---
title: "How do notices and recalls work under the Australia Cyber Security Act?"
canonical_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls"
source_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls"
author: "Sorena AI"
description: "FAQ on Australia Cyber Security Act compliance notices, stop notices, recall notices, public notifications, owners, evidence fields, and grounded timing."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Australia Cyber Security Act notices"
  - "Australia Cyber Security Act recalls"
  - "smart device recall notice"
  - "compliance notice"
  - "stop notice"
  - "Australia Cyber Security Act"
  - "Smart device notices"
  - "Recall notices"
  - "Compliance"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# How do notices and recalls work under the Australia Cyber Security Act?

FAQ on Australia Cyber Security Act compliance notices, stop notices, recall notices, public notifications, owners, evidence fields, and grounded timing.

*FAQ* *Australia* *Notices and recalls*

## Australia Cyber Security Act notices and recalls

The Australia Cyber Security Act uses compliance notices, stop notices, and recall notices to enforce smart-device obligations under sections 15 and 16.

Use this FAQ to identify the trigger, actor, required notice fields, response window, evidence fields, and public-notification risk without mixing the issue with ransomware reporting or Security of Critical Infrastructure Act duties.

Notices and recalls under the Australia Cyber Security Act are smart-device enforcement tools. They apply to entities that must comply with section 15 or 16 obligations for relevant connectable products, including manufacturer compliance with a security standard and supplier statement-of-compliance duties.

## What triggers Australia Cyber Security Act compliance, stop, and recall notices?

A compliance notice can be issued by the Secretary when an entity that must comply with section 15 or 16 is not complying, or when information suggests possible non-compliance. A response record should start with the product, the relevant connectable product class, the security-standard requirement, the manufacturer or supplier role, and the specific section 15 or 16 obligation at issue.

A stop notice is the next escalation. It depends on a prior compliance notice and the Secretary being reasonably satisfied that the compliance notice was not met or that attempted remediation was inadequate.

A recall notice is a further escalation after a stop notice. It can be issued where the stop notice was not met or remediation remains inadequate for the same section 15 or 16 non-compliance.

- Responsible actor: the entity that must comply with the section 15 or 16 obligation, usually the manufacturer or supplier for the affected smart device.
- Trigger evidence: the non-compliance or possible non-compliance, the applicable security-standard requirement, and any compliance-notice or stop-notice history.
- Grounded timing: before giving a compliance, stop, or recall notice, the Secretary must give the entity a representation period that is not shorter than 10 days.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text?ref=sorena.io) - Sections 17, 18, and 19 establish the compliance-notice, stop-notice, and recall-notice escalation path for section 15 or 16 smart-device obligations.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Section 8 and the simplified outline identify the consumer-grade relevant connectable products covered by the security standard and the manufacturer and supplier obligations that enforcement notices can attach to.

## What can an Australia Cyber Security Act recall notice require?

A recall notice must identify the entity, give brief details of the non-compliance, and specify the action the entity must take. The action can require the entity to stop the product being acquired in Australia, stop the product being supplied to suppliers for supply in Australia, or arrange return of the product to the entity or to the manufacturer.

The notice must also specify a reasonable period for the action. If the Secretary considers it appropriate, the notice can also specify a reasonable period for the entity to provide evidence that the action was taken. The notice must explain what may happen if the entity does not comply and how the entity may seek review.

- Assign the recall response to a product owner who can stop Australian acquisition or supply, plus a manufacturer or supplier contact who can arrange product return.
- Track the notice fields exactly: entity name, product details, non-compliance, required action, action period, evidence period if included, consequences, and review route.
- Keep the recall scope tied to the particular instance of non-compliance because the Act says only one recall notice may be given for a particular instance.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text?ref=sorena.io) - Section 19 lists the mandatory recall-notice contents, the available recall actions, evidence period language, review explanation, and one-notice-per-instance limit.

## What becomes public if an entity fails to comply with a recall notice?

If an entity fails to comply with a recall notice, the Minister may publish information on the Department's website or another way the Minister considers appropriate. The Act lists the identity of the entity, product details, non-compliance details, and risks posed by the product relating to the non-compliance.

The 2025 Smart Devices Rules add that the public notification may include details of the recall notice and actions consumers are recommended to consider, such as destroying the product or taking extra precautions when using it.

- Publication-risk evidence: entity identity, affected product identifiers, non-compliance description, product risk explanation, recall-notice details, and recommended consumer actions.
- Consumer messaging owner: product, legal, and security teams should reconcile recall wording against the Secretary's notice and the Minister's possible public-notification fields.
- Do not add unsupported deadlines. The grounded timing here is the notice's specified reasonable period and any evidence period set in the notice.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text?ref=sorena.io) - Section 20 identifies what the Minister may publish after failure to comply with a recall notice.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Section 11 adds recall-notice details and recommended consumer actions to the matters that may be published after recall-notice non-compliance.

