- Sets the $3 million turnover threshold and prescribes report content for business details, incident impact, demand, payment, and communications.
Map the Cyber Security Act 2024 requirements onto two main workstreams: consumer-grade smart-device duties and ransomware payment reporting.
Use this requirements summary to identify the trigger, required action, evidence record, and regulator-facing source for each obligation.
The Cyber Security Act 2024 creates targeted requirements rather than a single general cyber-control checklist. For most implementation teams, the practical obligations sit in smart-device security standards, statements of compliance, ransomware payment reports, and the evidence needed if the Secretary issues a compliance, stop, recall, or examination notice.
The Act and rules create separate requirement sets for connected products and ransomware payments. A product team should first test whether it manufactures or supplies a relevant connectable product that will be acquired in Australia in the specified consumer circumstances. An incident team should separately test whether a ransomware payment report is triggered by a cyber security incident, a demand, and a payment or benefit to the extorting entity.
Do not collapse these duties into a generic incident-response or product-security checklist. Smart-device compliance turns on product class, Australian acquisition circumstances, manufacturer and supplier awareness, security-standard controls, and a statement of compliance. Ransomware reporting turns on reporting business entity status, payment timing, report content, and limited-use protections for report information.
Use this requirements summary to assign product-scope reviews, statement-of-compliance evidence, ransomware report packs, and notice-response records inside Sorena.
Turn smart-device and ransomware reporting requirements into scoped questions, evidence fields, and review tasks.
Use Research Copilot to check product scope, report content, statement records, and enforcement evidence against cited source material.
Review covered products, ransomware reporting triggers, evidence gaps, and next compliance actions with Sorena.
The Smart Devices Rules prescribe a security standard for consumer-grade relevant connectable products intended, or likely, to be used for personal, domestic, or household use or consumption and acquired in Australia by a consumer. The rules exclude desktops and laptops, tablets, smartphones, therapeutic goods, road vehicles, and road vehicle components from that security standard.
The Schedule 1 controls are concrete. Covered passwords must be unique per product or defined by the user, and unique-per-product passwords must not be based on incremental counters, public information, unprotected serial-number derivations, or other guessable methods outside good industry practice. Manufacturers must also publish a contact point and timing information for security-issue reports, and publish the defined support period for security updates.
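As an added example that is not code from the Smart Devices Rules or from Sorena, the Python below generates a per-product default password from the OS CSPRNG and audits a constructed batch for the patterns Schedule 1 rules out: duplicates, passwords that reuse part of the serial number or an unsalted hash of it, and passwords that follow an incremental counter. The six-character serial-fragment threshold, the three hash algorithms checked, and the sample batch are assumptions of this example, not requirements taken from the rules.

```python
import hashlib
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits

def generate_device_password(length: int = 16) -> str:
    """Unique-per-product default drawn from the OS CSPRNG, so it has no link to serials or counters."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def _shares_serial_fragment(serial: str, pw: str, n: int = 6) -> bool:
    """True if any n-character run of the serial (alphanumerics only) reappears in the password."""
    s = "".join(c for c in serial.lower() if c.isalnum())
    p = "".join(c for c in pw.lower() if c.isalnum())
    return any(s[i:i + n] in p for i in range(len(s) - n + 1))

def weak_batch_findings(devices: list[tuple[str, str]]) -> list[str]:
    """Flag (serial, password) pairs that are duplicated, serial-derived, or follow a counter."""
    findings: list[str] = []
    first_seen: dict[str, str] = {}
    by_stem: dict[str, list[int]] = defaultdict(list)
    for serial, pw in devices:
        low = pw.lower()
        if low in first_seen:
            findings.append(f"{serial}: password duplicates the one on {first_seen[low]}")
        first_seen.setdefault(low, serial)
        if _shares_serial_fragment(serial, pw):
            findings.append(f"{serial}: password reuses part of the serial number")
        for algo in ("md5", "sha1", "sha256"):
            # An unsalted hash of the serial, even truncated, is still a serial derivation.
            if len(low) >= 6 and hashlib.new(algo, serial.encode()).hexdigest().startswith(low):
                findings.append(f"{serial}: password is an unprotected {algo} derivation of the serial")
        stem = low.rstrip(string.digits)  # split a trailing digit run off for the counter check
        if stem != low:
            by_stem[stem].append(int(low[len(stem):]))
    for stem, nums in by_stem.items():
        nums.sort()
        if any(b - a == 1 for a, b in zip(nums, nums[1:])):
            findings.append(f"prefix {stem!r}: passwords follow an incremental counter")
    return findings

# Constructed sample batch (assumed data): rows model the patterns the rules reject, plus one good row.
SAMPLE_BATCH = [
    ("SN-0001", "Device0001"), ("SN-0002", "Device0002"), ("SN-0003", "Device0003"),
    ("SN-A1B2C3", "A1B2C3-admin"),
    ("SN-0004", hashlib.sha256(b"SN-0004").hexdigest()[:10]),
    ("SN-0005", "Welcome1"), ("SN-0006", "Welcome1"),
    ("SN-0007", generate_device_password()),
]
```

Running `weak_batch_findings(SAMPLE_BATCH)` returns four findings: the counter across the three `Device000N` passwords, the serial fragment on SN-A1B2C3, the sha256 derivation on SN-0004, and the duplicate on SN-0006.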
For consumer-grade relevant connectable products subject to the Schedule 1 security standard, the statement of compliance must be prepared by, or on behalf of, the manufacturer. It must identify the product type and batch, manufacturer and authorised-representative details, compliance declarations, the defined support period at issue, the signatory's signature, name and function, and the place and date of issue.
The evidence record should connect the signed statement to the product build, batch, password design, vulnerability-reporting page, support-period publication, and Australian supply decision. The Smart Devices Rules specify a five-year retention period for statements of compliance, and the Act allows the Secretary to request the product, statement, or both for an independent examination.
Part 3 applies where a cyber security incident has a direct or indirect impact on a reporting business entity, an extorting entity makes a demand to benefit from the incident or impact, and the reporting business entity provides, or knows another entity has provided on its behalf, a directly related payment or benefit. The rules set the annual turnover threshold at $3 million, with a formula for businesses carried on for only part of the previous financial year. Responsible entities for critical infrastructure assets to which Part 2B of the SOCI Act applies can also be reporting business entities.
The report must be given within 72 hours after the payment is made or after the reporting business entity becomes aware the payment was made. The report must cover contact and business details, the cyber security incident and its impact, the extorting entity's demand, the payment, and communications with the extorting entity. The rules require details such as ABN and address where applicable, incident timing and awareness, infrastructure and customer impact, ransomware or malware variants, exploited vulnerabilities, payment amount or non-monetary benefit, method of provision, and communications or negotiations.
For smart-device non-compliance, the Act gives the Secretary a staged notice path: compliance notice, stop notice, then recall notice. Those notices can require action within the entity's control, set a reasonable period for action, and ask for evidence that the specified action was taken. If an entity fails to comply with a recall notice, the Minister may publish the entity identity, product details, non-compliance details, risks, recall-notice details, and recommended consumer actions.
The Act also applies regulatory-powers machinery for civil penalties, enforceable undertakings, infringement notices, investigations, and injunctions. Implementation evidence should therefore be organized for both operational delivery and regulator review: source-linked scope decisions, technical test records, public publication records, statements of compliance, supplier handoff records, ransomware report packs, and notice-response evidence.