australia Cyber Security Act 2024 ransomware reporting obligation in your incident response plan alongside your SOCI Act obligations.

  • A responsible entity for a critical infrastructure asset under the SOCI Act is automatically a reporting business entity under the Australia Cyber Security Act 2024, regardless of turnover.
  • Part 2B of the SOCI Act must apply to the asset for this automatic inclusion to take effect. Not all critical infrastructure assets are subject to Part 2B.
  • The SOCI Act cyber security incident report and the Australia Cyber Security Act 2024 ransomware payment report are separate obligations with different timelines and content requirements.
  • Do not assume that filing a SOCI Act incident report satisfies the ransomware payment reporting requirement under Part 3 of the Australia Cyber Security Act 2024.
  • Review your SOCI Act registration and Part 2B applicability to determine whether your entity enters scope for the Australia Cyber Security Act 2024 through the critical infrastructure route.
  • The 11 SOCI Act critical infrastructure sectors are: communications, data storage or processing, financial services and markets, water and sewerage, energy, health care and medical, higher education and research, food and grocery, transport, space technology, and defence industry.

Section 9

The 72 hour ransomware payment reporting window under the Australia Cyber Security Act 2024

Section 27(1) of the Australia Cyber Security Act 2024 requires the reporting business entity to give the designated Commonwealth body a ransomware payment report within 72 hours of making the ransomware payment or becoming aware that the ransomware payment has been made on its behalf, whichever is applicable. The 72 hour clock starts from the moment of payment or awareness, not from the moment the cyber security incident began or was discovered.

The ransomware payment report must contain information that the reporting business entity knows or is able, by reasonable search or enquiry, to find out within the 72 hour reporting period (section 27(2)). This means you are not required to have complete forensic detail at the time of reporting. You are required to provide what you know and what you can reasonably ascertain within the window. Section 7 of the Ransomware Payment Reporting Rules 2025 specifies the required content: the reporting entity's contact and business details (including ABN and address), the other entity's details if a third party made the payment, information about the cyber security incident and its impact, the demand made by the extorting entity, the ransomware payment amount and method, and communications with the extorting entity.

The civil penalty for failing to report within 72 hours is 60 penalty units under section 27(5) of the Australia Cyber Security Act 2024. However, section 28 provides a safe harbour: an entity is not liable to an action or other proceeding for damages for an act done or omitted in good faith in compliance with section 27. This means the Act protects entities that report in good faith, even if the report later turns out to be incomplete or if the information provided was based on the best available evidence at the time.

The report must be given in the form approved by the Secretary (if any) and in the manner prescribed by the Rules (section 27(4)). Information in the ransomware payment report is protected under Division 3 of Part 3: it may only be used or disclosed for permitted cyber security purposes, and it cannot be used against the reporting entity in civil or regulatory proceedings (except for contraventions of Part 3 itself or criminal offences). This protection is designed to encourage timely and honest reporting.

  • The 72 hour clock starts from the time of payment or awareness of payment, not from incident discovery.
  • Report what you know or can reasonably find out within 72 hours. Perfect information is not required.
  • Include: entity contact details and ABN, third party payer details if applicable, incident details and impact, the demand, payment amount and method, and communications with the extorting entity.
  • Civil penalty for non reporting: 60 penalty units (section 27(5) of the Australia Cyber Security Act 2024).
  • Safe harbour protection: good faith reporting shields you from damages claims (section 28).
  • Report information is protected and cannot be used against you in civil or regulatory proceedings except for Part 3 contraventions or criminal offences.

Section 10

Payments made on your behalf: insurers, advisers, and outsourced ransomware payments

Section 26(1)(e) of the Australia Cyber Security Act 2024 expressly captures situations where another entity has provided a ransomware payment on behalf of the reporting business entity. This means that if your cyber insurance provider, your incident response firm, your legal adviser, or any other third party makes a ransomware payment that is directly related to a demand arising from a cyber security incident that impacts your entity, the reporting obligation falls on your entity as soon as you become aware that the payment was made.

The trigger for the 72 hour reporting window in this scenario is the moment of awareness. Under section 27(1), if another entity makes the payment on your behalf, the timer starts when your entity becomes aware that the payment has been made. You should ensure that your contracts with incident response firms, cyber insurers, and legal advisers include notification clauses that require them to inform you immediately if a ransomware payment is made or is about to be made on your behalf. Without these contractual safeguards, you risk missing the 72 hour window because you were not told about the payment in time.

The Act does not define 'on behalf of' with a specific legal test, but the provision is intended to capture the practical reality of ransomware negotiations, where the entity that is impacted by the incident is not always the entity that physically transfers the payment. If a payment is made by a third party and is directly related to a demand arising from an incident that impacts your entity, assume the reporting obligation may apply and seek legal advice promptly.

