cyber security consultants

Federal parliament enacts cyber security legislation

by

reviewed by

Malcolm Burrows

On 25 November 2024, the Australian Parliament passed a suite of legislation, collectively referred to by the Australian Government as the Cyber Security Legislative Package 2024.  The purported impetus for this legislation was a series of high-profile data breaches in 2022 and 2023.[1]

The Cyber Security Legislative Package 2024 comprised the following Acts:

Overview of the Cyber Security Act 2024 (Cth)

The Cyber Security Act 2024 (Cth) (CSA) contains the substantive provisions to give effect to the Cyber Security Legislative Package.  It mandates security standards for Internet of Things (IoT) devices, requiring reporting of ransomware payments and coordinating government responses to major cyber incidents.

Part 2 – Security standards for smart devices
This part establishes mandatory security standards for internet-connectable products, called relevant connectable products loT.

Key definitions in the CSA

Section 9: Defines “cyber security incident” as an incident that involves a critical infrastructure asset, activities of a corporation subject to the Constitution’s paragraph 51(xx), or a telegraphic, telephonic, or similar service under paragraph 51(v).

Section 10: Defines “permitted cyber security purpose” for a cyber security incident, including responding to, mitigating, or resolving the incident by Commonwealth and State bodies and intelligence agencies.

Section 15: Outlines compliance with security standards for relevant connectable products.

Section 16: Outlines the obligation to provide products with a statement of compliance.

Part 3 – Ransomware reporting obligations
This part imposes reporting obligations on entities impacted by cybersecurity incidents and who have made, or are aware of, ransomware payments.

Section 27: Requires reporting business entities to report ransomware payments to a designated Commonwealth body within 72 hours of making the payment or becoming aware it was made.

Sections 29 and 30: Limit the use and disclosure of ransomware payment reports to specific permitted purposes, including cybersecurity incident response, and prohibits use for civil or regulatory action against the reporting entity (unless it involves a criminal offense).

Section 32: Makes information provided in ransomware payment reports inadmissible in evidence against the reporting business entity in most legal proceedings.

Part 4 – Coordination of significant cyber security incidents
This part enables entities to voluntarily share information with the National Cyber Security Coordinator about significant cyber security incidents.

Section 21: Defines the National Cyber Security Coordinator as the officer of the Department known as the National Cyber Security Coordinator, along with their staff.

Section 35: Allows impacted entities to voluntarily provide information about potential significant cyber security incidents to the National Cyber Security Coordinator.

Section 37: Outlines the National Cyber Security Coordinator’s role as leading government-wide coordination and response to significant cybersecurity incidents.

Sections 38 and 39: Outline the permitted uses of information voluntarily provided to the National Cyber Security Coordinator, including incident response, and prohibit its use for civil or regulatory action against the impacted entity (unless it involves a criminal offense).

Part 5 – Creation of the Cyber Incident Review Board
This part establishes the Cyber Incident Review Board to conduct reviews of certain cybersecurity incidents and provide recommendations for improvement.

Section 46: Outlines the Board’s function to cause reviews of significant cyber security incidents, potentially at the referral of impacted entities, the Minister, or the National Cyber Security Coordinator.

Section 48: Allows the Chair of the board to request information or documents relevant to an ongoing review.

Section 50: Establishes civil penalties for failing to comply with a notice to produce documents.

Section 53: Outlines the types of information that must be redacted from final review reports, including information that could prejudice an ongoing investigation, is prohibited from disclosure, or is unreasonably commercially sensitive.

To ensure consistency across government agencies, the data use and regulatory restrictions outlined in the CSA are also mirrored in the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (Cth).

This article does not discuss the provisions of the:

The implementation of the Cyber Security Legislative Package 2024 forms part of the broader cyber security strategy framework outlined in the Australian Government’s 2023-2030 Cyber Security Strategy.

