Australia Cyber Security Act 2024 Compliance Guide

The Australia Cyber Security Act 2024 is organised into seven Parts. Part 1 defines core terms including cyber security incident, relevant connectable product, reporting business entity, and permitted cyber security purpose. Part 2 establishes mandatory security standards for smart devices (relevant connectable products). Part 3 imposes ransomware payment reporting obligations on reporting business entities. Part 4 enables voluntary information sharing with the National Cyber Security Coordinator for significant cyber security incidents. Part 5 establishes the Cyber Incident Review Board. Part 6 provides regulatory powers including civil penalties, enforceable undertakings, injunctions, monitoring powers, investigation powers, and infringement notices. Part 7 covers miscellaneous provisions including delegations and rule-making powers.

Three legislative instruments work together. The Cyber Security Act 2024 itself provides the framework. The Cyber Security (Security Standards for Smart Devices) Rules 2025 (F2025L00276) prescribes the detailed security standard for consumer grade relevant connectable products and the requirements for the statement of compliance. The Cyber Security (Ransomware Payment Reporting) Rules 2025 (F2025L00278) sets the turnover threshold at $3 million and prescribes the information content requirements for ransomware payment reports. A compliance program under the Australia Cyber Security Act 2024 must address all three instruments.

The Act applies both within and outside Australia (Section 5) and binds the Crown in each of its capacities (Section 6). It operates concurrently with State and Territory laws (Section 7). This extraterritorial scope means that overseas manufacturers and suppliers whose products are acquired by consumers in Australia must comply with the security standards prescribed under Part 2 of the Australia Cyber Security Act 2024.

The Australia Cyber Security Act 2024 creates obligations for two distinct groups. The first group consists of manufacturers and suppliers of relevant connectable products that will be acquired by consumers in Australia. The second group consists of reporting business entities that make or become aware of a ransomware payment. Compliance professionals must determine whether their organisation falls into one or both groups.

A relevant connectable product is a product that is either an internet-connectable product (capable of connecting to the internet using a protocol from the internet protocol suite) or a network-connectable product (capable of sending and receiving data by electrical or electromagnetic transmission and meeting certain connectivity conditions). The Smart Devices Rules narrow the scope to consumer grade relevant connectable products intended for personal, domestic, or household use. Desktop computers, laptops, tablet computers, smartphones, therapeutic goods, road vehicles, and road vehicle components are explicitly excluded from the current security standard.

A reporting business entity is an entity that, at the time a ransomware payment is made, is either (a) carrying on a business in Australia with an annual turnover for the previous financial year exceeding $3 million, or (b) a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies. Commonwealth bodies and State bodies are excluded from category (a) but critical infrastructure entities are captured regardless of turnover.

An effective Australia Cyber Security Act 2024 compliance program is built around two control lanes that feed a single governance forum. Control Lane 1 covers smart device product security: security standard compliance, statement of compliance preparation and retention, public disclosure of support periods and vulnerability reporting mechanisms, and readiness for enforcement notices. Control Lane 2 covers ransomware incident response: reporting business entity threshold analysis, payment escalation procedures, 72-hour ransomware payment report preparation, and post-incident evidence retention.

Both control lanes should share a common risk register, a common exceptions process, and a common executive reporting cadence. This prevents compliance gaps from being hidden in separate teams and ensures that product security and incident response obligations are governed under a single accountability structure.

Australia Cyber Security Act 2024 compliance breaks down when ownership is shared in theory but not in practice. Each statutory obligation needs a named owner with the authority to stop a product release, request evidence, or trigger executive escalation. The following role assignments reflect the obligations in the Act and the Rules.

For product security, the manufacturer bears primary responsibility. Under Section 15 of the Australia Cyber Security Act 2024, the manufacturer must manufacture the product in compliance with the security standard and comply with all other requirements of the standard (publishing vulnerability reporting information, publishing the defined support period, and ensuring passwords meet the Rules). The supplier bears a secondary but independent obligation under Section 16: the supplier must not supply a non-compliant product and must supply the product with a statement of compliance. Both the manufacturer and the supplier must retain a copy of the statement of compliance for 5 years.

For ransomware reporting, the reporting business entity bears the obligation. But the reporting obligation depends on a payment decision, which means finance and executive leadership must be in the escalation path. The obligation is to report within 72 hours of making the payment or becoming aware that the payment has been made. This requires a clear chain of command that connects the cyber response team to the person who authorises payment and to the person who submits the report.

