SecurityPolicy.com.au
Home/ Australia/ Law and Obligations/ Cyber Security Act 2024
Australia Law and Obligations Law Reviewed 2026-07-12

Cyber Security Act 2024: A Plain-English Guide for Australian Businesses

72h
ransomware payment reporting window
A$3m
turnover threshold set by the reporting Rules
4
key measures in the Act
60 units
civil penalty for a late or missing payment report
Why this guide exists

Australian businesses most often ask whether the A$3 million threshold captures them, when the 72-hour clock starts, and whether one report satisfies every regulator. A high-demand question missing from the fixed 10 is whether making a ransomware payment is lawful, insurable or affected by sanctions in the particular circumstances.

What is the Cyber Security Act 2024, and does it apply to my business?

The Cyber Security Act 2024 is Australia's first standalone cyber security Act and received Royal Assent on 29 November 2024. It creates four distinct measures: ransomware and cyber-extortion payment reporting, minimum security standards for certain smart devices, limited-use protections for information voluntarily shared with the National Cyber Security Coordinator, and the Cyber Incident Review Board. It does not impose one identical compliance program on every Australian business; applicability depends on turnover, critical-infrastructure status, whether the business manufactures or supplies covered devices, and whether it becomes involved in a significant incident or Board review. The Act applies within and outside Australia, so overseas payments, group entities and service providers can still matter where an Australian reporting entity is involved.

How this differs by situation
  • previous-financial-year turnover exceeding A$3m — The ransomware payment reporting provisions can apply when the other statutory trigger elements are met.
  • critical-infrastructure responsible entity covered by SOCI Part 2B — The ransomware payment reporting provisions can apply irrespective of the ordinary turnover limb.
  • manufacturer or supplier of an in-scope smart device — Separate product-security and statement-of-compliance duties can apply without an A$3m turnover test.
  • business below the ransomware threshold with no smart-device role — The mandatory payment-reporting and product rules may not apply, but Privacy Act, SOCI, contract and sector duties may still apply, and significant-incident information may be shared voluntarily.
PUT THIS IN YOUR POLICY, EXACTLY

Cyber Security Act applicability. The Legal and Incident Leads must assess each cyber event against four separate Cyber Security Act 2024 pathways: ransomware-payment reporting, smart-device obligations, voluntary limited-use information sharing, and Cyber Incident Review Board engagement. The assessment must record the applicable entity, turnover period, critical-infrastructure status, product role, overseas or group involvement, decision-maker and any parallel legal duties.

Who exactly is covered — thresholds and entity types?

For ransomware payment reporting, the primary legislation covers an entity carrying on business in Australia whose previous-financial-year turnover exceeds the prescribed threshold, provided it is not a Commonwealth or State body and the other incident and payment elements are met. The Rules set that threshold at A$3 million and provide a pro-rata formula where the business operated for only part of the previous financial year. A responsible entity for a critical-infrastructure asset to which SOCI Part 2B applies is separately captured and does not rely on the ordinary turnover limb. The Home Affairs factsheet is internally inconsistent at exactly A$3 million: its first page says A$3 million or more, while its detailed coverage section, the Act and the Rules use exceeds A$3 million. Smart-device coverage is separate and turns on the product, manufacture date and the business's role as manufacturer or supplier rather than the ransomware turnover threshold.

How this differs by situation
  • more than A$3m in the previous financial year — The ordinary ransomware-reporting entity threshold is met, subject to all other statutory elements.
  • exactly A$3m in the previous financial year — The Act and Rules use 'exceeds', but the factsheet also says 'A$3 million or more'; obtain advice rather than relying on the inconsistent summary wording.
  • business operated for part of the previous financial year — Use the Rules formula: A$3m multiplied by days carried on, divided by days in the previous financial year.
  • SOCI Part 2B critical-infrastructure responsible entity — Covered by a separate limb and may have concurrent SOCI incident-reporting duties.
  • not-for-profit carrying on a business — Home Affairs states that not-for-profit organisations are not explicitly exempt; entity status and the statutory elements still need assessment.
PUT THIS IN YOUR POLICY, EXACTLY

Coverage check. Finance must record previous-financial-year turnover and any part-year calculation annually. Legal must record whether the entity carries on business in Australia, is a Commonwealth or State body, or is a responsible entity for an asset covered by SOCI Part 2B. An entity at exactly A$3 million turnover must obtain advice because Home Affairs guidance contains inconsistent boundary wording.

