---
title: "Australia Cyber Security Act FAQ"
canonical_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq"
source_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/items"
author: "Sorena AI"
description: "Answers to Australia Cyber Security Act questions on smart device scope, statements of compliance, ransomware reports, enforcement notices, and incident review."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Australia Cyber Security Act"
  - "smart device security standards"
  - "ransomware payment reporting"
  - "statement of compliance"
  - "FAQ"
  - "Smart devices"
  - "Ransomware reporting"
---

# Australia Cyber Security Act FAQ

Answers to Australia Cyber Security Act questions on smart device scope, statements of compliance, ransomware reports, enforcement notices, and incident review.


## Australia Cyber Security Act FAQ

Direct answers on who is covered, what smart device controls are required, what goes into statements of compliance, and when ransomware payment reports are triggered.

Use these answers to route product, supplier, incident-response, and legal review questions against the Act and its 2025 rules.

The Cyber Security Act 2024 covers several different workflows: security standards for relevant connectable products, statements of compliance, ransomware payment reports, National Cyber Security Coordinator information sharing, and Cyber Incident Review Board reviews. This FAQ separates those workflows so teams can identify the rule, actor, trigger, required evidence, and official source.

## Browse sub-FAQ modules

### [Australia Cyber Security Act recordkeeping FAQ](/artifacts/apac/australia-cyber-security-act/faq/recordkeeping.md)

What records to keep for Cyber Security Act 2024 smart-device statements, ransomware payment reports, and supported SOCI or APRA overlap checks.

- 3 items

### [CSA 2024 Ransomware Threshold & Report FAQ](/artifacts/apac/australia-cyber-security-act/faq/ransomware-payment-threshold-and-report-content.md)

FAQ answer on Australia's Cyber Security Act ransomware payment reporting scope, $3 million turnover threshold, 72-hour trigger, report fields, and evidence.

- 3 items

### [Cyber Security Act 2024 Statements of Compliance FAQ](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md)

FAQ answer on Australian Cyber Security Act 2024 statements of compliance for smart devices, including scope, actors, required contents, retention, evidence, and citations.

- 4 items

### [How do notices and recalls work under the Australia Cyber Security Act?](/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls.md)

FAQ on Australia Cyber Security Act compliance notices, stop notices, recall notices, public notifications, owners, evidence fields, and grounded timing.

- 3 items

### [How does the Australia Cyber Security Act overlap with the SOCI Act?](/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap.md)

FAQ on when Australia Cyber Security Act ransomware reporting overlaps with SOCI critical infrastructure assets, responsible entities, and smart-device duties.

- 3 items

### [Manufacturer, Importer, and Supplier Duties under Australia's Cyber Security Act 2024](/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations.md)

Direct FAQ answer on Cyber Security Act 2024 smart-device duties for manufacturers, importers, and suppliers, including scope, statement records, exceptions, and citations.

- 3 items

### [Which smart devices are in scope under Australia's Cyber Security Act 2024?](/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope.md)

FAQ on Cyber Security Act 2024 smart-device scope: relevant connectable products, consumer-grade criteria, exclusions, Australian consumer acquisition, and records to keep.

- 3 items


## All FAQ items


### [What records should teams keep under the Australia Cyber Security Act 2024?](/artifacts/apac/australia-cyber-security-act/faq/recordkeeping.md#what-records-should-teams-keep-under-the-australia-cyber-security-act-2024)

*Module: [Australia Cyber Security Act recordkeeping](/artifacts/apac/australia-cyber-security-act/faq/recordkeeping.md)*

For smart devices, keep the statement of compliance and the product evidence behind it for the rule-backed retention period. The Security Standards for Smart Devices Rules say the statement must identify the product type and batch, manufacturer and Australian authorised representatives, compliance declarations, defined support period, signatory details, and place and date of issue; the same rules set a five-year retention period for those statements.