## Primary sources

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text?ref=sorena.io) - Primary source for sections 17 to 20: compliance notices, stop notices, recall notices, representation periods, recall actions, and public notification after failure to comply.
  - Quote: "Public notification of failure to comply with recall notice"
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Primary source for the consumer-grade relevant connectable product security standard and the additional public-notification matters for recall-notice non-compliance.
  - Quote: "Matters to be published with notification of failure to comply with recall notice"

## Topic Guides

- [Australia Cyber Security Act 2024 scope and definitions](/artifacts/apac/australia-cyber-security-act/scope-and-definitions.md): Grounded scope guide for Australia's Cyber Security Act 2024: relevant connectable products, consumer-grade smart devices, reporting business entities, ransomware payment reports, and SOCI overlap.
- [Australia Cyber Security Act and SOCI Act overlap](/artifacts/apac/australia-cyber-security-act/security-of-critical-infrastructure-act-overlap.md): How the Australia Cyber Security Act overlaps with the Security of Critical Infrastructure Act for responsible entities, ransomware payment reporting, smart devices, and evidence records.
- [Australia Cyber Security Act Applicability Test](/artifacts/apac/australia-cyber-security-act/applicability-test.md): Decide whether the Australia Cyber Security Act 2024 applies to a smart-device product, supplier, manufacturer, or ransomware payment reporting scenario.
- [Australia Cyber Security Act Compliance Checklist](/artifacts/apac/australia-cyber-security-act/checklist.md): Concrete checklist items for Australian Cyber Security Act smart-device and ransomware duties, with SOCI and APRA CPS 234 evidence checks.
- [Australia Cyber Security Act Compliance Guide](/artifacts/apac/australia-cyber-security-act/compliance.md): A source-linked compliance guide for Australia Cyber Security Act smart-device statements, ransomware payment reporting, incident coordination, and review-board readiness.
- [Australia Cyber Security Act Deadlines and Compliance Calendar](/artifacts/apac/australia-cyber-security-act/deadlines-and-compliance-calendar.md): Calendar of grounded Australia Cyber Security Act milestones for ransomware reporting, smart-device security standards, statements of compliance, and statutory review.
- [Australia Cyber Security Act FAQ](/artifacts/apac/australia-cyber-security-act/faq.md): Answers to Australia Cyber Security Act questions on smart device scope, statements of compliance, ransomware reports, enforcement notices, and incident review.
- [Australia Cyber Security Act penalties and fines](/artifacts/apac/australia-cyber-security-act/penalties-and-fines.md): Grounded guide to Australia Cyber Security Act civil penalties, smart-device enforcement notices, ransomware reporting exposure, Board notice failures, and evidence records.
- [Australia Cyber Security Act recordkeeping FAQ](/artifacts/apac/australia-cyber-security-act/faq/recordkeeping.md): What records to keep for Cyber Security Act 2024 smart-device statements, ransomware payment reports, and supported SOCI or APRA overlap checks.
- [Australia Cyber Security Act Requirements](/artifacts/apac/australia-cyber-security-act/requirements.md): Australia Cyber Security Act requirements for smart-device security standards, statements of compliance, ransomware payment reports, notices, and evidence records.
- [Australia Cyber Security Act Statement of Compliance Evidence](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence.md): Evidence guide for Australia Cyber Security Act smart-device statements of compliance: required fields, manufacturer and supplier records, five-year retention, and examination readiness.
- [Australia Cyber Security Act templates](/artifacts/apac/australia-cyber-security-act/templates.md): Grounded template fields for Australia Cyber Security Act smart-device scope, statements of compliance, ransomware reports, notices, SOCI overlap, and records.
- [Australia Cyber Security Act Timeline And Commencement Guide](/artifacts/apac/australia-cyber-security-act/timeline-and-commencement.md): Australia Cyber Security Act guidance for Timeline And Commencement, with practical decisions, evidence, edge cases, and external source citations.
- [Australia Cyber Security Act vs EU Cyber Resilience Act](/artifacts/apac/australia-cyber-security-act/australia-cyber-security-act-vs-eu-cyber-resilience-act.md): Compare Australia's Cyber Security Act 2024 with the EU Cyber Resilience Act across smart-device duties, ransomware reporting, product-with-digital-elements scope, actors, records, and enforcement routes.
- [Australia Cyber Security Act vs UK PSTI Act Guide](/artifacts/apac/australia-cyber-security-act/australia-cyber-security-act-vs-uk-psti-act.md): Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime.
- [Australia ransomware payment reporting 72-hour duty](/artifacts/apac/australia-cyber-security-act/ransomware-payment-reporting-72-hours.md): Explain when Australia's Cyber Security Act 2024 requires a ransomware payment report, when the 72-hour clock starts, and what information the report must contain.
