Making Sense of Australia’s New Cybersecurity Legislation – tripwire.com
Late last year, Australia’s Cyber Security Act 2024 received Royal Assent and became Law. It was a huge moment for cybersecurity legislation in Australia, serving as the country’s first-ever standalone cybersecurity law, addressing key legislative gaps, and bringing the country in line with international best practices. But what’s included in the Act? And what does it mean for businesses? Keep reading to find out.
Internet of Things (IoT) devices are a huge part of our daily lives. Most of us will either use or know someone who uses smart devices like internet-connected televisions, watches, or baby monitors. And, as with any device connected to the internet, these technologies are vulnerable to cyber threats.
The Cyber Security Act 2024 reflects this reality, mandating that all manufacturers and suppliers of smart devices available in Australia comply with strict security standards. While the standards themselves aren’t finalized, they will emulate the UK’s regulations for smart devices, which include a ban on universal default passwords, a requirement to implement a means to manage reports of vulnerabilities, and an obligation to provide information about how long the device will be supported.
Under the Act, suppliers and manufacturers will be expected to produce a statement of compliance confirming that the device meets these requirements. If a device fails to meet these standards, the Secretary of Home Affairs has the power to issue:
Manufacturers and suppliers will have a 12-month grace period to ensure devices comply with these standards.
The Cyber Security Act 2024’s mandatory ransomware payment reporting initiative is designed to help the Australian Government better understand the threat landscape and provide tailored advice that helps organizations disrupt the ransomware business model. It requires relevant entities to report a ransomware payment within 72 hours, including, among other details, the amount of the payment, the method of payment, and the identities of the attackers.
This initiative only applies to reporting business entities, which are organizations that do business in Australia with an annual turnover that exceeds $3 million, although this figure may be adjusted in the future. Failing to make a report within the specified period may result in a civil penalty of 60 penalty units, typically $19,800 for corporations.
Organizations must report ransomware payments on a yet-to-be-developed portal on the Australian Signals Directorate’s cyber.gov.au website. The initiative comes into force on May 29, 2025, six months after the Act received Royal Assent.
This initiative limits how the National Cyber Security Coordinator (NCSC) (not to be confused with the UK’s National Cyber Security Centre) and the National Office of Cyber Security can record, use, or disclose information that entities voluntarily provide.
It aims to ensure that Australian organizations suffering a security incident feel comfortable engaging early and sharing information with the Australian government without having to worry about the NCSC passing on this information to regulators or law enforcement. Essentially, the initiative encourages open and honest reporting to improve response efforts.
The limited use initiative applies to information:
It’s important to understand, however, that limited use does not shield or immunize organizations from legal liability or replace mandatory obligations to report a cybersecurity incident.
Finally, the Cyber Security Act 2024 establishes the Cyber Incident Review Board (CIRB). The CIRB is an independent review body that will conduct no-fault, post-incident reviews of significant cyber security incidents in Australia.
Note that a “significant cyber security incident” is defined as one that is, or could reasonably be expected to be, of serious concern to the Australian people or one in which there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to prejudice:
The CIRB will have the power to compel information from organizations involved in a security incident, but only if voluntary requests for information have been unsuccessful.
The key takeaway for most businesses is that, in the wake of a security incident, the Australian Government will expect them to hand over as much relevant information as possible. As such, organizations doing business in Australia should set up reporting mechanisms and incident response plans to streamline this process and avoid non-compliance penalties.
To find out more about how Fortra can help your organization meet these new standards, check out our suite of compliance reporting solutions.