
Australia Cyber Security Act 2024 Requirements

Every requirement under the Australia Cyber Security Act 2024, from smart device password controls and vulnerability disclosure to the 72 hour ransomware payment report and enforcement notice powers.

This guide breaks the legal requirements into practical actions your product, security, and compliance teams can assign, implement, and verify.

Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026
Overview

The Australia Cyber Security Act 2024 creates three distinct sets of requirements. Part 2 requires manufacturers and suppliers of smart devices to meet mandatory security standards for passwords, vulnerability reporting, and support periods. Part 2 also requires a statement of compliance to accompany every product supplied in Australia. Part 3 requires reporting business entities to file a ransomware payment report within 72 hours when the statutory conditions are met. The enforcement architecture gives the Secretary powers to issue compliance notices, stop notices, and recall notices for smart device obligations, while civil penalties apply to failures in both the smart device and ransomware reporting requirements.

Section 1

Australia Cyber Security Act 2024 Requirements Overview

The Australia Cyber Security Act 2024 does not impose a single blanket obligation. It establishes a chain of linked requirements across two core regulatory areas. Part 2 governs security standards for smart devices, requiring manufacturers to build compliant products and suppliers to ensure those products reach consumers accompanied by a valid statement of compliance. Part 3 governs ransomware payment reporting, requiring qualifying business entities to report payments made in response to cyber extortion within 72 hours.

Each set of requirements has its own commencement date. Part 2 of the Act (smart device security standards) commenced on 29 November 2025, and the detailed requirements in the Cyber Security (Security Standards for Smart Devices) Rules 2025 apply from 4 March 2026. Part 3 (ransomware payment reporting) commenced on 30 May 2025. Businesses operating in Australia must identify which requirements apply to their operations and prepare compliance controls accordingly.

The Australia Cyber Security Act 2024 requirements apply to entities with a connection to Australia. For smart devices, the requirements apply where the manufacturer knows or could reasonably be expected to know that the products will be acquired in Australia. For ransomware reporting, the requirements apply to entities carrying on a business in Australia above the turnover threshold or to responsible entities for critical infrastructure assets.

  • Manufacturers must manufacture relevant connectable products in compliance with prescribed security standards when they know products will be acquired in Australia.
  • Suppliers must not supply non-compliant products and must ensure each product is accompanied by a statement of compliance.
  • Reporting business entities must file a ransomware payment report within 72 hours of making the payment or becoming aware the payment was made.
  • The Secretary holds enforcement powers including compliance notices, stop notices, recall notices, and the ability to commission independent product examinations.
  • Civil penalties of 60 penalty units apply to failures in ransomware payment reporting obligations.
  • Good faith reporting of ransomware payments provides liability protection for the reporting entity and its officers, employees, and agents.

Section 2

Smart Device Password Requirements Under the Cyber Security Act 2024

The Cyber Security (Security Standards for Smart Devices) Rules 2025 prescribe mandatory password requirements for consumer-grade relevant connectable products. These password requirements apply to hardware when not in factory default state, to software pre-installed at point of supply when not in factory default state, and to software that must be installed for all manufacturer intended purposes. Manufacturers must ensure every product meets these password requirements before the product is supplied in Australia.

The password requirements under the Australia Cyber Security Act 2024 are designed to eliminate the use of default or easily guessable passwords that create security vulnerabilities in consumer smart devices. The requirements align with internationally recognised standards including ETSI EN 303 645 Provision 5.1, ensuring that Australian smart device password requirements are consistent with global security expectations.

Products covered by these password requirements include all consumer-grade relevant connectable products that are internet-connectable or network-connectable. Products excluded from the requirements include desktop computers, laptops, tablet computers, smartphones, therapeutic goods, road vehicles, and road vehicle components. The password requirements apply to products intended for personal, domestic, or household use.

  • Passwords must be unique per product or defined by the user of the product.
  • Unique per product passwords must not be based on incremental counters such as password1, password2.
  • Unique per product passwords must not be based on or derived from publicly available information.
  • Unique per product passwords must not be based on or derived from unique product identifiers such as serial numbers unless the identifier is processed with an encryption method or keyed hashing algorithm accepted as good industry practice, so that the password cannot be recovered from the identifier alone.
  • Passwords must not be otherwise guessable in a manner unacceptable as part of good industry practice.
  • The password definition under the rules excludes cryptographic keys, PINs used for non internet protocol pairing, and application programming interface keys.
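The derivation rule in the list above is the part of the password standard that engineering, rather than a label review, has to get right: a per-device password that is simply the serial number, or a fixed stem plus a counter, fails even though every unit ships with a different password. The following Python is an added example, not code from the Rules, the Act or any manufacturer. It assumes a manufacturer that derives each device's initial password from a per-product-line secret key and the serial number with HMAC-SHA256 at manufacture (the key, serial numbers, alphabet and password length are all constructed for the example), and contrasts that with two non-compliant patterns under batch checks for uniqueness, incremental counters, and identifier leakage.

```python
"""Per-device password generation and guessability checks.

Added example, not from the Rules, the Act, or any manufacturer's code.
Assumptions not in the source: the manufacturer keeps a per-product-line
secret key in its secure build environment, derives each device's initial
password from that key plus the serial number at manufacture, and prints it
on the device label. Alphabet and length are design choices, not prescribed.
"""
import hashlib
import hmac
import re
from typing import Callable, Dict, Iterable, List

# Constructed demo key. A real key lives in the factory HSM, never in source.
MANUFACTURER_KEY = hashlib.sha256(b"constructed-demo-key-do-not-use").digest()

# 32 symbols (no 0/O or 1/I): 5 bits per symbol, 12 symbols = 60 bits.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PASSWORD_LEN = 12

# Constructed serial numbers for one production batch.
SAMPLE_SERIALS = ["SN-2024-000123", "SN-2024-000124", "SN-2024-000125"]


def derive_device_password(serial: str, key: bytes = MANUFACTURER_KEY) -> str:
    """Compliant pattern: keyed derivation. The serial (printed on the box,
    visible in network scans) reveals nothing about the password without the
    manufacturer key, and adjacent serials give unrelated passwords."""
    digest = hmac.new(key, serial.encode("utf-8"), hashlib.sha256).digest()
    # Each byte is uniform over 0..255 and 256 is a multiple of 32, so the
    # modulo introduces no bias into the symbol choice.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:PASSWORD_LEN])


def weak_counter_password(serial: str) -> str:
    """Non-compliant pattern: fixed stem plus an incrementing number."""
    return "password" + str(int(serial.rsplit("-", 1)[-1]))


def weak_serial_password(serial: str) -> str:
    """Non-compliant pattern: last six characters of the serial, in the clear."""
    return serial.replace("-", "")[-6:]


_COUNTER_RE = re.compile(r"^([A-Za-z]+)(\d+)$")


def looks_like_counter(passwords: List[str]) -> bool:
    """True when a batch shares one alphabetic stem and the numeric suffixes
    form a consecutive run, e.g. password123, password124, password125."""
    stems, numbers = set(), []
    for pw in passwords:
        match = _COUNTER_RE.match(pw)
        if match is None:
            return False
        stems.add(match.group(1).lower())
        numbers.append(int(match.group(2)))
    return len(stems) == 1 and len(numbers) > 1 and all(
        b - a == 1 for a, b in zip(numbers, numbers[1:])
    )


def derived_from_identifier(password: str, identifiers: Iterable[str],
                            min_run: int = 4) -> bool:
    """True when the password contains a run of min_run characters copied
    from a public identifier (serial, MAC address) after stripping separators."""
    pw = password.upper()
    for ident in identifiers:
        ident = re.sub(r"[^A-Za-z0-9]", "", ident).upper()
        for i in range(len(ident) - min_run + 1):
            if ident[i:i + min_run] in pw:
                return True
    return False


def assess_batch(serials: List[str], derive: Callable[[str], str]) -> Dict[str, bool]:
    """Runs the three checks the password rules imply over a production batch."""
    passwords = [derive(s) for s in serials]
    return {
        "unique_per_product": len(set(passwords)) == len(passwords),
        "counter_pattern": looks_like_counter(passwords),
        "identifier_leak": any(
            derived_from_identifier(pw, [serial])
            for pw, serial in zip(passwords, serials)
        ),
    }


if __name__ == "__main__":
    for name, fn in [("keyed derivation", derive_device_password),
                     ("counter", weak_counter_password),
                     ("serial suffix", weak_serial_password)]:
        print(f"{name:18} {assess_batch(SAMPLE_SERIALS, fn)}")
```

The batch checks are deliberately cheap so they can run in the factory test station on every lot: the counter test catches the `password1, password2` pattern the rules name, and the identifier test catches the more common failure of printing part of the serial or MAC address as the password. Neither check proves a derivation is good; only the keyed derivation does that, because an attacker who enumerates serials still has to break HMAC-SHA256 or steal the manufacturer key.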
Section 3

Vulnerability Reporting Requirements for Smart Device Manufacturers

The Australia Cyber Security Act 2024 requirements include a mandatory vulnerability reporting obligation for smart device manufacturers. Under the Cyber Security (Security Standards for Smart Devices) Rules 2025, manufacturers must publish information on how security researchers and the public can report security issues affecting the product. This vulnerability disclosure requirement covers hardware, pre-installed software, software that must be installed for manufacturer intended purposes, and software used for or in connection with any manufacturer intended purposes.

The published vulnerability reporting information must include at least one point of contact for reporting security issues to the manufacturer. It must also include when a person making a report will receive an acknowledgement of receipt and when they will receive status updates until the reported security issues are resolved. This requirement ensures manufacturers maintain an open and responsive channel for security issue reports.

These vulnerability reporting requirements under the Australia Cyber Security Act 2024 align with ETSI EN 303 645 Provision 5.2, establishing a consistent framework for coordinated vulnerability disclosure across smart devices sold to Australian consumers.

  • Manufacturers must publish at least one point of contact for reporting security issues.
  • The published information must state when a reporter will receive an acknowledgement of receipt of their report.
  • The published information must state when a reporter will receive status updates until resolution of the reported security issues.
  • All vulnerability reporting information must be accessible, clear, and transparent.
  • The information must be available without prior request, published in English, and provided free of charge.
  • Manufacturers must not require personal information from the person reporting a security issue as a condition for submitting the report.
Section 4

Support Period and Security Update Requirements for Smart Devices

The Australia Cyber Security Act 2024 requirements mandate that smart device manufacturers publish a defined support period for security updates. The defined support period must be expressed as a period of time with an end date, specifying how long the manufacturer will provide security updates for the product. A security update is defined as a software update that protects or enhances the security of the product, including updates addressing discovered or reported security issues.

The support period and security update requirements apply to hardware capable of receiving security updates, pre-installed software capable of receiving security updates, software that must be installed for manufacturer intended purposes and is capable of receiving security updates, and software developed by or on behalf of the manufacturer that is capable of receiving security updates and used for manufacturer intended purposes.

These support period requirements under the Australia Cyber Security Act 2024 align with ETSI EN 303 645 Provision 5.3, ensuring that consumers can make informed purchasing decisions based on how long a smart device will receive security updates. Manufacturers must present this information prominently alongside consumer decision making information on their website.

  • Manufacturers must publish the defined support period expressed as a period of time with an end date for security updates.
  • Manufacturers must not shorten the defined support period after it has been published.
  • If a manufacturer extends the defined support period, the new period must be published as soon as practicable.
  • Support period information must be accessible, clear, transparent, available without prior request, in English, free of charge, and understandable without prior technical knowledge.
  • If the manufacturer offers the product on its website, support period information must be prominently published alongside consumer decision making information.
  • Support period information must be given equal prominence to the main product characteristics displayed on the manufacturer website.
Section 5

Statement of Compliance Requirements Under the Australia Cyber Security Act 2024

The Australia Cyber Security Act 2024 requirements include a mandatory statement of compliance that must accompany every relevant connectable product supplied in Australia. The statement must be prepared by or on behalf of the manufacturer. Manufacturers must provide the statement of compliance for the supply of the product, and suppliers must supply the product with the statement when they know or could reasonably be expected to know the product will be acquired in Australia.

The statement of compliance requirements serve as the formal attestation mechanism under the Australia Cyber Security Act 2024. Each statement creates an auditable record that the manufacturer has assessed the product against the prescribed security standard and confirmed compliance. The Secretary may request the statement during an independent examination under Section 23 of the Act, making completeness and accuracy essential.

Both manufacturers and suppliers must retain a copy of the statement of compliance for five years as prescribed by the Cyber Security (Security Standards for Smart Devices) Rules 2025. This retention requirement ensures that compliance evidence remains available for enforcement and audit purposes throughout the expected lifecycle of smart devices on the Australian market.

  • The statement must include the product type and batch identifier.
  • The statement must include the name and address of the manufacturer, an authorised representative, and each authorised representative in Australia.
  • The statement must include a declaration that the statement has been prepared by or on behalf of the manufacturer.
  • The statement must include a declaration that in the opinion of the manufacturer the product complies with the security standard requirements and the manufacturer has met all other obligations in the security standard.
  • The statement must include the defined support period for the product at the date the statement is issued.
  • The statement must include the signature, name, and function of the signatory, plus the place and date of issue, and must be retained for five years.
Section 6

Ransomware Payment Reporting Requirements Under the Australia Cyber Security Act 2024

Part 3 of the Australia Cyber Security Act 2024 creates a mandatory ransomware payment reporting requirement. When a reporting business entity is impacted by a cyber security incident and a ransomware payment is made to the extorting entity, the reporting business entity must give the designated Commonwealth body a ransomware payment report within 72 hours. The 72 hour window starts from the time the payment is made or the time the entity becomes aware the payment has been made, whichever applies.

The ransomware payment reporting requirements under the Australia Cyber Security Act 2024 apply only when all four statutory conditions are met together: there must be a cyber security incident; the incident must impact a reporting business entity; an extorting entity must make a demand seeking to benefit from the incident; and the reporting business entity must make, or become aware that another entity has made on its behalf, a ransomware payment to that extorting entity. If any one of these conditions is absent, the reporting obligation does not arise.

Failure to comply with the ransomware payment reporting requirements carries a civil penalty of 60 penalty units. The ransomware payment report must be given in the approved form issued by the Secretary and in the manner prescribed by the rules.

  • The ransomware payment report must be filed within 72 hours of making the payment or becoming aware the payment was made.
  • The report must be given to the designated Commonwealth body in the approved form if one has been issued by the Secretary.
  • A civil penalty of 60 penalty units applies to any entity that fails to file the required ransomware payment report.
  • The reporting obligation applies regardless of whether the payment was made directly by the reporting business entity or by another entity on its behalf.
  • Information in the report is only required to the extent the entity knows or can find out by reasonable search or enquiry within the 72 hour reporting window.
  • The ransomware payment reporting requirements commenced on 30 May 2025 for all qualifying entities.
Section 7

Information Required in a Ransomware Payment Report

The Cyber Security (Ransomware Payment Reporting) Rules 2025 prescribe six categories of information that a ransomware payment report must contain. The reporting business entity must provide this information to the extent that it knows the details or can discover them through reasonable search or enquiry within the 72 hour reporting window. This practical limitation means that the report must be as complete as possible given the circumstances, but incomplete information does not create a separate contravention if the entity acted reasonably.

The ransomware payment report requirements under the Australia Cyber Security Act 2024 are designed to give the designated Commonwealth body enough information to assist the affected entity, understand the threat landscape, and coordinate a response. The report contents cover the identity and contact details of the affected entity, the nature and timing of the incident, the details of the extortion demand, the details of the payment itself, and the communications between the entity and the extorting party.

Ransomware payment reports may only be used or disclosed for permitted purposes as defined in Section 29 of the Act. These purposes include assisting the reporting entity to respond to the incident, performing regulatory functions, national security purposes, and informing the Minister. The information must not be used for investigating or enforcing any civil or regulatory contravention other than a contravention of Part 3 itself or a criminal offence.

  • The report must contain the reporting entity contact and business details including ABN and address.
  • If another entity made the payment on behalf of the reporting entity, the report must include that entity contact details and ABN.
  • The report must describe when the cyber security incident occurred, its impact on infrastructure, and its impact on customers.
  • The report must identify ransomware or malware variants used and vulnerabilities exploited in the entity systems.
  • The report must state the amount or description of the ransomware demand, the payment actually made, and the payment method.
  • The report must describe the nature, timing, and content of communications with the extorting entity, including any pre payment negotiations.
Section 8

Reporting Business Entity Requirements and the 3 Million Dollar Threshold

The ransomware payment reporting requirements under the Australia Cyber Security Act 2024 apply only to reporting business entities. An entity qualifies as a reporting business entity through one of two routes. The first route applies to entities carrying on a business in Australia with an annual turnover for the previous financial year exceeding 3 million dollars, provided the entity is not a Commonwealth body, a State body, or a responsible entity for a critical infrastructure asset. The second route applies to responsible entities for critical infrastructure assets to which Part 2B of the Security of Critical Infrastructure Act 2018 applies.

The 3 million dollar turnover threshold is set by Section 6 of the Cyber Security (Ransomware Payment Reporting) Rules 2025. For businesses that operated for only part of the previous financial year, the threshold is prorated using the formula: 3 million dollars multiplied by the number of days the business operated, divided by the total number of days in the financial year. This prorating mechanism ensures that newer businesses are not excluded from the reporting requirements based solely on a short operating history.

Determining whether your entity is a reporting business entity is the first step in assessing your ransomware payment reporting requirements under the Australia Cyber Security Act 2024. The turnover assessment should be completed before an incident occurs so that the entity can respond within the 72 hour window without needing to resolve threshold questions under time pressure.

  • Entities with annual turnover exceeding 3 million dollars in the previous financial year must report ransomware payments if they are not a Commonwealth body, State body, or critical infrastructure responsible entity.
  • Responsible entities for critical infrastructure assets subject to Part 2B of the Security of Critical Infrastructure Act 2018 must report ransomware payments regardless of turnover.
  • The 3 million dollar threshold is prorated for businesses that operated for only part of the previous financial year.
  • The turnover assessment is based on the previous financial year and should be reviewed annually to confirm reporting obligations.
  • Commonwealth bodies and State bodies are excluded from the reporting business entity definition under the first limb but may be captured under the critical infrastructure limb.
  • Pre incident planning should include a documented determination of whether the entity meets the reporting business entity threshold.
Section 9

Enforcement Powers and Compliance Notice Requirements

The Australia Cyber Security Act 2024 gives the Secretary escalating enforcement powers for smart device requirements. The enforcement pathway follows a three stage escalation: compliance notice, then stop notice, then recall notice. Each stage requires the previous stage to have been issued and found insufficient before the next stage can be activated. Before issuing any notice, the Secretary must notify the entity and give at least 10 days for the entity to make representations.

A compliance notice under Section 17 may be issued when the Secretary is reasonably satisfied that an entity is not complying with its smart device obligations, or is aware of information suggesting possible non compliance. The compliance notice must specify the action the entity must take and a reasonable period for taking that action. Only one compliance notice may be issued for a particular instance of non compliance.

If a compliance notice proves inadequate, the Secretary may issue a stop notice under Section 18. If the stop notice also proves inadequate, the Secretary may issue a recall notice under Section 19 requiring the entity to prevent the product from being acquired or supplied in Australia and to arrange for returns. If the entity fails to comply with the recall notice, the Minister may publicly notify the entity identity, product details, non compliance details, and risks posed by the product. The Secretary may also commission an independent examination under Section 23, where a qualified expert can open, operate, test, and analyse products to verify compliance with the security standards.

  • The Secretary must give at least 10 days notice and allow representations before issuing any compliance, stop, or recall notice.
  • Only one compliance notice may be issued for a particular instance of non compliance with smart device requirements.
  • Stop notices can only be issued after a compliance notice has been given and found insufficient to address the non compliance.
  • Recall notices can only be issued after a stop notice has been given and found insufficient to address the non compliance.
  • The Minister may publicly identify entities that fail to comply with recall notices, including product details and risks posed.
  • Entities may seek internal review of a decision to issue or vary a compliance, stop, or recall notice within 30 days of receiving the notice.
Section 10

Liability Protection and Reporting Safeguards Under the Cyber Security Act 2024

The Australia Cyber Security Act 2024 provides important liability protections for entities that report ransomware payments in good faith. Section 28 provides that an entity is not liable to an action or other proceeding for damages for acts done or omitted in good faith in compliance with the reporting obligation. This protection extends to officers, employees, and agents of the reporting entity. The entity bears an evidential burden when seeking to rely on this safe harbour provision.

Information provided in a ransomware payment report receives strong admissibility protections under Section 32 of the Act. The information is not admissible against the reporting business entity in criminal proceedings, civil penalty proceedings, proceedings for breach of other laws, or tribunal proceedings. Narrow exceptions exist for false or misleading information offences and obstruction of Commonwealth officials. These protections are designed to encourage honest and complete reporting without fear of self incrimination.

Legal professional privilege is also preserved under the Australia Cyber Security Act 2024 requirements. Section 31 provides that the fact of reporting does not affect any claim of legal professional privilege that anyone may make in relation to the reported information. The combination of liability protection, admissibility safeguards, and privilege preservation creates a framework that incentivises timely and complete ransomware payment reporting.

  • Good faith compliance with the reporting obligation attracts the Section 28 liability protection against damages proceedings for the reporting entity.
  • The liability protection extends to officers, employees, and agents of the reporting business entity.
  • Ransomware payment report information is generally not admissible against the reporting entity in criminal, civil, or tribunal proceedings.
  • Exceptions to admissibility protection are limited to false or misleading information offences and obstruction of Commonwealth officials.
  • Legal professional privilege is not waived by the act of filing a ransomware payment report.
  • Secondary use and disclosure of report information is restricted to permitted purposes, and unauthorised disclosure carries a civil penalty of 60 penalty units.
Primary sources

References and citations

  • Cyber Security Act 2024 (Cth), legislation.gov.au. Primary legislation containing the smart device requirements in Part 2, the ransomware payment reporting requirements in Part 3, and the enforcement architecture in Parts 6 and 8. Long title: "An Act relating to cyber security for Australians, and for other purposes."