Links and further references

Legislation

Cyber Security Act 2024 (Cth)

Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (Cth)

Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth)

Further information about cyber security compliance

If you need advice on cyber security compliance, contact us for a confidential and obligation-free discussion:

[1]   Parliamentary Business, Bills Digest: 2024-25, 25BD28 (Department of the Parliamentary Library, 2024) https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/bd/bd2425/25bd028 accessed 13 February 2025.


Related insights about cyber security law

  • Dundas Lawyers achieves SMB1001 gold level cyber security certification

    Dundas Lawyers achieves SMB1001 gold level cyber security certification

    On 14 November 2025 Dundas Lawyers achieved the Gold level of the SMB1001 cybersecurity standard.

    Read more …

  • Aust Clinical Labs fined $5.8mil for failing to report data breach

    Aust Clinical Labs fined $5.8mil for failing to report data breach

    On 8 October 2025, the Federal Court published the judgement of Justice Halley in the case of Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 (AIC v ACL).  Australian Clinical Labs Limited (ACL) was ordered to pay $5.8 million in civil penalties in relation to a 2022 data breach.  This…

    Read more …

  • Australians soon facing age checks when viewing adult websites

    Australians soon facing age checks when viewing adult websites

    On 9 September 2025, the eSafety Commissioner, Mrs Julie Inman Grant (Commissioner), registered six (6) new codes (New Codes) under the Online Safety Act 2021(Cth) (Online Safety Act) aimed at protecting children from the “clear and present” dangers of harmful AI chatbots and other online adult content.  On 9 March 2026, these New Codes will…

    Read more …

  • Ransomware payment reporting obligations

    Ransomware payment reporting obligations

    A “Ransomware Attack” is a cyber security breach in which a malicious actor gains unauthorised access to a computer system or network and then encrypts, exfiltrates, or otherwise compromises data or functionality.[1]  Ransomware Attacks have become increasingly sophisticated, financially motivated, and disruptive across all sectors, prompting legislative intervention to regulate responses and improve national cyber…

    Read more …

  • Federal parliament enacts cyber security legislation

    Federal parliament enacts cyber security legislation

    On 25 November 2024, the Australian Parliament passed a suite of legislation, collectively referred to by the Australian Government as the Cyber Security Legislative Package 2024.  The purported impetus for this legislation was a series of high-profile data breaches in 2022 and 2023.

    Read more …

  • The Digital ID Bill 2023 (Cth) – key points

    The Digital ID Bill 2023 (Cth) – key points

    On 30 November 2023, the Digital ID Bill 2023 (Cth) and the Digital ID (Transitional and Consequential Provisions) Bill 2023 (Digital ID Bills) were introduced in the Australian Senate.  Digital IDs are designed to provide individuals with a convenient way to verify their identity when completing certain online transactions and dealing with government and certain…

    Read more …

  • Misinformation and Disinformation Bill 2023 – draft insights

    Misinformation and Disinformation Bill 2023 – draft insights

    The Communications Legislation Amendment (Combatting Misinformation and Disinformation) Bill 2023 (Cth) (Misinformation Bill) was announced by the Department of Infrastructure, Transport, Regional Development, Communication and the Arts (DITRDCA) in January 2023.  The Misinformation Bill is aimed at restricting the flow of misinformation and disinformation by providing the Australian Communications and Media Authority (ACMA) with increased…

    Read more …

  • What are adequate cybersecurity measures?

    What are adequate cybersecurity measures?

    The adequacy of cyber security measures was considered in the case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (ASIC v Ri Advice Group).  One of the issues raised was whether the respondent had adequate cyber security and cyber resilience in place across its network of financial advisors. …

    Read more …

  • Introduction of cryptocurrency and hacking offences to Parliament

    Introduction of cryptocurrency and hacking offences to Parliament

    The Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 is set to revolutionize the way cybercrime is prosecuted. Learn more about the changes it brings and the implications they have.

    Read more …

Send this to a friend