- Smart-device evidence: product and batch identifier, manufacturer details, authorised representatives in Australia, compliance declaration, defined support period, signatory, place and date of issue, and the retained statement.
- Ransomware report evidence: reporting-entity analysis, incident timing and awareness timing, infrastructure and customer impact, ransomware or malware variant, exploited vulnerabilities, demand amount or benefit, payment amount or benefit, method of provision, and communications with the extorting entity.
- Overlap evidence: record SOCI status only where the entity is a responsible entity for a Part 2B critical infrastructure asset, and record APRA status only where the organization is APRA-regulated under CPS 234.

Sources for this answer:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Supports the smart-device statement contents and the five-year retention period for statements of compliance.
- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/asmade/text?ref=sorena.io) - Supports the ransomware report content fields and the reasonable-search limit within the 72-hour reporting period.
- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text?ref=sorena.io) - Supports the Cyber Security Act Part 3 duty to give a ransomware payment report within 72 hours.

### [What ransomware payment evidence should the record contain?](/artifacts/apac/australia-cyber-security-act/faq/recordkeeping.md#what-ransomware-payment-evidence-should-the-record-contain)

*Module: [Australia Cyber Security Act recordkeeping](/artifacts/apac/australia-cyber-security-act/faq/recordkeeping.md)*

The ransomware record should be built around the report fields, not around a generic incident summary. The Act requires the report to cover contact and business details for the reporting entity or another payer, the cyber security incident and its impact, the extortion demand, the ransomware payment, and communications with the extorting entity.

- Keep a dated trigger note showing when the payment was made or when the organization became aware another entity paid on its behalf.
- Preserve the facts that were known or reasonably searchable inside the 72-hour window, plus a later correction trail if more facts were found after submission.
- Keep evidence of any SOCI reporting-business-entity limb separately from ordinary turnover analysis, because the rules identify responsible entities for Part 2B critical infrastructure assets as a distinct path into the ransomware duty.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text?ref=sorena.io) - Supports the ransomware payment trigger, 72-hour timing, and statutory report categories.
- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/asmade/text?ref=sorena.io) - Supports the detailed report fields for incident, demand, payment, ABN/address, and communications evidence.
- [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/Details/C2018A00029?ref=sorena.io) - Supports SOCI scoping where the ransomware reporting test depends on whether an entity is responsible for a critical infrastructure asset.

### [How should teams handle SOCI and APRA overlap in recordkeeping?](/artifacts/apac/australia-cyber-security-act/faq/recordkeeping.md#how-should-teams-handle-soci-and-apra-overlap-in-recordkeeping)

*Module: [Australia Cyber Security Act recordkeeping](/artifacts/apac/australia-cyber-security-act/faq/recordkeeping.md)*

Do not merge every Australian cyber record into the Cyber Security Act file. SOCI overlap is supported where the ransomware rules refer to responsible entities for critical infrastructure assets to which Part 2B of the SOCI Act applies. APRA overlap is supported only for APRA-regulated entities, because CPS 234 separately requires notification to APRA for material information security incidents and material control weaknesses.

- Mark SOCI overlap only when the affected entity or asset analysis shows a responsible entity for a Part 2B critical infrastructure asset.
- Mark APRA overlap only when the incident involves an APRA-regulated entity subject to CPS 234; keep APRA notification evidence separate from the Cyber Security Act ransomware payment report.
- Do not use a smart-device statement file as evidence for ransomware reporting unless it actually proves a required ransomware report fact.

Sources for this answer:

- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/asmade/text?ref=sorena.io) - Supports the SOCI overlap boundary in the ransomware reporting-business-entity test.
- [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/Details/C2018A00029?ref=sorena.io) - Supports the SOCI responsible-entity terminology used for critical-infrastructure overlap checks.
- [APRA Prudential Standard CPS 234 Information Security](https://www.legislation.gov.au/Details/F2018L01745?ref=sorena.io) - Supports APRA overlap only for APRA-regulated entities with CPS 234 incident or control-weakness notification duties.