- [Australia Smart Device Security Standards under the Cyber Security Act](/artifacts/apac/australia-cyber-security-act/smart-device-security-standards.md): Plain-English guide to Australia's Cyber Security (Security Standards for Smart Devices) Rules 2025: scope, passwords, vulnerability reporting, support periods, statements of compliance, and evidence records.
- [Australia Smart Device Statement of Compliance Evidence Workflow](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence-workflow.md): Evidence workflow for preparing, supplying, and retaining statements of compliance under Australia's Cyber Security Act 2024 and Smart Devices Rules.
- [CSA 2024 Ransomware Payment Reporting Workflow](/artifacts/apac/australia-cyber-security-act/ransomware-payment-reporting-workflow.md): Operational workflow for Australia Cyber Security Act 2024 ransomware payment reports: scope, 72-hour trigger, report fields, owners, evidence, and cited Act and Rules sources.
- [CSA 2024 Ransomware Threshold & Report FAQ](/artifacts/apac/australia-cyber-security-act/faq/ransomware-payment-threshold-and-report-content.md): FAQ answer on Australia's Cyber Security Act ransomware payment reporting scope, $3 million turnover threshold, 72-hour trigger, report fields, and evidence.
- [CSA 2024 Smart Device Applicability Test](/artifacts/apac/australia-cyber-security-act/smart-device-applicability-and-product-scope.md): Check whether a smart device is a consumer-grade relevant connectable product under Australia's Cyber Security Act and Smart Devices Rules.
- [CSA 2024 Smart Device Statement of Compliance](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-and-recordkeeping.md): What a smart-device statement of compliance must contain under Australia's Cyber Security Act 2024 and Smart Device Rules, who prepares and supplies it, how long to retain it, and how to prepare for examination.
- [Cyber Security Act 2024 Smart Device Compliance Checklist](/artifacts/apac/australia-cyber-security-act/smart-device-compliance-checklist.md): Checklist for Australia Cyber Security Act 2024 smart-device scope, password controls, vulnerability reporting, security-update support periods, statements of compliance, retention, and evidence.
- [Cyber Security Act 2024 Statements of Compliance FAQ](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md): FAQ answer on Australian Cyber Security Act 2024 statements of compliance for smart devices, including scope, actors, required contents, retention, evidence, and citations.
- [Cyber Security Act vs EU CRA: scope and obligations comparison](/artifacts/apac/australia-cyber-security-act/cyber-security-act-vs-eu-cyber-resilience-act.md): Compare Australia's Cyber Security Act 2024 with the EU Cyber Resilience Act across smart-device duties, ransomware reporting, product-with-digital-elements scope, actors, records, and enforcement routes.
- [Cyber Security Act vs UK PSTI Act: device security obligations compared](/artifacts/apac/australia-cyber-security-act/cyber-security-act-vs-uk-psti-act.md): Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime.
- [How does the Australia Cyber Security Act overlap with the SOCI Act?](/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap.md): FAQ on when Australia Cyber Security Act ransomware reporting overlaps with SOCI critical infrastructure assets, responsible entities, and smart-device duties.
- [Manufacturer, Importer, and Supplier Duties under Australia's Cyber Security Act 2024](/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations.md): Direct FAQ answer on Cyber Security Act 2024 smart-device duties for manufacturers, importers, and suppliers, including scope, statement records, exceptions, and citations.
- [Smart Device Applicability: CSA 2024](/artifacts/apac/australia-cyber-security-act/smart-device-applicability-workflow.md): A source-linked workflow for deciding whether a connected product is covered by Australia's Cyber Security Act 2024 smart-device standard and what evidence to keep.
- [SOCI overlap triage workflow for Australia Cyber Security Act](/artifacts/apac/australia-cyber-security-act/soci-overlap-triage-workflow.md): Triage SOCI Act overlap with Australia Cyber Security Act ransomware reporting and smart-device standards using separate owners, evidence, and source-linked scope checks.
- [Which smart devices are in scope under Australia's Cyber Security Act 2024?](/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope.md): FAQ on Cyber Security Act 2024 smart-device scope: relevant connectable products, consumer-grade criteria, exclusions, Australian consumer acquisition, and records to keep.

*Recommended next step*

*Placement: after the FAQ answers*

## Prepare a grounded Australia Cyber Security Act notice response

Use Sorena to turn a compliance notice, stop notice, or recall notice into product scope, owners, evidence fields, response deadlines, and consumer-notification review tasks.

- [Open Assessment Autopilot for Australia Cyber Security Act](/solutions/assessment.md): Turn a notice or recall trigger into scoped questions, evidence fields, owners, and response tasks.
- [Review Australia Cyber Security Act source evidence](/solutions/research-copilot.md): Use Research Copilot to check the Act, Smart Devices Rules, and cited notice requirements.
- [Talk through implementation](/contact.md): Review notice scope, recall evidence, product owners, and next response actions with Sorena.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls