Australia Cyber Security Act 2024 Timeline and commencement dates

The Australia Cyber Security Act 2024 received Royal Assent on 29 November 2024. According to the commencement table in section 2 of the Act, Part 1 and anything not elsewhere covered commenced the day after Royal Assent, which was 30 November 2024. Part 4 (Coordination of significant cyber security incidents) also commenced on 30 November 2024 under the same trigger. Parts 6 and 7, which cover miscellaneous provisions and consequential amendments, likewise commenced on 30 November 2024.

This means that from 30 November 2024 onward, the definitions in Part 1 of the Australia Cyber Security Act 2024 have been operative. Section 8 definitions, the meaning of cyber security incident under section 9, and the meaning of permitted cyber security purpose under section 10 all became binding from that date. Part 4 activated the voluntary information sharing framework with the National Cyber Security Coordinator, including the information protection provisions in sections 38 through 43.

For compliance teams, the immediate commencement of Part 4 meant that any organisation experiencing a significant cyber security incident from 30 November 2024 onward could voluntarily share information with the National Cyber Security Coordinator and receive the statutory protections against secondary use and disclosure set out in Division 3 of Part 4. The simultaneous commencement of Part 6 on 30 November 2024 also activated the full enforcement toolkit, including monitoring powers under section 80, investigation powers under section 81, civil penalty provisions under section 79, enforceable undertakings, injunctions, and infringement notices under section 82. These enforcement mechanisms apply across the Act, so they were ready to support any obligation that commenced later in the Australia Cyber Security Act 2024 timeline.

Part 3 of the Australia Cyber Security Act 2024 covers ransomware reporting obligations. According to the commencement table, Part 3 starts on a single day to be fixed by Proclamation. If no proclamation commenced Part 3 within six months of Royal Assent, the provisions automatically commence the day after that six month period ends. With Royal Assent on 29 November 2024, the six month backstop date was 29 May 2025.

Once Part 3 commenced, section 27(1) of the Australia Cyber Security Act 2024 required reporting business entities to give the designated Commonwealth body a ransomware payment report within 72 hours of making a ransomware payment or becoming aware that a ransomware payment had been made. Section 26 defines which entities fall within scope: the application test considers the annual turnover of the entity, with a threshold of $3 million for the previous financial year as prescribed by the Ransomware Payment Reporting Rules 2025.

The Part 3 commencement also activated the information protection provisions in Division 3, including section 29 (permitted purpose limitation), section 30 (secondary use and disclosure restrictions), section 31 (legal professional privilege preservation), and section 32 (admissibility restrictions against the reporting entity). These protections were designed to encourage reporting by reducing the risk that disclosed information would be used against the reporting entity in enforcement or litigation.

The ransomware payment report must contain seven categories of information as prescribed by section 7 of the Ransomware Payment Reporting Rules 2025: the reporting business entity's ABN and address; the other entity's ABN and address; when the incident occurred or is estimated to have occurred and when the entity became aware of it; the impact on the entity's infrastructure and customers; variants of ransomware or other malware used; vulnerabilities exploited; the amount or quantum of the demand and the method of provision demanded; the amount or quantum of the payment and the method of provision; and the nature, timing, and description of communications with the extorting entity including any pre-payment negotiations. All of these report fields became required from 29 May 2025, making that commencement date a critical deadline in the Australia Cyber Security Act 2024 timeline for incident response teams.

Part 5 of the Australia Cyber Security Act 2024 establishes the Cyber Incident Review Board (CIRB). Like Part 3, Part 5 starts on a day fixed by Proclamation with a six month backstop. Because Royal Assent was 29 November 2024, the backstop date for Part 5 was also 29 May 2025.

The CIRB is an independent body with the function of causing reviews to be conducted into significant cyber security incidents under section 46 of the Act. The Board comprises a Chair appointed under section 64, standing members appointed under section 66, and an Expert Panel constituted under section 70. Section 63 requires the Board to perform its functions independently of the Minister and the Department.

Once Part 5 commenced, the Board gained the power to require certain entities to produce documents under section 49, with a civil penalty for non compliance under section 50. Review reports follow a draft and final process under sections 51 and 52, with mandatory redaction of sensitive information under section 53 and protection of review reports under section 54. For organisations that may be subject to a CIRB review, the Part 5 commencement date marks the point at which document retention and incident record keeping become directly relevant to a statutory review process.

Part 2 of the Australia Cyber Security Act 2024 addresses security standards for smart devices. The commencement table provides that Part 2 starts on a day fixed by Proclamation, with a twelve month backstop. Because Royal Assent was 29 November 2024, the fallback date for Part 2 was 29 November 2025.

Part 2 contains four Divisions. Division 1 sets out the preliminary application rules under section 13. Division 2 establishes the power to make security standards for relevant connectable products under section 14, the compliance requirement under section 15, and the obligation to provide and supply products with a statement of compliance under section 16. Division 3 provides the enforcement toolkit: compliance notices under section 17, stop notices under section 18, recall notices under section 19, and public notification of recall failures under section 20. Division 4 covers internal review under section 22 and examination powers under section 23.

The Part 2 commencement date is the point at which the Secretary gains the power to make security standards and the enforcement mechanism becomes available. However, the operative security requirements that product teams must meet are specified in the Smart Devices Rules rather than in the Act itself. This means that even after Part 2 commences, the practical compliance burden depends on the separate commencement schedule of the Smart Devices Rules.

Section 13 of the Act specifies that Part 2 applies to a relevant connectable product that is manufactured on or after the commencement of Part 2, or supplied (other than as second hand goods) on or after the commencement of Part 2. This means the commencement date of 29 November 2025 marks the product manufacture and supply date threshold in the Australia Cyber Security Act 2024 timeline. Products manufactured before 29 November 2025 that are not supplied after that date fall outside Part 2 scope. Products manufactured before 29 November 2025 but supplied for the first time after that date are within scope.

The Cyber Security (Security Standards for Smart Devices) Rules 2025 were registered on the Federal Register of Legislation on 4 March 2025 as instrument F2025L00276. The commencement table in the Rules specifies a two stage activation. Part 1 and anything not elsewhere covered commenced on the day of registration, 4 March 2025. Part 2 and Schedule 1 commence the day after the end of 12 months from registration, which is 4 March 2026.

Schedule 1 of the Smart Devices Rules defines the security standards that relevant connectable products must meet. The 12 month delay between registration and the operative date for Part 2 and Schedule 1 was designed to give manufacturers time to redesign products, update firmware, and build the statement of compliance workflow required by section 16 of the Australia Cyber Security Act 2024.

Two obligations became binding from registration on 4 March 2025. First, section 10 of the Rules requires manufacturers to retain statements of compliance for a period of 5 years. Second, Schedule 1 clause 4(4) provides that a manufacturer must not shorten a published defined support period for security updates. If a manufacturer extends a defined support period, the new period must be published as soon as is practicable under clause 4(5). These obligations apply from 4 March 2025, well before the operative security standard takes effect on 4 March 2026.

The Schedule 1 security standard that became enforceable on 4 March 2026 contains three core requirements. Clause 2 requires that passwords for hardware and software of the product be either unique per product (not based on incremental counters, not based on or derived from publicly available information, not based on unique product identifiers unless encrypted using good industry practice, and not otherwise guessable in a manner unacceptable as part of good industry practice) or defined by the user. Clause 3 requires manufacturers to publish at least one contact point for reporting security issues, with timelines for acknowledgement and status updates, in English, free of charge, without requiring personal information, and without requiring a prior request. Clause 4 requires manufacturers to publish a defined support period for security updates expressed as a time period with an end date, and prohibits shortening that period after publication.

The consumer grade relevant connectable products covered by the Schedule 1 security standard are those intended for personal, domestic, or household use that will be acquired in Australia by a consumer. Section 8 of the Smart Devices Rules excludes desktop computers, laptops, tablet computers, smartphones, therapeutic goods, road vehicles, and road vehicle components from the Schedule 1 standard. For product teams, the 4 March 2026 commencement date in the Australia Cyber Security Act 2024 timeline is the hard deadline for ensuring that all in scope products comply with these three requirements. Teams should work backward from 4 March 2026 to allow time for password redesign, vulnerability disclosure channel publication, defined support period publication, firmware update processes, and statement of compliance automation.

The Cyber Security (Ransomware Payment Reporting) Rules 2025 were registered on 3 March 2025 as instrument F2025L00278. The commencement table in the Rules provides that the whole instrument commences on the later of: (a) the start of the day after registration, and (b) the same time that Part 3 of the Australia Cyber Security Act 2024 commences. Because Part 3 commenced on 29 May 2025 under its six month backstop, the Ransomware Reporting Rules also commenced on 29 May 2025.

Section 6 of the Ransomware Reporting Rules prescribes the turnover threshold at $3 million for the previous financial year. This threshold determines whether an entity is a reporting business entity under section 26(3)(b) of the Act. Section 7 of the Rules specifies the information required in a ransomware payment report, with a note clarifying that information is only required to the extent the reporting entity knows or can find through reasonable search within the 72 hour reporting window.

Section 6(2) of the Rules also provides a pro rata formula for businesses that operated for only part of the previous financial year. The threshold is calculated as $3 million multiplied by the number of days in the part year divided by the number of days in the full financial year. This ensures that newly established businesses are subject to a proportionate threshold rather than the full $3 million amount.

The linkage between the Rules commencement and Part 3 commencement means that the operational reporting obligation and the threshold definition activated simultaneously. Organisations did not face a gap where the Act obligation existed but the Rules threshold had not yet commenced. In addition to the turnover test, an entity is a reporting business entity if it is a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies, regardless of turnover. This means critical infrastructure operators were captured by the ransomware reporting obligation from 29 May 2025 in the Australia Cyber Security Act 2024 timeline even if their turnover fell below $3 million.

