On 22 November 2023 the Australian government released the 2023–2030 Australian Cyber Security Strategy (the “Strategy”), with the aim of strengthening Australia’s cyberdefences and supporting people and businesses to be resilient to and recover quickly from cyber-attacks.

Alongside the Strategy was the 2023–2030 Australian Cyber Security Strategy: Action Plan (the “Action Plan”) setting out three “Horizons”, which culminate in Horizon 3 with Australia as a leader of the global frontier in developing cybertechnologies and adapting to risk and opportunities.

Last year marked the end of Horizon 1 (“Strengthen our foundations”), which aimed to address critical gaps, build protections, and support an initial uplift in cybermaturity. Between July and August 2025, the government conducted a public consultation concerning Horizon 2 (“Expand our search”). The government has moved into industry co-design on specific actions and initiatives; however, no substantive announcements have yet been made. Originally, Horizon 2 was intended to involve scaling Australia’s “maturity across the whole economy” through investments in the broader cyber-ecosystem and workforce.

The government has grounded its vision in six “shields” or “layers of defence” comprising the businesses and citizens, safe technology, world-class threat sharing and blocking, protected critical infrastructure, sovereign capabilities, and resilient region and global leadership. It has set out in its Action Plan different actions and objectives for each shield.

While the co-design process of Horizon 2 and any amendments to the Strategy and the Action Plan are still being contemplated, it is expected that changes to Australia’s overall strategy will be announced in the next 12 months. 

Australia has a broad system of federal, state, and territory-based laws which govern data protection, cybersecurity, and cybercrime.

Data Protection

Entities dealing with personal information in Australia should also be aware of their obligations with respect to:

• the Privacy Act 1988 (Cth) (the “Privacy Act”), which regulates the handling of personal information by “APPs entities” pursuant to the Australian Privacy Principles (APPs).
• the Digital ID Act 2024 (Cth) (the “Digital ID Act”), which is intended to embed safeguards for digital ID services and data in addition to the Privacy Act;
• privacy legislation enacted at the state and territory level;
• the My Health Records Act 2012 (Cth) (the “My Health Records Act”), which imposes specific obligations for health information collected and stored in Australia’s national online health database (in addition to the Privacy Act);
• state and territory health records legislation enacted in New South Wales, Victoria, and the Australian Capital Territory; and
• federal, state, and territory surveillance legislation, which regulates video surveillance, computer and data monitoring, GPS tracking, and the use of listening devices on individuals.

Further definitions and details on the Privacy Act are set out in 6.1 Cybersecurity and Data Protection.

Cybersecurity

Cybersecurity laws in Australia are primarily governed under sector-specific federal laws, and include the following.

• Critical infrastructure: this sector is regulated under the Security of Critical Infrastructure Act 2018 (Cth) (the “SOCI Act”), which imposes registration, reporting, and notification obligations on owners and operators of critical infrastructure and empowers the Australian government to gather information and issue directions where there is a risk to security. More details are contained in 2. Critical Infrastructure Cybersecurity Regulation.
• Telecommunications: this sector is regulated by dual legislation, namely:
1. the Telecommunications Act 1997 (Cth) (the “Telecommunications Act”), which imposes security and notification obligations on Australian telecommunications providers and empowers the Australian government to gather information and issue directions; and
2. the Telecommunications (Interception and Access) Act 1979 (Cth) (the “TIA Act”), which prohibits the interception of communication and access to stored communication data, except for certain law enforcement and national security purposes.
• Corporate: corporations generally are regulated under the Corporations Act 2001 (Cth) (the “Corporations Act”), which is highly relevant to the cybersecurity space. For example, the director’s duty to exercise “care and diligence” (Section 180) is equally relevant to the management of foreseeable cyber and information security risks.
• Financial services: certain financial, insurance, and superannuation entities are regulated through standards, including the Prudential Standard CPS 234 on Information Security (CPS 234), issued by the Australian Prudential Regulation Authority (APRA). Additionally, entities in the financial services have specific obligations under the Corporations Act, such as adequate risk management systems to hold a financial licence (section 912A). 

There are additional laws that are highly relevant to the cybersecurity space that are less sector-specific, such as consumer law, specifically the Competition and Consumer Act 2010 (Cth) (the “Consumer Act”) which addresses consumer affairs, including consumer data protection and cyberscams.

Cybercrime

Overlaying the above are various cybercrime offences in Australia at the federal, state, and territory levels. These offences broadly encompass two categories:

• offences that are directed at computers or other devices and involve hacking-related activities; and
• cyber-enabled offences where such devices are used as a key component of the offence, including online fraud, online child abuse offences, and cyberstalking.

Federally, cybercrime is criminalised under Parts 10.6 and 10.7 of the Schedule to the Criminal Code Act 1995 (Cth) (the “Criminal Code”), which sets out a variety of offences with maximum penalties ranging from fine-only through to life imprisonment.

Organisations should note that in addition to the Criminal Code:

• the TIA Act also makes it a federal offence for an individual to (without authorisation) intercept or access private telecommunications without the knowledge of those involved; and
• state and territory laws criminalise computer offences similar to those criminalised under the Criminal Code (eg, Part 6 of the Crimes Act 1900 (NSW) provides for multiple computer offences regarding unauthorised access, modification, or impairment of restricted data and electronic communications).

Australian states and territories also have their own criminal laws which govern cybercrime offences.

