The Australian Cyber Security Act 2024 (Cth) is a landmark piece of federal legislation passed in November 2024. It introduced mandatory ransomware payment reporting, a new independent review body, and minimum security standards for internet-connected devices. If your business turns over more than $3 million annually, at least one of these obligations applies to you right now.
This guide breaks down what the Act actually says, which businesses are affected, and what you need to do about it in plain English.
What Is the Cyber Security Act 2024 Australia?
The Cyber Security Act 2024 is Australia’s first standalone cybersecurity law. It was passed by federal parliament in November 2024 and came into force progressively through 2025 and 2026. The Act is administered by the Department of Home Affairs and sits alongside existing legislation including the Security of Critical Infrastructure Act 2018 (SOCI), the Privacy Act 1988, and the Australian Signals Directorate’s Essential Eight framework.
The Act does not replace any of those laws. It adds new, specific obligations on top of them.
Before 2024, Australia had no dedicated cybersecurity legislation. Businesses faced a patchwork of obligations under privacy law, sector-specific regulation, and voluntary frameworks. The Cyber Security Act 2024 changed that by creating direct, enforceable duties with penalties attached.
Why Was the Act Introduced?
Australia has experienced a significant increase in serious cyber incidents since 2021. High-profile breaches affecting millions of Australians, including Medibank, Optus, and Latitude Financial, demonstrated that existing frameworks were insufficient. The Act is the government’s legislative response to close those gaps.
The Act also reflects a global shift toward mandatory incident reporting. The United States, United Kingdom, and European Union have each moved in this direction. Australia is aligning its regulatory approach with major trading partners.
What Are the Five Key Measures in the Act?
The Cyber Security Act 2024 introduced five distinct measures. Each has its own commencement date, scope, and enforcement regime.
1. Mandatory Ransomware Payment Reporting
Any business with an annual turnover of $3 million or more must report ransomware payments to the Australian Signals Directorate (ASD) within 72 hours of making a payment. This obligation came into force in May 2025.
The report must include:
- The amount paid
- The currency used (including cryptocurrency details)
- Who the payment was made to (where known)
- What systems were affected
- Whether the business had cyber insurance
The reporting obligation applies even if your insurer makes the payment on your behalf. It applies to all businesses above the threshold, not just those in critical infrastructure sectors.
The penalty for non-compliance is $19,800 per incident. The Department of Home Affairs operated an “education-first” grace period from May 2025 to 31 December 2025. That period has ended. Full enforcement is now active.
This provision does not make paying ransoms illegal. It does not require businesses to refuse payment. It simply requires that payments be reported to government so the ASD can track threat actors, payment patterns, and attack vectors.
2. Cyber Incident Review Board (CIRB)
The Cyber Incident Review Board was established in May 2026. It is an independent body modelled on the aviation safety investigation framework used by the Australian Transport Safety Bureau (ATSB).
The CIRB conducts no-fault, systemic reviews of significant cyber incidents. Its purpose is to understand what went wrong and publish learnings that improve the security posture of the broader economy. It is not a regulator and cannot issue fines or penalties.
The board can:
- Review incidents voluntarily referred to it
- Be directed by the Minister to review significant incidents
- Interview affected parties, access technical evidence, and engage external experts
- Publish public reports with findings and recommendations
Because the CIRB operates on a no-fault basis, evidence gathered during its reviews cannot be used in civil or criminal proceedings. This is the same protection that applies to ATSB investigations. The intent is to encourage genuine openness and system-level learning rather than blame assignment.
3. Smart Device Security Standards
From March 2026, internet-connected consumer devices sold in Australia must meet minimum security standards. This includes devices such as smart TVs, home routers, IP cameras, smart speakers, connected appliances, and wearable devices.
The standards draw from international best practice, including the UK’s PSTI (Product Security and Telecommunications Infrastructure) Act. They require:
- No default universal passwords (each device must have a unique credential or require the user to set one)
- A publicly disclosed support period with security updates
- A mechanism for reporting security vulnerabilities to the manufacturer
This measure primarily affects device manufacturers and importers, not end-user businesses. However, businesses that purchase or deploy internet-connected devices should be aware that devices without compliant security practices will not be permitted for sale in Australia.
For businesses managing large numbers of connected devices, this is a positive development. It raises the baseline security of the devices you are likely buying for staff or deploying in premises.
4. Critical Infrastructure Obligations
The Act expands cybersecurity obligations for owners and operators of critical infrastructure assets already regulated under the Security of Critical Infrastructure Act 2018. This includes sectors such as electricity, water, gas, ports, financial services, healthcare, telecommunications, and food supply.
