Australia has taken a significant step forward in safeguarding its digital landscape with the introduction of the Cyber Security Act 2024, the nation’s first standalone cyber security law. Passed in November 2024, this landmark legislation aims to address the growing threats posed by cybercrime, ransomware attacks, and vulnerabilities in smart devices. The Act is a key component of the Australian Government’s broader 2023-2030 Cyber Security Strategy, which seeks to bolster the nation’s resilience against cyber threats.
The Cyber Security Act 2024 is structured into several parts, each targeting specific areas of concern. Part 2 introduces mandatory security standards for smart devices, ensuring that manufacturers and suppliers comply with stringent requirements to protect consumers. Part 3 establishes mandatory reporting obligations for entities that pay ransom following a cyber incident, aiming to curb the rising trend of ransomware attacks. Part 4 creates a framework for voluntary information sharing with the National Cyber Security Coordinator (NCSC) during significant cyber incidents, while Part 5 establishes the Cyber Incident Review Board (CIRB) to analyse and recommend improvements following major cyber events.
One of the Act’s most notable features is its ransomware reporting requirements. Entities with an annual turnover exceeding AUD 3 million or those responsible for critical infrastructure must report ransomware payments within 72 hours. Failure to comply can result in significant penalties, though the government has emphasised an “education-first” approach to enforcement. Additionally, the Act limits the use of reported information to specific purposes, such as national security and incident response, though concerns remain about potential regulatory overreach.
The Act also empowers the Minister for Cyber Security to set tailored security standards for smart devices, with enforcement mechanisms including compliance notices, stop notices, and recall notices. Non-compliance can lead to public notifications, potentially damaging the reputations of manufacturers and suppliers.
The establishment of the NCSC and CIRB further strengthens Australia’s cyber security framework. The NCSC will coordinate government responses to cyber incidents, while the CIRB will provide independent recommendations to prevent future attacks.
Overall, the Cyber Security Act 2024 represents a proactive approach to addressing modern cyber threats, balancing regulatory oversight with practical measures to protect businesses and consumers in an increasingly digital world.