Other Laws

Areas that are also related to cybersecurity include:

• the Broadcasting Services Act 1992 (Cth) (the “Broadcasting Act”) regulates broadcasting services through internet and other means in Australia and enables the creation of industry codes of practice regulating the content of such services;
• the Online Safety Act 2021 (Cth) (OSA) establishes complaint systems for cyberbullying of children, non-consensual sharing of intimate images, cyber-abuse of adults, and the online/social media availability of content that would be subject to broadcasting classifications (restricted or age 18 years or older);
• the Spam Act 2003 (Cth) (the “Spam Act”) prohibits the use of electronic communications for the purpose of sending unsolicited marketing materials to individuals; and
• the Do Not Call Register Act 2006 (Cth) (the “DNCR Act”) prohibits unsolicited telemarketing calls being made to phone numbers registered on a Do Not Call Register.

Australia has a range of federal, state, and territory regulators and agencies which deal with cybersecurity.

The overarching government agencies are:

• Department of Home Affairs (DoHA); and
• Australian Signals Directorate (ASD).

While the key regulators and enforcement bodies include:

• Office of the Information Commissioner (OAIC);
• Critical Infrastructure Centre (CIC);
• Australian Communications and Media Authority (ACMA);
• Australian Securities and Investments Commission (ASIC);
• Australian Prudential Regulation Authority (APRA); and
• Australian Competition and Consumer Commission (ACCC).

Specifically in relation to criminal enforcement, the following regulators are key:

• Australian Federal Police (AFP);
• Commonwealth Director of Public Prosecutions (CDPP);
• Australian Security Intelligence Organisation (ASIO);
• Australian Transaction Reports and Analysis Centre (AUSTRAC); and
• Australian Criminal Intelligence Commission (ACIC).

Each of the above are addressed below.

Overarching Government Agencies

DoHA

The DoHA is the lead government department for cyberpolicy. The DoHA develops cybersecurity and cybercrime law and policy, implements Australia’s national cybersecurity strategy, and responds to international and domestic cybersecurity threats and opportunities, including in the areas of critical infrastructure and emerging technologies. The DoHA also has responsibility for cybersecurity and cybercrime operational agencies including the AFP, ACIC, AUSTRAC, and ASIO.

ASD, ACSC and CERT

The ASD is Australia’s operational lead on cybersecurity and plays both a signals intelligence and information security role. The ASD undertakes cyberthreat monitoring and conducts defensive, disruption, and offensive cyber-operations offshore to support military operations and to counter terrorism, cyber-espionage, and serious cyber-enabled crime. The ASD also advises and co-ordinates operational responses to cyber-intrusions on government, critical infrastructure, information networks and other systems of national significance.

Within the ASD sits the Australian Cyber Security Centre (ACSC). The ACSC drives cyber-resilience across the whole Australian economy including with respect to critical infrastructure, government, large organisations and small to medium businesses, academia, NGOs, and the broader Australian community. The ACSC provides general information, advice, and assistance to Australian organisations and the public on cyberthreats and it collaborates with business, government, and the community to increase cyber-resilience across Australia.

The ACSC also runs the Computer Emergency Response Team (CERT), which provides advice and support to industry on cybersecurity issues affecting Australia’s critical infrastructure and other systems of national significance.

Other key government bodies

At this juncture, the following bodies should also be noted:

• the Attorney-General’s Department (AGD) advises government on cybersecurity policies and law, including in relation to human rights, privacy, protective security, international law, administration of criminal justice, and oversight of intelligence, security, and law enforcement agencies;
• the Department of Defence (DoD) contributes to Australia’s whole-of-government cybersecurity policy and operations and houses ASD; it also houses the Information Warfare Division, which develops information warfare capabilities for the Australian Defence Force (ADF); and
• the Department of Foreign Affairs and Trade (DFAT) advances Australia’s international cyber-affairs agenda, which includes digital trade, cybersecurity, cybercrime, international security, internet governance and co-operation, human rights and democracy online, and technology for development.

Data Protection and Privacy

The OAIC is the federal privacy and information regulator with a range of functions and powers to investigate and resolve privacy complaints, enforce privacy compliance, make determinations, and provide remedies for breaches under the notifiable data breach (NDB) scheme. The OAIC operates by reference to the Privacy Act, the My Health Records Act, the Telecommunications Act, the TIA Act, and recently the Digital ID Act.

The remedies range from enforceable undertakings to civil penalties of 2,000 penalty units (approximately AUD660,000); but may also involve imprisonment. Since December 2022, serious and repeated interferences with privacy may attract a penalty of up to:

• for entities, not body corporates – AUD2.5 million; or
• for body corporates – the greater of AUD50 million, three times the value of the benefit attributable to the conduct, or 30% of the adjusted turnover for the relevant period.

There are also state and territory privacy commissioners which administer state and territory-based privacy and health information laws. These include:

• the NSW Information and Privacy Commission, who administers, inter alia, the Privacy and Personal Information Protection Act 1998 (NSW) and Health Records and Information Privacy Act 2002 (NSW); and
• the Office of the Victorian Information Commissioner, who administers the Privacy and Data Protection Act 2014 (Vic) and the Victorian Health Complaints Commissioner, who handles breaches of the Health Records Act 2001 (Vic).

Critical Infrastructure Cybersecurity

The CIC is part of the DoHA and is the federal regulator of the SOCI Act and certain provisions of the Telecommunications Act with powers to investigate, audit, and enforce on compliance matters.

