Home Affairs describes the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act) as the first tranche of reforms to the SOCI Act, commencing from 2 December 2021.

Australia - SLACI Act 2021 commences (SOCI reforms  -  tranche 1)

Home Affairs records an exposure-draft consultation period for the SLACIP Bill and accompanying draft Explanatory Document running from 15 December 2021 until Tuesday 1 February 2022.

Australia - SLACIP Bill exposure-draft consultation window

Home Affairs notes a final Town Hall was held on 4 February 2022 following the closure of submissions on the SLACIP Bill exposure draft.

Australia - SLACIP Bill exposure-draft: final Town Hall held

Home Affairs records that the Minister for Home Affairs introduced the SLACIP Bill to Parliament and referred it to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on 10 February 2022.

Australia - SLACIP Bill introduced and referred to PJCIS

Home Affairs notes that the PJCIS published its advisory report on the SLACIP Bill on 25 March 2022.

Australia - PJCIS advisory report published (SLACIP Bill)

The Federal Register of Legislation entry for the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (C2022A00033) shows a date of 1 April 2022 (as-made Act entry).

Australia - SLACIP Act 2022 made (Federal Register date)

Home Affairs records that the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) came into effect on 2 April 2022.

Australia - SLACIP Act 2022 comes into effect (SOCI reforms  -  tranche 2)

Draft Risk Management Program Guidance states that the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 came into effect on 8 April 2022, outlining asset classes required to comply with Mandatory Cyber Incident Reporting and certain Register reporting requirements.

Australia - SOCI Application Rules (LIN 22/026) come into effect

Draft Risk Management Program Guidance notes that telecommunications assets comply with Cyber Reporting from 7 July 2022 under the Telecommunications Act 1997.

Australia - Telecommunications assets: Cyber Reporting compliance date (Telecommunications Act context)

Protected Information Guidance Material for industry is marked as a consultation draft (v1) and states it is current "as at 9 September 2022".

Australia - Protected Information guidance (consultation draft v1)

Draft Risk Management Program Guidance states the consultation period for the draft risk management program (RMP) rules was 45 days, from 5 October 2022 to 18 November 2022.

Australia - RMP Rules consultation window (SOCI reforms)

Draft Risk Management Program Guidance notes that telecommunications assets comply with the Register from 7 October 2022 under the Telecommunications Act 1997.

Australia - Telecommunications assets: Register compliance date (Telecommunications Act context)

Draft Risk Management Program Guidance is marked as a consultation draft (v2) and states it is current "as at 03 November 2022".

Australia - Draft Risk Management Program Guidance (consultation draft v2)

Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 appear on the Federal Register of Legislation as an as-made version dated 16 February 2023 (F2023L00112).

Australia - CIRMP Rules (LIN 23/006) as made (F2023L00112)

Smart Devices Rules Explanatory Statement references the Australian Government consultation on the 2023-2030 Australian Cyber Security Strategy running from 27 February 2023 to 15 April 2023.

Australian Cyber Security Strategy consultation window

Impact Analysis Addendum for smart device standards states that the Department of Home Affairs published an Impact Analysis on mandatory security standards and an industry-led voluntary cyber security labelling scheme on 22 November 2023.

Australia - Smart device standards: Impact Analysis published

Smart Devices Rules Explanatory Statement records that, on 19 December 2023, the Minister released the "Australian Cyber Security Strategy: Cyber Security Legislative Reforms Consultation Paper" and that consultation remained open until 1 March 2024.

Australia - Cyber Security legislative reforms consultation window

The Act records that the Minister's second reading speech was made in the House of Representatives on 9 October 2024.

Australia - Minister's second reading speech (House of Representatives)

The Act records that the Minister's second reading speech was made in the Senate on 25 November 2024.

Australia - Minister's second reading speech (Senate)

Cyber Security Act 2024 (No. 98, 2024) receives Royal Assent on 29 November 2024.

Australia - Cyber Security Act 2024 receives Royal Assent

Commencement table: Part 1 (and provisions not otherwise covered), Part 4 (coordination of significant cyber security incidents), and Parts 6-7 (regulatory powers and miscellaneous) commence the day after Royal Assent (30 November 2024).

