Australia Cyber Security Act 2024 Penalties and Fines

The Australia Cyber Security Act 2024 penalties are expressed in penalty units, not dollar amounts. The value of one Commonwealth penalty unit is set by section 4AA of the Crimes Act 1914 and equals AUD 330 for contraventions occurring on or after 7 November 2024. The Cyber Security Act 2024 received Royal Assent on 29 November 2024, so every contravention under this Act uses the AUD 330 rate. That value is subject to indexation and may increase from 1 July 2026.

The Act contains six express civil penalty provisions, all set at 60 penalty units. At AUD 330 per unit, 60 penalty units equals AUD 19,800 per contravention for an individual. Under section 82(5) of the Regulatory Powers (Standard Provisions) Act 2014, if the triggering legislation does not specify a separate body corporate penalty, the maximum for a body corporate is five times the stated amount. This multiplier raises the effective maximum to 300 penalty units or AUD 99,000 per contravention for a body corporate. These are maximum penalties. A court determines the actual amount based on circumstances, conduct, and harm.

Section 87(2)(a) of the Act expressly prevents the rules from creating additional offences or civil penalties. Only the primary legislation can establish penalty provisions, so these six are the complete set. The penalty unit value applies to both civil penalty order proceedings and infringement notice calculations. An infringement notice penalty is typically one fifth of the maximum court penalty, meaning approximately 12 penalty units (AUD 3,960) for an individual per contravention.

For Part 2 product obligations, the Secretary operates a staged enforcement path. Each stage escalates the response and the consequences. Businesses that treat early notices as routine correspondence, rather than serious escalation events, risk finding themselves at the recall stage faster than expected.

The Act limits each notice type to one per particular instance of non-compliance. This means the Secretary cannot issue multiple compliance notices for the same problem. But each new product or each new standard failure can start its own enforcement chain independently.

The most significant Australia Cyber Security Act 2024 penalty for day-to-day operations is the 60 penalty unit fine for failure to submit a ransomware payment report within 72 hours (section 27). At the current rate, this penalty equals AUD 19,800 for an individual and up to AUD 99,000 for a body corporate. The reporting obligation applies to reporting business entities, which are entities carrying on business in Australia with annual turnover exceeding AUD 3 million in the previous financial year, or entities that are responsible for a critical infrastructure asset under Part 2B of the Security of Critical Infrastructure Act 2018.

The Ransomware Payment Reporting Rules 2025 prescribe the AUD 3 million threshold. For partial-year businesses, the threshold is pro-rated using the formula: AUD 3 million multiplied by the number of days in operation divided by the total days in the financial year. The 72-hour clock starts from the moment the ransomware payment is made or the moment the reporting business entity becomes aware that the payment has been made, whichever is applicable.

Importantly, section 27(6) disapplies subsection 93(2) of the Regulatory Powers Act for this contravention. This means the standard reasonable steps defence is not available for ransomware reporting failures under the Australia Cyber Security Act 2024. The entity cannot argue that it took reasonable steps to prevent the contravention. Section 28 provides a good faith safe harbour: an entity is not liable for damages for acts done or omitted in good faith in compliance with the reporting obligation, but this does not reduce the civil penalty itself.

The Act creates civil penalties for unauthorized use or disclosure of protected information across three separate Parts. Each provision targets non-Commonwealth officers who handle sensitive, confidential, or commercially sensitive information obtained under the Act. Commonwealth officers who misuse protected information face criminal offences under the Criminal Code, not civil penalties.

These civil penalty provisions are triggered when the information is sensitive information about an individual disclosed without consent, confidential or commercially sensitive information, or information whose disclosure would damage Commonwealth security, defence, or international relations. Understanding these categories is essential because the trigger is about the nature of the information, not just the act of disclosure.

The civil penalty provisions sit inside the Regulatory Powers (Standard Provisions) Act 2014, which gives enforcement authorities a toolkit well beyond the penalty amount itself. The Secretary and appointed SES employees can pursue civil penalty orders through the Federal Court of Australia, the Federal Circuit and Family Court (Division 2), and State or Territory courts with appropriate jurisdiction.

Enforcement also extends to enforceable undertakings for all civil penalty provisions and for sections 15 and 16 (smart device security standards). This means the Secretary can accept formal compliance commitments even where no civil penalty has been imposed. Monitoring powers under Part 2 of the Regulatory Powers Act apply to all civil penalty provisions and smart device standards, but cannot be exercised against residential premises.

