
Australia Cyber Security Act 2024 Compliance Templates

Six Australia Cyber Security Act 2024 compliance templates covering every required field from the Act, the Cyber Security (Security Standards for Smart Devices) Rules 2025, and the Cyber Security (Ransomware Payment Reporting) Rules 2025.

Each Australia Cyber Security Act 2024 compliance template on this page lists every mandatory field, identifies the legal source, and provides practical guidance on how to fill every entry so your team can produce accurate records on the first attempt.

Author: Sorena AI
Published: Mar 4, 2026
Updated: Mar 4, 2026

Overview

A useful Australia Cyber Security Act 2024 compliance template does two things at once: it removes friction from the compliance process and it enforces accuracy by listing every legally required field. This page provides six Australia Cyber Security Act 2024 compliance templates that together cover the full lifecycle of obligations under the Act and its subsidiary Rules. The first Australia Cyber Security Act 2024 compliance template addresses the statement of compliance required for smart devices under Section 9 of the Smart Devices Rules. The second covers the ransomware payment report required after a ransomware payment under Section 7 of the Ransomware Reporting Rules. The third provides the evidence pack structure that supports each statement of compliance. The fourth establishes the product classification register that tracks scope decisions across all product lines. The fifth sets out the vulnerability disclosure page that satisfies the security issue reporting requirement under Schedule 1 Clause 3. The sixth covers the support period publication that satisfies the defined support period requirement under Schedule 1 Clause 4. Each Australia Cyber Security Act 2024 compliance template below lists every required field, identifies the exact section or clause of the law, and provides practical guidance on how to fill the field correctly.

Section 1

Statement of compliance template (Smart Devices Rules Section 9)

The statement of compliance is the most formally prescribed document in the Australia Cyber Security Act 2024 compliance templates set. Section 9 of the Cyber Security (Security Standards for Smart Devices) Rules 2025 lists exactly seven categories of information that every statement must contain. Section 16 of the Act requires manufacturers to provide the statement and suppliers to supply the product with the statement. Both manufacturers and suppliers must retain copies for five years under Section 10 of the Rules. The statement must be prepared by, or on behalf of, the manufacturer of the product. Responsible entities operating across jurisdictions with similar frameworks, such as the UK Product Security and Telecommunications Infrastructure Regulations 2023, can use the same statement for the Australian market as long as all Section 9 requirements are met. Statements of compliance are not required to be provided with the product at the point of sale, but the regulator may request them at any time to verify compliance. The statement is for the use of the regulator to ensure the responsible entity has met its obligations under the Act and the Rules.

Below is every required field from Section 9(3) of the Smart Devices Rules, together with practical guidance on how to fill each field in your Australia Cyber Security Act 2024 compliance templates.

  • Field 1 as required by Section 9(3)(a): Product type and batch identifier. Record the formal product type name and the batch identifier that uniquely identifies the specific group of products manufactured or processed together. Use the same product type name that appears on packaging and marketing materials. The batch identifier should allow traceability back to manufacturing records for the specific production run.
  • Field 2 as required by Section 9(3)(b)(i): Name and address of the manufacturer of the product. Provide the full legal entity name and registered business address of the manufacturer. If the manufacturer is a sole trader, note that the personal information of the individual (name and address) will appear on the statement. The Explanatory Statement to the Rules acknowledges this privacy limitation as reasonable and necessary to ensure accountability for compliance with the security standard.
  • Field 3 as required by Section 9(3)(b)(ii): Name and address of an authorised representative of the manufacturer. Provide the full legal entity name and registered business address of the authorised representative designated by the manufacturer to act on their behalf. If the manufacturer is based outside Australia, this field identifies the representative who can receive regulatory correspondence.
  • Field 4 as required by Section 9(3)(b)(iii): Name and address of each of the manufacturer's other authorised representatives that are in Australia. List every additional authorised representative located in Australia with the full legal entity name and address. If there are no additional authorised representatives in Australia, state that fact explicitly so the field is not left ambiguous.
  • Field 5 as required by Section 9(3)(c): Declaration that the statement has been prepared by, or on behalf of, the manufacturer of the product. Include a declaration in controlled wording such as: 'This statement of compliance has been prepared by [or on behalf of] [manufacturer name].' Keep the wording consistent across all products to reduce the risk of accidental omission.
  • Field 6 as required by Section 9(3)(d): Declaration that, in the opinion of the manufacturer, (i) the product has been manufactured in compliance with the requirements of the security standard in Part 1 of Schedule 1 to the Rules, and (ii) the manufacturer has complied with any other obligations relating to the product in the security standard. This is a dual declaration. The first part covers product manufacturing compliance. The second part covers the manufacturer's process obligations including the obligation to publish security issue reporting information under Schedule 1 Clause 3 and the obligation to publish the defined support period under Schedule 1 Clause 4.
  • Field 7 as required by Section 9(3)(e): The defined support period for the product at the date the statement of compliance is issued. State the defined support period as a period of time with an explicit end date. For example, write 'Security updates will be provided until no later than 30 June 2031.' The end date format recommended by the Explanatory Statement is a specific calendar date. The manufacturer must not shorten this period after publication under Schedule 1 Clause 4(4).
  • Field 8 as required by Section 9(3)(f): The signature, name, and function of the signatory of the manufacturer. Record the handwritten or electronic signature, the full name of the signatory, and the job function or title of the signatory within the manufacturer organisation. The signatory should have authority to bind the manufacturer. The Explanatory Statement notes that including signatory details provides the regulator with a point of contact if there are concerns with the statement.
  • Field 9 as required by Section 9(3)(g): The place and date of issue of the statement of compliance. Record the city and country where the statement was signed and the calendar date of issue. Use an unambiguous date format such as DD Month YYYY to prevent confusion between date conventions.
  • Document control fields (operational best practice for your Australia Cyber Security Act 2024 compliance templates). Although not required by Section 9, add an internal document number, a revision history table, and a storage location reference. These fields make it easier to demonstrate version control during the five year retention period under Section 10 and to manage updates when the defined support period is extended.

Section 2

Ransomware payment report template (Ransomware Reporting Rules Section 7)

Part 3 of the Australia Cyber Security Act 2024 requires a reporting business entity to give the designated Commonwealth body a ransomware payment report within 72 hours of making the payment or becoming aware that the payment was made. Section 7 of the Cyber Security (Ransomware Payment Reporting) Rules 2025 prescribes exactly what information the report must contain. Information is only required to the extent that the reporting business entity knows or is able, by reasonable search or enquiry, to find out within the 72 hour window. A reporting business entity is one that is either a responsible entity for a critical infrastructure asset under Part 2B of the Security of Critical Infrastructure Act 2018 or is carrying on a business in Australia with annual turnover exceeding $3 million in the previous financial year under Section 6 of the Rules. If the business operated for only part of the previous financial year, the threshold is prorated using the formula: $3 million multiplied by the number of days in the part divided by the number of days in the previous financial year. The report must be given in the form approved by the Secretary (if any) and in the manner prescribed by the rules under Section 27(4) of the Act.

Below is every required field from Section 7 of the Ransomware Reporting Rules, mapped to the corresponding paragraph of Section 27(2) of the Act, together with practical guidance for your Australia Cyber Security Act 2024 compliance templates. Preparing this template in advance is critical because 72 hours is too short to build a reporting process during an active incident.

  • Field group A: Reporting business entity contact and business details, required by Section 7(2) and mapping to Section 27(2)(a) of the Act. The Rules require the entity's ABN (if any) and address. In your Australia Cyber Security Act 2024 compliance templates, also capture the entity name, primary contact person name, phone number, and email address. These fields should be filled in advance and reviewed quarterly so they are ready during a crisis.
  • Field group B: Other paying entity contact and business details, required by Section 7(3) and mapping to Section 27(2)(b) of the Act. If another entity made the ransomware payment on behalf of the reporting business entity, the Rules require that other entity's ABN (if any) and address. If the reporting business entity made the payment directly, record that fact and mark this section as not applicable.
  • Field group C1: Date and time when the incident occurred or is estimated to have occurred, required by Section 7(4)(a) and mapping to Section 27(2)(c) of the Act. Provide the best available estimate of when the cyber security incident began. Use UTC timestamps where possible and note any uncertainty in the estimate.
  • Field group C2: Date and time when the reporting business entity became aware of the incident, required by Section 7(4)(b). Record the exact date and time, or the best estimate, when the entity first became aware that a cyber security incident had occurred.
  • Field group C3: Impact of the incident on the reporting business entity's infrastructure, required by Section 7(4)(c). Describe which systems, networks, or infrastructure components were affected. Include the number and type of endpoints compromised, the operational impact, and any service disruptions.
  • Field group C4: Impact of the incident on the reporting business entity's customers, required by Section 7(4)(d). Describe how customers were affected. Include estimates of the number of customers impacted, the types of customer data potentially exposed, and any service outages visible to customers.
  • Field group C5: Ransomware or malware variants used, required by Section 7(4)(e). Identify which variants of ransomware or other malware were used in the incident. If the variant is unknown at the time of reporting, state that fact and provide any available indicators of compromise such as file hashes or network signatures.
  • Field group C6: Vulnerabilities exploited in the reporting business entity's system, required by Section 7(4)(f). Identify which vulnerabilities were exploited. Use CVE identifiers where available. If the vulnerability is not yet identified, describe the attack vector to the extent known within the 72 hour window.
  • Field group C7: Information to assist response, mitigation, or resolution by a Commonwealth body or State body, required by Section 7(4)(g). Provide any additional information that could assist a Commonwealth body or State body in responding to, mitigating, or resolving the cyber security incident. This may include indicators of compromise, threat actor tactics, techniques, and procedures, or network diagrams. Note that ransomware payment reports may only be used or disclosed for permitted purposes under Section 29 of the Act, and the information must not be disclosed to a State body unless a Minister of the State or Territory has consented under Section 11 of the Act.
  • Field group D1: Amount or quantum of the ransom demanded, required by Section 7(5)(a) and mapping to Section 27(2)(d) of the Act. Record the amount of the ransomware payment demanded. If the demand was for a benefit that is not monetary, provide a description of that benefit. Include the currency and any cryptocurrency wallet addresses if applicable.
  • Field group D2: Method of provision demanded by the extorting entity, required by Section 7(5)(b). Record the method of payment demanded, for example cryptocurrency transfer, wire transfer, or another mechanism.
  • Field group E1: Amount or quantum of the payment actually made, required by Section 7(6)(a) and mapping to Section 27(2)(e) of the Act. Record the amount of the ransomware payment actually provided. If the payment was a benefit that is not monetary, describe it. Include transaction identifiers and cryptocurrency wallet addresses where available.
  • Field group E2: Method of provision of the payment, required by Section 7(6)(b). Record how the payment was actually made, including the payment platform, transaction reference, and date and time of the transfer.
  • Field group F1: Nature and timing of communications with the extorting entity, required by Section 7(7)(a) and mapping to Section 27(2)(f) of the Act. Record the nature of each communication (email, chat, voice, or other channel) and the date and time it occurred.
  • Field group F2: Brief description of those communications, required by Section 7(7)(b). Provide a factual summary of each communication between the reporting business entity and the extorting entity. Keep descriptions brief as required by the Rules.
  • Field group F3: Brief description of any negotiations before the payment, required by Section 7(7)(c). Provide a factual summary of any negotiations that took place before the ransomware payment was made, including any changes to the original demand amount or method of provision.
  • Submission method and timestamp (operational best practice for your Australia Cyber Security Act 2024 compliance templates). Record the method used to submit the report to the designated Commonwealth body, the exact submission date and time, the name of the person who authorised the submission, and retain a copy of the submitted report. Section 27(4) of the Act requires the report to be given in the form approved by the Secretary if one has been issued, so check for an approved form before submission.
Section 3

Smart device evidence pack template (operational support for the statement of compliance)

The statement of compliance declares that the product meets the security standard, but the evidence pack is what proves it. The evidence pack is the Australia Cyber Security Act 2024 compliance template that collects all supporting evidence for a single product model or controlled version. Build one evidence pack per product model or per controlled firmware version. The pack should contain test results, screenshots, process records, and approval sheets that support each requirement of the security standard in Part 1 of Schedule 1 to the Smart Devices Rules 2025. During an examination under Section 23 of the Act, the Secretary may request the manufacturer or supplier to provide the product and the statement of compliance for the purposes of an audit. The evidence pack will be the foundation of your response to any such request.

Below are the evidence categories to include in your Australia Cyber Security Act 2024 compliance templates evidence pack, mapped to the relevant Schedule 1 clauses.

  • Product identity record. Record the product type name, model number, internal product code, hardware revision, firmware version, batch identifiers covered by this evidence pack, manufacturing location, and the date range of manufacture. These details must match the product type and batch identifier recorded in Field 1 of the statement of compliance under Section 9(3)(a).
  • Password design evidence supporting Schedule 1 Clause 2. For each password category identified in Clause 2(1), document whether the password is unique per product under Clause 2(2)(a) or defined by the user under Clause 2(2)(b). The three password categories are: hardware of the product when the product is not in the factory default state (Clause 2(1)(a)), software that is installed on the product at the point of supply when the product is not in the factory default state (Clause 2(1)(b)), and software that is not installed at supply but must be installed for all of the manufacturer's intended purposes (Clause 2(1)(c)). If passwords are unique per product, provide evidence that they are not based on incremental counters (Clause 2(3)(a)), not based on or derived from publicly available information (Clause 2(3)(b)), not based on or derived from unique product identifiers such as serial numbers unless encrypted or hashed using a method accepted as good industry practice (Clause 2(3)(c)), and not otherwise guessable in a manner unacceptable as part of good industry practice (Clause 2(3)(d)). Include cryptographic design documents, test reports showing password uniqueness across a sample batch, and penetration test results.
  • Security issue reporting page evidence supporting Schedule 1 Clause 3. Capture a dated screenshot or PDF archive of the published page that provides at least one point of contact for reporting security issues (Clause 3(2)(a)). Confirm the page states when a reporter will receive an acknowledgement of receipt (Clause 3(2)(b)(i)) and when they will receive status updates until resolution (Clause 3(2)(b)(ii)). Verify that the published information meets the quality requirements: accessible, clear, and transparent (Clause 3(3)(a)), available without prior request (Clause 3(3)(b)), published in English (Clause 3(3)(c)), free of charge (Clause 3(3)(d)), and does not require the provision of personal information to access (Clause 3(3)(e)). Record the URL, the capture date, and the name of the person who verified compliance.
  • Defined support period publication evidence supporting Schedule 1 Clause 4. Capture a dated screenshot or PDF archive of each location where the defined support period is published. The period must be expressed as a period of time with an explicit end date under Clause 4(3), for example 'Security updates will be provided until no later than 30 June 2031.' Verify that the publication meets the quality requirements: accessible, clear, transparent, available without prior request, in English, free of charge, does not require personal information, and is understandable by a reader without prior technical knowledge (Clause 4(6)). If the manufacturer offers to supply the product on its own website or another website under its control, capture evidence that the support period is prominently published with information intended to inform consumer purchasing decisions and is published alongside or given equal prominence to the main characteristics of the product (Clause 4(7)). This may require screenshots from multiple locations including product information pages, product purchase pages, and product comparison pages. Record each URL, the support period stated, the end date, and the verification date.
  • Security update delivery evidence supporting the ongoing obligation under Schedule 1 Clause 4. Document how security updates are delivered during the defined support period. Include release notes for each security update issued, the date the update was made available, and the delivery mechanism. This evidence demonstrates that the manufacturer is meeting the ongoing obligation to provide security updates as far as practicable and in line with good industry practice.
  • Final approval sheet. Record the name and function of the person who reviewed the evidence pack, the date of approval, the assessment conclusion for each clause of the security standard (pass or fail with reasons), and the document reference number of the statement of compliance that was issued on the basis of this evidence pack. This sheet closes the loop between evidence and declaration in your Australia Cyber Security Act 2024 compliance templates.
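As an added illustration of the "test reports showing password uniqueness across a sample batch" item in the password design evidence above (not code from this guide, the Rules or any regulator), the following Python script runs plain-text checks that mirror Clause 2(2)(a) and Clause 2(3)(a) to (d) over a constructed sample batch; the serial numbers, passwords, public-default list and entropy threshold are all assumptions, and a clean run is evidence for the pack, not a legal conclusion.

```python
"""Batch check supporting the Schedule 1 Clause 2 password evidence.

Added illustration only; not code from the guide, the Rules or any regulator.
It assumes a constructed sample of (serial number, per-device default password)
pairs for one production batch and applies checks that mirror:
  Clause 2(2)(a)  unique per product
  Clause 2(3)(a)  not based on an incremental counter
  Clause 2(3)(b)  not based on publicly available information
  Clause 2(3)(c)  not derived from a unique product identifier (the serial)
  Clause 2(3)(d)  not otherwise guessable
"""
import math
import re
from collections import Counter

# Constructed sample batch (hypothetical serials and passwords) expected to pass.
GOOD_BATCH = [
    ("SN-000101", "k7Qz-4mPw-9rTb"),
    ("SN-000102", "Vx2L-8nHs-3cYd"),
    ("SN-000103", "pR5t-Wq1J-6zMa"),
    ("SN-000104", "N9hF-2bKe-Ys7u"),
]

# Constructed batch that should fail several checks.
BAD_BATCH = [
    ("SN-000201", "DEV-0201"),   # stem plus counter, and embeds the serial digits
    ("SN-000202", "DEV-0202"),
    ("SN-000203", "DEV-0203"),
    ("SN-000204", "password"),   # publicly known default
    ("SN-000205", "password"),   # reused across products
]

# Short constructed stand-in for a published list of well-known default passwords.
PUBLIC_DEFAULTS = {"admin", "password", "12345678", "default", "letmein"}

MIN_ENTROPY_BITS = 40.0   # assumed local policy threshold, not taken from the Rules


def entropy_bits(password: str) -> float:
    """Rough strength estimate: log2(character pool size) times the length."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def derived_from_serial(serial: str, password: str) -> bool:
    """Clause 2(3)(c): the password must not embed the serial or its digit run."""
    digits = re.sub(r"\D", "", serial).lstrip("0")
    serial_low, pw_low = serial.lower(), password.lower()
    return serial_low in pw_low or (len(digits) >= 3 and digits in pw_low)


def incremental_counter(passwords: list[str]) -> bool:
    """Clause 2(3)(a): flag a common stem followed by a digit run that steps by
    a constant across three or more products (e.g. DEV-0201, DEV-0202, ...)."""
    groups: dict[str, list[int]] = {}
    for pw in passwords:
        match = re.fullmatch(r"(.*?)(\d+)", pw)
        if match:
            groups.setdefault(match.group(1), []).append(int(match.group(2)))
    for nums in groups.values():
        if len(nums) >= 3:
            steps = {b - a for a, b in zip(nums, nums[1:])}
            if len(steps) == 1 and steps != {0}:
                return True
    return False


def check_batch(batch: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Return {clause label: [serials or batch-level notes]} for every failed
    check. An empty dict means the sample passed all checks."""
    findings: dict[str, list[str]] = {}

    def add(clause: str, note: str) -> None:
        findings.setdefault(clause, []).append(note)

    passwords = [pw for _, pw in batch]
    reused = [pw for pw, n in Counter(passwords).items() if n > 1]
    if reused:
        add("2(2)(a) unique per product", f"{len(reused)} password(s) reused")
    if incremental_counter(passwords):
        add("2(3)(a) incremental counter", "batch passwords step by a constant")
    for serial, pw in batch:
        if pw.lower() in PUBLIC_DEFAULTS:
            add("2(3)(b) publicly available", serial)
        if derived_from_serial(serial, pw):
            add("2(3)(c) derived from serial", serial)
        if entropy_bits(pw) < MIN_ENTROPY_BITS:
            add("2(3)(d) guessable", serial)
    return findings


if __name__ == "__main__":
    for name, batch in (("GOOD_BATCH", GOOD_BATCH), ("BAD_BATCH", BAD_BATCH)):
        print(name, check_batch(batch) or "no findings")
```

Record the script version, the sample size and the resulting findings in the evidence pack alongside the cryptographic design documents the clause item calls for.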
Section 4

Product classification register template (scope tracking for all product lines and entities)

The product classification register is the Australia Cyber Security Act 2024 compliance template that records the scope decision for every product and legal entity. The register tracks which products are relevant connectable products under Section 13 of the Act, which fall within the specified class of consumer grade products under Section 8 of the Smart Devices Rules, which are exempt under Section 8(1)(b), and which trigger the obligation to prepare a statement of compliance under Section 16 of the Act. The register also captures the turnover and critical infrastructure assessment for ransomware reporting obligations under Part 3 of the Act. Without a register, organisations risk missing products that enter scope when hardware revisions change or when new software is added.

Below are the fields to include in your product classification register as part of your Australia Cyber Security Act 2024 compliance templates.

  • Legal entity name, ABN, and business address. Identify the entity that manufactures or supplies the product. This field also supports the ransomware reporting threshold assessment because the turnover threshold under Section 6 of the Ransomware Reporting Rules is assessed at the entity level.
  • Product model name, internal product code, and current firmware version. Use the same naming convention that appears on packaging and on the statement of compliance.
  • Relevant connectable product assessment under Section 13 of the Act. Record whether the product can directly or indirectly connect to the internet. If yes, the product is a relevant connectable product and further classification is required.
  • Consumer grade classification under Section 8(1)(a) of the Smart Devices Rules. Record whether the product is intended by the manufacturer to be used, or is of a kind likely to be used, for personal, domestic, or household consumption under the Australian Consumer Law. Section 6 of the Rules defines consumer by reference to Section 3 of the Australian Consumer Law. If the product would be taken to have been acquired as a consumer under the ACL, it falls within the specified class.
  • Exemption assessment under Section 8(1)(b) of the Smart Devices Rules. Record whether the product falls into any of the excluded categories: a desktop computer, a laptop, a tablet computer, a smartphone, a therapeutic good within the meaning of the Therapeutic Goods Act 1989, a road vehicle within the meaning of the Road Vehicle Standards Act 2018, or a road vehicle component within the meaning of the Road Vehicle Standards Act 2018. If the product matches an exemption, record the exemption category and the reasoning. The Explanatory Statement notes that these exemptions exist because of existing regulatory frameworks or because of the complexity of component supply chains.
  • Specified circumstance assessment under Section 8(2) of the Smart Devices Rules. Record whether the product could reasonably be expected to be acquired in Australia by a consumer. This is the circumstance that triggers the security standard in Part 1 of Schedule 1.
  • Final scope conclusion. Record whether the product is in scope or out of scope for the security standard. If in scope, record the date when the statement of compliance must be prepared and the date when compliance with the security standard is required. Part 2 and Schedule 1 of the Smart Devices Rules commenced 12 months after registration, which is 4 March 2026.
  • Ransomware reporting applicability assessment. For each legal entity, record whether the entity is a responsible entity for a critical infrastructure asset under Part 2B of the Security of Critical Infrastructure Act 2018 or whether it carries on a business in Australia with annual turnover exceeding the $3 million threshold under Section 6 of the Ransomware Reporting Rules. If the entity carried on business for only part of the previous financial year, calculate the prorated threshold using the formula in Section 6(2) of the Rules.
  • Review trigger and next reassessment date. Define the events that would trigger a reassessment of the classification, such as a new product release, a hardware revision, a change in supply market, a change in legal entity structure, or a change in annual turnover. Set a calendar date for the next scheduled review. This field ensures the register stays current as your Australia Cyber Security Act 2024 compliance templates are updated over time.
Section 5

Vulnerability disclosure page template (Schedule 1 Clause 3 of the Smart Devices Rules)

Schedule 1 Clause 3 of the Smart Devices Rules requires manufacturers to publish information on how a person can report security issues relating to the product. This publication requirement is one of the three core obligations in the security standard and is referenced in the compliance declaration within the statement of compliance (Section 9(3)(d)(ii)). A properly designed vulnerability disclosure page satisfies the legal requirement and also reduces the risk of uncoordinated public disclosure of security issues. The page must be accessible without prior request, published in English, free of charge, and must not require the provision of personal information for a person to access the reporting information. This template is a critical component of the Australia Cyber Security Act 2024 compliance templates set because the manufacturer's compliance with this requirement is part of the dual declaration in the statement of compliance.

Below are the required and recommended fields for your vulnerability disclosure page template as part of your Australia Cyber Security Act 2024 compliance templates.

  • Point of contact for reporting security issues, required by Schedule 1 Clause 3(2)(a). Publish at least one point of contact that allows any person to report security issues to the manufacturer. This could be a dedicated security mailbox on the manufacturer's own domain, a web form, or both. The contact must cover security issues relating to the hardware of the product (Clause 3(1)(a)), software that is installed on the product at the point of supply (Clause 3(1)(b)), software that must be installed for the manufacturer's intended purposes (Clause 3(1)(c)), and software used for or in connection with any of the manufacturer's intended purposes (Clause 3(1)(d)).
  • Acknowledgement timeline, required by Schedule 1 Clause 3(2)(b)(i). State when a person who reports a security issue will receive an acknowledgement of receipt. Publish a specific timeframe, for example 'We will acknowledge receipt of your report within 5 business days.' The Explanatory Statement to the Rules confirms that the manufacturer must ensure the person receives an acknowledgement.
  • Status update policy, required by Schedule 1 Clause 3(2)(b)(ii). State when and how the reporter will receive status updates until the resolution of the reported security issues. Publish a specific cadence, for example 'We will provide status updates at least every 30 calendar days until the issue is resolved.'
  • Accessibility requirement, required by Schedule 1 Clause 3(3)(a). The published information must be accessible, clear, and transparent. Use plain language, avoid jargon, and ensure the page is reachable from the main website navigation or product support section.
  • Availability without prior request, required by Schedule 1 Clause 3(3)(b). The page must be available to any person without requiring a prior request. Do not place the reporting information behind a login, an account registration, or a support ticket.
  • English language requirement, required by Schedule 1 Clause 3(3)(c). The information must be published in English. Additional languages may be provided but the English version must be present.
  • Free of charge requirement, required by Schedule 1 Clause 3(3)(d). The information must be available free of charge. Do not require a purchase, subscription, or payment to access the reporting page.
  • No personal information requirement for access, required by Schedule 1 Clause 3(3)(e). Accessing the published reporting information must not require the person to provide personal information. Note that the Explanatory Statement clarifies the manufacturer may request reasonable contact information (such as an email address) from a person who actually submits a report, for the purpose of providing acknowledgement and status updates. Any collection of personal information remains subject to the Privacy Act 1988.
  • Covered products (operational best practice). List the product models and product families covered by this disclosure page. If a single page covers multiple products, group them by product family for clarity.
  • Safe harbour statement (operational best practice). Although not required by the Act, publishing a safe harbour statement encourages security researchers to report issues by assuring them that the manufacturer will not pursue legal action against researchers who act in good faith and follow responsible disclosure practices.
  • Page review and evidence capture schedule (operational best practice for your Australia Cyber Security Act 2024 compliance templates). Record the URL of the published page, the date it was last reviewed, and the next scheduled review date. Capture a dated screenshot or PDF archive for the evidence pack each time the page is created, reviewed, or updated.
Section 6

Support period publication template (Schedule 1 Clause 4 of the Smart Devices Rules)

Schedule 1 Clause 4 of the Smart Devices Rules requires manufacturers to publish the defined support period for security updates. The defined support period must be expressed as a period of time with an explicit end date under Clause 4(3) and must not be shortened after publication under Clause 4(4), although it may be extended under Clause 4(5). If the manufacturer offers to supply the product on its own website or another website under its control, the support period must be prominently published alongside information intended to inform consumer purchasing decisions and alongside the main characteristics of the product under Clause 4(7). A complete support period publication template is a required part of any Australia Cyber Security Act 2024 compliance templates set because the defined support period also appears as Field 7 of the statement of compliance under Section 9(3)(e).

The Explanatory Statement to the Rules provides detailed guidance on the prominence requirements. Product information pages, product purchase pages, and product comparison pages are examples of locations where the support period is likely required. Generic press releases, support articles, and accessory purchase pages are not likely to contain information intended to inform consumer purchasing decisions. Below are the required and recommended fields for your support period publication template as part of your Australia Cyber Security Act 2024 compliance templates.

  • Product model name and identifier. Use the same naming convention as the statement of compliance and the evidence pack. Include the hardware and software components covered by the defined support period as described in Schedule 1 Clause 4(1): hardware capable of receiving security updates (Clause 4(1)(a)), software installed at the point of supply that is capable of receiving security updates (Clause 4(1)(b)), required installable software capable of receiving security updates (Clause 4(1)(c)), and software developed by or on behalf of the manufacturer that is capable of receiving security updates and used for any of the manufacturer's intended purposes (Clause 4(1)(d)).
  • Defined support period statement with explicit end date, required by Schedule 1 Clause 4(1) and Clause 4(3). State the period and the end date. For example, 'Security updates for [product name] will be provided until no later than 30 June 2031.' The Explanatory Statement specifies that the period should include a fixed end date rather than an open-ended period of time.
  • Original publication date. Record the date the defined support period was first published. This date anchors the rule in Clause 4(4) that the manufacturer must not shorten the defined support period after publication.
  • Accessibility and quality requirements, required by Schedule 1 Clause 4(6). The published support period must be accessible, clear, and transparent (Clause 4(6)(a)). It must be made available without prior request (Clause 4(6)(b)(i)), in English (Clause 4(6)(b)(ii)), free of charge (Clause 4(6)(b)(iii)), without requiring personal information (Clause 4(6)(b)(iv)), and in a way that is understandable by a reader without prior technical knowledge (Clause 4(6)(b)(v)). Confirm compliance with each of these six requirements.
  • Website prominence requirements, required by Schedule 1 Clause 4(7) if the manufacturer offers to supply the product on its website or another website under its control. The defined support period must be prominently published with other information on the website that is intended to inform consumer decisions to acquire the product. The defined support period must also be published alongside or given equal prominence to the main characteristics of the product. This may require the support period to appear in multiple locations on the website, for example the product information page, the product purchase page, and any product comparison page.
  • Extension publication record, required by Schedule 1 Clause 4(5). If the manufacturer extends the defined support period, the new period must be published as soon as is practicable. Record the original period and end date, the extended period and new end date, the date the extension was published, and the URLs where the updated period was published.
  • Publication locations and URLs. List every URL where the support period is published. For each URL, record the date the content was last verified and capture a dated screenshot or PDF archive for the evidence pack.
  • Statement of compliance cross-reference (operational best practice for your Australia Cyber Security Act 2024 compliance templates). Record the document reference number of the statement of compliance that contains the same defined support period in Field 7 under Section 9(3)(e). This cross-reference ensures consistency between the published page and the regulatory statement. Any discrepancy between the two would undermine the dual declaration in the statement of compliance.
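The Clause 4(3), 4(4), 4(5) and 4(6) checks above are the kind of validation rules a structured form for this template would enforce. The following is an added illustration, not code from the page or from any regulator: a small Python validator for a support period record, with the product identifier, URL and dates constructed as sample values.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Clause 4(6) items the template asks the reviewer to confirm one by one.
ACCESSIBILITY_CLAUSES = ("4(6)(a)", "4(6)(b)(i)", "4(6)(b)(ii)",
                         "4(6)(b)(iii)", "4(6)(b)(iv)", "4(6)(b)(v)")

@dataclass
class SupportPeriodRecord:
    product_id: str                           # same identifier as the statement of compliance
    end_date: date | None                     # explicit end date, Clause 4(3)
    published_on: date                        # original publication date, anchors Clause 4(4)
    accessibility_confirmed: dict[str, bool]  # clause reference -> confirmed
    urls: list[str]                           # every location where the period is published
    # Extension history, Clause 4(5): (new end date, date the extension was published).
    extensions: list[tuple[date, date]] = field(default_factory=list)

def effective_end_date(rec: SupportPeriodRecord) -> date | None:
    # Extensions may only move the end date later; anything else is ignored here.
    end = rec.end_date
    for new_end, _ in rec.extensions:
        if end is not None and new_end > end:
            end = new_end
    return end

def validate(rec: SupportPeriodRecord) -> list[str]:
    """Return the list of defects; an empty list means the record passes every check."""
    issues: list[str] = []
    if rec.end_date is None:
        issues.append("Clause 4(3): period must state an explicit end date, not an open-ended time")
    for clause in ACCESSIBILITY_CLAUSES:
        if not rec.accessibility_confirmed.get(clause):
            issues.append(f"Clause {clause}: accessibility requirement not confirmed")
    if not rec.urls:
        issues.append("Publication locations: no URL recorded for the evidence pack")
    current, last_pub = rec.end_date, rec.published_on
    for new_end, pub in rec.extensions:
        if current is not None and new_end <= current:
            issues.append(f"Clause 4(4): revision to {new_end} would shorten the period ending {current}")
        elif pub < last_pub:
            issues.append(f"Clause 4(5): extension published {pub} predates the prior publication {last_pub}")
        else:
            current, last_pub = new_end, pub
    return issues

SAMPLE = SupportPeriodRecord(  # constructed sample record, not a real product
    "cam-x100", date(2031, 6, 30), date(2026, 3, 4),
    {c: True for c in ACCESSIBILITY_CLAUSES}, ["https://example.com/cam-x100"],
    [(date(2032, 6, 30), date(2027, 1, 15))])
```

Running `validate(SAMPLE)` returns an empty list; swapping the extension for an earlier end date produces a single Clause 4(4) finding.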
Section 7

How to implement Australia Cyber Security Act 2024 compliance templates so teams use them consistently

Australia Cyber Security Act 2024 compliance templates only reduce risk if teams actually use them for every product and every incident. The most common failure mode is optional adoption: one team uses the template while another team writes a document from scratch that misses required fields. The solution is to embed the templates into your tooling and workflow gates so that no statement, report, or evidence pack can be completed without filling every required field.

Below are practical steps for rolling out Australia Cyber Security Act 2024 compliance templates across your organisation.

  • Convert each Australia Cyber Security Act 2024 compliance template into a structured digital form with required fields, validation rules, and selection menus for enumerated values. Use a document management system or GRC platform rather than standalone word processing files.
  • Require a completed evidence pack link before the statement of compliance can be approved. The approval workflow should block signature until the evidence pack contains a passing assessment for every clause of the security standard in Schedule 1.
  • Fill in the ransomware payment report template with entity details (ABN, address, contact person) now, before any incident occurs. During a 72-hour reporting window, teams should spend their time on incident-specific fields, not on looking up business details.
  • Schedule quarterly reviews of the product classification register. Use the review trigger field to flag products that need reassessment because of hardware revisions, new software integrations, changes in supply market, or changes in annual turnover.
  • Store all Australia Cyber Security Act 2024 compliance templates, completed records, and evidence captures in a single system of record with retention rules set to at least five years for statements of compliance under Section 10 of the Smart Devices Rules. Set a conservative baseline of at least seven years for ransomware payment reports.
  • Train every team member who touches an Australia Cyber Security Act 2024 compliance template on the purpose of each field and the legal source of the requirement. A trained team fills fields accurately on the first attempt, which reduces review cycles and the risk of incomplete submissions.
  • Monitor the Federal Register of Legislation at least quarterly for amendments to the Cyber Security Act 2024 (C2024A00098), the Smart Devices Rules (F2025L00276), and the Ransomware Reporting Rules (F2025L00278). Update all Australia Cyber Security Act 2024 compliance templates when the law changes. The Act includes a PJCIS statutory review under Section 88 beginning in December 2027, which may lead to amendments.
Primary sources

References and citations

  • legislation.gov.au, Cyber Security (Ransomware Payment Reporting) Rules 2025. Referenced sections: source for the $3 million annual turnover threshold (Section 6), the prorated threshold formula for partial year operations (Section 6(2)), and the detailed ransomware payment report field requirements (Section 7) including entity details, incident information, demand information, payment information, and communications with the extorting entity. Authorised Version registered 3 March 2025.
  • legislation.gov.au, Cyber Security (Security Standards for Smart Devices) Rules 2025. Referenced sections: source for the statement of compliance required fields (Section 9), the five year retention period (Section 10), the consumer grade product scope and exemptions (Section 8), and the three Schedule 1 security standard requirements: password compliance (Clause 2), security issue reporting (Clause 3), and defined support period publication (Clause 4). Authorised Version registered 4 March 2025.
  • legislation.gov.au, Cyber Security Act 2024. Referenced sections: primary legislation establishing the statement of compliance obligation (Section 16), the ransomware payment reporting obligation (Section 27), the examination power (Section 23), the safe harbour protections (Sections 28 through 32), and the definitions of relevant connectable product, reporting business entity, and ransomware payment. Authoritative foundation for all Australia Cyber Security Act 2024 compliance templates on this page.
  • legislation.gov.au, Explanatory Statement to the Cyber Security (Security Standards for Smart Devices) Rules 2025. Referenced sections: interpretive guidance on the statement of compliance requirements, the scope of consumer grade products, the six exemption categories, the website prominence requirements for defined support period publication, the privacy implications for sole trader manufacturers, and the alignment with UK PSTI Act requirements. Source for the Australia Cyber Security Act 2024 compliance templates design rationale.