Australia - Act commences: Parts 1, 4, 6 and 7

Explanatory Statements record that the draft Rules package was published on the Department's website on 16 December 2024 and closed for submissions on 14 February 2025.

Australia - Draft Cyber Security Act Rules consultation window

The three Cyber Security Act Rules instruments are dated 27 February 2025 (Smart Devices Rules; Cyber Incident Review Board Rules; Ransomware Payment Reporting Rules). Registration dates follow in early March 2025.

Australia - Cyber Security Act Rules are made (dated)

Cyber Security (Cyber Incident Review Board) Rules 2025 are registered on 3 March 2025. The instrument commences later of the day after registration and the commencement of Act Part 5.

Australia - CIRB Rules registered (F2025L00277)

Cyber Security (Ransomware Payment Reporting) Rules 2025 are registered on 3 March 2025. The instrument commences later of the day after registration and the commencement of Act Part 3.

Australia - Ransomware Payment Reporting Rules registered (F2025L00278)

Cyber Security (Security Standards for Smart Devices) Rules 2025 are registered on 4 March 2025. The commencement table provides that Part 1 commences on registration, while Part 2 and Schedule 1 have a delayed commencement (4 March 2026).

Australia - Smart Devices Rules registered; Part 1 commences (F2025L00276)

The smart device standards Impact Analysis (Supplementary Explanatory Statement) is an authorised version registered on 27 March 2025 in connection with F2025L00276.

Australia - Smart device standards: Supplementary Explanatory Statement registered

The Federal Register of Legislation page for F2023L00112 shows the as-made version dated 16 February 2023 and indicates it is superseded, with the as-made version running until 3 April 2025.

Australia - CIRMP Rules: as-made version end date (superseded)

The Federal Register metadata for the SOCI Application Rules references an April 2025 compilation (F2025C00404) and links to a 4 April 2025 version in the legislation history/amendment history.

Australia - SOCI Application Rules: April 2025 compilation/version date

Commencement table provides for commencement by proclamation, with an automatic commencement if not commenced within 6 months of Royal Assent. The published commencement table includes 29 May 2025 as the backstop date for Part 3. Part 3 imposes the 72-hour ransomware payment reporting obligation for reporting business entities; the 2025 Rules specify (among other details) the $3 million turnover threshold and report content requirements.

Australia - Act commences: Part 3 (ransomware payment reporting) (backstop date)

Commencement clause: the whole instrument commences later of the day after registration and the commencement of Act Part 3; the backstop commencement date for Part 3 is 29 May 2025.

Australia - Ransomware Payment Reporting Rules commence (F2025L00278) (aligned to Part 3)

Commencement table provides for commencement by proclamation, with an automatic commencement if not commenced within 6 months of Royal Assent. The published commencement table includes 29 May 2025 as the backstop date for Part 5.

Australia - Act commences: Part 5 (Cyber Incident Review Board) (backstop date)

Commencement clause: the whole instrument commences later of the day after registration and the commencement of Act Part 5; the backstop commencement date for Part 5 is 29 May 2025.

Australia - CIRB Rules commence (F2025L00277) (aligned to Part 5)

Commencement table provides for commencement by proclamation, with an automatic commencement if not commenced within 12 months of Royal Assent. The published commencement table includes 29 November 2025 as the backstop date for Part 2 (security standards for smart devices).

Australia - Act commences: Part 2 (smart device security standards framework) (backstop date)

The Act text indicates a replaced authorised version was registered on 28 January 2026 (compiled version reference).

Australia - Compiled Act: replaced authorised version registered

Commencement table: Part 2 and Schedule 1 of the Smart Devices Rules commence on 4 March 2026 (12-month delayed commencement). This is when the mandatory security standards, statement-of-compliance requirements (including 5-year retention period), and defined support-period rules take effect for covered products.

Australia - Smart Devices Rules substantive obligations commence (Part 2 and Schedule 1)

The Parliamentary Joint Committee on Intelligence and Security may review the operation, effectiveness and implications of the Act, so long as it begins the review as soon as practicable after 1 December 2027.