The CIC also has the ability to make recommendations to DoHA and the Home Affairs Minister on whether their information-gathering powers and directions powers should be exercised. The CIC additionally has enforcement powers which allows it to issue penalties for non-compliance that range from performance injunctions, enforceable undertakings, civil penalties of up to 120 penalty units (AUD39,600), or seek two years’ imprisonment.

Telecommunications, Broadcasting and Marketing Cybersecurity

The ACMA is Australia’s regulator for broadcasting, telecommunication, and certain online content and provides licensing to industry providers. ACMA has specific regulatory powers under the Telecommunications Act, the TIA Act, the Spam Act, and the DNCR Act to investigate and resolve complaints and enforce compliance.

In dealing with non-compliance, ACMA is empowered to issue warnings, infringement notices, enforceable undertakings, and remedial directions. ACMA is further able to cancel or impose conditions on licences and accreditations. ACMA also has the ability to commence civil proceedings or refer matters for criminal prosecution.

Additionally, the Office of the eSafety Commissioner (the “eSafety Commissioner”) has powers to promote and regulate online safety with respect to telecommunications, broadcasting, and other online industries. However, the eSafety Commissioner cannot investigate matters of cybercrime. Penalties range from takedown notices and blocking directions to infringement notices and injunction proceedings.

Corporations, Consumers and Financial Services Cybersecurity

ASIC is Australia’s corporate, market, and financial services regulator. It regulates publicly-listed corporations under the Corporations Act and is empowered to investigate and take action against corporations, directors, and officers for non-compliance with the Corporations Act, including cybersecurity issues.

APRA regulates certain finance, banking, insurance, and superannuation entities and issues regulatory guidance (eg, information security standards CPS 234). APRA has powers to supervise, monitor, and intervene in matters of cybersecurity for regulated entities and has a range of enforcement powers to deal with breaches of its standards. Such powers involve APRA issuing infringement notices, providing directions or enforceable undertakings, imposing licensing conditions, disqualifying senior officials, and commencing court-based action.

The ACCC is Australia’s competition regulator and consumer protector, and may, where appropriate, undertake enforcement action against breaches of the Consumer Act, including breaches involving cybersecurity, cybercrime, and cyberscam issues. The ACCC additionally:

• administers the Consumer Data Right (CDR) regime;
• co-regulates (with OAIC) the Digital ID Act; and
• hosts the Scamwatch website, which provides public information, alerts, and access to complaints mechanisms on a wide range of consumer scams, including scams perpetrated online.

Also relevant for the financial sector is that OAIC regulates the aspects of the Privacy Act which deal with credit reporting obligations and the credit reporting code, which imposes certain conditions on entities that hold credit-related personal information.

Cybercrime

Cybercrime at the federal level is investigated and enforced by the AFP and prosecuted by the CDPP. The AFP have a dedicated Cybercrime Operations team comprising investigators, technical specialists, and intelligence analysts who operate across multiple jurisdictions to conduct cyber-assessments and to triage, investigate, and disrupt cybercrime.

More specifically:

• ACIC is Australia’s national criminal intelligence agency; it has broad investigative and coercive powers and shares information between all levels of law enforcement;
• AUSTRAC is the domestic watchdog for Australia’s anti-money laundering and counter-terrorism measures; it supports law enforcement operations involving cybercrime financing; and
• ASIO investigates cyber-activity involving espionage, sabotage, and terrorism related activities; ASIO also contributes to the investigation of computer network operations directed against Australia’s systems.

State and territory-based police and prosecution agencies investigate, enforce and prosecute state and territory cybercrimes.

Australia’s critical infrastructure and assets are regulated through Commonwealth, state, and territory legislation, with a particular emphasis on the SOCI Act. That said, there is broader legislation, such as the Privacy Act and Cyber Security Act, and more sector-specific legislation, such as the Telecommunications Act, that cannot be ignored.

The SOCI Act currently regulates certain assets across eleven sectors: communications, data storage and processing, financial services, energy, food and grocery, health and medical, higher education and research, space technology, transport, water and sewerage, and the defence industry. In November 2025, telecommunications security obligations (which were previously under the Telecommunication Sector Security Reforms (TSSR)) were moved into the SOCI, a change implemented by the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) (the “2024 SOCI Amendment Act”).

Notwithstanding recent reforms which clarified the SOCI Act, the exact parameters of the legislation are broad and complex, and extend to various participants in a supply chain including “responsible entities”, “reporting entities”, “direct interest holders”, “managed service providers”, and “operators”. Some of these definitions are asset-specific, but for our purposes, it is important to note that a “responsible entity” is generally the entity that owns, is licensed, or otherwise responsible for operating the asset.

Further, despite the imminent shift of the TSSR and its obligations to the SOCI Act, these obligations still remain in force and apply to the relevant infrastructure as is. The TSSR are applicable to carriers, carriage service providers, and carriage service intermediaries.

Cyber Security Act

Additionally, there are cybersecurity obligations imposed on critical infrastructure under the Cyber Security Act where they constitute “a reporting business entity”.

A “reporting business entity” is an entity that:

• is carrying on a business in Australia with an annual turnover for the previous financial year that exceeds the “turnover threshold for that year” (to be determined) but is not a Commonwealth body, State body, or responsible entity for a critical infrastructure asset; or
• a responsible entity for a critical infrastructure asset “to which Part 2B of the Security of Critical Infrastructure Act 2018 applies” ‒ specifically, these entities are listed in Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 and include most infrastructure assets.