What does it actually require me to do?

A covered reporting business must lodge a ransomware payment report when a cyber incident directly or indirectly affects it, an extorting entity makes a related demand, and the business makes or becomes aware of a payment or benefit made on its behalf. The report must include reasonably discoverable information about the parties, incident and impact, demand, payment and communications. Manufacturers and suppliers of covered smart devices have different duties: products must meet the prescribed standards, including password, vulnerability-reporting and security-support requirements, and be supplied with a statement of compliance. Information sharing with the National Cyber Security Coordinator is voluntary and protected for limited uses; it is not a substitute for mandatory reports. CIRB participation begins with post-incident review processes, where an initial information request is voluntary but a later statutory document-production notice can be compulsory.

How this differs by situation
  • reporting business that pays an extortion demand — Submit the prescribed payment report through the approved channel with the required incident, demand, payment and communication information.
  • third party, insurer or related entity pays on the business's behalf — The covered business remains responsible once it makes or becomes aware of the on-behalf payment.
  • smart-device manufacturer — Manufacture in-scope products to the prescribed standard and prepare the required statement of compliance.
  • smart-device supplier — Do not supply a product required to comply if it is non-compliant, and supply it with the required statement of compliance.
  • entity affected by a significant cyber incident — May share information voluntarily with the National Cyber Security Coordinator and may later be involved in a no-fault CIRB review.
PUT THIS IN YOUR POLICY, EXACTLY

Trigger actions. A ransom demand alone must be recorded and assessed, but the Part 3 report is triggered when a covered entity makes or becomes aware of a related payment or benefit made on its behalf. The Incident Lead must preserve the required incident, demand, payment and communication information, lodge the approved report, assess parallel reports, and separately decide whether voluntary NCSC or ASD sharing is appropriate.

What are the deadlines and reporting clocks?

The Cyber Security Act payment-reporting clock is 72 hours from when the covered business makes the ransomware payment or becomes aware that a payment was made on its behalf, not automatically from incident discovery or receipt of a demand. The report only needs information the entity knows or can find through reasonable search or enquiry within that period. A CIRB document-production notice must provide at least 14 days for compliance, while an ordinary section 48 request is voluntary. Separate laws may start different clocks for the same event: Privacy Act-covered entities generally have up to 30 calendar days to complete a suspected eligible-breach assessment and must then notify as soon as practicable, while SOCI responsible entities can face 12-hour and 72-hour incident-reporting clocks. The practical answer is a clock register that identifies each trigger independently.

How this differs by situation
  • Cyber Security Act ransomware payment report — 72 hours from payment or awareness of an on-behalf payment.
  • CIRB compulsory document notice — The notice period must not be less than 14 days.
  • Privacy Act suspected eligible data breach — Take all reasonable steps to complete the assessment within 30 calendar days, then notify required parties as soon as practicable once eligibility is established.
  • SOCI critical incident — Report within 12 hours of awareness of significant impact; relevant-impact incidents are reported within 72 hours.
PUT THIS IN YOUR POLICY, EXACTLY

Reporting clock register. For every cyber incident, the Legal Lead must record each law, regulator, contract and insurer trigger separately, including the trigger event, awareness time, due time, report owner, approval path and submission evidence. A 72-hour Cyber Security Act clock starts from payment or awareness of an on-behalf payment and must not be confused with clocks starting from incident discovery.

What are the penalties for getting it wrong?

Failing to provide a required ransomware payment report carries a maximum civil penalty of 60 penalty units. At the Commonwealth penalty-unit value applying from 1 July 2026, that equals A$21,840; for contraventions between 30 May 2025 and 30 June 2026, 60 units equalled A$19,800. Failing to comply with a compulsory CIRB document-production notice also carries 60 penalty units. Smart-device enforcement is structured around compliance, stop and recall notices, monitoring, enforceable undertakings and injunctions; Home Affairs may publicly identify a failure to comply with a recall notice. Reporting a payment does not make the payment lawful, advisable or immune from sanctions, criminal law, contractual or other regulatory consequences.