### [When does Australia's Cyber Security Act require a ransomware payment report?](/artifacts/apac/australia-cyber-security-act/faq/ransomware-payment-threshold-and-report-content.md#when-does-australias-cyber-security-act-require-a-ransomware-payment-report)

*Module: [CSA 2024 Ransomware Threshold & Report](/artifacts/apac/australia-cyber-security-act/faq/ransomware-payment-threshold-and-report-content.md)*

The trigger is not every ransomware incident. Part 3 applies where a cyber security incident has had, is having, or could reasonably be expected to have a direct or indirect impact on a reporting business entity; an extorting entity makes a demand to benefit from the incident or its impact; and the reporting business entity provides, or knows another entity has provided on its behalf, a payment or benefit directly related to that demand.

- Scope evidence: entity status, whether it carries on business in Australia, prior-financial-year turnover, any partial-year calculation, and whether it is a responsible entity for a Part 2B critical infrastructure asset.
- Incident evidence: why the event is treated as a cyber security incident and how it directly or indirectly impacted the reporting business entity.
- Payment evidence: the extortion demand, who paid or provided the benefit, whether the payment was made on behalf of the reporting business entity, and when the entity made the payment or became aware it had been made.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text?ref=sorena.io) - Supports the ransomware-reporting trigger, 72-hour timing, and required report-content categories in sections 26 and 27.
- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/asmade/versions?ref=sorena.io) - Supports the $3 million turnover threshold and the partial-year threshold formula for reporting business entities.
- [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/Details/C2018A00029?ref=sorena.io) - Supports the responsible-entity limb for critical infrastructure assets that are brought into the ransomware reporting test.

### [What must an Australian ransomware payment report contain within 72 hours?](/artifacts/apac/australia-cyber-security-act/faq/ransomware-payment-threshold-and-report-content.md#what-must-an-australian-ransomware-payment-report-contain-within-72-hours)

*Module: [CSA 2024 Ransomware Threshold & Report](/artifacts/apac/australia-cyber-security-act/faq/ransomware-payment-threshold-and-report-content.md)*

The reporting business entity must give the designated Commonwealth body a ransomware payment report within 72 hours of making the ransomware payment or becoming aware that the ransomware payment has been made, whichever applies.

- Keep a 72-hour clock record showing whether time started from making the payment or from becoming aware that another entity made it on the reporting business entity's behalf.
- Keep a reasonable-search log for report fields that were known, found, estimated, or unavailable within the 72-hour period.
- Keep the filed report, submission confirmation, incident notes, payment authorization trail, extortion communications, and any later correction or supplemental information together.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text?ref=sorena.io) - Supports the 72-hour reporting trigger and the Act-level report categories in section 27.
- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/asmade/versions?ref=sorena.io) - Supports the required ABN, address, incident, demand, payment, and communications details for section 27 reports.

### [Which evidence gaps create risk for this Australia ransomware payment FAQ?](/artifacts/apac/australia-cyber-security-act/faq/ransomware-payment-threshold-and-report-content.md#which-evidence-gaps-create-risk-for-this-australia-ransomware-payment-faq)

*Module: [CSA 2024 Ransomware Threshold & Report](/artifacts/apac/australia-cyber-security-act/faq/ransomware-payment-threshold-and-report-content.md)*

The risky pattern is answering the FAQ with only an incident-response policy or a payment approval note. The grounded answer needs the reporting-business-entity scope analysis, the threshold calculation, the 72-hour clock, and a report-content inventory tied to the Act and Rules.