The SOCI Act imposes requirements on owners and operators of assets across various fields. The exact requirements vary depending on the particular asset/industry; however, it may include a requirement to:

• register with the Register of Critical Infrastructure Assets;
• provide ownership and operational information;
• notify the government of certain cyber-incidents;
• implement and comply with a critical infrastructure risk management programme (CIRMP); and
• if they have “business critical data” processed or stored by a third party on a commercial basis, they must take reasonable steps to notify that third party.

Further still, the SOCI Act and associated rules impose enhanced cybersecurity obligations on assets designated as “systems of national significance” (SoNS). These must be assets that are already considered a “critical infrastructure asset”, but also that they are of “national significance”. These designations are private and confidential so as to avoid publicising their significance to malicious actors. Reports indicate that over 200 systems have been designated to date.

A responsible entity for a SoNS may be required to:

• fulfil statutory response planning obligations;
• undertake a cybersecurity exercise (see 3.6 Threat-Led Penetration Testing);
• undertake a vulnerability assessment (see 3.6 Threat-Led Penetration Testing); and
• where the system is a computer or needs a computer to operate the system, undertake periodic reports, provide event-based reports or install software that transmits system information to the ASD.

It is also worth noting that the SOCI Act also includes:

• an information gathering power for the Secretary of the DoHA to monitor compliance; and
• a directions power for the Home Affairs Minister to direct regulated entities to do or not do a specified thing that is reasonably necessary to protect critical infrastructure from national security risks.

The SOCI Act

The SOCI Act imposes mandatory incident reporting obligations for responsible entities of critical infrastructure assets with regards to cybersecurity incidents.

Responsible entities must report cybersecurity incidents that have a significant or relevant impact on their asset. In other words, a “responsible entity” must make a report when it becomes aware of the following.

• Under Section 30BC a “cyber security incident” that “has had, or is having, a significant impact (whether direct or indirect) on the availability of the asset” ‒ such a “significant impact” is defined as being where “the incident has materially disrupted the availability of [the] essential goods or service” in connection with which the asset is used to provide. The report must be made “as soon as practicable, and in any event within 12 hours, after the entity becomes aware”. If the initial report is oral, then a written report must be made within 84 hours after the oral report is given; and
• Under Section 30BD a “cyber security incident” that “has had, or is having, or is likely to have, a relevant impact on the asset” ‒ such a “relevant impact” is defined (for critical infrastructure assets) as a (direct or indirect) impact on the availability, integrity, reliability of the asset, or on the confidentiality of information about the asset, information stored on the asset or computer data constituting the asset. The report must be made “as soon as practicable, and in any event within 72 hours, after the entity becomes aware. If the initial report is oral, then a written report must be filed within 48 hours of the oral report.

A “cyber security incident”, as defined under Section 12M, is the:

• unauthorised access to or modification of computer data or computer program;
• unauthorised impairment of electronic communications to or from a computer (but does not include “a mere interception of any such communication”); or
• unauthorised impairment of the availability, reliability, security or operation of computer data, a computer program or a computer.

Either of these reports must be given to the ASD (unless another relevant Commonwealth body is specified in the rules). Failure to make a report at all or in writing, or in the approved form, is punishable by 50 penalty units (AUD16,500 fine).

The Cyber Security Act

Irrespective of whether the cybersecurity incident meets the above significance or relevance thresholds, most critical infrastructure assets (being “a reporting business entity”) have additional reporting obligations under the Cyber Security Act.

In summary, there is an obligation to report to the ASD (or another designated Commonwealth agency) where:

• there is a cybersecurity incident that has had, is having, or could reasonably be expected to have a (direct or indirect) impact on a reporting business entity;
• an entity (the extorting entity) demands a benefit; and
• the reporting entity (or a third party on their behalf) makes the ransomware payment.

Such a report must be given with 72 hours of the reporting business entity becoming aware of the payment and must contain certain information.

A “cyber security incident” for these purposes is broader than under the SOCI Act. Under the Cyber Security Act, a “cyber security incident” is an act, event or circumstance covered by the SOCI Act but can also be an act, event, or circumstance if it involves “unauthorised impairment of electronic communication to or from a computer” (even mere interception).

However, in the case of the latter, the incident must involve a critical infrastructure asset; involve an Australian corporation (attracting paragraph 51(xx) of the Constitution); (actually or is reasonably expected to be) effected by means of “telegraphic, telephonic or other like service”; (actually, probably, or it is reasonable to expect it) impeded or impaired “the ability of a computer to connect to such a service”; or (probably or is reasonably expected to have) prejudiced Australia’s social/economic stability, defence or national security.

Voluntary Incident Reporting Obligations

The ACSC has a cyber-incident reporting portal through which critical asset owners are encouraged to voluntarily report cybersecurity incidents.

Any impacted entity carrying or a business in Australia or otherwise a responsible entity for critical infrastructure is now being statutorily encouraged to make voluntary reports to the NCS Coordinator under the Cyber Security Act, even where it is unclear if an incident is a cybersecurity incident.

Other Mandatory Reporting Obligations

Other reporting obligations under the SOCI Act for critical infrastructure assets include:

• taking reasonable steps to notify a third-party entity if that third party is processing or storing “business critical data” on a commercial basis;
• an ongoing obligation on a “reporting entity” to report a “notifiable event” in relation to an asset usually within 30 days after the event occurs, which relates to changes in the operational information and interest/control information in relation to “director interest holders”, or the status of an entity as a reporting entity; and
• reporting if a hazard had significant relevant impacts on a critical infrastructure asset.