These obligations include:
- Adoption of a Cyber Security Framework within a defined timeline
- Compliance with rules issued by the Minister on specific security outcomes
- Expanded incident reporting requirements beyond what SOCI already required
If your business operates in a regulated critical infrastructure sector, your legal team or a specialist cybersecurity advisor should be reviewing these obligations in detail. The scope and specifics vary by sector.
5. Voluntary Security Codes
The Act creates a framework for voluntary security codes to be developed for cloud service providers, app stores, and social media platforms. These are not mandatory obligations at this stage. They provide a pathway for industry to self-regulate with government endorsement and potential future elevation to mandatory status.
Businesses that use cloud services or software products should watch this space. The voluntary codes will likely influence procurement decisions and vendor due diligence requirements over time.
Who Does the Cyber Security Act 2024 Apply To?
The scope of the Act depends on which provision you are looking at.
Ransomware reporting applies to any business with $3 million or more in annual turnover. This threshold deliberately captures a wide range of Australian businesses, including:
- Professional services firms: law practices, accounting firms, financial advisers, consulting firms
- Healthcare providers: specialist clinics, allied health practices, private hospitals
- Retail and hospitality businesses of meaningful scale
- Technology and software companies
- Construction, engineering, and property businesses
The $3 million threshold is not indexed to inflation. It applies on an annual basis. If your turnover has recently crossed that threshold, the obligation already applies to you.
For most small and medium businesses, the ransomware reporting obligation is the only provision that applies directly. The critical infrastructure obligations apply to a narrower set of regulated sectors.
Does It Apply to Professional Services Firms?
Yes. In our experience, this is the question we receive most often from clients in legal, accounting, and financial services. If your firm turns over more than $3 million, you must comply with the ransomware payment reporting obligation.
Professional services firms are attractive targets for ransomware operators because they hold sensitive client data, they operate under time pressure, and they often have cyber insurance that attackers know can fund payments. The Act is directly relevant to your sector.
How Does the Cyber Security Act 2024 Relate to Other Laws?
The Act does not replace existing obligations. It adds to them. Here is how it sits alongside the major frameworks your business may already be managing.
Security of Critical Infrastructure Act 2018 (SOCI): The SOCI Act governs security obligations for critical infrastructure sectors. The Cyber Security Act 2024 builds on SOCI obligations for those sectors but is broader in scope for the ransomware reporting provision.
Privacy Act 1988: The Privacy Act requires businesses to take reasonable steps to protect personal information and to notify affected individuals and the OAIC (Office of the Australian Information Commissioner) when an eligible data breach occurs. A ransomware attack may trigger both Privacy Act obligations and Cyber Security Act reporting obligations simultaneously. These are separate reports to separate regulators.
Essential Eight Framework: The Essential Eight is a voluntary mitigation strategy published by the ASD. It is not referenced directly in the Cyber Security Act 2024 but remains the most practical baseline security framework for Australian businesses. Otto IT recommends implementing the Essential Eight alongside Cyber Security Act compliance rather than treating them as alternatives.
What Does the Cyber Security Act 2024 Mean for Your Business?
For most Australian businesses above the $3 million turnover threshold, the immediate priority is ransomware readiness. That means being prepared not just to respond to an attack, but to meet the 72-hour reporting requirement while the attack is still unfolding.
Think about what 72 hours actually looks like during a ransomware incident. Your systems may be encrypted or partially offline. Your team is managing client communications, insurance notifications, and internal recovery efforts at the same time. The 72-hour clock starts when you make the payment, not when you finish your investigation.
In our experience, businesses that struggle most with the reporting requirement are those that have never documented their incident response process. When everything is happening at once, it is not the time to figure out how to contact the ASD.
Practical steps to take now:
- Confirm whether your annual turnover exceeds $3 million. If it does, the obligation is active.
- Identify who in your business would make the ransomware report. Name a person, not a role.
- Confirm your cyber insurance policy covers ransomware and check whether the insurer notifies ASD on your behalf or requires you to do so directly.
- Update your cyber incident response plan to include the ASD reporting step and the information you need to gather.
- Brief your executive team and board on the obligation and the penalty for non-compliance.
If you do not have a cyber incident response plan, building one is the most valuable investment you can make right now. A plan does not need to be long. It needs to be specific, tested, and known by the people who will use it.
What Is the Penalty for Not Reporting a Ransomware Payment?
The penalty for failing to report a ransomware payment is $19,800 per incident. This is a civil penalty, not a criminal one. It is applied per incident, meaning each separate ransomware attack that results in a payment and is not reported could attract a separate penalty.