Australia - Statutory review can begin (PJCIS)

ETSI publishes GR SAI 004 V1.1.1 (2020-12), outlining the problem space and baseline considerations for securing AI.

EU-AI-ACT - ETSI GR SAI 004 published (problem statement)

CEN-CENELEC Joint Technical Committee 21 (JTC 21) is established to develop European AI standards, including harmonised standards supporting the AI Act.

EU-AI-ACT - CEN-CENELEC JTC 21 established

ETSI publishes GR SAI 009 V1.1.1 (2023-02), providing an AI computing platform security framework.

EU-AI-ACT - ETSI GR SAI 009 published (AI platform security framework)

ETSI publishes GR SAI 013 V1.1.1 (2023-03), providing a framework for proofs of concepts related to securing AI.

EU-AI-ACT - ETSI GR SAI 013 published (Proofs of Concepts framework)

In May 2023, the Commission adopted a standardisation request (Mandate M/593), accepted by CEN-CENELEC, to develop standards supporting AI Act compliance (date recorded as 1st of month).

EU-AI-ACT - Commission standardisation request M/593 adopted (month-only)

ETSI announces three reports by ISG SAI, covering explicability/transparency, an AI computing platform security framework, and a proofs-of-concepts framework.

EU-AI-ACT - ETSI press release: three ISG SAI reports

ETSI announces the transition from ISG SAI to Technical Committee SAI, scaling work on securing AI through standards.

EU-AI-ACT - ETSI ISG SAI becomes Technical Committee (TC SAI)

ETSI notes that the inaugural meeting of TC SAI is scheduled for 4 December 2023.

EU-AI-ACT - Inaugural ETSI TC SAI meeting (scheduled)

Commission press materials reference the political agreement on the AI Act reached on 9 December 2023.

EU-AI-ACT - Commission welcomes political agreement on the AI Act

Commission Decision establishing the European AI Office is published (24 January 2024).

EU-AI-ACT - Commission Decision establishing the European AI Office

Commission press materials reference the AI Office being unveiled on 29 May 2024.

EU-AI-ACT - Commission unveils the AI Office

Regulation (EU) 2024/1689 (Artificial Intelligence Act) is adopted by the European Parliament and the Council.

EU-AI-ACT - AI Act adopted

Commission press materials reference the amended EuroHPC JU Regulation entering into force on 9 July 2024, enabling the set-up of AI factories.

EU-AI-ACT - Amended EuroHPC JU Regulation enters into force (AI factories)

Regulation (EU) 2024/1689 is published in the Official Journal of the European Union (OJ L, 12 July 2024).

EU-AI-ACT - AI Act published in the Official Journal

The AI Act enters into force on the twentieth day following publication in the Official Journal (published 12 July 2024, enters into force 1 August 2024).

EU-AI-ACT - AI Act enters into force

ETSI publishes TR 104 225 V1.1.1 (2024-04) on privacy aspects of AI/ML systems (date recorded as 1st of month).

EU-AI-ACT - ETSI TR 104 225 published (privacy aspects) (month-only)

JRC publishes a Science for Policy brief describing the role and status of harmonised standards for AI Act implementation.

EU-AI-ACT - JRC/AI Watch brief published: harmonised standards for the AI Act

Chapters I and II start applying (including the prohibited AI practices framework), ahead of the main application date.

EU-AI-ACT - Prohibitions and general provisions start applying

ETSI publishes TS 104 224 V1.1.1 (2025-03) on explicability and transparency of AI processing (date recorded as 1st of month).

EU-AI-ACT - ETSI TS 104 224 published (explicability & transparency) (month-only)

ETSI publishes TS 104 223 V1.1.1 (2025-04) defining baseline cybersecurity requirements for AI models and systems (date recorded as 1st of month).

EU-AI-ACT - ETSI TS 104 223 published (baseline cybersecurity) (month-only)

Codes of practice for GPAI obligations (Arts. 53 and 55) must be ready at the latest by 2 May 2025.

EU-AI-ACT - Deadline: GPAI codes of practice ready

ETSI publishes TR 104 065 V1.1.1 (2025-05) mapping AI Act provisions to ETSI work items (date recorded as 1st of month).