- Missing threshold proof: no previous-financial-year turnover record, no partial-year formula record, or no evidence for critical-infrastructure responsible-entity status.
- Missing clock proof: no timestamp for payment, no timestamp for awareness of a payment made by another entity, or no record explaining why the 72-hour period started when it did.
- Missing report-content proof: no ABN/address details, incident timing and awareness record, customer and infrastructure impact notes, malware and vulnerability findings, demand and payment method details, or extortion-communications log.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text?ref=sorena.io) - Supports the scope test for a reportable ransomware payment and the report obligation imposed on a reporting business entity.
- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/asmade/versions?ref=sorena.io) - Supports the evidence checklist by prescribing the turnover threshold and detailed report-content requirements.

### [What should teams do about statements of compliance under the Cyber Security Act 2024?](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md#what-should-teams-do-about-statements-of-compliance-under-the-cyber-security-act-2024)

*Module: [Cyber Security Act 2024 Statements of Compliance](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md)*

For covered smart devices, the manufacturer must provide a statement of compliance for supply in Australia, and the supplier must supply the product in Australia with that statement. Both manufacturer and supplier must retain a copy for the period set by the rules.

- Classify the product against the consumer-grade relevant connectable product scope and listed exclusions before drafting the statement.
- Map the actor role: manufacturer prepares or authorises the statement; supplier supplies the product with the statement and retains its copy.
- Tie the statement to the security-standard evidence for passwords, vulnerability-reporting information, and published defined support periods where those Schedule 1 duties apply.
- Keep the statement available for regulator review because the Secretary may request the product, the statement of compliance, or both for an independent examination.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text/1/pdf?ref=sorena.io) - Section 16 establishes manufacturer and supplier statement-of-compliance duties for relevant connectable products supplied in Australia.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Section 8 defines the current covered class as consumer-grade relevant connectable products and lists exclusions.

### [What must an Australian smart-device statement of compliance contain?](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md#what-must-an-australian-smart-device-statement-of-compliance-contain)

*Module: [Cyber Security Act 2024 Statements of Compliance](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md)*

For statements of compliance with the security standard in Part 1 of Schedule 1 to the Smart Devices Rules, the statement must be prepared by, or on behalf of, the product manufacturer. It must identify the product and responsible parties, record manufacturer declarations, name the defined support period, and include execution details.

- Product type and batch identifier.
- Name and address of the manufacturer, an authorised representative of the manufacturer, and any other Australian authorised representatives.
- Declaration that the statement was prepared by, or on behalf of, the manufacturer.
- Manufacturer opinion that the product was manufactured in compliance with the security-standard requirements and that the manufacturer complied with other security-standard obligations for the product.
- Defined support period for the product at the date the statement is issued.
- Signature, name, and function of the manufacturer signatory, plus place and date of issue.

Sources for this answer:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Schedule 1 defines the support-period concept that must appear in the statement.

### [What evidence and retention should teams keep for statements of compliance?](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md#what-evidence-and-retention-should-teams-keep-for-statements-of-compliance)

*Module: [Cyber Security Act 2024 Statements of Compliance](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md)*

Keep the statement for five years for the consumer-grade relevant connectable product security standard covered by the Smart Devices Rules. The retention file should allow a reviewer to connect the signed statement to the product batch, the manufacturer role, the supplier handoff, and the underlying security-standard controls.

- Retain the issued statement version, date and place of issue, signatory details, product type, and batch identifier for five years.
- Keep scope evidence showing why the product is covered or excluded, including consumer-grade use analysis and any exclusion relied on.
- Keep control evidence for passwords, security-issue reporting, and defined support periods where those Schedule 1 requirements apply.
- Keep supplier evidence showing the statement accompanied the product in Australia, plus records of any corrections or replacement statements.
- Keep examination-readiness records so the product, statement, or both can be produced if requested in writing by the Secretary.

Sources for this answer:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Section 10 sets the retention period for covered statements of compliance at five years.
- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text/1/pdf?ref=sorena.io) - Section 23 supports keeping examination-ready product and statement records because the Secretary may request them for an independent examination.

