- Supports the $3 million turnover threshold, partial-year formula, and detailed ransomware payment report information requirements.
Australia's Cyber Security Act 2024 uses 60-penalty-unit civil penalties for specific reporting, information-use, Board notice, and draft-review-report failures.
Smart-device non-compliance is handled differently: the Act sets a compliance notice, stop notice, recall notice, and public-notification pathway rather than listing a general smart-device fine in Part 2.
Use this page to separate the Australia Cyber Security Act penalty triggers from adjacent enforcement tools. It covers the grounded civil penalty provisions in the Act, the smart-device notice pathway, the ransomware reporting threshold and 72-hour report trigger, Cyber Incident Review Board notice exposure, and the evidence records teams should keep before approving a product, payment, disclosure, or regulator response.
The Act does not create one broad cyber-security fine for every control failure. The grounded penalty pattern is narrower: an entity is liable to a 60-penalty-unit civil penalty when it misses a required ransomware payment report, improperly records, uses, or discloses protected information in specified circumstances, fails to comply with a Cyber Incident Review Board document-production notice, or improperly records, discloses, or uses a draft review report.
For ransomware payment reporting, the penalty attaches to contravening the section 27 obligation to give a ransomware payment report within 72 hours of making the payment or becoming aware that the payment was made. For protected information and Board material, the exposure depends on the specific information-use restrictions and exceptions in the relevant Part of the Act.
Smart-device enforcement under Part 2 is built around notices. If a relevant connectable product is subject to a prescribed security standard, sections 15 and 16 create manufacturer and supplier obligations for compliance with that standard and statements of compliance. The Secretary can then issue a compliance notice where an entity is not complying, or where information suggests possible non-compliance.
If the compliance notice is not met or remediation is inadequate, the Secretary can escalate to a stop notice. If a stop notice is not met or remediation remains inadequate, the Secretary can escalate to a recall notice. If the recall notice is not complied with, the Minister may publish information including the entity's identity, product details, details of the non-compliance, and the product's risks; the Smart Devices Rules add recall-notice details and recommended consumer actions.
The ransomware payment penalty cannot be assessed without the Part 3 scope test. A report obligation can arise when a cyber security incident impacts a reporting business entity, an extorting entity makes a demand to benefit from the incident or its impact, and the reporting business entity provides, or becomes aware that another entity provided on its behalf, a payment or benefit directly related to that demand.
The 2025 Ransomware Payment Reporting Rules prescribe the ordinary turnover threshold as $3 million for the previous financial year, with a pro-rated formula where the business operated for only part of that previous financial year. A responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies can also fall within the reporting-business-entity test.
Penalty exposure records should be built around statutory triggers, not around a generic cyber incident ticket. Keep a separate record for each possible exposure: ransomware report failure, protected-information misuse, significant-incident information misuse, Board document notice failure, draft-review-report disclosure, or smart-device notice escalation.
Part 6 matters because the Act applies the Regulatory Powers Act framework. Civil penalty orders may be sought from a relevant court, infringement notices may be given for alleged contraventions, undertakings can be accepted for civil penalty provisions and sections 15 and 16, and injunctions can restrain or compel compliance. The Secretary is an authorised applicant for civil penalty and injunction purposes and is the relevant chief executive for infringement notices.
Use this guide to assign ransomware reporting clocks, smart-device notice responses, Board notice handling, protected-information controls, and evidence records inside Sorena.
Turn penalty triggers into scoped questions, evidence fields, owners, and review tasks.
Use Research Copilot to check the Act, ransomware rules, smart-device rules, and cited enforcement provisions.
Review civil penalty exposure, notice response records, source support, and next compliance actions with Sorena.
"the amount of turnover threshold"
"actions consumers are recommended to consider"
"the Secretary is the relevant chief executive"
"responsible entity"