See additionally relevant obligations in 6.1 Cybersecurity and Data Protection.

Criminal Offences

Related to infrastructure, Part 10.6 of the Criminal Code places obligations on providers of content or hosting services to notify the AFP as to the existence of material displaying “abhorrent violent conduct” (if occurring in Australia) and, in any event, to expeditiously remove or cease to host such material.

Relevantly, this reporting obligation is supplemented by the OSA, which empowers the eSafety Commissioner to issue removal notices requiring hosting service providers to remove cyberbullying, cyber-abuse, and other harmful material within strict statutory timeframes.

The Australian government considers “the responsibility for ensuring the continuity of operations and the provision of essential services to the Australian economy and community” as being shared “between owners and operators of critical infrastructure, state and territory governments and the Australian government”.

Generally speaking, government bodies may also be captured within the scope of legislative regimes such as the Privacy Act and therefore have the same (or similar) obligations as their private-sphere counterparts. However, the SOCI Act does not apply to the Commonwealth or a body corporate established under Commonwealth law unless so declared or prescribed.

The Australian government is responsible for the “final defence” of Australian infrastructure and cybersecurity. To this end, the SOCI Act grants the Minister last resort “government assistance measures” and powers where a cybersecurity incident relates to a declared national emergency, or elsewhere there is a material risk that a cybersecurity incident has, is, or will likely seriously prejudice the Australia’s social or economic stability, defence, or national security. These include the heavily circumscribed Ministerial power to request an authorised agency to intervene in relation to computer-related activities where an entity is unwilling or unable to respond to an incident.

Additionally, the Cyber Incident Review Board (CIRB) has been established as an independent statutory advisory body responsible for conducting no-fault, post-incident reviews of significant cybersecurity incidents in Australia. The CIRB post review report will contain recommendations to government and industry about actions to prevent, detect, respond to, or minimise the impact of future cybersecurity incidents of a similar nature.

In pursuit of national cohesion, the state authorities adopt the following approaches.

• The ACSC facilitates information and collaboration across private, public, and NGO sectors to develop collective cyber-resilience and to respond to cyber-incidents. In this regard, the ACSC has commenced: a partnership programme, involving private, public, and NGO sectors to enable information sharing and network hardening; and an alert service which provides information on recent cyberthreats as well as prevention and mitigation advice.
• The Joint Cyber Security Centres (JCSC) are state-based agencies which collaborate with organisations across the private, public, and NGO sectors on cybersecurity and cybercrime threats and response options.

Even for the financial sector, there is a patchwork of legislation covering the financial sector’s operational resilience, leading to variations in scope. This legislation includes the SOCI Act, the Corporations Act, the Banking Ac 1959 (Cth), and the Insurance Act 1973 (Cth).

Corporations Act

As a starting point, the Corporations Act imposes a duty to exercise “care and diligence” on all directors and officers of corporations (Section 180), which inherently involves considerations relating to cybersecurity resilience. But more specifically, the Corporations Act requires corporations holding financial licences to have adequate risk management systems (Section 912A).

CPS 234

On top of this, APRA’s CPS 234 regulates information security standards for APRA-regulated financial, insurance, and superannuation entities.

Other Legislation (SOCI Act and Cyber Security Act)

Additionally, other legislation and regulation applicable to sectors beyond the financial is equally relevant here. These include the SOCI Act, since the financial services and markets sector does fall within its scope, so as to include certain banking assets, superannuation assets, insurance assets, and financial market infrastructure assets (see 2. Critical Infrastructure Cybersecurity Regulation). Each of these are, in turn, defined and cover a range of assets owned or operated by entities with certain Australian market licensees, CS facility licensees, benchmark administrators, and more, but most with the underlying condition that the asset is “critical to the security and reliability of the financial services and markets sector”.

Those that fall outside the scope of the SOCI Act may fall within the scope of the Cyber Security Act, which imposes reporting obligations on “reporting business entities”. See 2. Critical Infrastructure Cybersecurity Regulation.

Information and communications technology (ICT) service providers are not expressly defined in Australia. However, legislation does address “data processing or storage” assets and providers. Such an asset may be considered itself a critical infrastructure asset, separate to other critical infrastructure, and therefore fall within the scope of the SOCI Act.

Specifically, an entity that owns or operates a “data storage or processing asset” will be considered a responsible entity under the SOCI Act and their asset “critical” if:

• the entity wholly or primarily provides data storage or processing services that relate to “business critical data”, being “personal information” (per the Privacy Act ‒ see 6.1 Cybersecurity and Data Protection) relating to at least 20,000 individuals, or otherwise information relating to any research and development, needed to operate, systems needed to operate, or risk management and business continuity in relation to a critical infrastructure asset;
• these services are provided to certain end‑users, primarily either:
1. the Commonwealth, a State, a Territory, or a body corporate established under such a Commonwealth, State, or Territory law; or
2. the responsible entity for a critical infrastructure asset;
• the entity knows that the asset is used by the above end-user; and
• the asset does not constitute another critical infrastructure asset.

Further, the 2024 SOCI Amendment Act clarified the SOCI Act so that it included secondary assets who hold business critical data relating to the primary asset. Notably, the intent behind these amendments is not to capture all non-operational systems holding business critical data; rather only those where vulnerabilities could significantly impact critical infrastructure assets. Examples of relevant operational data included network blueprints, encryption keys, algorithms, operational system code, and tactics, techniques and procedures.