### [Which mistakes create risk for statements of compliance?](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md#which-mistakes-create-risk-for-statements-of-compliance)

*Module: [Cyber Security Act 2024 Statements of Compliance](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md)*

The main risk is treating the statement as a broad cyber compliance memo rather than a product-specific statutory statement tied to the smart-device security standard. Another risk is relying on the manufacturer's statement but failing to retain supplier-side proof that the statement accompanied products supplied in Australia.

- Using the statement for products outside the current covered class without recording the scope analysis.
- Omitting the defined support period, signatory function, batch identifier, or Australian authorised-representative details required by the rules.
- Keeping only engineering test evidence and not the actual issued statement.
- Treating the five-year retention period as a manufacturer-only obligation when section 16 also gives suppliers a copy-retention duty.
- Publishing or supplying product information that conflicts with the support period recorded in the statement.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text/1/pdf?ref=sorena.io) - Section 16 assigns statement supply and copy-retention duties to both manufacturers and suppliers.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Schedule 1 requires the defined support period to be published and prevents shortening after publication.

### [What triggers Australia Cyber Security Act compliance, stop, and recall notices?](/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls.md#what-triggers-australia-cyber-security-act-compliance-stop-and-recall-notices)

*Module: [How do notices and recalls work under the Australia Cyber Security Act?](/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls.md)*

The Secretary may issue a compliance notice when an entity that must comply with section 15 or 16 is not complying, or when information suggests possible non-compliance. A response record should begin with the product, the relevant connectable product class, the security-standard requirement, the manufacturer or supplier role, and the specific section 15 or 16 obligation at issue.

- Responsible actor: the entity that must comply with the section 15 or 16 obligation, usually the manufacturer or supplier for the affected smart device.
- Trigger evidence: the non-compliance or possible non-compliance, the applicable security-standard requirement, and any compliance-notice or stop-notice history.
- Grounded timing: before giving a compliance, stop, or recall notice, the Secretary must give the entity a representation period that is not shorter than 10 days.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text?ref=sorena.io) - Sections 17, 18, and 19 establish the compliance-notice, stop-notice, and recall-notice escalation path for section 15 or 16 smart-device obligations.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Section 8 and the simplified outline identify the consumer-grade relevant connectable products covered by the security standard and the manufacturer and supplier obligations that enforcement notices can attach to.

### [What can an Australia Cyber Security Act recall notice require?](/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls.md#what-can-an-australia-cyber-security-act-recall-notice-require)

*Module: [How do notices and recalls work under the Australia Cyber Security Act?](/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls.md)*

A recall notice must identify the entity, give brief details of the non-compliance, and specify the action the entity must take. The action can require the entity to stop the product being acquired in Australia, stop the product being supplied to suppliers for supply in Australia, or arrange return of the product to the entity or to the manufacturer.

- Assign the recall response to a product owner who can stop Australian acquisition or supply, plus a manufacturer or supplier contact who can arrange product return.
- Track the notice fields exactly: entity name, product details, non-compliance, required action, action period, evidence period if included, consequences, and review route.
- Keep the recall scope tied to the particular instance of non-compliance because the Act says only one recall notice may be given for a particular instance.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text?ref=sorena.io) - Section 19 lists the mandatory recall-notice contents, the available recall actions, evidence period language, review explanation, and one-notice-per-instance limit.

### [What becomes public if an entity fails to comply with a recall notice?](/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls.md#what-becomes-public-if-an-entity-fails-to-comply-with-a-recall-notice)

*Module: [How do notices and recalls work under the Australia Cyber Security Act?](/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls.md)*

If an entity fails to comply with a recall notice, the Minister may publish information on the Department's website or in another way the Minister considers appropriate. The Act lists the identity of the entity, product details, details of the non-compliance, and the risks the product poses in relation to the non-compliance.