The “education-first” enforcement approach applied from May 2025 to 31 December 2025. During that period, the Department of Home Affairs prioritised helping businesses understand their obligations rather than issuing penalties. That period ended on 31 December 2025. Full enforcement is now active as of 2026.
The penalty amount may appear modest relative to the cost of a ransomware attack itself. However, non-compliance creates additional risk. A failure to report suggests either that the business was unaware of its legal obligations, which raises questions about its overall security governance, or that it chose not to comply, which is a more serious regulatory concern.
How Should You Prepare for the Cyber Security Act 2024?
The preparation steps differ depending on your situation. The following structure applies to most businesses above the $3 million threshold.
Step 1: Assess Your Exposure
Confirm your turnover threshold, identify which provisions apply, and review your existing cybersecurity posture against those obligations. If you are in a critical infrastructure sector, get legal advice on the expanded SOCI obligations.
Step 2: Update Your Incident Response Plan
Your incident response plan should explicitly address the 72-hour ransomware reporting requirement. This includes:
- Who makes the decision to pay a ransom
- Who submits the ASD report
- What information needs to be collected before the report is submitted
- How the report is submitted (the ASD provides an online portal for this purpose)
Step 3: Review Your Cyber Insurance
Many cyber insurance policies include incident response support, but the scope varies. Confirm that your policy covers ransomware, check whether the insurer’s incident response team handles ASD notification, and verify the trigger conditions and waiting periods in your policy.
Step 4: Train Your Team
The people who will respond to a ransomware incident need to know the plan before the incident happens. A tabletop exercise once per year is a practical way to test your response process and identify gaps.
Step 5: Engage a Specialist
The Cyber Security Act 2024 is new. The enforcement environment is still developing. Otto IT recommends working with a cybersecurity specialist who understands both the technical and regulatory dimensions of compliance, rather than treating this as purely a legal or purely an IT problem.
You can review our managed cybersecurity services or contact our team to discuss what your business specifically needs.
Frequently Asked Questions
Q: Does the Cyber Security Act 2024 apply to small businesses?
A: The ransomware payment reporting obligation applies to businesses with annual turnover of $3 million or more. Businesses below that threshold are not captured by this provision. The smart device security standards and critical infrastructure obligations have different scopes. If your turnover is below $3 million, the Act does not currently impose direct reporting obligations on you, but it is still worth reviewing your cybersecurity posture given the broader threat environment.
Q: What happens if I pay a ransom but do not report it?
A: You face a civil penalty of $19,800 per incident under the Cyber Security Act 2024. The “education-first” grace period ended on 31 December 2025, so full enforcement applies now. Beyond the penalty, failing to report may attract additional scrutiny from regulators, particularly if a related data breach triggers Privacy Act notification obligations.
Q: Do I need to report a ransomware attack even if I do not pay?
A: The ransomware reporting obligation in the Cyber Security Act 2024 specifically applies when a payment is made. If your business is attacked but does not pay a ransom, there is no obligation to report under this Act. However, a ransomware attack that results in a data breach may still require notification under the Privacy Act’s Notifiable Data Breach scheme.
Q: What is the Cyber Incident Review Board and how is it different from a regulator?
A: The CIRB is an independent review body that conducts no-fault, systemic reviews of significant cyber incidents. It is modelled on the aviation safety investigation framework and cannot issue penalties or prosecute anyone. Its purpose is to publish learnings that improve national cybersecurity. Evidence gathered by the CIRB cannot be used in civil or criminal proceedings, which encourages genuine openness from affected businesses.
Q: How does the Cyber Security Act 2024 interact with the Privacy Act?
A: They are separate laws with separate obligations. A ransomware attack may trigger both the Cyber Security Act 2024 ransomware reporting requirement and the Privacy Act’s Notifiable Data Breach (NDB) scheme if personal information is compromised. The reports go to different bodies: ransomware payment reports go to the ASD, while NDB notifications go to the OAIC. You may need to submit both, and the timelines differ.
Ready to Get Your Business Cyber Security Act Ready?
The Cyber Security Act 2024 introduced real, enforceable obligations with penalties attached. The grace period is over. If your business is above the $3 million turnover threshold and you have not yet reviewed your ransomware response process, now is the time.
Otto IT works with professional services firms, healthcare businesses, and mid-sized Australian organisations to build practical cybersecurity programs that cover both technical protection and regulatory compliance. We understand the Cyber Security Act 2024, the Essential Eight, and what it actually takes to respond to a ransomware incident under pressure.
Book a conversation with our team to talk through your specific situation. Or if you prefer to start with a services overview, visit our managed cybersecurity page.
You can also get in touch directly and we will get back to you the same business day.