The Act builds in multiple procedural protections. Before issuing any enforcement notice (compliance, stop, or recall), the Secretary must notify the entity of the intent to issue the notice and provide at least 10 days for the entity to make representations. This pre-notice representation right applies to notice variations as well.

Entities can apply for internal review of compliance, stop, and recall notices, and of notice variations. The application must be made in writing within 30 days of the notice being given. The reviewing decision-maker must decide within 30 days and can affirm, vary, or revoke the original decision. A written statement of reasons must be provided as soon as practicable after the decision.

A major policy feature of the Australia Cyber Security Act 2024 is the set of non-admissibility protections designed to encourage reporting. Information in ransomware payment reports (section 32), information voluntarily provided to the National Cyber Security Coordinator (section 42), and information provided to the Cyber Incident Review Board (section 58) is not admissible against the reporting entity in criminal proceedings, civil penalty proceedings, or tribunal proceedings.

Entities and their officers, employees, and agents also benefit from a liability safe harbour (section 28). They are not liable for damages for acts done in good faith in compliance with ransomware reporting obligations. The same protection extends under section 74 to entities complying with Board document production notices. Additionally, providing information under the Act does not waive legal professional privilege in proceedings, except for coronial inquiries and Royal Commissions.

Section 85 of the Australia Cyber Security Act 2024 extends penalty exposure to non-legal persons such as partnerships, trusts, and unincorporated associations. When an entity that is not a legal person contravenes the Act, the contravention is attributed to each accountable person who did the relevant act, aided or abetted the act, counselled or procured the act, or was in any way knowingly concerned in the act. This means that Australia Cyber Security Act 2024 fines and penalties can reach individuals who stand behind non-corporate structures.

The definition of accountable person depends on the entity type. For a partnership with individual partners, the accountable person is the individual partner. For a partnership with body corporate partners, the accountable person is a director of that body corporate. For a trust with an individual trustee, the accountable person is the trustee. For a trust with a body corporate trustee, the accountable person is a director of that body corporate. For an unincorporated association, the accountable person is a member of the governing body.

Organisations that are responsible entities for critical infrastructure assets may face penalties under both the Australia Cyber Security Act 2024 and the Security of Critical Infrastructure Act 2018 (SOCI Act). Understanding the relationship between these two penalty regimes is essential for enforcement risk planning. The SOCI Act carries penalties of up to 200 penalty units (AUD 66,000 at the current rate) for failures relating to critical infrastructure risk management programs, 150 penalty units (AUD 49,500) for annual reporting failures, and 50 penalty units (AUD 16,500) for failure to notify the regulator about a cyber security incident.

The Australia Cyber Security Act 2024 penalties for ransomware reporting failures (60 penalty units) are separate from and additional to any SOCI Act reporting obligations. A responsible entity for a critical infrastructure asset that makes a ransomware payment must comply with the 72-hour ransomware payment reporting obligation under the Cyber Security Act 2024 and may also need to report the underlying cyber security incident under Part 2B of the SOCI Act within 12 hours for critical incidents or 72 hours for other reportable incidents. Dual-regulated entities face penalty exposure under both Acts simultaneously.

While the per-contravention penalty amounts under the Australia Cyber Security Act 2024 are lower than the highest SOCI Act penalties, the Cyber Security Act enforcement framework is broader in several respects. The Regulatory Powers Act integration gives the regulator monitoring, investigation, infringement notice, enforceable undertaking, and injunction powers for every civil penalty provision. Both Acts use the Regulatory Powers (Standard Provisions) Act 2014 for enforcement, so dual-regulated entities should map both penalty regimes against their operations and ensure that reporting workflows satisfy both Acts.

The strongest defence against enforcement action is a current evidence trail that demonstrates diligence, control, and responsiveness. If your team can show how the product met the standard, how the statement of compliance was issued, how the ransomware reporting decision was handled, and how protected information is controlled, you are in a significantly better position than a business reconstructing facts after a notice arrives.

Design your evidence model around the six civil penalty provisions and the three-stage smart device enforcement path. Assign owners to each obligation, define evidence collection points in your existing workflows, and test retrieval before a regulator asks.