Pre payment negotiations are also relevant. Section 7(7)(c) of the Ransomware Payment Reporting Rules 2025 requires a brief description of any pre payment negotiations undertaken in relation to the demand or the ransomware payment. This means your reporting obligations extend to documenting the negotiation process, not just the final payment.

  • Ransomware payments made by insurers, incident response firms, legal advisers, or other third parties on your behalf still trigger your reporting obligation under the Australia Cyber Security Act 2024.
  • The 72 hour clock starts from when your entity becomes aware the payment was made, not from when the payment was physically transferred.
  • Update your contracts with cyber insurers and incident response providers to include immediate notification clauses for any ransomware payment made or authorised on your behalf.
  • Document all pre payment negotiations as required by section 7(7)(c) of the Ransomware Payment Reporting Rules 2025.
  • If you are unsure whether a payment was made on your behalf, treat the situation conservatively and prepare a report pending legal advice.
  • Include the third party payer's contact details and ABN in your ransomware payment report (section 7(3) of the Rules).

Section 11

Exemptions, exclusions, and entities outside the scope of the Australia Cyber Security Act 2024

The Australia Cyber Security Act 2024 contains several important scoping limitations and exemptions that may take your organisation or product outside the scope of one or both Parts. Understanding these boundaries is as important as understanding the positive scope criteria, because relying on an exemption without proper documentation can expose your organisation to enforcement risk if the exemption is later found not to apply.

For Part 2 (smart device security standards), the principal exclusion mechanism is the list of product categories excluded from the consumer grade class in section 8 of the Smart Devices Rules 2025: desktop computers, laptops, tablet computers, smartphones, therapeutic goods, road vehicles, and road vehicle components. In addition, section 13(2)(b) of the Australia Cyber Security Act 2024 allows the rules to exempt specific classes of products or particular products from the definition of relevant connectable product altogether. No such general exemptions have been made in the 2025 Rules, but the power exists and may be exercised in the future. Products that are not intended for personal, domestic, or household use (for example, industrial IoT sensors sold exclusively in business to business channels with no consumer market) fall outside the consumer grade class and are not currently captured.

For Part 3 (ransomware payment reporting), Commonwealth bodies and State bodies are excluded from the turnover route into scope under section 26(2)(a)(ii). However, they may still be captured through the critical infrastructure route if they are responsible entities for assets to which Part 2B of the SOCI Act applies. The $3 million turnover threshold itself functions as a de facto exemption for smaller businesses, although the pro rata calculation for partial years means that even a newly established business can be in scope if its annualised revenue pace exceeds $3 million.

Section 15(5) of the Australia Cyber Security Act 2024 provides a constitutional exception: an entity is not required to comply with the Part 2 security standard to the extent that a requirement does not relate to internet connectivity or internet security measures, if the entity is neither a constitutional corporation nor engaged in interstate or international trade or commerce. In practice, this exception is narrow because most security standard requirements relate to internet connectivity, passwords, vulnerability disclosure, and security updates, all of which involve internet connection or internet security.

  • Part 2 exclusions: desktop computers, laptops, tablets, smartphones, therapeutic goods, road vehicles, road vehicle components. Document which exclusion applies and why.
  • Part 2 products outside the consumer grade class: industrial or enterprise only products not intended for personal, domestic, or household use may be outside scope, but document the basis for this conclusion.
  • Part 3 exclusion: Commonwealth bodies and State bodies are excluded from the $3 million turnover route but may still be captured through the SOCI Act critical infrastructure route.
  • Part 3 de facto exemption: entities with annual turnover below $3 million (or the pro rata equivalent) that are not SOCI Act responsible entities are not reporting business entities.
  • Constitutional exception under section 15(5): narrow in practice because most security standard requirements relate to internet connectivity.
  • Monitor the Federal Register of Legislation for future rules that may add or remove exemptions under section 13(2)(b) of the Australia Cyber Security Act 2024.

Section 12

Step by step applicability decision process for the Australia Cyber Security Act 2024

The following step by step process consolidates the applicability tests described above into a single decision workflow. Work through each step in order, recording your answer and the evidence supporting it. At the end, you will have a clear picture of which Parts of the Australia Cyber Security Act 2024 apply to your organisation and in what capacity.

For Part 2 (smart device security standards): (1) List every product your organisation manufactures, imports, distributes, or supplies in Australia. (2) For each product, determine whether it is an internet connectable product or a network connectable product under section 13 of the Australia Cyber Security Act 2024. (3) For each relevant connectable product, check whether it falls within the consumer grade class under section 8 of the Smart Devices Rules 2025 and is not in one of the six excluded categories. (4) For each product that is in the consumer grade class, confirm it will be acquired in Australia by a consumer and that your entity is aware or could reasonably be expected to be aware of that fact. (5) Determine whether your entity is the manufacturer, the supplier, or both, and map the obligations accordingly.