Schedule 1, Part 1 of the Smart Devices Rules prescribes three categories of security requirements for consumer grade relevant connectable products. Compliance with these requirements is mandatory for all manufacturers who are aware, or could reasonably be expected to be aware, that their product will be acquired by a consumer in Australia. These requirements form the core of the product security control lane under the Australia Cyber Security Act 2024.

The first category is password requirements (Clause 2). Passwords for use with a relevant connectable product must be either unique per product or defined by the user of the product. Passwords that are unique per product must not be based on incremental counters, must not be based on or derived from publicly available information, must not be based on or derived from unique product identifiers (such as serial numbers) unless done using an encryption method or keyed hashing algorithm accepted as part of good industry practice, and must not be otherwise guessable in a manner unacceptable as part of good industry practice. This applies to hardware passwords, pre-installed software passwords, and passwords for software that must be installed for all of the manufacturer's intended purposes.

The second category is vulnerability reporting requirements (Clause 3). The manufacturer must publish at least one point of contact for reporting security issues, the timeframes for acknowledgement of receipt, and status updates until resolution. This information must be accessible, clear, transparent, available in English, free of charge, available without prior request, and available without requesting personal information from the person reporting.

The third category is defined support period and security update requirements (Clause 4). The manufacturer must publish the defined support period, expressed as a period of time with an end date, for which security updates will be provided. The manufacturer must not shorten the defined support period after publication. If the manufacturer extends the period, the new period must be published as soon as is practicable. If the manufacturer offers to supply the product on its website, the defined support period information must be prominently published alongside the main product characteristics.

Section 16 of the Australia Cyber Security Act 2024 requires manufacturers to provide a statement of compliance for the supply of a relevant connectable product in Australia, and requires suppliers to supply the product with that statement. Rule 9 of the Smart Devices Rules prescribes the content requirements for the statement. Rule 10 sets the retention period at 5 years. The statement of compliance is the primary documentary evidence that the regulator will examine when assessing compliance under the Australia Cyber Security Act 2024.

The statement must be prepared by, or on behalf of, the manufacturer. It must include: the product type and batch identifier; the name and address of the manufacturer, an authorised representative of the manufacturer, and each other authorised representative of the manufacturer that is in Australia; a declaration that the statement was prepared by or on behalf of the manufacturer; a declaration that in the opinion of the manufacturer the product was manufactured in compliance with the security standard and the manufacturer has complied with all other obligations in the standard; the defined support period for the product at the date the statement is issued; the signature, name, and function of the signatory of the manufacturer; and the place and date of issue.

Part 3 of the Australia Cyber Security Act 2024 requires a reporting business entity that makes a ransomware payment, or becomes aware that another entity has made a ransomware payment on its behalf, to submit a ransomware payment report to the designated Commonwealth body within 72 hours. Failure to report is a civil penalty of 60 penalty units. The Ransomware Payment Reporting Rules 2025 prescribe the content requirements for the report.

The 72-hour clock starts when the payment is made or when the entity becomes aware that the payment has been made, whichever is applicable. Information is only required to be given to the extent that the reporting business entity knows or is able, by reasonable search or enquiry, to find out within the 72-hour period. This means the compliance program must be designed to gather report-ready information quickly and under pressure.

The report must contain the entity's ABN (if any) and address; the contact and business details of any other entity that made the payment on behalf of the reporting business entity; detailed information about the cyber security incident (when it occurred, when it was detected, the impact on infrastructure, the impact on customers, the ransomware or malware variants used, the vulnerabilities exploited, and any information that could assist Commonwealth or State body response); the amount or quantum of the demand, the method of provision demanded; the amount or quantum of the payment, the method of provision; and the nature, timing, and description of communications with the extorting entity, including any pre-payment negotiations.

The Australia Cyber Security Act 2024 provides a graduated enforcement escalation pathway for smart device obligations. The Secretary may issue a compliance notice (Section 17) if reasonably satisfied that an entity is not complying with Section 15 or 16, or if aware of information suggesting possible non-compliance. If the compliance notice is not complied with, or actions taken are inadequate, the Secretary may issue a stop notice (Section 18). If the stop notice is not complied with or remediation is inadequate, the Secretary may issue a recall notice (Section 19). If the entity fails to comply with the recall notice, the Minister may publicly notify the failure on the Department's website (Section 20).

