
Cyber Security Act

Cyber Security Act 2024

Lieutenant General Michelle McGuinness CSC, Australia’s National Cyber Security Coordinator and Hamish Hansford, Deputy Secretary of Cyber and Infrastructure Security Group, discuss the four key measures of Australia’s first Cyber Security Act.


Michelle McGuinness CSC:

The Australian Government has introduced Australia’s first Cyber Security Act – a key step forward in uplifting Australia’s cyber security and the resilience of our critical infrastructure.

This is a large part of implementing the Cyber Security Strategy, addressing gaps in previous legislation to bring us in line with international best practice and ensure Australia is on track to become a global leader in cyber security by 2030.

Hamish Hansford:

So the Cyber Security Act does four things. Firstly it mandates minimum cyber security standards for smart devices and connectable products. So what are they? They are everything from baby monitors to smart watches, and manufacturers and suppliers of these products will be responsible for complying with the minimum standards and then be able to provide a statement of compliance to supply these goods in the Australian economy. So that’s a really big and important change. And it’s an important change because it will better protect Australian consumers and make us rely on secure products.

The second thing that the Act will do is establish mandatory ransomware reporting for certain businesses. And this is really because we don’t understand the true nature and quantum of payment to criminals and for people who are victims of cybercrime, and this reporting requirement really does get us to understand the basis of the quantum in the economy, but also who is reporting, so we can better help you, better understand the threat landscape and tailor advice back to you, so that we can be continuously improving and disrupting the ransomware business model.

Michelle McGuinness CSC:

The third aspect is a limited use obligation that has been established under the Cyber Security Act for me and my team, as the National Cyber Security Coordinator, to clarify and control how information provided voluntarily during a cyber incident may be shared or used.

This Limited Use provision will better enable me to lead whole-of-Government coordination in response, particularly to significant cyber security incidents, by providing assurance to impacted entities that information they share won’t be used for civil or regulatory action. It will improve my team’s ability to assist entities, particularly in the early days of an incident response.

The final key feature of the Cyber Security Act is the establishment of the Cyber Incident Review Board. The Board will be empowered to conduct independent, no-fault, post-incident reviews of significant cyber security incidents.

The Board will issue findings and make concrete recommendations to aid in the prevention, detection, response and minimisation of future cyber incidents across our economy.

Independent in the performance of its functions and exercise of power, the Board will not interfere with ongoing incident response or with the regulatory, operational or law enforcement processes surrounding the same incident.

Hamish Hansford:

And so through the efforts of government, and industry and indeed the community working together, we’re going to be really well positioned to try and prevent and respond to some of the threats that we will face over the coming years, and the Cyber Security Act is a really important component in this work.

Michelle McGuinness CSC:

You can find out more about the Cyber Security Act, including some really helpful factsheets, at our website: homeaffairs.gov.au/cybersecurity.


On 29 November 2024, the Cyber Security Act 2024 received Royal Assent and became law.

The Cyber Security Act implements four initiatives under the 2023-2030 Australian Cyber Security Strategy, informed by an extensive consultation process.

The Act addresses legislative gaps to bring Australia in line with international best practice, ensuring Australia is on track to become a global leader in cyber security.

The Cyber Security Act includes measures to:

  • mandate minimum cyber security standards for smart devices
  • introduce a mandatory ransomware and cyber extortion reporting obligation requiring certain businesses to report ransom payments
  • introduce a Limited Use obligation for the National Cyber Security Coordinator, to encourage industry engagement with the government following cyber incidents
  • establish a Cyber Incident Review Board to conduct reviews of significant cyber incidents and share lessons learned

Cyber Security Rules

Subordinate legislation in the form of Rules is required to give effect to some of the measures under the Cyber Security Act 2024.

Security Standards for Smart Devices

The first Security Standards for Smart Devices Rules, covering consumer-grade smart devices, will take effect 12 months from the registration of the Rules. This will allow industry to become familiar with its obligations under the legislation. Over this period, government will also develop and publish other guidance materials for industry and consumers. These will raise awareness about the Rules and about cyber security for smart devices more broadly.

Ransomware payment reporting

For practical guidance on how to use the new reporting form on the Australian Signals Directorate’s (ASD’s) ReportCyber, see How to make a report - Ransomware and cyber extortion payment reporting.

The Ransomware payment reporting rules commence on 30 May 2025.

These rules specify:

  • the annual turnover threshold that applies
  • the formula to use when an entity operates only in part of a financial year
  • what information must be included in a report.

You can watch the Town Hall hosted on 22 May 2025 about the start of the ransomware payment reporting obligation at Town halls and awareness sessions.

Cyber Incident Review Board

The Minister for Cyber Security will appoint members to the Cyber Incident Review Board. This will happen after the commencement of the Cyber Security (Cyber Incident Review Board) Rules 2025 on 30 May 2025. After the Board is established, the department will begin an expression of interest process to form an Expert Panel. This will include industry professionals with strong experience in cyber security, legal or sector-specific areas.

You can register your interest in recruitment activities for the Expert Panel by emailing: CIRB.Enquiries@homeaffairs.gov.au.

Limited use