How this differs by situation
  • missing or late ransomware payment report — Maximum civil penalty is 60 Commonwealth penalty units.
  • failure to comply with CIRB section 49 notice — Maximum civil penalty is also 60 penalty units.
  • smart-device non-compliance — Regulatory responses can include compliance, stop and recall notices, public notification, monitoring, enforceable undertakings and injunctions rather than one universal fixed fine for every breach.
  • parallel legal breach — Privacy, SOCI, sanctions, criminal, consumer, contractual and sector consequences remain separate.
PUT THIS IN YOUR POLICY, EXACTLY

Penalty control. The Incident Lead must escalate any possible ransom payment before it is made, preserve evidence of the payment decision and time, and ensure the statutory report is submitted within 72 hours. Legal must separately assess sanctions, criminal law, privacy, critical-infrastructure, consumer, contract and insurance consequences; filing a Cyber Security Act report is not an approval or safe harbour for the payment.

What has changed recently, and what's coming?

The Act became law on 29 November 2024, with different Parts commencing on different dates. Mandatory ransomware payment reporting began on 30 May 2025; Home Affairs used an education-first phase through 31 December 2025 and moved to a more active compliance-and-education phase from 1 January 2026. The consumer smart-device Rules commenced on 4 March 2026 after a 12-month transition and apply mainly to in-scope products manufactured from that date. The Cyber Incident Review Board was appointed on 1 May 2026 and is now operational as an independent no-fault advisory body. The Parliamentary Joint Committee on Intelligence and Security may review the Act's operation, effectiveness and implications, with that review to begin as soon as practicable after 1 December 2027.

How this differs by situation
  • ransomware payment reporting — Commenced 30 May 2025; active compliance focus applies from 1 January 2026.
  • smart-device standards — Commenced 4 March 2026 for most in-scope devices manufactured from that date.
  • Cyber Incident Review Board — Board appointments were announced on 1 May 2026; reviews occur after immediate response activity has ended.
  • future statutory review — PJCIS may commence its Act review as soon as practicable after 1 December 2027.
PUT THIS IN YOUR POLICY, EXACTLY

Regulatory change control. The Policy Owner must review this policy whenever Cyber Security Act Rules, Home Affairs guidance, penalty-unit values or related Privacy Act and SOCI obligations change, and at least annually. The obligations register must record commencement dates, product manufacture dates, current thresholds, enforcement phase and the source version relied upon.

What do I need to have in place to comply?

A potentially covered business needs an incident response plan that can identify a ransom-payment trigger, calculate the correct turnover test, capture payments made by insurers, negotiators or related entities, preserve required information and lodge a report within 72 hours. It also needs a live reporting matrix for the Privacy Act, SOCI, contracts, insurers and sector regulators, because the Act does not consolidate every obligation. Smart-device manufacturers and suppliers need product-scope decisions, compliant password design, a vulnerability-reporting channel, a published security-support period and controlled statements of compliance. Significant-incident procedures should distinguish voluntary ASD and NCSC sharing, the protections attached to each pathway, legal privilege, public statements and mandatory reports. Document preservation and a named response owner are necessary in case the CIRB later requests or compels relevant records.

How this differs by situation
  • business exposed to ransomware — Maintain a payment decision process, turnover record, third-party payment notification clause, 72-hour report workflow and evidence register.
  • insurer, broker, incident responder or negotiator acting for a client — Contracts and playbooks should require immediate notice to the covered client when a payment is made or authorised on its behalf.
  • smart-device manufacturer or supplier — Maintain product classifications, security-standard evidence, vulnerability contacts, support-period publications and statements of compliance.
  • organisation likely to share with government during a significant incident — Pre-authorise who can share, under which ASD or NCSC pathway, with what legal review and recordkeeping.
PUT THIS IN YOUR POLICY, EXACTLY

Readiness requirements. The business must maintain: an annual turnover and entity-status record; a ransom-payment decision and third-party notification workflow; a 72-hour ReportCyber procedure; a multi-regulator reporting matrix; an evidence and privilege protocol; named ASD and NCSC sharing authorities; and, where relevant, smart-device product classifications, vulnerability-reporting contacts, published support periods and statements of compliance.

How does it interact with the Privacy Act, SOCI and other obligations?

The Act is additive, not a single replacement reporting channel. Section 44 expressly says information supplied under the significant-incident coordination Part does not affect other requirements to provide that information, naming the Act's own payment-reporting Part, SOCI Part 2B and the Telecommunications Act as examples. A ransomware incident can therefore trigger the 72-hour payment report only if a payment is made, while independently triggering Privacy Act notification if personal information is likely to cause serious harm and SOCI reporting if a critical-infrastructure asset suffers the required impact. Limited-use protections restrict specified government use and admissibility, but regulators and law-enforcement bodies can seek the same information through their own powers, and Privacy Act restrictions continue to apply to government handling. Contracts, insurers, APRA, ASX and state or territory laws may add further triggers, so one submission should never be assumed to discharge them all without confirmation.