Before issuing any notice, the Secretary must notify the entity of the intention to issue the notice and give the entity at least 10 days to make representations. Only one notice of each type may be issued for a particular instance of non-compliance. Notices may be varied or revoked under Section 21. An entity may apply for internal review of a notice decision within 30 days (Section 22). The decision-maker must complete the review and affirm, vary, or revoke the decision within 30 days of receiving the application.

The Secretary may also engage an independent expert to examine a product to determine whether it complies with the security standard or whether the statement of compliance meets the requirements (Section 23). The Secretary may request the manufacturer or supplier to provide the product and the statement of compliance for examination. The entity is entitled to reasonable compensation for complying with such a request.

Part 6 of the Australia Cyber Security Act 2024 provides additional regulatory powers. Each civil penalty provision is enforceable through civil penalty orders (Part 4 of the Regulatory Powers Act), enforceable undertakings (Part 6), and injunctions (Part 7). Sections 15 and 16 are also subject to enforceable undertakings. Monitoring powers (Section 80) allow authorised persons to enter non-residential premises with a magistrate's warrant. Investigation powers (Section 81) allow investigation of evidential material related to civil penalty provisions. Infringement notices (Section 82) may be issued for alleged civil penalty contraventions.

The regulator can test the product, request the statement of compliance, and examine whether the statutory requirements were met. This means evidence under the Australia Cyber Security Act 2024 must be versioned, retrievable, and linked to the exact product release or incident event. The best approach is to build an evidence index for each product line and for each incident drill or real incident.

For smart device compliance, the evidence pack should demonstrate compliance with each requirement in Schedule 1 of the Smart Devices Rules. For ransomware reporting compliance, the evidence pack should demonstrate that the organisation has a functioning reporting capability that can meet the 72-hour deadline. Both evidence packs feed into a single audit-ready compliance file for the Australia Cyber Security Act 2024.

The Australia Cyber Security Act 2024 does not reward annual policy reviews. It rewards current, usable controls. The compliance program should be reviewed when products change, when support periods move, when new product lines enter scope, and after incidents or exercises reveal new failure points. The following review cadence keeps the program alive and audit-ready.

The Act itself requires a statutory review before the fifth anniversary of commencement (Section 88), and the Rules may be amended over time. Compliance professionals should monitor the Federal Register of Legislation for amendments to the Act, the Smart Devices Rules, and the Ransomware Payment Reporting Rules.

Part 4 of the Australia Cyber Security Act 2024 enables impacted entities to voluntarily share information about significant cyber security incidents with the National Cyber Security Coordinator. A significant cyber security incident is one that poses a material risk to the social or economic stability of Australia, the defence of Australia, or national security, or that is or could reasonably be expected to be of serious concern to the Australian people (Section 34). The information sharing is voluntary and carries strong protections: information provided under Part 4 may only be used for permitted cyber security purposes, cannot be used for civil or regulatory enforcement against the impacted entity (except for Part 4 contraventions or criminal offences), and is not admissible in evidence against the entity in most proceedings (Section 42).

Part 5 establishes the Cyber Incident Review Board, which conducts reviews of significant cyber security incidents and makes recommendations to government and industry. The Board may request information from entities and may require certain entities to produce documents (with a civil penalty of 60 penalty units for non-compliance). Draft review reports must not be disclosed (Section 59). Final review reports must redact sensitive review information (Section 53). Compliance professionals should understand the Board's powers and prepare for the possibility that their organisation's incidents may be subject to review.

Proactive regulator engagement can reduce the risk of enforcement escalation under the Australia Cyber Security Act 2024. The enforcement pathway is graduated: compliance notice, then stop notice, then recall notice, then public notification. At every stage, the Secretary must give the entity at least 10 days to make representations before issuing a notice. Effective engagement during these representation windows can shape the outcome.

The Australia Cyber Security Act 2024 also provides for enforceable undertakings under Part 6 of the Regulatory Powers Act. An entity can proactively offer undertakings to comply with Sections 15 and 16, or with any civil penalty provision. This mechanism allows an entity to negotiate a structured remediation plan with the Secretary rather than face enforcement proceedings.

For ransomware reporting, the Act includes a good faith liability shield (Section 28). An entity is not liable to an action or other proceeding for damages for an act done or omitted in good faith in compliance with Section 27. This protection extends to officers, employees, and agents of the entity. Legal counsel should ensure that reporting decisions and report content are documented as good faith actions.