- Publication-risk evidence: entity identity, affected product identifiers, non-compliance description, product risk explanation, recall-notice details, and recommended consumer actions.
- Consumer messaging owner: product, legal, and security teams should reconcile recall wording against the Secretary's notice and the Minister's possible public-notification fields.
- Do not add unsupported deadlines. The grounded timing here is the notice's specified reasonable period and any evidence period set in the notice.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text?ref=sorena.io) - Section 20 identifies what the Minister may publish after failure to comply with a recall notice.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Section 11 adds recall-notice details and recommended consumer actions to the matters that may be published after recall-notice non-compliance.

### [How does the Australia Cyber Security Act overlap with the Security of Critical Infrastructure Act?](/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap.md#how-does-the-australia-cyber-security-act-overlap-with-the-security-of-critical-infrastructure-act)

*Module: [How does the Australia Cyber Security Act overlap with the SOCI Act?](/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap.md)*

The Cyber Security Act does not supersede the Security of Critical Infrastructure Act 2018 (SOCI Act). It imports SOCI concepts for a critical infrastructure asset and a responsible entity, and its ransomware payment reporting regime expressly covers a responsible entity for a critical infrastructure asset to which SOCI Act Part 2B applies.

- Confirm whether the affected system is a critical infrastructure asset under SOCI Act materials.
- Identify whether the organisation is the responsible entity for that asset.
- If a ransomware payment was made by, or on behalf of, that entity, assess the Cyber Security Act ransomware report obligation alongside SOCI Part 2B incident notification.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest?ref=sorena.io) - Defines critical infrastructure asset and responsible entity by reference to the SOCI Act and sets when responsible entities for Part 2B assets are reporting business entities.
- [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/Details/C2018A00029?ref=sorena.io) - Primary SOCI source for the critical infrastructure asset, responsible entity, and Part 2B cyber security incident notification concepts referenced by the Cyber Security Act.
- [Security of Critical Infrastructure (Application) Rules 2022](https://www.legislation.gov.au/F2022L00562/2022-04-06/text/original/word?ref=sorena.io) - Application Rules source for checking whether SOCI Act Part 2 or Part 2B applies before treating the organisation as in the critical-infrastructure overlap path.

### [What should be separated from SOCI overlap?](/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap.md#what-should-be-separated-from-soci-overlap)

*Module: [How does the Australia Cyber Security Act overlap with the SOCI Act?](/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap.md)*

Do not merge the smart-device product regime into the SOCI overlap analysis. Cyber Security Act Part 2 applies to relevant connectable products and product supply obligations. SOCI overlap for this FAQ is about critical infrastructure assets, responsible entities, SOCI Part 2B incident notification, and Cyber Security Act ransomware payment reporting.

- Smart-device check: relevant connectable product, manufacture or supply in Australia, security standard, and statement of compliance.
- SOCI overlap check: critical infrastructure asset, responsible entity, and whether SOCI Part 2B applies.
- Ransomware check: cyber security incident, extortion demand, payment or benefit, reporting business entity status, and report content.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest?ref=sorena.io) - Primary legislation for the ransomware report-content categories: business details, cyber security incident impact, demand, payment, and communications.
- [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/Details/C2018A00029?ref=sorena.io) - Primary SOCI source for keeping critical infrastructure asset and responsible entity analysis separate from product-supply smart-device duties.

### [What evidence should support the SOCI overlap answer?](/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap.md#what-evidence-should-support-the-soci-overlap-answer)

*Module: [How does the Australia Cyber Security Act overlap with the SOCI Act?](/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap.md)*

Keep a short overlap record that proves the asset, entity, incident, and payment analysis. The useful record is factual: which asset was affected, why SOCI Part 2B was or was not relevant, who the responsible entity was, whether a ransomware payment was made, and which report-content fields could be completed within the reporting window.

