Australia's New Security Legislative Package: Six Months On


The Qantas breach disclosed in early July, affecting the personal information of several million customers through a compromised third-party contact centre platform, is a reminder that major cyber incidents are no longer exceptional events in Australia.

What has changed is the law waiting for them. Over the past eight months, Australia has assembled its first dedicated cyber security statute book, and July 2025 is a good moment to consider what was introduced.

The Cyber Security Legislative Package

The package was introduced into Parliament on 9 October 2024 as the legislative centrepiece of the 2023 to 2030 Australian Cyber Security Strategy. It consists of three statutes synergising together:

StatuteWhat it does
Cyber Security Act 2024 (Cth)Australia’s first standalone cyber statute. Ransomware payment reporting, smart device security standards, Cyber Incident Review Board, limited use protection for information shared with the National Cyber Security Coordinator
Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024Extends an equivalent limited use protection to information shared with the Australian Signals Directorate
Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024Clarifies that data storage systems holding business-critical data form part of a critical infrastructure asset; sharpens government assistance, information gathering and directions powers
Inside the Cyber Security Act

Until now, cyber obligations were scattered across the Privacy Act, the SOCI Act, the Corporations Act and sector-specific regimes, with no statute treating cyber security as a subject in its own right. The new Act changes that with four measures:

  • Mandatory ransomware payment reporting. The measure with the most immediate operational bite, covered in detail below.
  • Smart device security standards. A power for the Minister to mandate baseline security requirements for internet-connected consumer products, Australia’s answer to the UK’s product security regime.
  • Cyber Incident Review Board. An independent body loosely modelled on transport safety investigators. It conducts no-fault reviews of significant incidents and publishes lessons learned rather than findings of blame.
  • Limited use obligation. Information voluntarily given to the National Cyber Security Coordinator during an incident cannot be used and shared freely across government.

The pair of limited-use rules, covering the Coordinator and the Australian Signals Directorate, address a real behavioural problem. In past incidents, there were concerns that information relayed to the Government in the fog of a crisis could later surface in regulatory enforcement. Consequently, there was a general reluctance to disclose.

The new rules are a legislative attempt to buy candour: information provided to the Australian Signals Directorate or the Coordinator will not be handed to other regulators and is generally inadmissible in civil and criminal proceedings.

How it passed

The passage of the package is notable in itself. The bills were referred to the Parliamentary Joint Committee on Intelligence and Security, which took submissions from industry bodies concerned about compliance burden and the interaction of the new reporting duty with existing regimes. The Committee recommended passage with modest refinements, and both houses passed the package on 25 November 2024, with royal assent on 29 November. For reform of this scale, that is remarkably quick and remarkably bipartisan. The political consensus forged by the Optus and Medibank breaches of 2022 evidently held: nobody in the federal department wanted to be seen slowing down cyber legislation.

While not all aspects of the legislation are in effect, one significant regime has recently become effective.

The ransomware payment reporting obligation

The regime commenced on 30 May 2025 under Part 3 of the Act. At a glance:

ElementDetail
Who must reportEntities carrying on business in Australia with annual turnover above 3 million dollars (pro-rated for part-year operations), and responsible entities for critical infrastructure assets regardless of turnover. Commonwealth and State bodies excluded; not-for-profits are not expressly exempt
What triggers itMaking a ransomware or cyber extortion payment, or becoming aware one was made on your behalf. Payment includes non-monetary benefits such as goods or services
Deadline72 hours from payment
HowOnline form via the Australian Signals Directorate at cyber.gov.au, reported to Home Affairs
PenaltyCivil penalty of 60 penalty units, currently 19,800 dollars
ProtectionSection 32: report contents generally not admissible in evidence against the reporting entity

Three features of the design deserve attention.

The trigger is paying, not being attacked. Four elements must be satisfied:

  1. A cyber security incident;
  2. an actual or potential impact on the entity;
  3. a demand from an extorting entity; and
  4. a payment or benefit provided in response.

An entity that refuses to pay has nothing to report under this regime, although the notifiable data breaches scheme and, where applicable, SOCI incident reporting continue to run in parallel.

The regime gathers intelligence rather than punishing victims. The $19,800 penalty has drawn criticism as a rounding error for the large enterprises the regime most needs to hear from, but the modest figure is deliberate, and the section 32 inadmissibility protection points in the same direction.

Home Affairs is rolling the regime out in two phases:

  • Phase 1 (30 May to 31 December 2025): a settling-in period focused on guidance and awareness, with the regulator indicating it will only act against serious or deliberate breaches
  • Phase 2 (from 1 January 2026): enforcement begins in earnest

Parliament stopped short of banning payment. A prohibition was canvassed during consultation and shelved, for fear it would drive payments underground and criminalise victims making impossible choices. The policy problem is visibility: the Australian Signals Directorate’s most recent Annual Cyber Threat Report found over 70% of the extortion-related incidents it responded to involved ransomware, yet payments have been chronically underreported, leaving government to set policy on a data set it knows understates the problem. The settlement is disclosure. Pay if you must, but tell the Commonwealth within three days.

Open questions

The new statute book does not make organisations more secure by itself, and whether it achieves its own stated aims is a fair question to consider.

The regime measures payers, not the problem. The policy justification for ransomware reporting is visibility: government cannot calibrate policy on a data set it knows understates the threat. Yet the trigger is payment. An entity that receives a demand and refuses has nothing to report under this regime, so the very design filters out the cases where defences held, or victims stood firm. The Commonwealth will learn how many entities pay and how much, but not how many were asked. That is the numerator without the denominator, and it seems like an odd shape for a regime whose entire purpose is to produce a better data set. Demands that coincide with a notifiable data breach or a SOCI incident will surface through those channels, but nothing systematically captures the refused demand on its own.

The penalty is flat where other regimes scale. Sixty penalty units apply equally to a business just over the 3 million-dollar threshold and to a national carrier. That choice is defensible on the regime’s own logic of gathering intelligence rather than punishing victims, but it leaves a puzzle for Phase 2: from January 2026 the regulator is meant to shift to active enforcement, and it is not obvious what enforcement with a 19,800 dollar ceiling meaningfully changes for the largest entities the regime most needs to hear from.

Three things worth watching over the next year or so:

  • Reporting volumes once enforcement begins. Whether the January 2026 shift changes behaviour, and whether government closes the loop by sharing aggregated insights back with industry, will be the first real evidence of whether disclosure without punishment works
  • The Cyber Incident Review Board’s first review. The Board has yet to conduct one. Its choice of inaugural subject, and whether it can extract candid lessons under a no-fault model, will set the tone for the institution
  • Whether limited use changes anything. The regime’s core wager is that legal protection will make general counsel comfortable engaging with government early. That assumption is close to untestable from the outside, but incident response practice over the next few years will quietly answer it

The law has caught up with the threat. Whether it produces the visibility and candour it was built for is now an empirical question, and July 2025 is only the start of the experiment.

Published by

Victor Lin

Victor Lin

Current USYD Student, Aspiring Legal and Technology Professional

Victor is a student at the University of Sydney, with over three years of experience in paralegal roles at leading law firms, experiences in tech consulting, and entrepreneurship within various tech startups.

Comments