How this differs by situation
  • Cyber Security Act Part 3 — Reports a covered ransomware or cyber-extortion payment; it is not a general incident or data-breach report.
  • Privacy Act NDB scheme — Focuses on eligible personal-information breaches likely to cause serious harm, whether or not a ransom is paid.
  • SOCI Part 2B — Focuses on relevant or significant impacts to covered critical-infrastructure assets and may require 12-hour or 72-hour reports.
  • ASD or NCSC limited-use sharing — Can support coordinated response but does not acquit mandatory reports to regulators.
  • state, territory, sector, contract or insurer duties — May operate concurrently and require additional notifications or approvals.
PUT THIS IN YOUR POLICY, EXACTLY

No single-report assumption. Submission to ASD, the National Cyber Security Coordinator or under one statutory scheme does not satisfy another reporting duty unless the receiving regulator confirms this in writing. The Legal Lead must assess the Cyber Security Act, Privacy Act, SOCI Act, Telecommunications Act, sector regulation, contracts, insurance and State or Territory law separately.

The common mistakes and misconceptions?

The most common mistake is calling Part 3 an incident-reporting rule: it is specifically a payment-reporting rule, so a demand alone does not trigger it and the 72-hour clock does not begin merely because malware is discovered. Businesses also assume the A$3 million boundary is clear, even though the factsheet conflicts with the Act and Rules at exactly A$3 million. Limited use is often mistaken for a broad safe harbour, immunity or substitute for regulatory reporting, but it only restricts specified use, disclosure and admissibility of protected information. Smart-device rules do not retrospectively regulate products manufactured before 4 March 2026 and exclude specified categories such as desktops, laptops, smartphones and tablets, while some products sold business-to-business can still be in scope if they are intended for personal, domestic or household use. The CIRB is a no-fault learning body and does not assign blame, although compulsory document powers can follow an initial voluntary request.

How this differs by situation
  • ransom demand with no payment — Not reportable under Part 3 solely because the demand was made, though other incident and breach duties may apply.
  • exactly A$3m — Do not assume the factsheet's 'or more' wording resolves the issue; primary legislation uses 'exceeds'.
  • limited-use information sharing — Not a safe harbour, not immunity, and not satisfaction of separate reports.
  • buyer or user of existing smart devices — The direct product regime focuses on manufacturers and suppliers of covered products manufactured from 4 March 2026; existing devices may remain a security risk without being retrospectively covered.
  • CIRB review — No-fault and post-incident, but relevant documents can become subject to a compulsory notice.
PUT THIS IN YOUR POLICY, EXACTLY

Interpretation safeguards. Staff must not describe the Act as requiring every cyber incident to be reported within 72 hours, as banning or approving ransom payments, as creating a legal safe harbour, or as replacing Privacy Act, SOCI or contractual reports. Any public or internal statement about coverage must identify the specific Part, trigger, entity, product, threshold and clock relied upon.

What's my next step?