The regulations may specifically exclude other such assets. See 2. Critical Infrastructure Cybersecurity Regulation for their obligations and responsibilities.

There is no specific legislation for “digital operational resilience” for the financial sector as seen in the European jurisdictions; however, the objectives of enabling the financial sector to be or remain resilient in the face of serious operational disruption and prevent/mitigate cyberthreats are reflected in the patchwork of legislation.

The SOCI Act

Specifically looking at the obligations under the SOCI Act for the financial sector, although financial business using or constituting critical infrastructure assets have the same incident reporting obligations already covered (see 2.3 Incident Response and Notification Obligations), such services do not have the obligations to register as critical assets and to have a CIRMP under the SOCI Act (except where they are “payment services”). As an aside, a financial service can be classified as a SoNS under the SOCI Act, attracting the enhanced cybersecurity obligations.

The Corporations Act

Notwithstanding the position under the SOCI Act, financial services are likely already required to be registered with APRA and/or obtain a form of financial service licensing; and in doing the latter, must, inter alia, provide their services “efficiently and fairly” and have an adequate risk management program. Australian courts have already confirmed that such a risk management plan must ensure adequate cybersecurity and cyber-resilience measures are adequately implemented across its business.

CPS 234

APRA’s CPS 234 requires APRA-regulated financial, insurance, and superannuation entities to comply with legally binding minimum standards of information security, including by:

• specifying information security roles and responsibilities for the entities’ board, senior management, governing bodies, and individuals;
• implementing and maintaining appropriate information security capabilities;
• maintaining tools to detect and respond to information security incidents in a timely way; and
• notifying APRA of any material information security incidents.

These standards provide that an entity’s board is ultimately responsible for information security and that the board must ensure that its entity maintains information security in a manner that is commensurate with the size and vulnerability of that entity’s information assets.

APRA-regulated entities are required to externally audit their organisation’s compliance with CPS 234 and report to APRA in a timely manner.

If organisations are non-compliant, they may be required to issue breach notices and create rectification plans. If organisations are unable to comply with the standards following this process, APRA may undertake a more formal enforcement process which may include enforceable undertakings or court proceedings.

The Cyber Security Act

In addition to the reporting obligations under the CPS 234, certain responsible entities concerning “critical financial market infrastructure asset” (2.1 Scope of Critical Infrastructure Cybersecurity Regulation) also have ransomware reporting obligations under the Cyber Security Act (see 2.3 Incident Response and Notification Obligations).

There has been no enforcement action against “data processing or storage” providers or other ICT services. In fact, there has been no enforcement action reported in relation to the SOCI Act.

According to CISC’s Compliance and Enforcement Strategy published in April 2022, the CISC prioritises industry partnership and pursues a co-operative, educative, and overall voluntary approach. Although it has a range of regulatory options available, it is yet to use any penalising enforcement action.

Depending on the breach, action against ICTs may also come from other regulators such as the OAIC.

Government Transfers

Although there are limits on the use of the cybersecurity information provided by reporting business entities under the Cyber Security Act and Intelligence Services Act 2001 (Cth), these limitations are unlikely to prevent the ASD, National Cyber Security Coordinator (the “NCS Coordinator”), or CIRB from disclosing the information to foreign authorities or joint partnerships for particular purposes.

For example, if information is voluntarily provided in relation to a significant cybersecurity incident, the NCS Coordinator may disclose this information for the purpose of “coordinating the whole of Government response” or to inform Commonwealth ministers. Those ministers may then disclose the same information for a “permitted cyber security purpose”, such as mitigating material risks that could prejudice Australia’s social/economic stability, defence, or national security. This onward disclosure may include sharing and international transfers of information to foreign authorities or co-ordinated partnerships.

Market Transfers

The Privacy Act

The principal legislation governing data transfers is the Privacy Act. International (cross-border) disclosures of personal information are addressed primarily by Chapter 8 of the Australian Privacy Principles (APP 8).

These principles require APP entities to “take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles”. What is “reasonable” depends on one’s specific circumstances but will usually involve a contract incorporating the APP 8 and the Australian entities monitoring or at least assessing the overseas entity’s systems. Importantly, APP 8 is not limited to where there is an active transfer of data but rather extends to wherever data is accessible to an overseas entity (eg, stored on servers in Australia, but accessible by overseas entities).

Since November 2024, the government has been able to add countries to a “white list”, a binding scheme that recognised countries as being on par to and therefore an exception to the APP 8 requirements. To date, no white list has been announced.

The CDR regime

In respect of data transfers more generally, Part IVD of the Consumer Act regulates the handling (including sharing) of CDR. The CDR was rolled out to the banking and energy sectors in 2020 and 2022 respectively. In 2023, the government paused the roll-out the superannuation, insurance, and telecommunications sectors (and then non-bank lenders and Buy Now Pay Later products) and remains in hiatus since an August 2024 report found compliance costs exceeded initial estimates. Enforcement continues with the Commonwealth Bank of Australia (CBA) receiving four infringement notices totalling AUD792,000 from the ACCC under the CDR scheme. CBA had failed to enable data sharing on accounts with a Trading Entity Business Name (TEBN) customer profile.

However, the Consumer Affairs Ministers across Australia recently renewed their commitment to a strong national consumer protection framework, including progressing nation-wide reforms to protect consumers from unfair trading practices. To many, including the Consumer Policy Research Centre, this suggests addressing questionable transfer and use of consumer data through subscriptions, digital design tactics or “dark patterns”, and other deceptive practices. What impact this has on data transfers remains to be seen.