- Asset and role evidence: SOCI asset classification, responsible-entity reasoning, and any application-rule note used.
- Incident evidence: incident timing, impact on the entity or asset, and the information known or reasonably findable when the report is made.
- Payment evidence: demand, amount or non-monetary benefit, method of provision, communications, and whether another entity paid on the reporting business entity's behalf.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest?ref=sorena.io) - Primary legislation for the report content categories to preserve when a SOCI responsible entity is also a reporting business entity.
- [Security of Critical Infrastructure (Application) Rules 2022](https://www.legislation.gov.au/F2022L00562/2022-04-06/text/original/word?ref=sorena.io) - Application Rules source for documenting whether the SOCI Part 2B overlap assumption was checked against the relevant application rule.

### [What do manufacturers, importers, and suppliers have to do under Australia's Cyber Security Act 2024?](/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations.md#what-do-manufacturers-importers-and-suppliers-have-to-do-under-australias-cyber-security-act-2024)

*Module: [Manufacturer, Importer, and Supplier Duties under Australia's Cyber Security Act 2024](/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations.md)*

Manufacturers must comply with the applicable security standard for a relevant connectable product in a covered class when they are aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in the specified circumstances (under the current Rules, acquisition by a consumer). The Smart Device Rules target consumer-grade relevant connectable products, with listed exclusions for desktops and laptops, tablets, smartphones, therapeutic goods, road vehicles, and road vehicle components.

- Manufacturer duty: confirm the product class, build against the password, vulnerability-reporting, and defined-support-period requirements, and issue a statement of compliance in the required form for Australian supply.
- Supplier duty: do not supply a covered product in Australia when aware, or reasonably expected to be aware, that it does not comply with the standard; supply it with the statement of compliance, and keep the retained statement record for the retention period.
- Importer triage: record whether the importer manufactures, supplies, or only handles logistics; apply the manufacturer or supplier duties only when the facts support that role.
- Exception check: confirm whether the product is outside the Rules because it is not consumer-grade, will not be acquired by a consumer in Australia, or is one of the product exclusions listed in section 8 of the Smart Device Rules.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/text?ref=sorena.io) - Official Act source for the manufacturer and supplier duties in sections 15 and 16, including compliance, non-supply, statement-of-compliance, and retention obligations.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Official Rules source for consumer-grade relevant connectable product scope, listed product exclusions, statement contents, and the five-year statement retention period.

### [What records should prove the manufacturer, importer, or supplier role?](/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations.md#what-records-should-prove-the-manufacturer-importer-or-supplier-role)

*Module: [Manufacturer, Importer, and Supplier Duties under Australia's Cyber Security Act 2024](/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations.md)*

Keep records that show why the product and actor were placed inside or outside the smart-device obligations. The useful evidence set is a product-scope file, a role file, a security-standard file, and a statement-of-compliance file, not a generic compliance memo.

- Product-scope evidence: product type, batch identifier, intended use, consumer acquisition analysis, connection capability, and any section 8 exclusion relied on.
- Role evidence: manufacturer identity, authorised representative details, Australian supplier or importer entity, contracts or purchase orders showing who supplies the product in Australia, and the basis for any out-of-scope conclusion.
- Security-standard evidence: password design proof, security-issue reporting contact and acknowledgement/update process, published defined support period, and security-update publication records.
- Statement evidence: issued statement of compliance, signatory name and function, issue date and place, defined support period at issue, retention owner, and retrieval path for regulator requests or independent examination.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/text?ref=sorena.io) - Official Act source for statement-of-compliance duties, retention by manufacturers and suppliers, and the Secretary's power to request a product or statement for examination.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Official Rules source for the required statement fields and five-year retention period for statements of compliance.

### [Which edge cases should be escalated before supply in Australia?](/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations.md#which-edge-cases-should-be-escalated-before-supply-in-australia)

*Module: [Manufacturer, Importer, and Supplier Duties under Australia's Cyber Security Act 2024](/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations.md)*

Escalate cases where the supply-chain label does not match the legal role. An offshore OEM, Australian distributor, online marketplace seller, local importer, and reseller may each need a separate manufacturer-or-supplier assessment based on who manufactures, who supplies in Australia, and who knows or should know the product will be acquired in Australia by a consumer.