The Cyber Security (Cyber Incident Review Board) Rules 2025 were registered on 3 March 2025 as instrument F2025L00277. The commencement table provides that the whole instrument commences on the later of: (a) the start of the day after registration, and (b) the same time that Part 5 of the Australia Cyber Security Act 2024 commences. Because Part 5 commenced on 29 May 2025, the CIRB Rules also commenced on that date.

The CIRB Rules underwent public consultation before registration as required by subsection 87(3) of the Act. The Explanatory Statement records that draft Rules were published on the Department of Home Affairs website on 16 December 2024, with submissions closing on 14 February 2025. The Department received 37 submissions, the majority of which were broadly supportive. The Department also hosted 7 deep dive sessions in January and February 2025 for all three rule sets, with over 900 attendees cumulatively and an average of 130 attendees per session. The CIRB deep dive sessions specifically drew over 180 attendees across two sessions. The Rules were then registered on 3 March 2025.

Section 11(1) of the Rules requires the Board to publish notification of a review as soon as practicable after deciding to conduct one. This operational timing requirement became binding on 29 May 2025. For organisations that operate critical infrastructure or handle significant volumes of personal data, the CIRB Rules commencement date is the point from which a statutory review of a significant cyber security incident can be initiated and document production powers can be exercised.

Section 88 of the Australia Cyber Security Act 2024 requires the Parliamentary Joint Committee on Intelligence and Security (PJCIS) to begin a statutory review of the Act as soon as practicable after 1 December 2027. This review will examine the operation, effectiveness, and scope of the Act approximately three years after Royal Assent.

The statutory review is significant for compliance planning because it may result in amendments to the Act, changes to penalty levels, expansion of scope to additional product categories, or modifications to the ransomware reporting threshold. Organisations should expect that any evidence of compliance gaps identified between commencement and the review period may inform the PJCIS recommendations.

For compliance teams maintaining ongoing assurance programs, the 1 December 2027 date serves as a planning horizon. Records of compliance activities, incident reports, and enforcement interactions from the commencement period through to the review will form the evidence base that the PJCIS uses to evaluate whether the Act has achieved its stated objects under section 3. Those objects include improving cyber security of internet connectable products through mandatory security standards, encouraging ransomware payment information sharing through reporting obligations, facilitating whole of Government response to significant incidents through the National Cyber Security Coordinator, preventing and minimising the impact of incidents through the Cyber Incident Review Board review and recommendation process, and encouraging voluntary information sharing through statutory use and disclosure protections. The Australia Cyber Security Act 2024 timeline therefore extends from 29 November 2024 Royal Assent through to the PJCIS review after 1 December 2027 and any resulting legislative amendments.

The following summary consolidates every commencement date in the Australia Cyber Security Act 2024 timeline, covering the Act itself, all three subordinate rule sets, and the statutory review trigger. Teams can use this consolidated schedule to align internal project milestones, board reporting dates, and assurance review cycles with the legal commencement sequence.

The commencement schedule spans more than three years, from 30 November 2024 through to 1 December 2027. Within that window, the most operationally significant dates for product teams are 4 March 2026 (smart device operative standard) and for incident response teams are 29 May 2025 (ransomware reporting activation). Governance teams should plan for ongoing assurance from mid 2025 onward and prepare documentation for the statutory review starting from late 2027.

Each commencement date in the Australia Cyber Security Act 2024 timeline corresponds to a set of operational obligations that compliance, product, and incident response teams should have completed before that date. Planning backward from each hard date ensures that internal processes are tested and operational before the legal obligation activates.

For the 29 May 2025 ransomware reporting milestone, incident response teams should have completed a reporting entity assessment (confirming whether the $3 million turnover threshold is met or whether the entity is a responsible entity for a critical infrastructure asset under the Security of Critical Infrastructure Act 2018), mapped all seven categories of information required in a ransomware payment report under section 7 of the Ransomware Payment Reporting Rules 2025 (entity details and ABN, incident timing and discovery date, infrastructure and customer impact, malware variants, exploited vulnerabilities, demand amount and method, payment amount and method, and communications timeline), established a reporting workflow with the designated Commonwealth body, and conducted a tabletop exercise simulating a 72 hour reporting scenario. For the 4 March 2026 smart device operative date, product teams should have completed default credential elimination and unique per product password implementation (or user defined password flows), published a vulnerability disclosure contact point meeting the accessibility requirements of Schedule 1 clause 3, published a defined support period for security updates with an end date meeting the requirements of Schedule 1 clause 4, prepared statement of compliance templates containing all fields required by section 9 of the Smart Devices Rules (product type and batch identifier, manufacturer details, authorised representative details, manufacturer declaration, defined support period, signatory details, and place and date of issue), and conducted a pre market compliance audit against all three Schedule 1 requirements.

After all commencement dates have passed, the compliance program should transition from project mode to recurring assurance mode. This includes scheduled reviews of compliance status, periodic tabletop exercises for ransomware reporting readiness, firmware update process audits, and evidence packaging for the eventual PJCIS statutory review.