Prohibitions

Certain information is prohibited from being held or taken outside Australia, such as records held for the purposes of the My Health Record system. Breaching this prohibition could result in a maximum criminal penalty of five years imprisonment and AUD99,000; or a civil penalty of AUD495,000.

Cybercrime

For completeness, it should also be noted that unauthorised access to computer systems (hacking, forceable transfers, etc) is criminalised by both State and Federal legislation. For example, persons suspected of unauthorised access to computer systems are charged pursuant to Section 478.1 of the Criminal Code, which provides for the offence of “Unauthorised access to, or modification of, restricted data”.

These offences have extraterritorial application, meaning that conduct undertaken outside Australia can still be charged and prosecuted under Australian law if:

• the crime involves conduct both inside and outside Australia;
• the crime results in harm within Australia;
• the offender is an Australian citizen, or a corporation incorporated in Australia; or
• the crime is related to another crime that occurred in Australia.

Digital ID

The Digital ID Act and the Digital ID (Transitional and Consequential Provisions) Act 2024 (Cth) restrict an accredited entity on the collection, use, and disclosure of biometrics and other personal information. Although the Digital ID Rules can address the storing and transfer of information outside Australia and were expected to take the form of blanket prohibitions (with minimal exemptions), no such rules have yet been introduced.

Threat-led penetration testing (TLPT) is the testing of systems by replicating the methods used by actual threat actors against. Generally speaking, TLPT is not a requirement in Australia.

Currently, only those critical infrastructure assets designated as a SoNS may be required to undertake:

• a “cyber security exercise”, the purpose of which is to test the entity’s ability to respond appropriateness, preparedness to respond appropriately, and ability to mitigate the relevant impacts, and thereafter prepare an internal report which can in turn be audited; and
• a vulnerability assessment, the purpose of which is to test system vulnerabilities to the relevant cybersecurity incident and thereafter prepare a vulnerability assessment report.

TLPT is also a component of regulatory guidance (eg, ASD’s best practices for deploying secure and resilient AI systems).

On the flipside, unsolicited/unauthorised penetration testing activity could be captured by Section 478.1 of the Criminal Code, which provides for the offence of “[un]authorised access to, or modification of, restricted data”.

There is no specific legislation for cyber-resilience in Australia. However, cyber-resilience requirements have legislative status across various contexts, including:

• the risk management programmes required by the legislation already discussed under the SOCI Act for responsible entities of critical infrastructure assets (2.2 Critical Infrastructure Cybersecurity Requirements) and the Corporations Act for financial licensees (3.3 Key Operational Resilience Obligations);
• other obligations on certain responsible entities concerning TLPT-like requirements (3.6 Threat-Led Penetration Testing); and
• the data protection standards for various types of information such as “personal information” (6.1 Cybersecurity and Data Protection) and the healthcare sector (6.3 Cybersecurity in the Healthcare Sector).

Under the Cyber Security Act, the government is moving towards mandatory security standards for smart devices, with the Cyber Security (Security Standards for Smart Device) Rules 2025 (Cth) set to take effect from 4 March 2026. This framework will be primarily targeted towards the manufacturers and suppliers of these devices. 

Cyber-resilience obligations are imposed on certain responsible entities of critical infrastructure asset by way of the Critical Infrastructure Risk Management Program, which must be adopted, reviewed, and updated. The purpose of these programmes is to identify each hazard with a material risk and minimise, eliminate, or mitigate that hazard (or its material risk). The relevant responsible entities and specific requirements for these programs are set out in the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023.

Additionally for APRA-regulated entities, Prudential Standard CPS 234 imposes obligations relating to information security capability, including maintaining controls over information assets and oversight of third-party service providers.

Other cyber-resilience obligations for critical infrastructure, the broader financial sector and others, as well as relevant enforcement mechanisms, are discussed elsewhere in this chapter.

There is no single legislation in Australia addressing broad-sweeping information technology and cybersecurity (ITC) certification procedures.

However, ITC-relevant certification provisions are relevant to the SOCI Act. Specifically, where a responsible entity holds a certain “certificate of hosting certification (strategic level)” that relates to its critical infrastructure asset, that entity is exempt from needing a critical infrastructure risk management programme. This certificate must be issued under a scheme that is administered by the Commonwealth and is known as the “Hosting Certification Framework” (HCF).

This HCF is only available to data centre providers and cloud service providers; and approximately 11 data centre facilities and 14 cloud services were certified. However, the DoHA has paused the HCF registration process until reforms have been completed in line with the DoHA’s Protective Security Policy Framework released on 24 July 2025 and tranche 2 of the Commonwealth Cyber Security Uplift reforms. These reforms are still ongoing.

For additional context, since 30 June 2022, all government contracts for hosting services must be with certified service providers. However, this policy requirement is not restricted to “strategic level” certification per the SOCI Act. Under this framework, there are three certification levels: “strategic”, “assured”, and “uncertified”. Depending on a government department’s risk profile and data set, they may contract with a “Certified Assured Service Provider”.

At present, Australia does not operate mandatory, sector-specific cybersecurity certification schemes for industries such as the automotive sector, nor does cybersecurity certification generally operate as a condition of market access outside defined government procurement contexts.

The Privacy Act

Scope

Federally, data containing personal information is protected under the Privacy Act, which regulates the handling of this information by “APP entities”.

