Direct answers on who is covered, what smart device controls are required, what goes into statements of compliance, and when ransomware payment reports are triggered.
Use these answers to route product, supplier, incident-response, and legal review questions against the Act and its 2025 rules.
- Structured answer sets in this page tree.
- Cited legal and guidance references.
The Cyber Security Act 2024 covers several different workflows: security standards for relevant connectable products, statements of compliance, ransomware payment reports, National Cyber Security Coordinator information sharing, and Cyber Incident Review Board reviews. This FAQ separates those workflows so teams can identify the rule, actor, trigger, required evidence, and official source.
These focused FAQ modules break this FAQ into narrower answer sets so teams can move straight to the right source-backed guidance:
- What records to keep for Cyber Security Act 2024 smart-device statements, ransomware payment reports, and supported SOCI or APRA overlap checks.
- FAQ answer on Australia's Cyber Security Act ransomware payment reporting scope, $3 million turnover threshold, 72-hour trigger, report fields, and evidence.
- FAQ answer on Australian Cyber Security Act 2024 statements of compliance for smart devices, including scope, actors, required contents, retention, evidence, and citations.
- FAQ on Australia Cyber Security Act compliance notices, stop notices, recall notices, public notifications, owners, evidence fields, and grounded timing.
- FAQ on when Australia Cyber Security Act ransomware reporting overlaps with SOCI critical infrastructure assets, responsible entities, and smart-device duties.
- Direct FAQ answer on Cyber Security Act 2024 smart-device duties for manufacturers, importers, and suppliers, including scope, statement records, exceptions, and citations.
- FAQ on Cyber Security Act 2024 smart-device scope: relevant connectable products, consumer-grade criteria, exclusions, Australian consumer acquisition, and records to keep.
Part 2 of the Cyber Security Act applies to a relevant connectable product manufactured on or after Part 2 commences, or supplied in Australia on or after that commencement other than as second-hand goods. A relevant connectable product is an internet-connectable product or a network-connectable product unless exempted by rules.
The 2025 Smart Devices Rules currently prescribe the security standard for consumer grade relevant connectable products: products intended by the manufacturer to be used, or likely to be used, for personal, domestic, or household use or consumption, where the product will be acquired in Australia by a consumer.
Manufacturers must manufacture covered relevant connectable products in compliance with the applicable security standard when they are aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in the specified circumstances. Suppliers must not supply a non-compliant covered product in Australia on the same awareness basis.
For consumer grade relevant connectable products, the Smart Devices Rules require password controls, a published security-issue reporting route, and a published defined support period for security updates. Manufacturers must provide a statement of compliance for supply in Australia, and suppliers must supply the product with that statement.
For consumer grade relevant connectable products covered by the Smart Devices Rules, manufacturers and suppliers must retain a copy of the statement of compliance for 5 years. The Act places the retention duty on both the manufacturer that provides the statement and the supplier that supplies the product with it.
The retained record should prove the specific product and batch covered by the statement, who prepared it, who signed it, the declared compliance position, the defined support period at the issue date, and the place and date of issue.
A ransomware payment report is required when a reporting business entity is impacted by a cyber security incident and has provided, or knows another entity has provided on its behalf, a ransomware payment to an entity seeking to benefit from the incident. The report must be given within 72 hours of making the payment or becoming aware that the payment has been made, whichever applies.
The Ransomware Payment Reporting Rules say an entity will generally be a reporting business entity if it is a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies, or if it carries on business in Australia and its annual turnover for the previous financial year exceeds $3 million. If the business operated for only part of the previous financial year, the threshold is prorated using the formula in the Rules.
Use these FAQ answers to assign smart-device scope checks, statement-of-compliance evidence, ransomware reporting intake, and incident-review response tasks inside Sorena:
- Turn FAQ answers into scoped questions, evidence fields, and review tasks.
- Use Research Copilot to answer follow-up questions with cited source material.
- Review product scope, incident triggers, evidence, owners, and next compliance actions with Sorena.
For smart-device obligations under sections 15 and 16, the Secretary may issue a compliance notice when reasonably satisfied that an entity is not complying, or when aware of information suggesting possible non-compliance. Before giving a compliance notice, the Secretary must notify the entity and give a specified period of at least 10 days for representations.
If the entity has received a compliance notice and has not complied, or its rectification is inadequate, the Secretary may issue a stop notice. If the entity then has a stop notice and does not comply, or its rectification remains inadequate, the Secretary may issue a recall notice. If an entity fails to comply with a recall notice, the Minister may publish information about the failure.
The Act allows an impacted entity to voluntarily provide information to the National Cyber Security Coordinator about a significant cyber security incident. The Coordinator's statutory role is to lead whole-of-government coordination and triage of action in response to significant cyber security incidents.
The Act also establishes the Cyber Incident Review Board. The Board causes reviews to be conducted for certain cyber security incidents and makes recommendations to government and industry about actions that could prevent, detect, respond to, or minimise the impact of similar incidents in the future. The Board Rules add procedures for review prioritisation, terms of reference, timing to avoid interfering with investigations, and notification of reviews.