
Australia Cyber Security Act 2024 Compliance Checklist

A comprehensive, section referenced compliance checklist covering every obligation under the Australia Cyber Security Act 2024, including smart device security standards, statement of compliance preparation, ransomware payment reporting, enforcement readiness, and recordkeeping requirements.

This is written as a detailed implementation checklist for compliance professionals, not as a high level summary. Each item references the relevant Act section or Rules clause.

Author: Sorena AI
Published: Mar 4, 2026
Updated: Mar 4, 2026
Overview

The Australia Cyber Security Act 2024 (No. 98, 2024) creates three major compliance pillars: mandatory security standards for smart devices (Part 2), ransomware payment reporting obligations (Part 3), and voluntary information sharing for significant cyber security incidents (Part 4). Two subordinate instruments, the Cyber Security (Security Standards for Smart Devices) Rules 2025 and the Cyber Security (Ransomware Payment Reporting) Rules 2025, provide the operational detail. Splitting these obligations across disconnected teams is the fastest way to fail. This Australia Cyber Security Act 2024 compliance checklist is designed to be run as a single coordinated program, covering scope determination, product controls, evidence packs, incident reporting readiness, and enforcement preparation. Review this checklist at product launch, after every major update, and after every incident exercise.

Section 1

1. Scope and program setup checklist for the Australia Cyber Security Act 2024

Before you can comply with the Australia Cyber Security Act 2024, you must determine which entities, products, and incident scenarios fall within scope. The Act applies both within and outside Australia (section 5) and binds the Crown in each of its capacities (section 6). Part 2 covers relevant connectable products manufactured or supplied (other than as second hand goods) on or after commencement (section 13(1)). Part 3 applies to reporting business entities that make or become aware of a ransomware payment. Assign accountable owners who can close gaps and approve evidence. A checklist without clear ownership becomes a list of wishes.

  • Identify every legal entity in your corporate group that manufactures or supplies relevant connectable products in Australia. A relevant connectable product is any internet connectable product or network connectable product that is not exempted under the rules (section 13(2) of the Act).
  • Determine whether each product is a consumer grade relevant connectable product under Schedule 1 of the Smart Device Rules. A product is in scope if it is intended by the manufacturer for personal, domestic, or household use and is not a desktop computer, laptop, tablet, smartphone, therapeutic good, road vehicle, or road vehicle component (Rules section 8(1)(a) and (b)).
  • For each legal entity, determine whether it qualifies as a reporting business entity under section 26(2) of the Act: either (a) carrying on a business in Australia with annual turnover exceeding the $3 million threshold for the previous financial year, or (b) a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies.
  • For entities that carried on business for only part of the previous financial year, apply the prorated turnover threshold formula: $3 million multiplied by the number of days in the part divided by the number of days in the previous financial year (Ransomware Rules section 6(2)).
  • Name one accountable owner for smart device compliance under Part 2 of the Australia Cyber Security Act 2024, and a separate accountable owner for ransomware reporting readiness under Part 3.
  • Create an evidence folder structure for each product line (to support statement of compliance preparation) and for each incident reporting playbook (to support ransomware payment report readiness).
  • Define a review cadence tied to product launches, major firmware or software updates, annual assurance reviews, and post incident exercises.
  • Document every out of scope conclusion and the factual basis for it. Explain why each excluded product is not a relevant connectable product or not a consumer grade product, referencing section 13 of the Act and section 8 of the Rules.
  • Verify that your scope analysis addresses extraterritorial reach. The Australia Cyber Security Act 2024 applies both within and outside Australia (section 5), so overseas manufacturers and suppliers are covered if they are aware, or could reasonably be expected to be aware, that their products will be acquired in Australia.
Section 2

2. Smart device password security checklist under Schedule 1 of the Smart Device Rules

The Cyber Security (Security Standards for Smart Devices) Rules 2025, Schedule 1, clause 2 prescribes mandatory password requirements for all consumer grade relevant connectable products. These requirements apply to passwords for hardware not in the factory default state, software pre-installed at the point of supply, and software that must be installed for all of the manufacturer's intended purposes. Every product that ships to Australia must meet these Australia Cyber Security Act 2024 password controls before it reaches the consumer.

  • Verify that all passwords for hardware, pre-installed software, and required installable software are either (a) unique per product, or (b) defined by the user of the product (Schedule 1, clause 2(2)(a) and (b)).
  • Confirm that unique per product passwords are not based on incremental counters such as 'password1' and 'password2' (Schedule 1, clause 2(3)(a)).
  • Confirm that unique per product passwords are not based on or derived from publicly available information (Schedule 1, clause 2(3)(b)).
  • Confirm that unique per product passwords are not based on or derived from unique product identifiers such as serial numbers, unless this is done using an encryption method or keyed hashing algorithm that is accepted as part of good industry practice (Schedule 1, clause 2(3)(c)).
  • Confirm that unique per product passwords are not otherwise guessable in a manner unacceptable as part of good industry practice (Schedule 1, clause 2(3)(d)).
  • Document your password generation method and retain evidence that passwords meet good industry practice standards. If you rely on the encryption or keyed hashing exception for serial number based passwords, document the algorithm used and why it qualifies as good industry practice.
  • Test a sample of products from each production batch to verify that passwords are unique per product and that none are guessable or based on prohibited derivation methods.
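
The batch sampling test in the last item, sketched as an added example that is not part of the original checklist or of the Rules. It generates passwords two ways (CSPRNG, and HMAC of the serial under a secret key) and audits a provisioning manifest for duplicates, counter patterns, public information, unkeyed serial derivations and weak passwords. The length and distinct-character thresholds, the finding names, and every serial, MAC, model name and key are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets
from collections import Counter

# Assumed audit policy: the Rules refer to "good industry practice" without figures.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789"
MIN_LENGTH = 12
MIN_DISTINCT = 6


def random_password(length=16):
    """Identifier-independent option: CSPRNG output, nothing to derive it from."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyed_password(serial, factory_key, length=16):
    """Serial-derived option: HMAC-SHA256 of the serial under a secret factory key."""
    digest = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def _norm(text):
    """Lower-case and drop separators so 'A4:C1:...' compares equal to 'a4c1...'."""
    return re.sub(r"[^0-9a-z]", "", text.lower())


def _unkeyed_derivations(serial):
    """Values anyone who can read the serial can compute without a secret."""
    values = {_norm(serial), _norm(serial)[::-1]}
    for algo in ("md5", "sha1", "sha256"):
        values.add(hashlib.new(algo, serial.encode()).hexdigest())
    return values


def audit_batch(devices, known_defaults=()):
    """Return {serial: [finding, ...]} for every device with at least one finding.

    devices: dicts with 'serial', 'password' and 'public' (strings printed on the
    label or otherwise visible to anyone, such as a MAC address or model name).
    """
    seen = Counter(d["password"] for d in devices)
    stem_of = {}
    for d in devices:
        m = re.fullmatch(r"(.*?)(\d+)", d["password"])  # text before a trailing number
        stem_of[d["serial"]] = m.group(1) if m else ""
    stems = Counter(s for s in stem_of.values() if s)
    defaults = {_norm(p) for p in known_defaults}

    report = {}
    for d in devices:
        pw, norm_pw, found = d["password"], _norm(d["password"]), []
        if seen[pw] > 1:
            found.append("duplicate")          # not unique per product
        if stems[stem_of[d["serial"]]] > 1:
            found.append("counter")            # shared stem + number, e.g. password1/2
        public = [_norm(p) for p in d.get("public", [])]
        if norm_pw in defaults or any(len(p) >= 4 and p in norm_pw for p in public):
            found.append("public-info")
        if any(v in norm_pw or (len(norm_pw) >= 8 and v.startswith(norm_pw))
               for v in _unkeyed_derivations(d["serial"])):
            found.append("serial-derived")     # serial, reversed serial, plain hash
        if len(pw) < MIN_LENGTH or len(set(pw)) < MIN_DISTINCT:
            found.append("guessable")
        if found:
            report[d["serial"]] = found
    return report


def sample_batch(factory_key):
    """Constructed manifest: all serials, MACs and passwords here are made up."""
    rows = [
        ("SN1000017", "A4:C1:38:7F:20:AD", "admin"),
        ("SN1000018", "A4:C1:38:7F:20:AE", "Cam-0041"),
        ("SN1000019", "A4:C1:38:7F:20:AF", "Cam-0042"),
        ("SN1000020", "A4:C1:38:7F:20:B0", hashlib.sha256(b"SN1000020").hexdigest()[:16]),
        ("SN1000021", "A4:C1:38:7F:20:B1", "A4C1387F20B1"),
        ("SN1000022", "A4:C1:38:7F:20:B2", keyed_password("SN1000022", factory_key)),
        ("SN1000023", "A4:C1:38:7F:20:B3", random_password()),
    ]
    return [{"serial": s, "password": p, "public": ["HomeCam 2", mac]}
            for s, mac, p in rows]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stand-in for the secret factory key
    report = audit_batch(sample_batch(key), known_defaults=["admin", "password"])
    for serial, found in report.items():
        print(serial, ", ".join(found))
```

The keyed and random entries are the only ones that pass: without the factory key, the audit cannot recompute a keyed password from the serial, whereas the plain SHA-256 prefix is flagged because anyone holding the serial can reproduce it.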
Section 3

3. Security issue reporting channel checklist under Schedule 1 of the Smart Device Rules

Schedule 1, clause 3 of the Cyber Security (Security Standards for Smart Devices) Rules 2025 requires manufacturers to publish information on how a person can report security issues. This obligation covers hardware, pre-installed software, required installable software, and software used for or in connection with any of the manufacturer's intended purposes. The Australia Cyber Security Act 2024 mandates that this reporting channel be accessible without barriers.

  • Publish at least one point of contact to allow a person to report security issues to the manufacturer (Schedule 1, clause 3(2)(a)).
  • Publish the timing for when a person who reports a security issue will receive an acknowledgement of receipt (Schedule 1, clause 3(2)(b)(i)).
  • Publish the timing for when a person who reports a security issue will receive status updates until the resolution of the reported security issues (Schedule 1, clause 3(2)(b)(ii)).
  • Verify that the published reporting information is accessible, clear, and transparent (Schedule 1, clause 3(3)).
  • Verify that the reporting information is available without any prior request for the information (Schedule 1, clause 3(3)(a)).
  • Verify that the reporting information is published in English (Schedule 1, clause 3(3)(b)).
  • Verify that the reporting information is available free of charge (Schedule 1, clause 3(3)(c)).
  • Verify that accessing the reporting information does not require the person to provide personal information (Schedule 1, clause 3(3)(d)).
  • Conduct a user test: have someone outside the product team attempt to find the reporting channel, submit a test report, and confirm they receive an acknowledgement within the stated timing.
Section 4

4. Defined support period and security update checklist under Schedule 1 of the Smart Device Rules

Schedule 1, clause 4 of the Cyber Security (Security Standards for Smart Devices) Rules 2025 requires manufacturers to publish the defined support period for security updates and to comply with strict publication and prominence rules. The Australia Cyber Security Act 2024 compliance checklist must verify that every in scope product has a published support period that a non-technical consumer can understand, and that the manufacturer has not shortened it after publication.

  • Publish the defined support period for security updates for hardware capable of receiving security updates (Schedule 1, clause 4(1)(a)).
  • Publish the defined support period for security updates for pre-installed software capable of receiving security updates (Schedule 1, clause 4(1)(b)).
  • Publish the defined support period for security updates for required installable software capable of receiving security updates (Schedule 1, clause 4(1)(c)).
  • Publish the defined support period for security updates for software developed by or on behalf of the manufacturer that is capable of receiving security updates and used for any of the manufacturer's intended purposes (Schedule 1, clause 4(1)(d)).
  • Express the defined support period as a period of time with a clear end date (Schedule 1, clause 4(3)).
  • Verify that the published support period information is accessible, clear, and transparent (Schedule 1, clause 4(6)(a)).
  • Verify that the information is available without prior request, in English, free of charge, without requiring personal information, and in a way that is understandable by a reader without prior technical knowledge (Schedule 1, clause 4(6)(b)(i) through (v)).
  • If the manufacturer offers to supply the product on its own website or another website under its control, verify that the support period information is prominently published alongside other information that informs consumer buying decisions (Schedule 1, clause 4(7)(a)).
  • If the manufacturer publishes the main characteristics of the product on its website, verify that the support period is published alongside or given equal prominence to those main characteristics (Schedule 1, clause 4(7)(b)).
  • Confirm that the manufacturer has not shortened the defined support period after it was first published. The manufacturer must not shorten the defined support period (Schedule 1, clause 4(4)).
  • If the manufacturer extends the defined support period, verify that the new period is published as soon as is practicable (Schedule 1, clause 4(5)).
  • Document the support period for each product model and version. Retain a record of the original publication date and every subsequent change.
Section 5

5. Statement of compliance preparation checklist under the Australia Cyber Security Act 2024

The statement of compliance is the formal, market facing artifact for the smart device security regime. Manufacturers must provide a statement of compliance for the supply of each in scope product in Australia (section 16(1) of the Act), and suppliers must supply the product accompanied by that statement (section 16(3)). The requirements for the statement are prescribed in section 9 of the Cyber Security (Security Standards for Smart Devices) Rules 2025. Treat this as a controlled release document with evidence gates and retention rules.

  • Confirm that the statement is prepared by, or on behalf of, the manufacturer of the product (Rules section 9(2)).
  • Include the product type and batch identifier in the statement (Rules section 9(3)(a)).
  • Include the name and address of the manufacturer of the product (Rules section 9(3)(b)(i)).
  • Include the name and address of an authorised representative of the manufacturer (Rules section 9(3)(b)(ii)).
  • Include the name and address of each (if any) of the manufacturer's other authorised representatives that are in Australia (Rules section 9(3)(b)(iii)).
  • Include a declaration that the statement has been prepared by, or on behalf of, the manufacturer of the product (Rules section 9(3)(c)).
  • Include a declaration that, in the opinion of the manufacturer, the product has been manufactured in compliance with the requirements of the security standard (Rules section 9(3)(d)(i)).
  • Include a declaration that, in the opinion of the manufacturer, the manufacturer has complied with any other obligations relating to the product in the security standard (Rules section 9(3)(d)(ii)).
  • Include the defined support period for the product at the date the statement of compliance is issued (Rules section 9(3)(e)).
  • Include the signature, name, and function of the signatory of the manufacturer (Rules section 9(3)(f)).
  • Include the place and date of issue of the statement of compliance (Rules section 9(3)(g)).
  • Verify that every field is complete before the signatory signs. An incomplete statement of compliance is a compliance risk under the Australia Cyber Security Act 2024.
Section 6

6. Recordkeeping and evidence retention checklist for the Australia Cyber Security Act 2024

Both manufacturers and suppliers must retain a copy of the statement of compliance for the period specified in the rules (section 16(2) and 16(4) of the Act). The Cyber Security (Security Standards for Smart Devices) Rules 2025 set a 5 year retention period (Rules section 10). Effective recordkeeping is essential because the Secretary may request the product and/or the statement of compliance for independent examination at any time (section 23 of the Act).

  • Configure document retention for at least 5 years from the date each statement of compliance is issued (Rules section 10).
  • Test that you can retrieve any statement of compliance within a reasonable period if requested by the Secretary under section 23(3) of the Act.
  • Retain evidence supporting each declaration in the statement of compliance, including password testing results, security issue reporting channel screenshots, and defined support period publication records.
  • Maintain a version controlled archive of every statement of compliance issued. Track which product batches each statement covers.
  • If the manufacturer uses an authorised representative to prepare or manage statements, confirm that the representative retains a copy for the same 5 year period.
  • Retain records of any changes to the defined support period, including the original publication date, the date of any extension, and the updated end date.
  • If the manufacturer supplies through a website, retain periodic screenshots or captures showing that the support period information is displayed with equal prominence to main product characteristics, as evidence of compliance with Schedule 1, clause 4(7).
  • Store evidence in a manner that supports potential independent examination. The Secretary may engage an expert to open, operate, test, analyse, photograph, or video record the product (section 23(2) of the Act).
Section 7

7. Ransomware payment reporting readiness checklist under the Australia Cyber Security Act 2024

Part 3 of the Australia Cyber Security Act 2024 requires reporting business entities to provide a ransomware payment report to the designated Commonwealth body within 72 hours of making a ransomware payment or becoming aware that a payment has been made (section 27(1)). Failure to report carries a civil penalty of 60 penalty units (section 27(5)). The reporting clock is short and the information burden is front loaded, so the only workable model is to prebuild the report pack and escalation paths before you need them.

  • Prepare a reporting business entity determination memo for each major legal entity. Document whether each entity (a) carries on a business in Australia with annual turnover exceeding $3 million, or (b) is a responsible entity for a critical infrastructure asset to which Part 2B of the SOCI Act applies (section 26(2) of the Act and Ransomware Rules section 6).
  • Identify who in the organisation decides whether a payment has been made and when the 72 hour reporting clock starts under section 27(1) of the Act.
  • Confirm the designated Commonwealth body that will receive the report. The default is the Department and ASD unless rules specify otherwise (section 8 definition of designated Commonwealth body).
  • Prebuild a report template that captures the reporting business entity's ABN (if any) and address (Ransomware Rules section 7(2)).
  • If another entity made the payment on behalf of the reporting business entity, ensure the template captures that entity's ABN (if any) and address (Ransomware Rules section 7(3)).
  • Include fields for when the incident occurred or is estimated to have occurred (Ransomware Rules section 7(4)(a)).
  • Include fields for when the reporting business entity became aware of the incident (Ransomware Rules section 7(4)(b)).
  • Include fields for the impact of the incident on the reporting business entity's infrastructure (Ransomware Rules section 7(4)(c)).
  • Include fields for the impact of the incident on the reporting business entity's customers (Ransomware Rules section 7(4)(d)).
  • Include fields for what variants (if any) of ransomware or other malware were used (Ransomware Rules section 7(4)(e)).
  • Include fields for what vulnerabilities (if any) in the reporting business entity's system were exploited (Ransomware Rules section 7(4)(f)).
  • Include fields for information that could assist the response to, mitigation, or resolution of the incident by a Commonwealth body or State body (Ransomware Rules section 7(4)(g)).
  • Include fields for the amount or description of the ransomware payment demanded, and the method of provision demanded (Ransomware Rules section 7(5)(a) and (b)).
  • Include fields for the amount or description of the ransomware payment actually made, and the method of provision (Ransomware Rules section 7(6)(a) and (b)).
  • Include fields for the nature and timing of any communications with the extorting entity, a brief description of those communications, and a brief description of any pre-payment negotiations (Ransomware Rules section 7(7)(a), (b), and (c)).
  • Map evidence sources for each report field. Information is only required to the extent the entity knows or is able, by reasonable search or enquiry, to find out within the 72 hour reporting window (Ransomware Rules section 7(1) note).
  • Confirm that outside counsel, insurance brokers, insurers, and any third party negotiators are included in the escalation path and are aware of the 72 hour reporting obligation.
  • Run a tabletop exercise on a ransomware payment scenario at least once every 12 months. Verify that the team can populate and submit the report within 72 hours.
Section 9

9. Enforcement readiness checklist for the Australia Cyber Security Act 2024

The Australia Cyber Security Act 2024 provides the Secretary with a graduated enforcement toolkit for smart device non-compliance: compliance notices (section 17), stop notices (section 18), and recall notices (section 19). The Minister may publicly name entities that fail to comply with a recall notice (section 20). The Act also provides monitoring powers, investigation powers, infringement notices, and civil penalty provisions through the Regulatory Powers (Standard Provisions) Act 2014 (Part 6). Organisations should prepare for enforcement before it happens.

  • Understand the enforcement escalation path: the Secretary issues a compliance notice first (section 17), then a stop notice if the compliance notice is not satisfied (section 18), then a recall notice if the stop notice is not satisfied (section 19).
  • Note that before any notice is given, the Secretary must notify the entity of the intention and give at least 10 days for the entity to make representations (sections 17(3), 18(3), 19(3)).
  • Prepare a response process so that the entity can submit representations within the 10 day minimum period when notified of an intended compliance, stop, or recall notice.
  • Understand that the entity may apply for internal review of a decision to give a compliance, stop, or recall notice within 30 days (section 22(1) and (2)).
  • Prepare for independent examination: the Secretary may engage an appropriately qualified expert to examine the product by opening, operating, testing, analysing, photographing, or video recording it (section 23(1) and (2)).
  • If the Secretary requests the product or statement of compliance for examination, comply within the specified period. The entity is entitled to reasonable compensation for complying with such a request (section 23(5)).
  • Note that the Minister may publish the identity of the entity, product details, non-compliance details, and risk details if the entity fails to comply with a recall notice (section 20).
  • Monitor for changes to the rules that may prescribe additional matters to be included in enforcement notices or published with recall notice non-compliance (sections 17(2)(h), 18(2)(h), 19(2)(h), 20(e)).
  • For ransomware reporting, note the civil penalty of 60 penalty units for failure to submit a report within 72 hours (section 27(5)).
  • Confirm that your entity understands the civil penalty provisions, enforceable undertakings, and injunction powers in Part 6 of the Australia Cyber Security Act 2024 (sections 79 through 83).
  • Note that monitoring powers (section 80) and investigation powers (section 81) apply and are supported by the Regulatory Powers (Standard Provisions) Act 2014.
Section 10

10. Voluntary information sharing and significant incident readiness checklist

Part 4 of the Australia Cyber Security Act 2024 provides a framework for voluntary information sharing with the National Cyber Security Coordinator (NCSC) during significant cyber security incidents. While not mandatory, preparing for this voluntary process is a practical compliance readiness step because many entities that face ransomware scenarios will also face significant incidents. The Act provides strong protections for information shared voluntarily.

  • Understand the definition of a significant cyber security incident: a cyber security incident where there is a material risk that it has seriously prejudiced or could prejudice the social or economic stability of Australia, the defence of Australia, or national security, or is of serious concern to the Australian people (section 34).
  • Designate an internal point of contact for voluntary information sharing with the NCSC. Information may be provided at any time during the response to the incident (section 35(3)(a)).
  • Note that the NCSC may request information but there is no obligation on the entity to provide it (section 35 note after subsection (3)).
  • Review the NCSC's permitted use of voluntarily shared information: the NCSC may use it only for assisting the entity to respond to, mitigate, or resolve the incident, or for a permitted cyber security purpose (section 38(1)).
  • Review the restriction on civil or regulatory action: the NCSC must not use voluntarily shared information to investigate or enforce any civil or regulatory contravention by the impacted entity, except for a contravention of Part 4 itself or a criminal offence (section 38(2)).
  • Note the admissibility protection: voluntarily shared information is not admissible in evidence against the entity in criminal proceedings (other than for false information), civil penalty proceedings (other than under Part 4), or tribunal proceedings (section 42(2)).
  • Document these protections in the incident response playbook so that decision makers can quickly decide whether to share information voluntarily during a significant incident.
  • Confirm that voluntary information sharing under Part 4 does not affect any other requirement to provide information under the Act or another Commonwealth law (section 44).
Section 11

11. Cyber Incident Review Board preparedness checklist

Part 5 of the Australia Cyber Security Act 2024 establishes the Cyber Incident Review Board (CIRB), which may cause reviews to be conducted in relation to cyber security incidents. While organisations cannot predict whether their incidents will be reviewed, understanding the process and protections helps with readiness. The CIRB will not apportion blame or provide the means to determine liability (section 62(2)), but it may request or require documents.

  • Note that the Board's function is to identify factors that contributed to an incident and make recommendations to government and industry about prevention, detection, response, and impact minimisation (section 62(1)(a)).
  • If the Chair requests information or documents under section 48, the entity is not obliged to comply. However, if the Chair requires document production under section 49 (which applies only to non-government entities involved in the incident), failure to comply carries a civil penalty of 60 penalty units (section 50(1)).
  • Understand the exceptions: production of documents is not required if it would prejudice the security or defence of the Commonwealth, intelligence agency capabilities, offence investigation, or the administration of justice (section 50(2)).
  • Note the good faith liability protection for complying with section 49 document production notices (section 74(1) and (2)).
  • Note the admissibility protection: information provided to the Board under section 48, 49, or 51 is not admissible against the entity in criminal, civil penalty, or tribunal proceedings, with exceptions for false information offences and federal court constitutional proceedings (section 58).
  • Confirm that legal professional privilege is preserved when providing information to the Board (section 57).
  • Include CIRB cooperation protocols in your incident response playbook so the entity can respond promptly if the Board selects one of your incidents for review.
Section 12

12. Testing, verification, and ongoing assurance checklist

Compliance with the Australia Cyber Security Act 2024 is not a one-time exercise. Products change, firmware updates ship, new legal entities enter the market, and incident response teams rotate. This section of the checklist covers the recurring verification activities that maintain compliance over time.

  • Schedule regular production sampling to verify that password uniqueness and non-guessability requirements remain met after firmware or software updates.
  • Periodically test the security issue reporting channel to confirm it is still accessible, in English, free of charge, and does not require personal information to access.
  • Monitor the published defined support period for each product. Confirm that it has not been inadvertently shortened and that any extension is published as soon as practicable.
  • Review and update statements of compliance whenever a new product batch is manufactured or a material change to the product is introduced.
  • Conduct an annual review of the reporting business entity determination for each legal entity, accounting for changes in turnover and changes to SOCI Act critical infrastructure asset status.
  • Run a full ransomware payment reporting tabletop exercise at least annually. Measure time to report completion and compare against the 72 hour window.
  • Update the pre-built ransomware payment report template whenever the Ransomware Payment Reporting Rules are amended.
  • Review the Australia Cyber Security Act 2024 rules register on the Federal Register of Legislation for any new or amended rules that change scope, thresholds, or reporting requirements.
  • Track the Secretary's annual report and the Cyber Incident Review Board's published final review reports for enforcement trends and recommended industry practices.
  • Review your enforcement response process and ensure it can handle a compliance notice, stop notice, or recall notice within the timelines specified by the Secretary.
  • Confirm that all compliance roles have designated alternates so that the program continues operating during leave, travel, or personnel changes.
Primary sources

References and citations

  • legislation.gov.au: The primary legislation. Sets the smart device security standard framework (Part 2), ransomware payment reporting obligations (Part 3), voluntary information sharing with the NCSC (Part 4), the Cyber Incident Review Board (Part 5), and enforcement powers (Part 6).
  • legislation.gov.au: Relevant for determining whether an entity is a responsible entity for a critical infrastructure asset, which is one pathway to becoming a reporting business entity under Part 3 of the Australia Cyber Security Act 2024.