For Part 3 (ransomware payment reporting): (1) Determine whether your entity is a responsible entity for a critical infrastructure asset to which Part 2B of the SOCI Act applies. If yes, your entity is a reporting business entity regardless of turnover. (2) If not, determine whether your entity carries on business in Australia with annual turnover exceeding $3 million in the previous financial year (or the pro rata equivalent). (3) Confirm your entity is not a Commonwealth body or State body. (4) Document the conclusion and file it with your incident response plan so that the applicability question is already answered before an incident occurs.

Compile your findings into a dated applicability decision memo. The memo should include: the legal entity name and ABN, the date of assessment, the products or activities assessed, the provisions of the Australia Cyber Security Act 2024 considered, the conclusion for Part 2 and Part 3 separately, any exclusions relied upon with statutory references, and the name and role of the officer who approved the conclusion. Store the memo in your compliance evidence pack and schedule the next review.

  • Step 1: Inventory all products your entity manufactures, imports, distributes, or supplies in Australia.
  • Step 2: Classify each product as internet connectable, network connectable, or neither under section 13 of the Australia Cyber Security Act 2024.
  • Step 3: Check the consumer grade class and the six excluded categories under the Smart Devices Rules 2025.
  • Step 4: Determine whether the product will be acquired in Australia by a consumer.
  • Step 5: Map manufacturer and supplier obligations under sections 15 and 16 of the Australia Cyber Security Act 2024.
  • Step 6: Determine reporting business entity status under section 26(2): either the SOCI Act critical infrastructure route or the $3 million turnover route.
  • Step 7: Document the conclusion for both Part 2 and Part 3 in a dated applicability decision memo and store it with your compliance evidence pack.
  • Step 8: Schedule a review trigger for new products, new markets, corporate acquisitions, turnover changes, or SOCI Act registration changes.

Section 13

Edge cases and practical considerations for the Australia Cyber Security Act 2024 applicability test

Mixed hardware and software products can create false confidence about scope. If a product is sold as a household device but includes companion software, a mobile application, or cloud functionality, the applicability analysis under the Australia Cyber Security Act 2024 should cover the full intended use case, not just the hardware shell. The security standard in Schedule 1 of the Smart Devices Rules 2025 applies to hardware and to software that is pre installed on the product, software that must be installed for the manufacturer's intended purposes, and software developed by or on behalf of the manufacturer that is used for the product's intended purposes. All of these software components are in scope for the password, vulnerability disclosure, and security update requirements.

For ransomware payment reporting under Part 3 of the Australia Cyber Security Act 2024, do not wait for every technical detail before deciding whether the reporting duty is triggered. The Act and the Ransomware Payment Reporting Rules 2025 only require information that the entity knows or can find out by reasonable search or enquiry within the 72 hour reporting period. If your entity has made or authorised a ransomware payment, or has become aware that a payment was made on its behalf, start the reporting process immediately and supplement the report with additional details as they become available.

Group structures require careful analysis. Each legal entity in a corporate group is assessed separately under the Australia Cyber Security Act 2024. A subsidiary that manufactures smart devices is assessed independently from its parent company for Part 2 purposes. For Part 3 purposes, the turnover threshold applies to the specific entity that is the reporting business entity, not to the consolidated group. If an incident impacts multiple entities in a group and payments are made by or on behalf of more than one entity, each entity must independently assess its reporting obligation.

International supply chains add complexity to the Part 2 analysis. A manufacturer based outside Australia that sells consumer grade smart devices into the Australian market is subject to the security standard and statement of compliance obligations if it is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia by a consumer. The Australia Cyber Security Act 2024 applies both within and outside Australia under section 5 (extraterritoriality). Importers and distributors in Australia who are suppliers under the Australian Consumer Law are also independently obligated not to supply non compliant products.

  • Assess the full product ecosystem (hardware, companion apps, cloud services) when determining whether the security standard applies.
  • Document why a product is outside the consumer grade class if you rely on an exclusion, including the intended market and distribution channels.
  • Document who decided whether an incident involved a ransomware payment and when that conclusion was reached.
  • Treat outsourced payments, insurance mediated payments, and payments made by incident response advisers as potential triggers for your own reporting obligation.
  • Assess each legal entity in a corporate group separately for both Part 2 and Part 3 of the Australia Cyber Security Act 2024.
  • International manufacturers selling into Australia are subject to the Act under section 5 (extraterritoriality) if they are aware or could reasonably be expected to be aware of Australian consumer acquisition.
  • Review the applicability decision memo after major product updates, market changes, corporate restructuring, or incident response lessons learned.

Primary sources

References and citations

  • Australia Cyber Security Act 2024 (legislation.gov.au). Referenced sections: primary legislation defining relevant connectable products (section 13), reporting business entities (section 26), ransomware payment reporting (section 27), and enforcement powers.
  • Security of Critical Infrastructure Act 2018 (SOCI Act) (legislation.gov.au). Referenced sections: defines critical infrastructure assets, responsible entities, and the Part 2B cyber security obligations that create an alternative route into reporting business entity status under the Australia Cyber Security Act 2024.