
Federal parliament passes cyber security laws

Reviewed by Malcolm Burrows

On 25 November 2024, the Australian Parliament passed a suite of legislation, collectively referred to by the Australian Government as the Cyber Security Legislative Package 2024.  The purported impetus for this legislation was a series of high-profile data breaches in 2022 and 2023.[1]

The Cyber Security Legislative Package 2024 comprised the following Acts:

Overview of the Cyber Security Act 2024 (Cth)

The Cyber Security Act 2024 (Cth) (CSA) contains the substantive provisions that give effect to the Cyber Security Legislative Package.  It mandates security standards for Internet of Things (IoT) devices, requires the reporting of ransomware payments, and provides for the coordination of government responses to major cyber security incidents.

Part 2 – Security standards for smart devices
This part establishes mandatory security standards for internet-connectable (IoT) products, which the Act calls relevant connectable products.

Key definitions in the CSA

Section 9: Defines “cyber security incident” as an incident that involves a critical infrastructure asset, activities of a corporation subject to the Constitution’s paragraph 51(xx), or a telegraphic, telephonic, or similar service under paragraph 51(v).

Section 10: Defines “permitted cyber security purpose” for a cyber security incident, including responding to, mitigating, or resolving the incident by Commonwealth and State bodies and intelligence agencies.

Section 15: Outlines compliance with security standards for relevant connectable products.

Section 16: Outlines the obligation to provide products with a statement of compliance.

Part 3 – Ransomware reporting obligations
This part imposes reporting obligations on entities that are impacted by cyber security incidents and have made, or are aware of, ransomware payments.

Section 27: Requires reporting business entities to report ransomware payments to a designated Commonwealth body within 72 hours of making the payment or becoming aware it was made.

Sections 29 and 30: Limit the use and disclosure of ransomware payment reports to specific permitted purposes, including cyber security incident response, and prohibit their use for civil or regulatory action against the reporting entity (unless it involves a criminal offence).

Section 32: Makes information provided in ransomware payment reports inadmissible in evidence against the reporting business entity in most legal proceedings.

Part 4 – Coordination of significant cyber security incidents
This part enables entities to voluntarily share information with the National Cyber Security Coordinator about significant cyber security incidents.

Section 21: Defines the National Cyber Security Coordinator as the officer of the Department known as the National Cyber Security Coordinator, along with their staff.

Section 35: Allows impacted entities to voluntarily provide information about potential significant cyber security incidents to the National Cyber Security Coordinator.

Section 37: Outlines the National Cyber Security Coordinator’s role in leading government-wide coordination of and response to significant cyber security incidents.

Sections 38 and 39: Outline the permitted uses of information voluntarily provided to the National Cyber Security Coordinator, including incident response, and prohibit its use for civil or regulatory action against the impacted entity (unless it involves a criminal offence).

Part 5 – Creation of the Cyber Incident Review Board
This part establishes the Cyber Incident Review Board to conduct reviews of certain cyber security incidents and to make recommendations for improvement.

Section 46: Outlines the Board’s function to cause reviews of significant cyber security incidents, potentially at the referral of impacted entities, the Minister, or the National Cyber Security Coordinator.

Section 48: Allows the Chair of the Board to request information or documents relevant to an ongoing review.

Section 50: Establishes civil penalties for failing to comply with a notice to produce documents.

Section 53: Outlines the types of information that must be redacted from final review reports, including information that could prejudice an ongoing investigation, is prohibited from disclosure, or is unreasonably commercially sensitive.

To ensure consistency across government agencies, the data use and regulatory restrictions outlined in the CSA are also mirrored in the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (Cth).

This article does not discuss the provisions of the:

The implementation of the Cyber Security Legislative Package 2024 forms part of the broader cyber security strategy framework outlined in the Australian Government’s 2023-2030 Cyber Security Strategy.

Links and further references

Legislation

Cyber Security Act 2024 (Cth)

Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (Cth)

Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth)


[1] Parliamentary Business, Bills Digest 2024-25, 25BD28 (Department of the Parliamentary Library, 2024), https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/bd/bd2425/25bd028, accessed 13 February 2025.