EU-AI-ACT - ETSI TR 104 065 published (AI Act mapping & gap analysis) (month-only)

ETSI publishes TR 104 128 V1.1.1 (2025-05) guiding stakeholders in implementing AI cybersecurity provisions (date recorded as 1st of month).

EU-AI-ACT - ETSI TR 104 128 published (cyber security guidance) (month-only)

The Commission publishes the voluntary General-Purpose AI Code of Practice (three chapters: Transparency, Copyright, Safety & Security).

EU-AI-ACT - General-Purpose AI Code of Practice published

Commission adopts Guidelines on the scope of obligations for providers of general-purpose AI models (Brussels, 18.7.2025).

EU-AI-ACT - Commission Guidelines on GPAI obligations (C(2025) 5045 final)

Commission publishes an explanatory notice and template for the public summary of training content for general-purpose AI models.

EU-AI-ACT - Training content public summary: template published

Chapter V (GPAI obligations, including Arts. 53-56) starts applying from 2 August 2025.

EU-AI-ACT - GPAI obligations start applying

Key governance provisions and the conformity assessment/notified body-related section start applying from 2 August 2025, ahead of the main application date.

EU-AI-ACT - Governance and notified body provisions start applying

Member States' penalties framework under the AI Act applies from 2 August 2025 (including administrative fines, per Chapter XII).

EU-AI-ACT - Penalties provisions start applying

Member States must publicly provide contact details for competent authorities/single points of contact and notify the Commission by 2 August 2025.

EU-AI-ACT - Member States designate/communicate competent authorities

The Commission must issue dedicated guidance to facilitate compliance with serious incident reporting obligations by 2 August 2025.

EU-AI-ACT - Commission guidance due for serious incident reporting

Chapter VII governance provisions start applying, including the legal basis for the EU database for high-risk AI systems (Art. 71).

EU-AI-ACT - EU database provisions start applying

Commission launches/hosts a consultation linked to serious incident reporting for general-purpose AI models with systemic risk (consultation dated 26 September 2025; feedback referenced until 7 November 2025).

EU-AI-ACT - Consultation: serious incidents reporting (GPAI systemic risk)

Commission notes that prEN 18286 (AI quality management system for AI Act purposes) enters public enquiry on 30 October 2025.

EU-AI-ACT - prEN 18286 reaches public enquiry (AI QMS standard)

Commission publishes a reporting template for serious incidents involving general-purpose AI models with systemic risk (publication: 4 November 2025).

EU-AI-ACT - Reporting template published: serious incidents (GPAI systemic risk)

Kick-off plenary for the Code of Practice on marking and labelling of AI-generated content, supporting Article 50 transparency obligations.

EU-AI-ACT - Kick-off plenary: Article 50 transparency code of practice

First working group meetings for the Code of Practice on marking and labelling of AI-generated content (17-18 November 2025).

EU-AI-ACT - 1st working group meetings (Article 50 code of practice)

Commission communication (C(2025) 8311 final) for the public summary of training content is dated Brussels, 5.12.2025.

EU-AI-ACT - Explanatory Notice & training content summary template dated

The first draft of the Code of Practice on transparency of AI-generated content is published (17 December 2025).

EU-AI-ACT - First draft published (Article 50 code of practice)

Working group meetings for the Article 50 Code of Practice take place on 12 & 14 January 2026, starting the second drafting round.

EU-AI-ACT - Working group meetings (second drafting round)

Workshops for working groups 1 & 2 take place on 21-22 January 2026 as part of the Article 50 Code of Practice process.

EU-AI-ACT - Workshops (working groups 1 & 2)

The AI Act applies from 2 August 2026 (with earlier application dates for specific chapters as set out in Art. 113).

EU-AI-ACT - Main application date of the AI Act

Commission notes that, from 2 August 2026, its enforcement powers for GPAI provider obligations enter into application.

EU-AI-ACT - Commission enforcement powers for GPAI apply

Member States must ensure at least one AI regulatory sandbox is operational by 2 August 2026.

