
Australia Cyber Security Act 2024 Scope and Definitions

A comprehensive reference to every key definition in the Australia Cyber Security Act 2024, from relevant connectable product and consumer grade class to reporting business entity, cyber security incident, ransomware payment, and extraterritorial reach.

Clean scope work is the foundation for compliance. If your teams do not share the same statutory vocabulary, product decisions, incident escalations, and reporting obligations will all drift.

Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026
Overview

The Australia Cyber Security Act 2024 (No. 98, 2024) relies on a precise set of defined terms that determine which products must meet security standards (Part 2), which entities must report ransomware payments (Part 3), and how the Government coordinates significant cyber security incidents (Part 4). This page provides a detailed walkthrough of every definition that compliance professionals, product managers, legal counsel, and incident response teams need to operationalise the Australia Cyber Security Act 2024. Each section below quotes the statutory language from the Act or its subordinate Rules, explains the practical effect, and gives examples of how scope decisions play out.

Section 1

Extraterritorial Application of the Australia Cyber Security Act 2024 (Section 5)

Section 5 of the Australia Cyber Security Act 2024 states: 'This Act applies both within and outside Australia.' The Act also extends to every external Territory. This means that a manufacturer based overseas who manufactures products that will be acquired in Australia by consumers must comply with the security standards in Part 2. Similarly, a foreign entity that makes a ransomware payment following an incident that impacts a reporting business entity carrying on business in Australia is within scope of the Part 3 reporting obligation.

The extraterritorial reach of the Australia Cyber Security Act 2024 is important for global supply chains. If a manufacturer in Shenzhen or Seoul ships smart home devices to Australian retailers, that manufacturer has obligations under the Act as long as they are aware, or could reasonably be expected to be aware, that the product will be acquired in Australia. The Act also binds the Crown in each of its capacities (section 6), and operates concurrently with State and Territory laws (section 7), so there is no gap in coverage across jurisdictions.

  • Section 5: 'This Act applies both within and outside Australia.' It extends to every external Territory.
  • Section 6: The Act binds the Crown in each of its capacities, though the Crown (other than a Crown authority) is not liable to prosecution for an offence.
  • Section 7: The Act does not exclude or limit State or Territory laws that can operate concurrently.
  • Practical effect: overseas manufacturers and suppliers must comply if they know or should know their products will be acquired in Australia.
  • Constitutional heads of power in section 9(2) and section 15(5) limit some obligations to corporations, trade and commerce, and the telecommunications power, but the presumptions in section 26(4) broaden the practical reach of the ransomware provisions.
Section 2

Relevant Connectable Product Under the Australia Cyber Security Act 2024 (Section 13)

The central scope term in Part 2 of the Australia Cyber Security Act 2024 is 'relevant connectable product.' Section 13(2) defines it as a product that is either an internet connectable product or a network connectable product, and that is not exempted under the rules. Part 2 applies to a relevant connectable product that is manufactured on or after the commencement of Part 2, or supplied (other than as second hand goods) on or after that commencement (section 13(1)).

The rules may specify that classes of products or particular products are exempted (section 13(3)). At the time of writing, the Cyber Security (Security Standards for Smart Devices) Rules 2025 focus the first security standard on consumer grade relevant connectable products, with a defined set of exclusions (see section below). Products that are not internet connectable and not network connectable are entirely outside the scope of Part 2 of the Australia Cyber Security Act 2024.

  • Section 13(2): A relevant connectable product is a product that (a) is an internet connectable product or a network connectable product, and (b) is not exempted under the rules.
  • Section 13(1): Part 2 applies to products manufactured on or after commencement, or supplied (other than as second hand goods) on or after commencement.
  • Section 13(3): The rules may exempt classes of products or particular products.
  • Second hand goods are excluded from the supply trigger, so resale markets do not create new compliance obligations for the seller.
  • The scope of Part 2 may expand over time through new rules that add product classes or change the exemptions.
Section 3

Internet Connectable Product (Section 13(4))

Section 13(4) of the Australia Cyber Security Act 2024 defines an 'internet connectable product' as a product that is capable of connecting to the internet using a communication protocol that forms part of the internet protocol suite to send and receive data over the internet. This covers any product with a TCP/IP stack (or equivalent) that can exchange data with internet hosts. Common examples include smart speakers, smart TVs, IP cameras, Wi-Fi routers, smart home hubs, and connected appliances.

The definition turns on capability, not on whether the product is always connected. A device that has a Wi-Fi module but ships in a disconnected state is still an internet connectable product under the Australia Cyber Security Act 2024 because it is 'capable' of connecting. Compliance professionals should map each product's connectivity features against this definition as the first step in a Part 2 scope assessment.

  • Section 13(4): 'An internet connectable product is a product that is capable of connecting to the internet using a communication protocol that forms part of the internet protocol suite to send and receive data over the internet.'
  • The test is capability, not active use. A product with a dormant internet module is still in scope.
  • Examples: smart speakers, IP cameras, smart TVs, connected home appliances, Wi-Fi enabled wearables, smart lighting bridges, connected printers.
  • Products that only communicate over Bluetooth, Zigbee, or Z-Wave without any internet protocol capability are not internet connectable products (though they may qualify as network connectable products).
Section 4

Network Connectable Product (Sections 13(5) to 13(10))

Section 13(5) of the Australia Cyber Security Act 2024 defines a 'network connectable product' as a product that (a) is capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy, (b) is not an internet connectable product, and (c) meets the condition in subsection (6) or (7). This second category captures devices that do not directly use the internet protocol suite but connect indirectly to the internet through other devices.

Under section 13(6), a product meets the condition if it is capable of connecting directly to an internet connectable product by means of a communication protocol that forms part of the internet protocol suite. Under section 13(7), a product meets the condition if it can connect directly to two or more products at the same time using a protocol outside the internet protocol suite, and can also connect directly to an internet connectable product through that protocol. This brings in hub devices that bridge between non-IP protocols and IP networks.

Section 13(8) excludes a product consisting of a wire or cable that is used merely to connect one product to another. Section 13(9) handles multi-product sets designed to facilitate the use of a computer, such as a wireless keyboard and mouse set connected through a USB dongle. Section 13(10) clarifies that a wired connection does not prevent a product from being regarded as connecting 'directly' to another product.

  • Section 13(5): A network connectable product sends and receives data via electrical or electromagnetic energy, is not an internet connectable product, and meets section 13(6) or 13(7).
  • Section 13(6): Capable of connecting directly to an internet connectable product using the internet protocol suite.
  • Section 13(7): Capable of connecting to two or more products simultaneously via a non-IP protocol, and also capable of connecting directly to an internet connectable product.
  • Section 13(8): A wire or cable used merely to connect one product to another is excluded.
  • Section 13(9): Multi-product sets designed for use with a computer (e.g. wireless keyboard and dongle combinations) are handled through the 'linking product' and 'input product' framework.
  • Section 13(10): A wired connection does not prevent a product from qualifying as directly connected.
  • Examples: Zigbee sensors that pair through an internet connected hub, Bluetooth peripherals that relay data through a phone, Z-Wave home automation devices that communicate through a smart home bridge.
Section 5

Consumer Grade Class and Exclusions Under the Smart Device Rules 2025

The Cyber Security (Security Standards for Smart Devices) Rules 2025 prescribe the first security standard under the Australia Cyber Security Act 2024. Section 8(1) of the Rules defines the covered class as all relevant connectable products that are intended by the manufacturer to be used, or are of a kind likely to be used, for personal, domestic or household use or consumption. This is the 'consumer grade' class.

Section 8(1)(b) of the Rules lists six product categories that are excluded from the consumer grade class even if they otherwise meet the definition: (i) a desktop computer or a laptop, (ii) a tablet computer, (iii) a smartphone, (iv) therapeutic goods within the meaning of the Therapeutic Goods Act 1989, (v) a road vehicle within the meaning of the Road Vehicle Standards Act 2018, and (vi) a road vehicle component within the meaning of the Road Vehicle Standards Act 2018. These exclusions recognise that those product types are already subject to other regulatory frameworks or have complexity that warrants separate treatment.

The 'consumer' term itself is defined in section 6 of the Rules by reference to section 3 of the Australian Consumer Law. A person has acquired particular goods as a consumer if the person would be taken to have acquired the goods as a consumer under that provision. The specified circumstance for this class is that the products will be acquired in Australia by a consumer (section 8(2)).

  • Rules section 8(1)(a): Products intended by the manufacturer for personal, domestic or household use or consumption, or of a kind likely to be used for those purposes.
  • Excluded: desktop computers, laptops, tablet computers, smartphones, therapeutic goods, road vehicles, road vehicle components.
  • Rules section 6: 'Consumer' has the meaning from section 3 of the Australian Consumer Law.
  • Rules section 8(2): The specified circumstance is acquisition in Australia by a consumer.
  • Products used in commercial or industrial settings may still be in scope if they are 'of a kind likely to be used' for personal, domestic, or household use. A smart security camera marketed to both homeowners and small businesses is likely in scope.
  • Future rules under the Australia Cyber Security Act 2024 may add additional product classes beyond consumer grade.
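The Part 2 scope test in sections 2 to 5 above is a fixed decision sequence (section 13(4) to 13(8) of the Act, then Rules section 8(1)), which makes it worth encoding once so that product teams apply it consistently. The following Python helper is an added example, not code from the page or from any regulator; the product records are constructed, the boolean capability flags are this example's own simplification of the statutory tests, and section 13(9) (linking/input product sets) and the section 13(1) commencement timing are deliberately not modelled.

```python
from dataclasses import dataclass
from enum import Enum

# Rules s 8(1)(b): kinds of product excluded from the consumer grade class
# even when they are relevant connectable products (plain labels, this example's own).
CONSUMER_GRADE_EXCLUSIONS = {
    "desktop computer", "laptop", "tablet computer", "smartphone",
    "therapeutic good", "road vehicle", "road vehicle component",
}


class Category(Enum):
    NOT_CONNECTABLE = "not internet or network connectable: outside Part 2"
    INTERNET = "internet connectable product (s 13(4))"
    NETWORK_VIA_6 = "network connectable product (s 13(5), condition in s 13(6))"
    NETWORK_VIA_7 = "network connectable product (s 13(5), condition in s 13(7))"


@dataclass
class Product:
    name: str
    kind: str                           # e.g. "smart speaker", "laptop"; matched against the exclusions
    sends_and_receives: bool            # s 13(5)(a): two-way electrical/electromagnetic transmission
    ip_internet_capable: bool           # s 13(4): can reach the internet with an IP-suite protocol
    ip_link_to_internet_product: bool   # s 13(6): direct IP-suite link to an internet connectable product
    non_ip_multi_peer_bridge: bool      # s 13(7): 2+ simultaneous non-IP peers AND a non-IP link to an ICP
    is_wire_or_cable: bool = False      # s 13(8): a cable merely joining two products
    consumer_use_likely: bool = False   # Rules s 8(1)(a): personal, domestic or household use intended/likely
    exempted_by_rules: bool = False     # s 13(3): exempted class or particular product


def connectable_category(p: Product) -> Category:
    """Apply s 13(4) to s 13(8) in statutory order. Capability, not current use, is the test."""
    if p.is_wire_or_cable:                 # s 13(8): excluded outright
        return Category.NOT_CONNECTABLE
    if p.ip_internet_capable:              # s 13(4): a dormant Wi-Fi module still counts
        return Category.INTERNET
    if not p.sends_and_receives:           # s 13(5)(a): one-way transmitters fail the first limb
        return Category.NOT_CONNECTABLE
    if p.ip_link_to_internet_product:      # s 13(6)
        return Category.NETWORK_VIA_6
    if p.non_ip_multi_peer_bridge:         # s 13(7): hub-and-mesh style devices
        return Category.NETWORK_VIA_7
    return Category.NOT_CONNECTABLE


def is_relevant_connectable_product(p: Product) -> bool:
    """s 13(2): internet or network connectable, and not exempted under the rules."""
    return connectable_category(p) is not Category.NOT_CONNECTABLE and not p.exempted_by_rules


def in_consumer_grade_class(p: Product) -> bool:
    """Rules s 8(1): a relevant connectable product, consumer use intended or likely,
    and not one of the excluded kinds. This is the class the first security standard covers."""
    return (is_relevant_connectable_product(p)
            and p.consumer_use_likely
            and p.kind not in CONSUMER_GRADE_EXCLUSIONS)


def assess(p: Product) -> dict:
    """One row of a scope register: category, s 13(2) status and Rules s 8(1) status."""
    return {
        "product": p.name,
        "category": connectable_category(p).value,
        "relevant_connectable_product": is_relevant_connectable_product(p),
        "first_security_standard_applies": in_consumer_grade_class(p),
    }


# Constructed sample products for illustration (not real SKUs).
SMART_SPEAKER = Product("Voice speaker", "smart speaker", True, True, False, False, consumer_use_likely=True)
LAPTOP = Product("Home laptop", "laptop", True, True, False, False, consumer_use_likely=True)
ZIGBEE_SENSOR = Product("Zigbee door sensor", "sensor", True, False, False, True, consumer_use_likely=True)
HDMI_CABLE = Product("HDMI lead", "cable", True, False, False, False, is_wire_or_cable=True)
ONE_WAY_BEACON = Product("433 MHz weather transmitter", "sensor", False, False, False, False,
                         consumer_use_likely=True)

if __name__ == "__main__":
    for product in (SMART_SPEAKER, LAPTOP, ZIGBEE_SENSOR, HDMI_CABLE, ONE_WAY_BEACON):
        print(assess(product))
```

The laptop row shows the two tests diverging: it is an internet connectable product under section 13(4), so it is a relevant connectable product, yet Rules section 8(1)(b) keeps it out of the consumer grade class.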
Section 6

Manufacturer and Supplier Under the Australia Cyber Security Act 2024 (Section 8)

Section 8 of the Australia Cyber Security Act 2024 defines 'manufacturer' as having the same meaning as in the Australian Consumer Law (ACL). Under the ACL, a manufacturer of goods includes the person who actually makes or assembles the goods, the person who holds themselves out as the manufacturer by applying their name or brand, a person who imports goods where the actual manufacturer has no place of business in Australia, and certain other parties. This broad ACL definition is critical because it determines who bears the obligation to manufacture products in compliance with the security standard (section 15) and to provide a statement of compliance (section 16).

Section 8 also defines 'supply' as having the same meaning as in the Australian Consumer Law, and 'supplied' and 'supplier' have corresponding meanings. Under the ACL, supply includes sale, exchange, lease, hire, and hire purchase. For the Australia Cyber Security Act 2024, the supplier obligation under section 15(3) is that an entity must not supply a product in Australia that was not manufactured in compliance with the security standard, if the entity is aware or could reasonably be expected to be aware that the product will be acquired in Australia in the specified circumstances. Suppliers must also supply the product with a statement of compliance (section 16(3)).

The awareness test is important. Both manufacturer obligations (section 15(1)(b)) and supplier obligations (section 15(3)(b)) turn on whether the entity 'is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia' in the specified circumstances. This constructive knowledge standard means that a manufacturer who sells through a global distribution network cannot claim ignorance if their products routinely appear in Australian retail channels.

  • Section 8: 'Manufacturer' has the same meaning as in the Australian Consumer Law.
  • ACL manufacturer includes: the actual maker, a person who applies their name or brand, an importer where the actual manufacturer has no Australian presence.
  • Section 8: 'Supply' has the same meaning as in the Australian Consumer Law. 'Supplied' and 'supplier' have corresponding meanings.
  • ACL supply includes sale, exchange, lease, hire, and hire purchase.
  • Section 15(1)(b) and 15(3)(b): Obligations turn on awareness or constructive awareness that the product will be acquired in Australia.
  • Practical tip: document your supply chain mapping and market intelligence to demonstrate that you have assessed whether products reach Australian consumers.
Section 7

Statement of Compliance and Defined Support Period

Two terms from Part 2 of the Australia Cyber Security Act 2024 and the Smart Device Rules 2025 have direct operational impact. The 'statement of compliance' is the document that manufacturers must provide for the supply of in-scope products in Australia, and that suppliers must supply with the product. Section 9 of the Rules specifies that the statement must be prepared by, or on behalf of, the manufacturer and must include: the product type and batch identifier, the name and address of the manufacturer and any authorised representatives (including any in Australia), a declaration that the statement was prepared by or on behalf of the manufacturer, a declaration that the product was manufactured in compliance with the security standard, the defined support period at the date of issue, the signature and function of the manufacturer's signatory, and the place and date of issue.

The 'defined support period' is defined in Schedule 1, clause 4(3) of the Rules as the period, expressed as a period of time with an end date, for which security updates will be provided by or on behalf of the manufacturer. The manufacturer must publish this defined support period. Clause 4(4) provides that the manufacturer must not shorten the defined support period after it is published. If the manufacturer extends the period, the new defined support period must be published as soon as is practicable (clause 4(5)). The defined support period information must be accessible, clear, transparent, available without prior request, in English, free of charge, and without requiring personal information from the reader (clause 4(6)).

The retention period for a statement of compliance is 5 years (Rules section 10). Manufacturers and suppliers should treat the statement of compliance as a controlled regulatory document, not as marketing material. The support period is a binding commitment that must be backed by engineering capacity to deliver security updates for the entire published duration.

  • Rules section 9(3): Statement must include product type, batch identifier, manufacturer details, authorised representative details, compliance declaration, defined support period, signatory details, and date and place of issue.
  • Rules section 10: Retention period for statement of compliance is 5 years.
  • Schedule 1, clause 4(3): Defined support period is a period with an end date for which security updates will be provided.
  • Schedule 1, clause 4(4): The manufacturer must not shorten the defined support period after publication.
  • Schedule 1, clause 4(5): If extended, the new period must be published as soon as is practicable.
  • Schedule 1, clause 4(6)/(7): Support period information must be accessible, clear, transparent, in English, free, and prominently displayed alongside product characteristics on the manufacturer's website.
  • Practical tip: treat the defined support period as a contractual commitment. Align it with your engineering team's actual capacity to deliver security updates for the full duration.
Section 8

Reporting Business Entity Under the Australia Cyber Security Act 2024 (Section 26(2))

The ransomware reporting obligation in Part 3 of the Australia Cyber Security Act 2024 does not apply to every victim of a cyber security incident. It applies only to a 'reporting business entity.' Section 26(2) defines two routes into this status. Under route (a), an entity is a reporting business entity if, at the time the ransomware payment is made, it is carrying on a business in Australia with an annual turnover for the previous financial year that exceeds the turnover threshold, and it is not a Commonwealth body, a State body, or a responsible entity for a critical infrastructure asset. Under route (b), an entity is a reporting business entity if it is a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies.

The Cyber Security (Ransomware Payment Reporting) Rules 2025 set the turnover threshold at $3 million for the previous financial year (Rules section 6(1)). If a business has been carried on for only part of the previous financial year, the threshold is pro-rated using the formula: $3 million multiplied by the number of days in the part of the year, divided by the number of days in the full financial year (Rules section 6(2)). The 'business' term itself has the same meaning as in the Income Tax Assessment Act 1997 (section 8 of the Act).

This two-track structure means that most mid-size and large businesses operating in Australia are captured either through the turnover route or the critical infrastructure route. Commonwealth bodies and State bodies are explicitly excluded from the turnover route, but responsible entities for critical infrastructure assets covered by SOCI Part 2B are captured regardless of their turnover. The test is assessed at the time the ransomware payment is made, not at the time the incident occurs.

  • Section 26(2)(a): Entity carrying on business in Australia, annual turnover exceeds threshold, not a Commonwealth body or State body, not a responsible entity for a critical infrastructure asset.
  • Section 26(2)(b): Entity is a responsible entity for a critical infrastructure asset to which Part 2B of the SOCI Act 2018 applies.
  • Rules section 6(1): Turnover threshold is $3 million for the previous financial year.
  • Rules section 6(2): Pro-rata formula for businesses operating for only part of the year.
  • Section 8: 'Business' has the same meaning as in the Income Tax Assessment Act 1997.
  • The test is applied at the time the ransomware payment is made.
  • Practical tip: check critical infrastructure status first because route (b) has no turnover minimum. Then check whether the entity carries on business in Australia with turnover above $3 million. Document the calculation method and source data used.
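The two-route test in section 26(2) and the pro-rata threshold formula in Rules section 6(2) are easy to get wrong by hand, especially the day counts. The Python below is an added example (not code from the page or from any regulator) that applies route (b) first, then route (a) with the pro-rated threshold. It assumes the Australian financial year of 1 July to 30 June, and it treats a business that did not exist at all in the previous financial year as not satisfying the turnover route, which is an assumption the page does not address.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

TURNOVER_THRESHOLD_AUD = 3_000_000  # Ransomware Payment Reporting Rules 2025, s 6(1)


@dataclass
class Entity:
    name: str
    carries_on_business_in_australia: bool
    previous_fy_turnover_aud: float
    is_commonwealth_or_state_body: bool = False
    is_ci_responsible_entity: bool = False   # responsible entity for any critical infrastructure asset
    soci_part_2b_applies: bool = False       # Part 2B of the SOCI Act 2018 applies to that asset
    business_commenced: date | None = None   # None: carried on for the whole previous financial year


def previous_financial_year(payment_date: date) -> tuple[date, date]:
    """Bounds of the financial year preceding the one in which the payment is made.
    Assumption: the Australian financial year runs 1 July to 30 June."""
    current_fy_start_year = payment_date.year if payment_date.month >= 7 else payment_date.year - 1
    return date(current_fy_start_year - 1, 7, 1), date(current_fy_start_year, 6, 30)


def turnover_threshold(entity: Entity, payment_date: date) -> float | None:
    """Rules s 6(1) and 6(2): $3m, pro-rated by days carried on when the business ran for only
    part of the previous financial year. Returns None when the business did not exist at all in
    that year (this example's own handling; the page does not address that case)."""
    start, end = previous_financial_year(payment_date)
    full_days = (end - start).days + 1                 # 365 or 366, inclusive of both ends
    commenced = entity.business_commenced
    if commenced is None or commenced <= start:
        return float(TURNOVER_THRESHOLD_AUD)
    if commenced > end:
        return None
    part_days = (end - commenced).days + 1             # days in the part of the year, inclusive
    return TURNOVER_THRESHOLD_AUD * part_days / full_days


def reporting_business_entity(entity: Entity, payment_date: date) -> tuple[bool, str]:
    """s 26(2), assessed at the time the ransomware payment is made."""
    # Route (b) first: no turnover minimum.
    if entity.is_ci_responsible_entity and entity.soci_part_2b_applies:
        return True, "s 26(2)(b): responsible entity for a critical infrastructure asset under SOCI Part 2B"
    # Route (a): carrying on business in Australia, over the threshold, and none of the exclusions.
    if not entity.carries_on_business_in_australia:
        return False, "s 26(2)(a): not carrying on a business in Australia"
    if entity.is_commonwealth_or_state_body:
        return False, "s 26(2)(a): Commonwealth body or State body is excluded"
    if entity.is_ci_responsible_entity:
        return False, "s 26(2)(a): responsible entity for a critical infrastructure asset is excluded"
    threshold = turnover_threshold(entity, payment_date)
    if threshold is None:
        return False, "s 26(2)(a): no previous financial year turnover to assess"
    if entity.previous_fy_turnover_aud > threshold:
        return True, f"s 26(2)(a): turnover exceeds the threshold of ${threshold:,.2f}"
    return False, f"s 26(2)(a): turnover does not exceed the threshold of ${threshold:,.2f}"


# Constructed sample entities and payment date for illustration.
PAYMENT_DATE = date(2026, 3, 4)          # previous FY is 1 Jul 2024 to 30 Jun 2025 (365 days)
NEW_RETAILER = Entity("New retailer", True, 1_600_000, business_commenced=date(2025, 1, 1))
SMALL_NEW_RETAILER = Entity("Smaller new retailer", True, 1_400_000, business_commenced=date(2025, 1, 1))
LARGE_CORP = Entity("Established corporation", True, 25_000_000)
STATE_AGENCY = Entity("State agency", True, 90_000_000, is_commonwealth_or_state_body=True)
CI_OPERATOR_2B = Entity("Water utility", True, 0, is_ci_responsible_entity=True, soci_part_2b_applies=True)
CI_OPERATOR_NO_2B = Entity("Other CI operator", True, 50_000_000, is_ci_responsible_entity=True)

if __name__ == "__main__":
    for e in (NEW_RETAILER, SMALL_NEW_RETAILER, LARGE_CORP, STATE_AGENCY, CI_OPERATOR_2B, CI_OPERATOR_NO_2B):
        print(e.name, reporting_business_entity(e, PAYMENT_DATE))
```

For a business that commenced on 1 January 2025, the 181 days to 30 June 2025 give a pro-rated threshold of about $1,487,671, so turnover of $1.6 million is captured and $1.4 million is not.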
Section 9

Cyber Security Incident Under the Australia Cyber Security Act 2024 (Section 9)

Section 9(1) of the Australia Cyber Security Act 2024 defines a 'cyber security incident' as one or more acts, events or circumstances (a) of a kind covered by the meaning of cyber security incident in the Security of Critical Infrastructure Act 2018, or (b) involving unauthorised impairment of electronic communication to or from a computer, within the meaning of that phrase in that Act, but as if that phrase did not exclude the mere interception of any such communication. The cross-reference to the SOCI Act anchors the definition in the existing critical infrastructure framework while expanding it slightly to include interception.

Section 9(2) narrows the definition by requiring a constitutional nexus. An incident is only a cyber security incident for the purposes of the Australia Cyber Security Act 2024 if: (a) it involves a critical infrastructure asset, or (b) it involves the activities of a corporation to which paragraph 51(xx) of the Constitution applies, or (c) it is effected by means of a telegraphic, telephonic or other like service (including the internet), or (d) it is impeding or impairing the ability of a computer to connect to such a service, or (e) it has seriously prejudiced or is seriously prejudicing the social or economic stability of Australia, the defence of Australia, or national security.

For the ransomware reporting obligation, section 26(4) creates a presumption: an incident is presumed to be a cyber security incident if it was probably effected by internet means, or probably impeded a computer's ability to connect to such a service, or probably seriously prejudiced national security, social stability, or defence. This lowers the evidentiary burden on the reporting entity and means that most ransomware scenarios will satisfy the cyber security incident definition without detailed constitutional analysis.

  • Section 9(1)(a): Incidents of a kind covered by the SOCI Act 2018 definition of cyber security incident.
  • Section 9(1)(b): Unauthorised impairment of electronic communication to or from a computer, including interception (which the SOCI Act otherwise excludes).
  • Section 9(2)(a): Involves a critical infrastructure asset.
  • Section 9(2)(b): Involves the activities of a constitutional corporation.
  • Section 9(2)(c): Effected by means of a telegraphic, telephonic, or like service, including the internet.
  • Section 9(2)(d): Impedes or impairs a computer's ability to connect to such a service.
  • Section 9(2)(e): Seriously prejudices social or economic stability, defence, or national security.
  • Section 26(4): Presumption lowers the evidentiary threshold for ransomware reporting. If the incident was probably internet-based, it is presumed to be a cyber security incident.
  • Practical tip: for incident response playbooks, assume any ransomware event delivered over the internet satisfies the definition. Spend your time gathering facts for the report, not debating whether the constitutional nexus is met.
Section 10

Ransomware Payment Under the Australia Cyber Security Act 2024 (Section 26(1))

Section 26(1)(d) and (e) of the Australia Cyber Security Act 2024 define the ransomware payment concept. The payment arises when an extorting entity makes a demand of the reporting business entity (or any other entity) in order to benefit from the incident or its impact on the reporting business entity, and the reporting business entity provides, or is aware that another entity has provided on their behalf, a payment or benefit that is directly related to the demand. The term 'benefit' is defined in section 8 to include any advantage and is not limited to property. This means that providing decryption keys, data restoration, or any other form of value to the extorting party counts.

The 72-hour reporting clock starts from when the ransomware payment is made or when the reporting business entity becomes aware that the payment has been made, whichever is applicable (section 27(1)). The report must be given to the designated Commonwealth body, which by default means the Department of Home Affairs and ASD (section 8). The report must contain information about: the reporting entity's contact and business details, the other entity's details if a third party made the payment, the cyber security incident and its impact, the demand, the payment, and the communications with the extorting entity (section 27(2)).

Importantly, the reporting obligation is triggered even when another entity makes the payment on behalf of the reporting business entity. This means that if an insurer, a negotiation firm, or a parent company makes the payment, the reporting business entity must still file the report as long as it is aware the payment was made. The Australia Cyber Security Act 2024 thus prevents the reporting obligation from being circumvented through intermediaries.

  • Section 26(1)(d): An extorting entity makes a demand in order to benefit from the incident or its impact.
  • Section 26(1)(e): The reporting business entity provides, or is aware another entity has provided on their behalf, a payment or benefit directly related to the demand.
  • Section 8: 'Benefit' includes any advantage and is not limited to property.
  • Section 27(1): Report must be given within 72 hours of making the payment or becoming aware it was made.
  • Section 27(2): Report must cover: entity contact details, incident details, impact, the demand, the payment, and communications with the extorting entity.
  • Rules section 7(4): Incident information must include when it occurred, when the entity became aware, infrastructure impact, customer impact, ransomware or malware variants, exploited vulnerabilities, and information that could assist response or mitigation.
  • Rules section 7(5): Demand information must include amount or description and method of provision demanded.
  • Rules section 7(6): Payment information must include amount or description and method of provision.
  • Rules section 7(7): Communications information must include nature and timing of communications, brief description, and pre-payment negotiations.
  • Practical tip: establish escalation paths that include insurers, external negotiators, and legal advisors so that the 72-hour window is not lost while determining who actually made the payment.
Section 11

Designated Commonwealth Body (Section 8)

Section 8 of the Australia Cyber Security Act 2024 defines 'designated Commonwealth body' as (a) a Department, or a body established by a law of the Commonwealth, specified in the rules, or (b) if no rules have been made for paragraph (a), the Department and ASD (the Australian Signals Directorate). As of the commencement of Part 3, no rules have been made specifying alternative bodies, so the designated Commonwealth body remains the Department of Home Affairs and ASD. This is the entity to which ransomware payment reports must be given under section 27.

The definition is designed to be flexible. If the Government decides in the future to designate a different or additional body (for example, a dedicated cyber security reporting agency), it can do so through rules without amending the primary legislation. Compliance teams should monitor the Federal Register of Legislation for any rules made under this provision.

  • Section 8: Designated Commonwealth body means a Department or body specified in the rules, or if no rules exist, the Department (Home Affairs) and ASD.
  • ASD means the Australian Signals Directorate (section 8).
  • Ransomware payment reports under section 27 must be given to the designated Commonwealth body.
  • Practical tip: monitor the Federal Register of Legislation for any rules that change the designated body. Until then, submit reports to the Department of Home Affairs and ASD.
Section 12

Entity, Commonwealth Body, State Body, and Commonwealth Enforcement Body

The Australia Cyber Security Act 2024 defines 'entity' broadly in section 8 to include an individual, a body corporate, a partnership, an unincorporated association that has a governing body, a trust, and an entity that is a responsible entity for a critical infrastructure asset. This broad definition means that natural persons, companies, partnerships, trusts, and critical infrastructure operators can all be subject to the Act's obligations.

A 'Commonwealth body' means a Minister of the Commonwealth, a Department of State of the Commonwealth, or a body established for a public purpose by or under a law of the Commonwealth that is not an authority of the Crown. A 'State body' follows the same pattern for State and Territory Ministers, Departments, and statutory bodies. These definitions matter because Commonwealth bodies and State bodies are excluded from the turnover route into reporting business entity status (section 26(2)(a)(ii)).

The 'Commonwealth enforcement body' definition lists specific agencies: the Australian Federal Police, APRA, ASIC, the Inspector of the National Anti-Corruption Commission, the Office of the Director of Public Prosecutions, the National Anti-Corruption Commissioner, Sport Integrity Australia, and any other Commonwealth body responsible for administering a law that imposes a criminal penalty or sanction. This list determines which bodies may receive information from ransomware payment reports for enforcement functions under the permitted cyber security purpose framework.

  • Section 8: 'Entity' includes individuals, body corporates, partnerships, unincorporated associations with a governing body, trusts, and responsible entities for critical infrastructure assets.
  • Section 8: 'Commonwealth body' includes Commonwealth Ministers, Departments, and public purpose statutory bodies (excluding Crown authorities).
  • Section 8: 'State body' includes State/Territory Ministers, Departments, and public purpose statutory bodies.
  • Section 8: 'Commonwealth enforcement body' includes the AFP, APRA, ASIC, NACC Inspector, DPP, NACC Commissioner, Sport Integrity Australia, and other criminal law agencies.
  • Commonwealth bodies and State bodies are excluded from the turnover-based route into reporting business entity status.
  • The enforcement body list determines who may receive ransomware report information for enforcement purposes.
Section 13

Permitted Cyber Security Purpose (Section 10)

Section 10 of the Australia Cyber Security Act 2024 defines 'permitted cyber security purpose' for a cyber security incident. This concept controls how information from ransomware payment reports and voluntary information sharing can be used and disclosed. The permitted purposes are: (a) a Commonwealth body's functions relating to responding to, mitigating or resolving the incident, (b) a State body's equivalent functions, (c) the National Cyber Security Coordinator's Part 4 functions, (d) informing and advising the Minister and other Commonwealth Ministers, (e) preventing or mitigating material risks to social or economic stability, defence, or national security, (f) preventing or mitigating material risks to a critical infrastructure asset, (g) the functions of an intelligence agency, and (h) the functions of a Commonwealth enforcement body.

The use restriction in section 29(2) prevents the designated Commonwealth body from using ransomware report information to investigate or enforce any contravention of a Commonwealth, State, or Territory law against the reporting entity, except for a contravention of Part 3 itself or a criminal offence. Section 32 further provides that information in a ransomware payment report is not admissible in evidence in most civil proceedings against the reporting entity. These protections are designed to encourage honest reporting by reducing the legal risk that comes with disclosing a ransomware payment.

  • Section 10(a)-(h): Permitted purposes cover incident response, Government coordination, national security, intelligence functions, and enforcement body functions.
  • Section 29(2): Ransomware report information cannot be used against the reporting entity for civil or regulatory enforcement, except for Part 3 contraventions or criminal offences.
  • Section 32: Ransomware report information is generally not admissible against the reporting entity in civil proceedings.
  • Section 28: An entity acting in good faith in compliance with section 27 is not liable for damages.
  • These protections are a deliberate incentive structure: the Australia Cyber Security Act 2024 is designed so that entities report ransomware payments rather than conceal them for fear of regulatory action.
Section 14

Significant Cyber Security Incident (Section 34) and Voluntary Information Sharing

Part 4 of the Australia Cyber Security Act 2024 provides a separate framework for the coordination of significant cyber security incidents. Section 34 defines a 'significant cyber security incident' by reference to criteria set out in the Act, and section 37 gives the National Cyber Security Coordinator the function of leading the whole of Government response to such an incident. Under section 35, an entity impacted by a significant cyber security incident may voluntarily provide information to the National Cyber Security Coordinator. Section 36 also allows voluntary provision of information about other incidents or cyber security incidents more broadly.

The voluntary information sharing provisions in Part 4 carry strong protections. Information provided under section 35 is subject to use and disclosure restrictions in sections 38 to 40, and to evidentiary protections in sections 42 and 43. Section 42 makes voluntarily given information generally inadmissible against the entity, and section 43 provides that the National Cyber Security Coordinator is not compellable as a witness in relation to information provided under Part 4. These protections are separate from and additional to the ransomware reporting protections in Part 3.

  • Section 34: Defines 'significant cyber security incident' for the Part 4 coordination framework.
  • Section 35: Impacted entities may voluntarily provide information to the National Cyber Security Coordinator.
  • Section 37: The National Cyber Security Coordinator leads the whole of Government coordination and triaging of the response.
  • Sections 38-40: Use and disclosure restrictions on information provided in relation to significant cyber security incidents.
  • Section 42: Voluntarily given information is generally inadmissible against the entity.
  • Section 43: The National Cyber Security Coordinator is not compellable as a witness.
Section 15

Security Standard Obligations and Enforcement Under the Australia Cyber Security Act 2024

Part 2 of the Australia Cyber Security Act 2024 creates a three-tier enforcement framework for security standard non-compliance. If the Secretary is reasonably satisfied that an entity is not complying with its obligations under section 15 or 16, the Secretary may issue a compliance notice (section 17). If the entity fails to comply with the compliance notice, a stop notice may follow (section 18). If the entity fails to comply with the stop notice, a recall notice may follow (section 19). Before issuing any of these notices, the Secretary must give the entity at least 10 days to make representations.

If an entity fails to comply with a recall notice, the Minister may publicly notify the failure, including the entity's identity, product details, non-compliance details, risks posed by the product, and any other matters prescribed by the rules (section 20). Entities may seek internal review of the decision to issue any notice (section 22), and the Secretary may engage independent experts to examine products for compliance (section 23). Part 6 provides additional regulatory powers including civil penalties, enforceable undertakings, injunctions, monitoring powers, and investigation powers.

By contrast, the only civil penalty attached to the Part 3 reporting obligation is the 60 penalty units in section 27 for failing to make a ransomware payment report. Section 28 balances this by providing that an entity is not liable for damages for acts done in good faith in compliance with section 27, giving legal shelter to entities that report honestly and promptly.

  • Section 17: Compliance notice for non-compliance with section 15 or 16.
  • Section 18: Stop notice if entity fails to comply with compliance notice.
  • Section 19: Recall notice if entity fails to comply with stop notice.
  • Section 20: Public notification of failure to comply with recall notice.
  • Section 22: Internal review within 30 days of notice being given.
  • Section 23: Secretary may engage independent experts for compliance examination.
  • Section 27(5): Civil penalty of 60 penalty units for failure to report a ransomware payment.
  • Section 28: Good faith liability protection for entities complying with the reporting obligation.
  • At least 10 days must be given for representations before any enforcement notice is issued.
Section 16

Other Key Definitions in the Australia Cyber Security Act 2024

Several additional definitions in section 8 of the Australia Cyber Security Act 2024 are relevant for compliance work. 'Computer' has the same meaning as in the Security of Critical Infrastructure Act 2018. 'Critical infrastructure asset' also has the same meaning as in SOCI 2018, tying the Act's scope directly to the existing critical infrastructure register. 'Responsible entity' for an asset has the same meaning as in SOCI 2018. 'Personal information' and 'sensitive information' have the same meanings as in the Privacy Act 1988.

The Act establishes the Cyber Incident Review Board (CIRB) through section 60, with functions that include causing reviews of certain cyber security incidents and making recommendations to Government and industry (section 62). The Board operates independently (section 63) and produces draft review reports (section 51), final review reports (section 52), and protected review reports (section 54). Sensitive review information must be redacted from final reports (section 53). These provisions make up the Part 5 framework for post-incident learning, which runs separately from the Part 3 reporting obligation.

The 'National Cyber Security Coordinator' is defined in section 8 as the officer of the Department known by that title, together with the APS employees and officers whose services are made available in connection with the Coordinator's functions and powers. This definition ensures that the Coordinator has a supporting team, not just an individual role, for incident coordination under Part 4.

  • Section 8: 'Computer' has the same meaning as in the SOCI Act 2018.
  • Section 8: 'Critical infrastructure asset' has the same meaning as in the SOCI Act 2018.
  • Section 8: 'Responsible entity' has the same meaning as in the SOCI Act 2018.
  • Section 8: 'Personal information' and 'sensitive information' have the same meanings as in the Privacy Act 1988.
  • Section 60: Cyber Incident Review Board is established for post-incident reviews.
  • Section 8: 'National Cyber Security Coordinator' includes the named officer and supporting staff.
  • Section 8: 'Ransomware payment report' means a report given under subsection 27(1).
  • Section 8: 'Relevant connectable product' has the meaning given by subsection 13(2).
  • Section 8: 'Reporting business entity' has the meaning given by subsection 26(2).
Recommended next step

Use Australia Cyber Security Act 2024 Scope and Definitions as a cited research workflow

Research Copilot can take Australia Cyber Security Act 2024 Scope and Definitions from clarifying scope and applicability with cited answers to a reusable workflow inside Sorena. Teams working on Australia Cyber Security Act 2024 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Primary sources

References and citations

legislation.gov.au
Referenced sections
  • Primary legislation containing all scope definitions, Part 2 smart device standards, Part 3 ransomware reporting, Part 4 incident coordination, and Part 5 Cyber Incident Review Board.