At this juncture, it is important to note two definitions.

• “Personal information” under the Privacy Act is defined broadly as information or an opinion about an identified or reasonably identifiable individual. It is not required to be true or recorded in a material form. Personal information also includes “sensitive information”, which includes information or opinions on an individual’s race, ethnicity, politics, religion, sexual orientation, health, trade associations, and criminal records. Sensitive information is often afforded a higher level of protection than other personal information.
• “APP entities” are, subject to some exceptions, federal government agencies, private sector organisations with an annual turnover of over AUD3 million, and smaller entities with data-intensive business practices (including private health providers, businesses that sell or purchase personal information, and service providers to the federal government).

Schedule 1 of the Privacy Act contains 13 Australian Privacy Principles, which are minimum standards for processing and handling personal information by APP entities. The Privacy Act also requires mandatory reporting for certain APP breaches under the NDB scheme. Breaches of the Privacy Act may result in investigation and enforcement action by the OAIC.

Reporting obligations (the NDB scheme)

The NDB scheme requires APP entities to notify both affected individuals and the OAIC where there are reasonable grounds to believe that an “eligible data breach” has occurred. In short, as per Section 26WE(2) of the Privacy Act, an “eligible data breach” occurs where:

• there is unauthorised access to/disclosure of personal information and a reasonable person would conclude that this “would be likely to result in serious harm to any of the individuals to whom the information relates”; or
• personal information is lost in circumstances where a reasonable person would conclude that unauthorised access to/disclosure of it is likely to occur and, were it to occur, it “would be likely to result in serious harm to any of the individuals to whom the information relates”.

However, Section 26WF of the Privacy Act creates an exception to reporting such an incident, where the entity in question takes remedial action to ensure that the breach does not cause serious harm to the individuals concerned.

Notably, specific data breaches related to certain health records are excluded from this scheme and are to be addressed under Section 75 of the My Health Records Act (see 6.3 Cybersecurity in the Healthcare Sector).

The ACSC provides an overarching definition for cybersecurity events in its Guidelines for Cyber Security Incidents. In these Guidelines, a cybersecurity event is “an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security”. While there is no general legislative definition of a cybersecurity event, the SOCI Act in Section 12M provides a limited, more complex definition.

Statutory tort

Since 2024, the Privacy Act has contained a statutory tort for serious invasions of privacy, giving individuals a route to seek redress for privacy harms in the courts.

State and Territory Reporting Obligations

There are also schemes at the state/territory level. For example, both NSW and Queensland had introduced mandatory notification of data breach schemes via, respectively, the Privacy and Personal Information Protection Amendment Act 2022 (NSW) (entered into force 28 November 2023) and Information Privacy and Other Legislation Amendment Act 2023 (Qld) (commencement date to be set by proclamation). These largely mirror the federal scheme.

Other Reporting Obligations

There is other relevant legislation for data protection and reporting obligations, including in relation to certain health records (see 6.3 Cybersecurity in the Healthcare Sector), the financial sector (3. Operational Resilience in the Financial Sector) and critical infrastructure assets (2. Critical Infrastructure Cybersecurity Regulation).

At the time of writing, there is no AI-specific regulation on AI; however, there is a patchwork of laws regulating critical infrastructure, privacy, consumer protection, data security, and more that all touch on aspects of AI development and use.

Further, Australia has voluntary instruments, including the following.

• Ethical frameworks, including the Australia’s AI Ethics Principles, which was supplemented on 15 June 2023 by NAIC’s Implementing Australia’s AI Ethics principles: A selection of responsible AI practices and resources.
• A voluntary AI Safety Standard was released on 5 September 2024, comprising practical guidance in the form of ten “AI guardrails”.
• A “Guidance for AI Adoption” was published on 21 October 2025 by the Australian Department of Industry, Science and Resource, outlining six essential practices for safe and responsible AI governance. In line with the report, Australia’s AI Ethics Principles was updated on 2 December 2025 to reflect the recommendations.

Similarly, regulators such as ASD, in conjunction with foreign authorities such as the U.S. National Security Agency’s Artificial Intelligence Security Centre, has published guidance on deploying, engaging with, and developing AI systems. On 24 January 2024, the ASD alongside international partners published a report titled “Engaging with artificial intelligence”, which recognises privacy issues such as when organisations provide customer data to generative AI systems.

Further, the ASD has endorsed the Cybersecurity Performance Goals (CPGs) developed by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).

In Australia, healthcare provider organisations must generally notify the Australian Digital Health Agency (ADHA) of potential risk or actual data breaches relating to the My Health Record system.

The ADHA has provided a guide on how to notify the agency if there is a risk or if an actual data breach has occurred. The four steps are: Contain, Assess, Manage Notifications, and Continue Investigation.

Reporting Obligations

Certain data breaches relating to My Health Record information or the system itself are to be reported under Section 75 of the My Health Records Act (rather than through the NDB scheme under the Privacy Act).

Section 75 of the My Health Records Act requires a report where there has (actually or potentially) been unauthorised collection, use, or disclosure of health information included in a healthcare recipient’s My Health Record or the (actual or potential) compromise of the security or integrity of the My Health Record. This report must be made to the relevant system operator and/or the OAIC. Subsequently, all “affected healthcare recipients” must also be notified of the compromise or unauthorised disclosure.

Other than those data breaches to which the My Health Records Act applies, medical data would generally be personal information and covered by the federal NDB scheme (see 6.1 Cybersecurity and Data Protection).