Cyber Security Legislative Package – Consultation on Subordinate Legislation to the Cyber Security Act and Security of Critical Infrastructure Act 2018 (SOCI Act)

The Australian Government is committed to being a world-leader in cyber security by 2030, as outlined in the 2023-2030 Australian Cyber Security Strategy. As part of this commitment and following extensive consultation, the Cyber Security Legislative Package has received Royal Assent on 29 November 2024, meaning parts of the following acts are now law:

To give effect to some of the measures, subordinate legislation in the form of Rules is required.

The Proposed Rules include:

Cyber Security (Security Standards for Smart Devices) Rules 2024
Cyber Security (Ransomware Reporting) Rules 2024
Cyber Security (Cyber Incident Review Board) Rules 2024
Security of Critical Infrastructure (Critical infrastructure risk management program) Amendment (Data Storage Systems) Rules 2024 (Data Storage Systems Rules)
Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2024 (TSRMP Rules)
Security of Critical Infrastructure (Application) Amendment (Critical Telecommunications Assets) Rules 2024

There are 6 Rules in total, each with an explanatory document to provide additional information about the policy behind the measures.

Draft Rules and Explanatory Documents:

Formal consultation closed 5pm AEDT, Friday 14 February 2025.

Submissions to the Consultation Paper

The public consultation period for the Consultation Paper closed on Friday 14 February 2025. The Department of Home Affairs received over 30 submissions in response to the proposed Rules. Public submissions with consent to publish are available below.

During the consultation period, the department hosted a virtual town hall on Wednesday 12 March 2025.

The recording of the town hall sessions are available at Town hall and awareness sessions.

List of submissions to the Consultation Paper