Common misconceptions

  • Every Australian cyber incident must be reported under the Cyber Security Act within 72 hours. INFERRED
  • A ransomware or cyber-extortion demand alone triggers the mandatory Part 3 report even when nobody provides a payment or benefit. VERIFIED
  • The official guidance is unambiguous that a business with exactly A$3 million turnover is covered. INFERRED
  • Submitting information to ASD or the National Cyber Security Coordinator satisfies all Privacy Act, SOCI and sector reporting duties. VERIFIED
  • Limited use is a complete safe harbour that prevents regulatory, civil or criminal consequences arising from the incident. INFERRED
  • The Act either bans ransomware payments or grants permission to make them. INFERRED
  • All smart devices already in Australian homes and workplaces became retrospectively non-compliant on 4 March 2026. VERIFIED
  • Smartphones, laptops, tablets and desktop computers are covered by the current consumer smart-device Rules. VERIFIED
  • The Cyber Incident Review Board determines fault and imposes liability after a major incident. VERIFIED
  • Every request from the Cyber Incident Review Board is immediately compulsory. VERIFIED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
Ransomware and cyber-extortion payment reporting Department of Home Affairs through the designated Commonwealth body and ASD ReportCyber A reporting business entity is directly or indirectly impacted by a cyber security incident, an extorting entity makes a related demand, and the reporting entity makes or becomes aware that another entity made on its behalf a related monetary or non-monetary payment or benefit. The ordinary business limb uses previous-financial-year turnover exceeding A$3 million; a separate limb covers responsible entities for SOCI Part 2B assets. Within 72 hours of making the payment or becoming aware that an on-behalf payment was made. The obligation commenced on 2025-05-30. 60 penalty units; A$21,840 for a contravention on or after 2026-07-01, and A$19,800 for a contravention from commencement through 2026-06-30.
Security standards for consumer-grade smart devices Technology Assessment and Regulation Office, Department of Home Affairs A manufacturer or supplier manufactures or supplies an in-scope relevant connectable product intended for personal, domestic or household use and manufactured on or after 2026-03-04, subject to the Rules and exemptions. The Rules commenced on 2026-03-04 after a 12-month transition; compliance applies through manufacture and supply, including supplying the product with a statement of compliance. Enforcement can include compliance, stop and recall notices, public notification of failure to comply with a recall, monitoring, enforceable undertakings and injunctions; no single universal direct dollar penalty applies to every base product breach.
Limited-use protection for voluntary significant-incident information National Cyber Security Coordinator; separate statutory protection also applies to ASD An impacted entity voluntarily provides protected information about a significant cyber security incident to the National Cyber Security Coordinator, or voluntarily collaborates with ASD under the separate Intelligence Services Act pathway. No mandatory filing deadline under the voluntary pathway; protection attaches according to the statutory conditions and does not replace any mandatory report.
Cyber Incident Review Board document production Cyber Incident Review Board During an approved post-incident review, the Chair first requests a relevant document under section 48 and then gives an eligible non-government entity a compulsory written notice under section 49. The section 49 notice must allow at least 14 days for production in the specified manner. 60 penalty units for failing to comply; A$21,840 for a contravention on or after 2026-07-01.
Privacy Act Notifiable Data Breaches scheme Office of the Australian Information Commissioner A Privacy Act-covered entity suspects an eligible personal-information breach or has reasonable grounds to believe an eligible breach likely to cause serious harm has occurred. Take all reasonable steps to complete the suspected-breach assessment within 30 calendar days; once an eligible breach is established, notify the OAIC and affected individuals as soon as practicable.
SOCI mandatory cyber incident reporting Cyber and Infrastructure Security Centre and ASD's ACSC A responsible entity becomes aware of a cyber security incident having a significant or relevant impact on a covered critical-infrastructure asset. Within 12 hours for a critical incident with significant impact and within 72 hours for an other incident with relevant impact; supplementary written reports apply where the initial report is oral. Failure may result in a civil penalty under sections 30BC or 30BD of the SOCI Act.

Sources

  1. Cyber Security Act primary
  2. Cyber Security Act 2024 primary
  3. Cyber Security Act 2024 — as made, full text primary
  4. Cyber Security (Ransomware Payment Reporting) Rules 2025 primary
  5. Ransomware Payment Reporting Rules 2025 — full text primary
  6. Ransomware Payment Reporting Guidance primary
  7. Report a cybercrime, incident or vulnerability primary
  8. Security Standards for Smart Devices primary
  9. Factsheet — Security standards for smart devices primary
  10. Frequently Asked Questions — Security standards for smart devices primary
  11. Limited Use primary
  12. The Cyber Incident Review Board primary
  13. SOCI Act regulatory obligations primary
  14. Notification of Cyber Security Incidents Guidance primary
  15. Part 4: Notifiable Data Breach Scheme primary
  16. Penalty units primary
  17. Redefining cyber readiness: Australia passes its first Cyber Security Act primary
  18. Cyber Security Legislative Package passes Parliament primary
  19. Navigating Australia's first standalone Cyber Security Act 2024 primary
  20. Business Council evidence on the Cyber Security Legislative Package forum
  21. Australia's Ransomware Payment Reporting Day forum
  22. Cyber Security Bill 2024 overview and discussion forum
  23. Cyber Security Act 2024 Australia compliance guide discussion forum
  24. Australian data-breach consequences discussion forum
  25. Cyber Security Act 2024: New Rules for Australian Businesses forum
  26. Australia's new ransomware reporting rules start 30 May 2025 forum
  27. Evolving cyber security coordination in Australia forum
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.