
Australia Cyber Security Act Compliance

Use this guide to separate the Cyber Security Act 2024 compliance workstreams that affect connected products, ransomware payment reports, significant cyber incidents, and review-board evidence.

The page focuses on grounded statutory and rules-based requirements. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation.

Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Overview

The Cyber Security Act 2024 is not a single one-size-fits-all cyber checklist. It creates separate compliance work for relevant connectable products, ransomware payment reports, voluntary significant-incident information sharing, and Cyber Incident Review Board interactions. Start by classifying which workstream is triggered, then assign the owner, evidence record, and source-linked action for that workstream.

Section 1

Classify the compliance workstream first

A useful Cyber Security Act compliance plan starts with scope classification. The Act covers mandatory security standards for certain internet-connectable products, reporting after ransomware payments, voluntary information sharing with the National Cyber Security Coordinator for significant cyber security incidents, and Cyber Incident Review Board reviews of certain incidents.

Treat those as separate workstreams. Product teams should not run the ransomware reporting checklist for a smart-device launch, and incident teams should not treat a ransomware payment as only a general security incident if the reporting-business-entity criteria are met.

  • For connected products, identify whether the item is a relevant connectable product that will be acquired in Australia and whether the smart-device rules apply.
  • For ransomware, check whether the entity is a reporting business entity, whether a cyber security incident affected it, and whether it made or became aware of a ransomware payment made on its behalf.
  • For significant incidents, separate voluntary information sharing with the National Cyber Security Coordinator from mandatory reports under other regimes.
  • For post-incident review readiness, preserve incident, response, remediation, and governance records that could support a Cyber Incident Review Board request or referral.
Section 2

Product compliance: smart-device standards and statements

For consumer-grade relevant connectable products, compliance work should produce a product-scope record, security-standard evidence, and a statement of compliance record before supply in Australia. The smart-device rules prescribe security standards for products intended or likely to be used for personal, domestic, or household use or consumption, with listed exclusions such as desktops, laptops, tablets, smartphones, therapeutic goods, road vehicles, and road vehicle components.

The operating record should show who prepared the statement, the product type and batch identifier, manufacturer and authorised-representative details, the compliance declaration, the defined support period, the signatory, and the place and date of issue. Keep the statement record for the prescribed 5-year period.

  • Confirm whether the product is consumer-grade and whether one of the listed excluded product categories applies.
  • Verify password controls: each pre-set password must be unique per product or set by the user, and unique pre-set passwords must not be derived from an incremental counter or be otherwise readily guessable.
  • Publish a clear point of contact for security-issue reports and explain when reporters receive acknowledgement and status updates.
  • Publish the defined support period for security updates as a period with an end date, and do not shorten it after publication.
  • Supply the product with a statement of compliance that meets the smart-device rules and retain it for 5 years.
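As an added illustration (not code from the page, the Act or the smart-device rules), the Python script below audits a constructed export of per-device factory passwords for the two failure modes the password control names: the same password issued to more than one device, and passwords that differ only by an incrementing counter. It also flags passwords that embed the device's own serial number; that is a heuristic this example assumes, not a requirement the page states. Serial numbers and passwords are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: (device serial, factory default password) rows as they
# might appear in a provisioning export. Not real product data.
SAMPLE_BATCH = [
    ("SN-A1001", "cam-0001"),      # counter-derived
    ("SN-A1002", "cam-0002"),      # counter-derived
    ("SN-A1003", "cam-0003"),      # counter-derived
    ("SN-A1004", "Xq7!vT2pLm"),    # duplicated below
    ("SN-A1005", "Xq7!vT2pLm"),    # duplicate of the row above
    ("SN-A1006", "pw-SN-A1006"),   # embeds its own serial (heuristic check)
    ("SN-A1007", "9kR#eW4zQa"),    # acceptable
]

# Splits a password into a non-numeric prefix and a trailing digit run.
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def find_duplicates(batch):
    """Passwords that appear on more than one device in the batch."""
    counts = Counter(pw for _, pw in batch)
    return sorted(pw for pw, n in counts.items() if n > 1)


def find_counter_runs(batch, min_run=3):
    """Prefixes whose trailing numbers form a run of consecutive integers.

    Passwords are grouped by everything before their trailing digits; a group
    is flagged when at least `min_run` of those numbers are consecutive,
    which is the signature of a password derived from an incremental counter.
    `min_run` is an assumed tuning value, not a figure from the rules.
    """
    groups = defaultdict(list)
    for _, pw in batch:
        m = _TRAILING_DIGITS.match(pw)
        if m:
            groups[m.group(1)].append(int(m.group(2)))
    flagged = []
    for prefix, nums in groups.items():
        nums = sorted(set(nums))
        run = best = 1
        for a, b in zip(nums, nums[1:]):
            run = run + 1 if b - a == 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append(prefix)
    return sorted(flagged)


def find_identifier_derived(batch):
    """Serials whose device password contains that serial (case-insensitive).

    Heuristic assumed for this example: a password built from an identifier
    printed on the device is guessable by anyone who can read the label.
    """
    return sorted(serial for serial, pw in batch if serial.lower() in pw.lower())


def audit_batch(batch):
    """Run all checks and return findings keyed by check name."""
    return {
        "duplicates": find_duplicates(batch),
        "counter_prefixes": find_counter_runs(batch),
        "serial_derived": find_identifier_derived(batch),
    }


if __name__ == "__main__":
    for check, hits in audit_batch(SAMPLE_BATCH).items():
        print(f"{check}: {hits or 'none'}")
```

Run it over the real provisioning export before the statement of compliance is signed, and file the output with the security-standard evidence for that product batch; an empty result for every check is the record a reviewer will ask for, and a non-empty one is a blocker for supply.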
Section 3

Incident compliance: ransomware payment reports

A ransomware payment report is not triggered by every cyber incident. The obligation applies where the entity is a reporting business entity, is impacted by a cyber security incident, and has provided a ransomware payment or knows that another entity has provided one on its behalf.

The rules set the turnover threshold at $3 million for the previous financial year, with a pro-rated formula for businesses carried on for only part of that year. They also limit the required report content to information the entity knows or can find out by reasonable search or enquiry within the 72-hour reporting period.

  • Record the basis for reporting-business-entity status: responsible entity for a Part 2B SOCI critical infrastructure asset, or Australian business turnover above the rules threshold.
  • Capture entity contact and business details, including ABN if any and address.
  • Capture incident facts: when the incident occurred or is estimated to have occurred, when the entity became aware, infrastructure and customer impacts, malware variants, exploited vulnerabilities, and information that could assist Commonwealth or State response.
  • Capture demand and payment facts: demanded amount or non-monetary benefit, demanded method of provision, actual payment amount or non-monetary benefit, and actual method of provision.
  • Capture extorting-entity communications, including timing, nature, brief description, and any pre-payment negotiations.
Section 4

Governance evidence for significant incidents and reviews

The Act allows impacted entities to voluntarily provide information to the National Cyber Security Coordinator for significant cyber security incidents, while also limiting how certain information provided under the Act may be used or disclosed. Keep that information-sharing decision separate from mandatory notices under privacy, SOCI, prudential, or customer-contract processes.

For Cyber Incident Review Board readiness, preserve a review-quality record after major incidents: the incident chronology, response decisions, remediation status, external communications, legal privilege handling, and records showing which other investigations or proceedings are active. The Act and the Board rules constrain when a review may be conducted so that it does not interfere with investigations or proceedings, and require public notification once a review is to be conducted.

  • Create one register entry per significant incident that distinguishes voluntary Coordinator information sharing from any mandatory report elsewhere.
  • Track what was shared, who approved it, the permitted cyber security purpose, and any confidentiality or admissibility assumptions that legal reviewers relied on.
  • For potential Board matters, preserve response and remediation evidence without rewriting it into a public-facing narrative before legal and incident leaders review it.
  • Watch for written referrals or information/document requests and route them to legal, security leadership, and the incident owner immediately.
  • Keep SOCI, privacy, prudential, customer, and Cyber Security Act evidence linked but not merged, because each regime may ask different questions about the same incident.
Primary sources

References and citations

  • legislation.gov.au, Cyber Security Act 2024, "A review must not be conducted". Supports review-board purpose, referral consideration, prioritisation factors, terms of reference, non-interference timing, and public notification of reviews.
  • legislation.gov.au, Cyber Security Act 2024, "Information may be voluntarily provided". Supports voluntary significant-incident information sharing with the National Cyber Security Coordinator and Act-level protections and limitations on use, disclosure, and admissibility.
  • legislation.gov.au, Security of Critical Infrastructure Act 2018, "Meaning of critical infrastructure asset". Supports the SOCI cross-reference for responsible entities of critical infrastructure assets when assessing ransomware reporting-business-entity status.