- Do not call a product exempt just because it is sold to a business; the Rules use the Australian Consumer Law consumer concept and the specified circumstance of acquisition by a consumer.
- Do not publish the defined support period only on a regulatory page; where product information or main characteristics are published on a manufacturer-controlled website, publish the support period there as well so a consumer can find it before acquisition.
- Do not ship without a statement record simply because the manufacturer is overseas; the supplier duty still turns on supply in Australia of a covered product with the required statement.
- Do not shorten a published defined support period; if it is extended, publish the new period as soon as practicable.

Sources for this answer:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Official Rules source for consumer-grade scope, excluded products, support-period publication requirements, and the rule that a published defined support period must not be shortened.
- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/text?ref=sorena.io) - Official Act source for the awareness standard attached to manufacturer and supplier duties when products will be acquired in Australia in specified circumstances.

### [Which smart devices are in scope under Australia's Cyber Security Act 2024?](/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope.md#which-smart-devices-are-in-scope-under-australias-cyber-security-act-2024)

*Module: [Which smart devices are in scope under Australia's Cyber Security Act 2024?](/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope.md)*

Start with the product. Under the Act, a relevant connectable product is an internet-connectable product or a network-connectable product that is not exempted under the rules. Internet-connectable means capable of connecting to the internet using a communication protocol in the internet protocol suite to send and receive data. Network-connectable covers products that can send and receive data by electrical or electromagnetic transmission, are not internet-connectable, and meet the Act's direct-connection tests.

- In scope: an internet-connectable or network-connectable product, not exempted by rules, that fits the consumer-grade personal, domestic, or household class and will be acquired in Australia by a consumer.
- Examples identified in the explanatory statement include smart TVs, smart watches, home assistants, baby monitors, and consumer energy resources.
- Do not rely only on the product name. Record connectivity, manufacturer's intended purpose, likely household use, sales channel, and Australian consumer acquisition facts.
- If the product is connectable but not consumer-grade, or the acquisition circumstance is missing, record that the current Smart Devices Rules scope has not been met rather than forcing the product into scope.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/Details/C2024A00098?ref=sorena.io) - Supports the relevant connectable product definition and the internet-connectable and network-connectable product tests.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/Details/F2025L00276?ref=sorena.io) - Supports the consumer-grade class, Australian consumer acquisition circumstance, and product exclusions for the current smart-device security standard.
- [Explanatory Statement to the Smart Devices Rules 2025](https://www.legislation.gov.au/Details/F2025L00276/Explanatory%20Statement/Text?ref=sorena.io) - Provides official examples of consumer-grade smart devices discussed for the Rules.

## FAQ Pagination

- Canonical index (page 1): [/artifacts/apac/australia-cyber-security-act/faq/items](/artifacts/apac/australia-cyber-security-act/faq/items.md)
- Current page: 1 of 2

Pages: [1](/artifacts/apac/australia-cyber-security-act/faq/items.md) | [2](/artifacts/apac/australia-cyber-security-act/faq/items/page/2.md)

[Next page](/artifacts/apac/australia-cyber-security-act/faq/items/page/2.md)


## Turn Australia Cyber Security Act FAQ answers into assigned work

Use these FAQ answers to assign smart-device scope checks, statement-of-compliance evidence, ransomware reporting intake, and incident-review response tasks inside Sorena.

- [Open Assessment Autopilot for Australia Cyber Security Act](/solutions/assessment.md): Turn FAQ answers into scoped questions, evidence fields, and review tasks.
- [Review Australia Cyber Security Act source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up questions with cited source material.
- [Talk through Australia Cyber Security Act implementation](/contact.md): Review product scope, incident triggers, evidence, owners, and next compliance actions with Sorena.

---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/items
