Timeline
The Cyber Security Act 2024 (Cth) represents Australia's first standalone federal cybersecurity law, enacted as part of a broader legislative package to implement the 2023–2030 Australian Cyber Security Strategy. It addresses ransomware, smart devices, incident coordination, and reviews, with parts commencing progressively since late 2024.
Legislative Timeline
- Oct 2024: Cyber Security Legislative Package introduced to Parliament on 9 Oct; referred to Parliamentary Joint Committee on Intelligence and Security (PJCIS).
- 18 Nov 2024: PJCIS review concludes.
- 25 Nov 2024: Passed by Senate.
- 29 Nov 2024: Royal Assent; Parts 1, 6, and 7 commence 30 Nov 2024 (preliminary provisions).
- 20 Dec 2024: Key measures from companion bills commence by proclamation.
- 4 Apr 2025: Schedule 5 (telecom security) and certain rules commence.
- 30 May 2025: Ransomware payment reporting rules commence; Cyber Incident Review Board rules begin.
- May 2026: First smart device security standards take effect (12 months after rules registration).
No major revisions or amendments have been enacted as of Feb 2026; subordinate rules and consultations continue for implementation.
Key Provisions by Part
| Part/Measure | Description | Commencement/Status |
|---|---|---|
| Ransomware Payments | Mandatory reporting for critical infrastructure assets or businesses >$3M revenue; limited use protections. | Rules from 30 May 2025. |
| Smart Devices/IoT Standards | Minimum cybersecurity standards for consumer IoT (e.g., smart watches, baby monitors); compliance statements required from manufacturers/suppliers. | Standards effective May 2026. |
| National Cyber Security Coordinator (NCSC) | Voluntary info sharing on significant incidents; "limited use" obligations to protect sharers. | 30 Nov 2024. |
| Cyber Incident Review Board | Independent, no-fault reviews of major incidents; expert panel for recommendations. | Rules from 30 May 2025. |
Companion and Related Legislation
The Act forms part of a package with immediate amendments to existing laws; no standalone additions post-2024 noted yet.
- Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (SOCI Amendment Act): Expands SOCI Act 2018 obligations: data storage systems, all-hazards directions, protected information, risk management directions, telecom integration, SoNS notifications. Schedules 1–4, 6: 20 Dec 2024; Schedule 5: 4 Apr 2025.
- Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024: Applies limited use obligations to Australian Signals Directorate (ASD) information; FOI exemptions for NCSC documents. Commenced Dec 2024.
- Pre-existing Foundations: Builds on SOCI Act 2018 (critical infrastructure risk programs), PSPF (government entities), Notifiable Data Breaches scheme under Privacy Act 1988.
These reforms emphasize coordination, reporting, and standards without new major enforcement penalties beyond existing frameworks, with ongoing rules development (e.g., Cyber Security Rules 2025).