EU-AI-ACT - AI regulatory sandboxes must be operational

Article 6(1) and the corresponding obligations in the AI Act apply from 2 August 2027.

EU-AI-ACT - Article 6(1) and corresponding obligations apply

Providers of general-purpose AI models placed on the market before 2 August 2025 must take steps to comply by 2 August 2027.

EU-AI-ACT - Deadline: pre-2 Aug 2025 GPAI models must comply

The AI Act text references the European Parliament position of 13 March 2024 in the legislative procedure.

EU-AI-ACT - European Parliament position adopted

The AI Act text references the Council decision of 21 May 2024 in the legislative procedure.

EU-AI-ACT - Council decision referenced in legislative procedure

The AI Office timeline indicates a consultation (and call for expression of interest) in September 2025 to develop guidelines and a Code of Practice on transparent AI systems (date recorded as 1st of month; indicative/TBC).

EU-AI-ACT - Consultation opens for Article 50 guidelines & code of practice (month-only)

The Article 50 Code of Practice timeline indicates eligibility checks and selection of chairs/vice-chairs in October 2025 (date recorded as 1st of month; indicative/TBC).

EU-AI-ACT - Eligibility checks and chair selection (month-only)

The Commission standardisation page notes that the Digital Omnibus proposal (19 November 2025) suggested linking high-risk AI rules' entry into application to the availability of support tools (including standards).

EU-AI-ACT - Digital Omnibus proposal references AI Act standardisation timing

The Article 50 Code of Practice timeline indicates publication of a second draft in March 2026 (TBC; date recorded as 1st of month).

EU-AI-ACT - Second draft planned (TBC) (month-only)

The Article 50 Code of Practice timeline indicates a closing plenary and publication of the final Code of Practice in May and June 2026 (indicative/TBC).

EU-AI-ACT - Final code of practice expected (indicative range)

ETSI publishes GR SAI 005 V1.1.1 (2021-03), a mitigation strategy report for threats arising from AI-based systems (date recorded as 1st of month).

EU-AI-ACT - ETSI GR SAI 005 published (mitigation strategy) (month-only)

ETSI publishes GR SAI 002 V1.1.1 (2021-08) on data supply chain security for AI systems (date recorded as 1st of month).

EU-AI-ACT - ETSI GR SAI 002 published (data supply chain security) (month-only)

ETSI publishes GR SAI 001 V1.1.1 (2022-01) on an AI threat ontology (date recorded as 1st of month).

EU-AI-ACT - ETSI GR SAI 001 published (AI threat ontology) (month-only)

ETSI publishes GR SAI 006 V1.1.1 (2022-03) on the role of hardware in the security of AI (date recorded as 1st of month).

EU-AI-ACT - ETSI GR SAI 006 published (hardware security for AI) (month-only)

ETSI publishes GR SAI 007 V1.1.1 (2023-03) on explicability and transparency of AI processing (date recorded as 1st of month).

EU-AI-ACT - ETSI GR SAI 007 published (explicability & transparency) (month-only)

ETSI publishes GR SAI 011 V1.1.1 (2023-06) on automated manipulation of multimedia identity representations (date recorded as 1st of month).

EU-AI-ACT - ETSI GR SAI 011 published (deepfakes / multimedia identity manipulation) (month-only)

Commission press materials reference a package of measures launched on 24 January 2024 to support European startups and SMEs developing trustworthy AI.

EU-AI-ACT - Commission launches package of measures to support startups and SMEs

ETSI publishes TR 104 031 V1.1.1 (2024-01) on security aspects of pervasive and collaborative AI (date recorded as 1st of month).

EU-AI-ACT - ETSI TR 104 031 published (collaborative AI) (month-only)

ETSI publishes TR 104 032 V1.1.1 (2024-02) studying traceability of AI models (date recorded as 1st of month).

EU-AI-ACT - ETSI TR 104 032 published (traceability of AI models) (month-only)

ETSI publishes TR 104 067 V1.1.1 (2024-04) describing a Proofs of Concepts (PoCs) framework for ETSI TC SAI (date recorded as 1st of month).

Regulatory Universal Timeline

Unified compliance timeline