Australia Cyber Security Act 2024 Deadlines and Compliance Calendar

Every commencement date, backstop deadline, and recurring compliance checkpoint from the Australia Cyber Security Act 2024 and its subordinate Rules, organized into an operational compliance calendar your teams can follow for product launches, ransomware readiness, and governance.

The Australia Cyber Security Act 2024 deadlines spread across four distinct commencement dates from November 2024 through March 2026, followed by a PJCIS statutory review starting in December 2027. A practical compliance calendar converts those legal anchors into recurring planning cycles.

Author: Sorena AI
Published: Mar 4, 2026
Updated: Mar 4, 2026
Overview

The Australia Cyber Security Act 2024 (No. 98, 2024) uses a staged commencement model. Section 2 of the Act sets out six rows in a commencement table, each tied either to the day after Royal Assent or to a Proclamation with a backstop period of six or twelve months. Two sets of subordinate Rules, the Cyber Security (Security Standards for Smart Devices) Rules 2025 (F2025L00276) and the Cyber Security (Ransomware Payment Reporting) Rules 2025 (F2025L00278), add their own commencement dates on top of the Act. This page lists every Australia Cyber Security Act 2024 deadline, explains the commencement dates for each Part, and provides a compliance calendar that product teams, incident response teams, and legal and governance functions can follow.

Section 1

Royal Assent and immediate commencement on 30 November 2024

The Australia Cyber Security Act 2024 (No. 98, 2024) received Royal Assent on 29 November 2024. The day after Royal Assent, 30 November 2024, triggered the first wave of commencement dates. Part 1 (Preliminary), Part 4 (Coordination of significant cyber security incidents), and Parts 6 and 7 (Enforcement and Miscellaneous) all commenced on 30 November 2024. These are the earliest Australia Cyber Security Act 2024 deadlines and they brought the foundational definitions, the National Cyber Security Coordinator framework, and the enforcement machinery into force.

Part 1 of the Australia Cyber Security Act 2024 establishes core definitions that the rest of the Act relies on, including the meaning of cyber security incident (section 9), permitted cyber security purpose (section 10), relevant connectable product, reporting business entity, and ransomware payment. Part 4 created the framework for voluntary information sharing with the National Cyber Security Coordinator during significant cyber security incidents, together with safe harbour protections in Divisions 2 and 3 that limit secondary use and disclosure of shared information. Parts 6 and 7 activated the civil penalty provisions, enforceable undertakings, injunctions, monitoring and investigation powers, and infringement notices, meaning the enforcement apparatus was live from day one, even before the substantive obligations in Parts 2, 3, and 5 commenced.

  • 29 November 2024: Royal Assent for the Australia Cyber Security Act 2024 (No. 98, 2024). This is the baseline date from which all backstop periods are calculated.
  • 30 November 2024: Part 1 (Preliminary) commenced, bringing into force the definitions of cyber security incident, permitted cyber security purpose, relevant connectable product, reporting business entity, ransomware payment, and all other foundational terms in section 8.
  • 30 November 2024: Part 4 (Coordination of significant cyber security incidents) commenced. The voluntary information sharing framework with the National Cyber Security Coordinator became active. Safe harbour protections under sections 38 through 43 became available to impacted entities that voluntarily share information.
  • 30 November 2024: Parts 6 and 7 (Enforcement and Miscellaneous) commenced. Section 79 applies the Regulatory Powers (Standard Provisions) Act 2014 to civil penalty provisions, enforceable undertakings, and injunctions. Monitoring and investigation powers under Division 3 of Part 6 also became available. The Crown is not liable to a pecuniary penalty for breach of a civil penalty provision (subsection 79(8)).

Section 2

Part 3 and Part 5 commencement on 29 May 2025

Part 3 (Ransomware reporting obligations) and Part 5 (Cyber Incident Review Board) of the Australia Cyber Security Act 2024 each used a conditional commencement model. Each Part was to commence on a single day fixed by Proclamation, but if no Proclamation was issued within 6 months of Royal Assent, both Parts would automatically commence on the day after the end of that period. Column 3 of the commencement table in section 2 records the backstop commencement date as 29 May 2025 for both Part 3 and Part 5.

Part 3 of the Australia Cyber Security Act 2024 introduced Australia's first mandatory ransomware payment reporting obligation. Section 26 defines who is a reporting business entity and what constitutes a ransomware payment. Section 27 requires the reporting business entity to give the designated Commonwealth body a ransomware payment report within 72 hours of making the payment or becoming aware that the payment was made. The civil penalty for failing to report within 72 hours is 60 penalty units (section 27(5)). Part 5 established the Cyber Incident Review Board, which conducts no fault reviews of significant cyber security incidents. The Board Chair can request information (section 48) or require certain entities to produce documents (section 49) under a civil penalty of 60 penalty units for noncompliance. These commencement dates are essential entries in any Australia Cyber Security Act 2024 compliance calendar.

  • 29 May 2025: Part 3 (Ransomware reporting obligations) of the Australia Cyber Security Act 2024 commenced. The 72 hour reporting obligation under section 27(1) became enforceable from this date.
  • 29 May 2025: Part 5 (Cyber Incident Review Board) of the Australia Cyber Security Act 2024 commenced. The Board's powers to conduct no fault reviews and compel document production became active.
  • 29 May 2025: The Cyber Security (Ransomware Payment Reporting) Rules 2025 (F2025L00278) also commenced on this date because their commencement was tied to the later of registration (3 March 2025) and the commencement of Part 3 of the Act.
  • From 29 May 2025, any reporting business entity that makes a ransomware payment faces the 72 hour reporting deadline and a 60 penalty unit civil penalty for noncompliance.
  • From 29 May 2025, entities that receive a notice to produce documents from the Cyber Incident Review Board Chair under section 49 must comply or face a 60 penalty unit civil penalty.
Section 3

Part 2 commencement on 29 November 2025 for smart devices

Part 2 (Security standards for smart devices) of the Australia Cyber Security Act 2024 used a 12 month backstop. If no Proclamation fixed an earlier date, Part 2 would automatically commence on the day after the end of the 12 month period beginning on the day of Royal Assent. Column 3 of the commencement table records this backstop commencement date as 29 November 2025.

Part 2 of the Australia Cyber Security Act 2024 is the legislative foundation for the smart device security standard. Section 14 gives the rules the power to prescribe security standards for specified classes of relevant connectable products. Section 15 requires manufacturers to comply with the security standard and prohibits suppliers from supplying noncompliant products. Section 16 requires manufacturers to provide a statement of compliance and suppliers to supply the product with that statement. Both manufacturers and suppliers must retain the statement of compliance for the period specified in the rules (5 years under section 10 of the Smart Device Rules). The enforcement tools in Division 3 of Part 2, including compliance notices (section 17), stop notices (section 18), and recall notices (section 19), also became available from the 29 November 2025 commencement date. The compliance calendar should note that the enforcement escalation path runs from compliance notice to stop notice to recall notice to public notification of failure to comply with a recall notice (section 20).

  • 29 November 2025: Part 2 (Security standards for smart devices) of the Australia Cyber Security Act 2024 commenced. The power to prescribe security standards under section 14 became active.
  • 29 November 2025: Manufacturer and supplier compliance obligations under sections 15 and 16 commenced. Manufacturers must manufacture products in compliance with the security standard and provide a statement of compliance. Suppliers must not supply noncompliant products and must supply the product with a statement of compliance.
  • 29 November 2025: The enforcement tools in Division 3 of Part 2 became available to the Secretary: compliance notices (section 17), stop notices (section 18), recall notices (section 19), and public notification of recall noncompliance (section 20).
  • 29 November 2025: Internal review rights under section 22 became available. An entity that receives a compliance, stop, or recall notice may apply for internal review within 30 days of receiving the notice.
  • 29 November 2025: The Secretary's power to examine products and statements of compliance under section 23 to assess compliance with the security standard became active.
Section 4

Smart Device Rules full commencement on 4 March 2026

The Cyber Security (Security Standards for Smart Devices) Rules 2025 (F2025L00276) were signed by the Minister for Home Affairs on 27 February 2025 and registered on 4 March 2025. The Rules have their own two stage commencement table. Part 1 (Preliminary) commenced on the day the instrument was registered (4 March 2025). Part 2 (Security standards for smart devices) and Schedule 1 (Security standards) commence on 4 March 2026, which is the day after the end of the 12 month period beginning on the registration date.

The 12 month gap between registration and the commencement of Part 2 and Schedule 1 of the Smart Device Rules was designed to give manufacturers time to update product designs, build password compliance into firmware, set up vulnerability disclosure channels, publish defined support periods, and prepare statements of compliance. The commencement date of 4 March 2026 is the most operationally significant of all Australia Cyber Security Act 2024 deadlines for manufacturers and suppliers of consumer grade relevant connectable products. From this date, all three security standard requirements in Part 1 of Schedule 1 and the statement of compliance obligation become enforceable.

  • 4 March 2025: Part 1 (Preliminary) of the Smart Device Rules commenced on registration day. This brought the definitions, authority provisions, and instrument name into force.
  • 4 March 2026: Part 2 and Schedule 1 of the Smart Device Rules commence. The full security standard for consumer grade relevant connectable products becomes enforceable.
  • 4 March 2026: Clause 2 of Schedule 1 requires that passwords be unique per product or defined by the user. Passwords must not be based on incremental counters, publicly available information, or unencrypted serial numbers.
  • 4 March 2026: Clause 3 of Schedule 1 requires manufacturers to publish at least one contact point for reporting security issues, along with timelines for acknowledgement and status updates. The information must be accessible, clear, transparent, in English, free of charge, and must not require personal information from the reporter.
  • 4 March 2026: Clause 4 of Schedule 1 requires manufacturers to publish the defined support period for security updates, expressed as a period of time with an end date. The manufacturer cannot shorten the defined support period after publication.
  • 4 March 2026: Section 9 of the Rules requires every statement of compliance to include the product type and batch identifier, manufacturer and representative details, compliance declarations, the defined support period at the date of issue, and the signatory's name, function, place, and date.
  • Section 10 of the Rules sets a 5 year retention period for statements of compliance. Both manufacturers and suppliers must retain copies under subsections 16(2) and 16(4) of the Act.
  • The security standard applies to consumer grade relevant connectable products only. Section 8 of the Rules excludes desktops, laptops, tablets, smartphones, therapeutic goods, road vehicles, and road vehicle components.
Section 5

Ransomware payment reporting deadlines under the Australia Cyber Security Act 2024

The 72 hour ransomware payment reporting obligation under section 27(1) of the Australia Cyber Security Act 2024 is event driven. The reporting clock starts when a reporting business entity makes a ransomware payment or becomes aware that a ransomware payment has been made on its behalf. The report must be submitted to the designated Commonwealth body within 72 hours of that trigger. This is one of the most demanding Australia Cyber Security Act 2024 deadlines because it can strike at any time and leaves minimal room for preparation.

The Ransomware Reporting Rules 2025 (F2025L00278) define which businesses are caught by this obligation and what information the report must contain. Section 6 of the Rules sets the annual turnover threshold at $3 million. For businesses that operated for only part of the previous financial year, the threshold is prorated using the formula: $3 million multiplied by the number of days the business operated, divided by the total number of days in the financial year. Any responsible entity for a critical infrastructure asset under Part 2B of the Security of Critical Infrastructure Act 2018 is also a reporting business entity regardless of turnover. Section 7 of the Rules clarifies that information is only required to the extent that the reporting business entity knows or can discover through reasonable search or enquiry within the 72 hour period.

  • 72 hours: Maximum time allowed between making or becoming aware of a ransomware payment and submitting the ransomware payment report to the designated Commonwealth body under section 27(1) of the Act.
  • $3 million: Annual turnover threshold that determines whether a business qualifies as a reporting business entity under section 6 of the Ransomware Reporting Rules 2025. The threshold is prorated for partial year operations.
  • Critical infrastructure entities: Any responsible entity for a critical infrastructure asset under Part 2B of the Security of Critical Infrastructure Act 2018 is a reporting business entity regardless of annual turnover (section 26(2)(b) of the Act).
  • Report contents under section 7 of the Rules: the entity's ABN and address, the other entity's ABN and address, incident timing and impact on infrastructure and customers, ransomware variant and vulnerability details, demand amount and payment method, and a description of communications with the extorting entity including pre-payment negotiations.
  • Civil penalty for late reporting: 60 penalty units under section 27(5) of the Act. However, section 28 provides that a reporting entity is not liable for damages arising from good faith compliance with section 27.
  • Safe harbour: Information in a ransomware payment report may only be used or disclosed for permitted purposes (section 29). The report cannot be used against the reporting entity in most enforcement proceedings (section 32).
Section 6

PJCIS statutory review deadline in December 2027

Section 88 of the Australia Cyber Security Act 2024 requires the Parliamentary Joint Committee on Intelligence and Security (PJCIS) to review the operation of the Act. The PJCIS must begin this review as soon as practicable after 1 December 2027. This review will evaluate how well the Act and its subordinate rules are working and may recommend amendments to the security standard, the reporting thresholds, or the enforcement powers.

Organizations should anticipate that the PJCIS review may result in changes to the Australia Cyber Security Act 2024 deadlines, the scope of the smart device security standard, the ransomware reporting turnover threshold, or the enforcement model. Start documenting compliance evidence, incident response metrics, and product compliance outcomes now so that your organization can contribute meaningfully to any consultation process and be prepared for regulatory changes that may follow the review.

  • 1 December 2027: Earliest date for the PJCIS to begin its statutory review of the Australia Cyber Security Act 2024 under section 88.
  • The review will assess the operation of the entire Act, including smart device security standards, ransomware reporting obligations, the Cyber Incident Review Board, and the National Cyber Security Coordinator framework.
  • Regulatory changes may follow the PJCIS review. Organizations should maintain complete compliance records from 2025 onward to support any submission and to be prepared for amended obligations.
  • Start preparing submission material, compliance metrics, and lessons learned at least 6 months before December 2027.
Section 7

Complete Australia Cyber Security Act 2024 compliance calendar

The following compliance calendar consolidates every statutory commencement date from the Australia Cyber Security Act 2024 and its subordinate Rules into chronological order. This is the master list of Australia Cyber Security Act 2024 deadlines. Use it as the foundation for your internal compliance tracking and add your own operational milestones for product launches, incident readiness exercises, and governance reviews.

Organizations building an Australia Cyber Security Act 2024 compliance calendar should record each of these commencement dates and map them to the specific obligations that become enforceable on that day. The timeline shows four distinct waves of obligations spreading across approximately 16 months from Royal Assent to the Smart Device Rules commencement, plus the PJCIS review date approximately three years after Royal Assent.

  • 29 November 2024: Royal Assent for the Australia Cyber Security Act 2024 (No. 98, 2024). Baseline date for all backstop period calculations.
  • 30 November 2024: Part 1 (Preliminary definitions), Part 4 (National Cyber Security Coordinator), Parts 6 and 7 (Enforcement and Miscellaneous) commenced.
  • 3 March 2025: Ransomware Reporting Rules (F2025L00278) registered on the Federal Register of Legislation.
  • 4 March 2025: Smart Device Rules (F2025L00276) registered. Part 1 (Preliminary) of the Smart Device Rules commenced.
  • 29 May 2025: Part 3 (Ransomware reporting obligations) commenced with the 6 month backstop date. The 72 hour reporting obligation under section 27 became enforceable. The Ransomware Reporting Rules also commenced on this date.
  • 29 May 2025: Part 5 (Cyber Incident Review Board) commenced with the 6 month backstop date. The Board's powers to conduct reviews and compel document production became active.
  • 29 November 2025: Part 2 (Security standards for smart devices) commenced with the 12 month backstop date. The enforcement tools (compliance notices, stop notices, recall notices) became available.
  • 4 March 2026: Part 2 and Schedule 1 of the Smart Device Rules commenced. The three security standard requirements (passwords, vulnerability reporting, defined support periods) and the statement of compliance obligation became enforceable for consumer grade relevant connectable products.
  • 1 December 2027: PJCIS statutory review of the Australia Cyber Security Act 2024 begins under section 88.
Section 8

Operational compliance calendar for product teams

Product teams that manufacture or supply consumer grade relevant connectable products into Australia should build their compliance calendar around the 4 March 2026 commencement date for the Smart Device Rules. Treating 4 March 2026 as a single drop dead date is risky because the security standard requires changes to product design, firmware, manufacturing processes, website content, and supply chain documentation. The Australia Cyber Security Act 2024 deadlines are best managed by working backward from the commencement date and setting internal milestones at regular intervals.

The compliance calendar below assumes a product that is already in development or on the market. If the product has not yet entered development, shift the milestones further back. All milestone dates are illustrative; the key point is that each workstream needs its own lead time and that the milestones should be tracked against the Australia Cyber Security Act 2024 deadlines.

  • Six months before 4 March 2026 (by September 2025): Conduct a scope analysis to confirm whether each product is a consumer grade relevant connectable product under section 8 of the Smart Device Rules. Identify any excluded product categories: desktops, laptops, tablets, smartphones, therapeutic goods under the Therapeutic Goods Act 1989, road vehicles and road vehicle components under the Road Vehicle Standards Act 2018. Document the assessment and retain it for audit.
  • Five months before 4 March 2026 (by October 2025): Review every product model for password compliance under clause 2 of Schedule 1. Passwords must be unique per product or defined by the user. Remove any factory default passwords that are shared across products, based on incremental counters, derived from publicly available information, or derived from serial numbers without encryption or a keyed hashing algorithm accepted as good industry practice.
  • Four months before 4 March 2026 (by November 2025): Set up a public vulnerability reporting contact point for each product as required by clause 3 of Schedule 1. The published information must include at least one contact point, along with timelines for receipt acknowledgement and status updates. The information must be accessible, clear, transparent, available without a prior request, published in English, provided free of charge, and must not require personal information from the reporter.
  • Three months before 4 March 2026 (by December 2025): Determine and publish the defined support period for security updates for each product as required by clause 4 of Schedule 1. The support period must be expressed as a period of time with an end date. Once published, the defined support period cannot be shortened. It can only be extended, and any extension must be published as soon as practicable.
  • Two months before 4 March 2026 (by January 2026): Draft statements of compliance for each product class. Under section 9 of the Rules, the statement must include the product type and batch identifier, the names and addresses of the manufacturer and all authorised representatives (including those in Australia), declarations that the statement was prepared by or on behalf of the manufacturer and that the product complies with the security standard, the defined support period at the date of issue, and the signatory's name, function, place, and date of issue.
  • One month before 4 March 2026 (by February 2026): Run an internal audit against all three security standard requirements and the statement of compliance requirements. Test that the statement template is complete, that the defined support period is published on product pages, that the vulnerability reporting page is live and includes acknowledgement timelines, and that passwords have been updated across all product batches.
  • 4 March 2026 (commencement day): All consumer grade relevant connectable products manufactured on or after this date, and all such products supplied (other than as second hand goods) on or after this date, must comply with the security standard. Every supply must include a statement of compliance. Begin the 5 year retention clock for each statement issued.
  • Quarterly after 4 March 2026: Review support period accuracy (no shortening; update the published end date if extended), confirm update delivery against the support period commitment, verify that the vulnerability reporting channel is operational and responding within published timelines, and archive copies of all statements of compliance for the 5 year retention period.
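
A batch audit for the clause 2 password conditions listed in the October 2025 milestone above, as an added example that is not part of the original guide or of the Rules. The manifest fields (`serial`, `mac`, `password`), the detection heuristics, and the choice of HMAC-SHA256 as the keyed hash are assumptions, and the sample units are constructed.

```python
import base64
import hashlib
import hmac
import re
from collections import Counter, defaultdict

SHARED = "shared across products"
INCREMENTAL = "based on an incremental counter"
PUBLIC = "derived from publicly available information"
SERIAL = "derived from serial number without keyed hashing"

# Constructed demo key; a real factory key would be held in an HSM or KMS.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _norm(value):
    """Lowercase and drop separators so 'AA:BB' and 'aabb' compare equal."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def derive_password(factory_key, serial, length=16):
    """Per-unit default password: keyed hash (HMAC-SHA256) of the serial."""
    digest = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    return base64.b32encode(digest).decode()[:length]


def audit(units):
    """Return {serial: sorted list of findings} for a provisioning manifest."""
    findings = {u["serial"]: set() for u in units}
    counts = Counter(u["password"] for u in units)

    # Group passwords of the form <prefix><number> to spot counters.
    counters = defaultdict(dict)
    for u in units:
        m = re.fullmatch(r"(.*?)(\d+)", u["password"])
        if m:
            counters[m.group(1)][int(m.group(2))] = u["serial"]
    for numbers in counters.values():
        for n, serial in numbers.items():
            if n - 1 in numbers or n + 1 in numbers:
                findings[serial].add(INCREMENTAL)

    for u in units:
        pw, serial, mac = _norm(u["password"]), _norm(u["serial"]), _norm(u["mac"])
        if counts[u["password"]] > 1:
            findings[u["serial"]].add(SHARED)
        # Public information: here only the MAC address (assumed to be on the label).
        if mac and mac in pw:
            findings[u["serial"]].add(PUBLIC)
        # Serial in the clear, its last six characters, or an unkeyed digest of it.
        unkeyed = any(
            len(pw) >= 8
            and hashlib.new(algo, u["serial"].encode()).hexdigest().startswith(pw)
            for algo in ("md5", "sha1", "sha256")
        )
        if serial in pw or serial[-6:] in pw or unkeyed:
            findings[u["serial"]].add(SERIAL)
    return {s: sorted(f) for s, f in findings.items()}


def sample_manifest():
    """Constructed provisioning records covering each failure mode and one pass."""
    rows = [
        ("SN1000001", "02:00:00:00:00:01", "admin"),
        ("SN1000002", "02:00:00:00:00:02", "admin"),
        ("SN2000001", "02:00:00:00:00:03", "cam-0001"),
        ("SN2000002", "02:00:00:00:00:04", "cam-0002"),
        ("SN3000001", "02:00:00:00:00:05", "SN3000001"),
        ("SN4000001", "02:00:00:00:00:06",
         hashlib.sha256(b"SN4000001").hexdigest()[:12]),
        ("SN5000001", "02:00:00:00:00:07", "020000000007"),
        ("SN6000001", "02:00:00:00:00:08", derive_password(DEMO_KEY, "SN6000001")),
    ]
    return [{"serial": s, "mac": m, "password": p} for s, m, p in rows]


if __name__ == "__main__":
    for serial, issues in audit(sample_manifest()).items():
        print(serial, "OK" if not issues else "; ".join(issues))
```

A clean result from these heuristics is evidence for the internal audit file, not proof of compliance: a password derived from the serial by an obfuscation the script does not model would pass unnoticed.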
Section 9

Operational compliance calendar for ransomware incident readiness

The 72 hour ransomware payment reporting obligation under the Australia Cyber Security Act 2024 is event driven rather than calendar driven. However, the compliance calendar should still include recurring readiness checks. A 72 hour deadline is extremely tight for preparing a report that must include incident details, demand details, payment details, entity information, ransomware variant details, vulnerability details, and a description of all communications with the extorting entity. Organizations that do not rehearse their reporting workflow will almost certainly struggle to meet the Australia Cyber Security Act 2024 deadlines for ransomware payment reporting.

The compliance calendar for ransomware readiness should start from the commencement date of 29 May 2025 and continue indefinitely. The readiness activities below apply to any reporting business entity, meaning any entity carrying on a business in Australia with annual turnover exceeding $3 million (or the prorated amount for a partial year), and any responsible entity for a critical infrastructure asset under Part 2B of the Security of Critical Infrastructure Act 2018.

  • 29 May 2025 (commencement of Part 3 and the Ransomware Reporting Rules): Confirm whether the organization meets the reporting business entity definition. Review ABN details, annual turnover against the $3 million threshold, and any critical infrastructure asset responsibilities under the Security of Critical Infrastructure Act 2018.
  • Within one month of 29 May 2025 (by June 2025): Prepare a standing ransomware payment report template that includes all fields required by section 7 of the Ransomware Reporting Rules. The template should cover the entity's ABN and address, the other entity's ABN and address, when the incident occurred or is estimated to have occurred, when the entity became aware, the impact on infrastructure and customers, ransomware variants and malware used, vulnerabilities exploited, information that could assist response or mitigation, demand amount and method, payment amount and method, and the nature, timing, and description of communications with the extorting entity including pre-payment negotiations.
  • Quarterly from July 2025: Review the reporting business entity analysis. Turnover may change year to year, and critical infrastructure asset designations may be updated. Keep the threshold analysis current so there is no ambiguity about whether the 72 hour obligation applies.
  • At least annually (starting by May 2026): Run a tabletop exercise that walks through the full 72 hour reporting path. The exercise should include the decision to pay or not pay, the evidence capture process, the report preparation workflow, the role of external legal advisers (noting that legal professional privilege is preserved under section 31), and the submission method in the form approved by the Secretary.
  • After any real ransomware event: Conduct a post incident review of the reporting process. Verify that the 72 hour clock was correctly calculated from the time of payment or awareness of payment. Review evidence capture quality and completeness of the report. Update the standing template if any fields were difficult to complete under pressure.
  • Ongoing: Maintain a current field owner list for each section of the report template. Designate who is responsible for providing entity details, incident details, demand details, payment details, and communication records so that the 72 hour window is not consumed by internal confusion about data ownership.
Section 10

Compliance calendar for the Cyber Incident Review Board

Part 5 of the Australia Cyber Security Act 2024 established the Cyber Incident Review Board with a commencement date of 29 May 2025. While Part 5 does not create recurring compliance deadlines for private sector entities in the same way as Parts 2 and 3, it does create the power for the Board Chair to request information (section 48) or require the production of documents (section 49). Failure to comply with a section 49 notice carries a civil penalty of 60 penalty units. Disclosure of information from a draft review report received under section 51 also carries a 60 penalty unit civil penalty (section 59). Organizations should include Board related readiness activities in their Australia Cyber Security Act 2024 compliance calendar.

The Board conducts no fault reviews of significant cyber security incidents. The reviews produce recommendations for government and industry about actions that could prevent, detect, respond to, or minimize the impact of similar incidents in the future. Draft review reports are shared with affected entities before final reports are issued. Certain information must be redacted from published final reports (section 53). The compliance calendar should ensure that the organization has an internal process for handling Board requests and protecting confidential review materials.

  • 29 May 2025 (commencement of Part 5): Confirm that the organization has a process for receiving and responding to document production requests from the Cyber Incident Review Board Chair.
  • Annually from 29 May 2025: Review the internal handling procedure for Board document requests. Verify that the designated contact person is current, that legal professional privilege claims can be made promptly under section 57, and that confidential review materials will be stored securely.
  • If the organization receives a notice to produce documents under section 49: Respond within the timeframe specified in the notice. The civil penalty for noncompliance is 60 penalty units. Exceptions exist if production would prejudice the security, defence, or international relations of the Commonwealth, or the capabilities of an intelligence agency.
  • If the organization receives a draft review report under section 51: Do not disclose any information in the draft report. The civil penalty for unauthorized disclosure is 60 penalty units under section 59. Use the information only for the purpose of preparing a submission to the Board in accordance with section 51.
Section 11

Building your Australia Cyber Security Act 2024 compliance calendar

An effective Australia Cyber Security Act 2024 compliance calendar combines all of the commencement dates listed above with recurring operational checkpoints. The commencement dates are the legal anchors, but the compliance calendar must also include internal milestones, periodic reviews, training refreshers, and governance reporting cycles. Without recurring reviews, governance meetings, and readiness exercises, the compliance program will decay between statutory deadlines.

The Australia Cyber Security Act 2024 compliance calendar should be owned by a designated compliance function and reviewed at least quarterly. Each entry should have a responsible owner, a due date, and a clear deliverable. Treat missed compliance calendar entries the same way you treat missed audit findings: escalate, remediate, and track to closure.

  • Statutory dates: Enter all commencement dates (30 November 2024, 4 March 2025, 29 May 2025, 29 November 2025, 4 March 2026) and the PJCIS review date (1 December 2027) as fixed milestones in your compliance calendar.
  • Product scope assessments: Complete the relevant connectable product classification for every product before the first Australian launch after 4 March 2026.
  • Password, vulnerability reporting, and defined support period compliance reviews: Schedule these quarterly after 4 March 2026.
  • Statement of compliance preparation and issuance: Track issuance for each product class and start the 5 year retention clock on each statement.
  • Ransomware payment report template reviews: Schedule quarterly from 29 May 2025 to keep the template current with organizational changes and any updates to the Rules.
  • Tabletop exercises for 72 hour ransomware reporting: Schedule at least one per year, with the first held by May 2026.
  • Reporting business entity threshold analysis: Update at the start of each financial year using the previous year's turnover against the $3 million threshold.
  • Cyber Incident Review Board document production readiness: Review annually to ensure the contact person, legal privilege procedures, and confidential storage are current.
  • Enforcement notice response procedures: Document the 30 day internal review window under section 22 and refresh the procedure annually.
  • Legal refresh: Review the Federal Register of Legislation at least quarterly for amendments to the Act, new or amended Rules, and updated guidance from the Department of Home Affairs.
  • Governance reporting: Schedule annual board of directors or senior leadership briefings on Australia Cyber Security Act 2024 compliance calendar status, open items, and any enforcement actions or Board reviews affecting the organization.
Primary sources

References and citations

legislation.gov.au
Referenced sections
  • Primary source for the ransomware reporting commencement linkage to Part 3, the $3 million annual turnover threshold (section 6), the prorated threshold formula for partial year operations, and the detailed information requirements for ransomware payment reports (section 7). Authorised Version registered 3 March 2025.
legislation.gov.au
Referenced sections
  • Primary source for the 4 March 2025 and 4 March 2026 commencement dates, the three Schedule 1 security standard requirements (clause 2 passwords, clause 3 vulnerability reporting, clause 4 defined support periods), the statement of compliance requirements (section 9), the 5 year retention period (section 10), and the excluded product categories (section 8). Authorised Version registered 4 March 2025.
legislation.gov.au
Referenced sections
  • Primary source for the section 2 commencement table, Part 2 smart device obligations (sections 14-24), Part 3 ransomware reporting (sections 26-32 including the 72 hour deadline and 60 penalty unit civil penalty), Part 4 National Cyber Security Coordinator (sections 33-44), Part 5 Cyber Incident Review Board (sections 45-77), Part 6 enforcement powers (sections 78-83), and the PJCIS statutory review (section 88). Replaced Authorised Version registered 28 January 2026.