---
title: "Australia Cyber Security Act 2024 Compliance Hub"
canonical_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act"
source_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act"
author: "Sorena AI"
description: "Practical Australia Cyber Security Act 2024 compliance hub covering commencement dates, smart device security standards."
published_at: "2026-03-04"
updated_at: "2026-03-04"
keywords:
  - "Australia Cyber Security Act 2024 compliance"
  - "Cyber Security Act 2024 compliance"
  - "Australia Cyber Security Act 2024 timeline"
  - "Australia Cyber Security Act 2024 requirements"
  - "Australia Cyber Security Act 2024 checklist"
  - "smart device security standards Australia"
  - "relevant connectable product Australia"
  - "consumer grade relevant connectable products"
  - "statement of compliance smart devices"
  - "statement of compliance recordkeeping"
  - "ransomware payment reporting 72 hours"
  - "ransomware reporting Australia"
  - "turnover threshold $3 million"
  - "reporting business entity Australia"
  - "SOCI Act critical infrastructure"
  - "cyber incident reporting Australia"
  - "compliance evidence pack"
  - "implementation guide"
  - "compliance calendar"
  - "compliance templates"
  - "Australia Cyber Security Act 2024"
  - "Cyber Security Act 2024"
  - "smart device security standards"
  - "ransomware payment reporting"
  - "72 hour reporting"
  - "statement of compliance"
  - "relevant connectable products"
  - "APAC compliance"
---
# Australia Cyber Security Act 2024 Compliance Hub

Practical Australia Cyber Security Act 2024 compliance hub covering commencement dates, smart device security standards.

![Australia Cyber Security Act artifact preview](https://cdn.sorena.io/cdn-cgi/image/format=auto/cheatsheets/prod/sorena-ai-au-cyber-security-act-timeline-small.jpg?v=cheatsheets%2Fprod)

## Australia Cyber Security Act Timeline and Decision Flow

A practical Australia Cyber Security Act 2024 compliance hub for legal, product, security, and operations teams. Use the timeline and decision flow to understand when Part 2 and Part 3 apply, then use the topic guides to run scope tests, implement smart device controls, issue statements of compliance, and prepare ransomware payment reporting within 72 hours.

This hub brings together the Act, the Smart Devices Rules 2025, the Ransomware Payment Reporting Rules 2025, and the CIRB Rules 2025. Focus areas include relevant connectable product scope, consumer grade exemptions, support period publication, statement of compliance recordkeeping, reporting business entity thresholds, enforcement risk, and cross market comparison pages.

## What you can decide faster

- **Smart devices**: Confirm relevant connectable product scope, implement the smart device standard, issue compliant statements, and maintain a retrievable evidence pack.
- **Ransomware reporting**: Decide whether you are a reporting business entity, document the 3 million dollar threshold logic, and prepare the 72 hour report path before an incident.
- **Evidence pack**: Define owners, acceptance criteria, website disclosure checks, and regulator ready records for statements, support periods, and incident reports.

By Sorena AI | Updated 2026 | No signup required

### Quick scan

- **Timeline view**: Plan staged commencement and operational readiness checkpoints across Part 2, Part 3, and the 2025 rules.
- **Decision flow**: Turn scope, product, and reporting business entity questions into clear implementation actions.
- **Topic guides**: Deep dives on requirements, checklists, deadlines, templates, reporting playbooks, and comparison guides.

Use the artifact and topic guides to turn Australia Cyber Security Act 2024 legal text into release gates, reporting playbooks, website disclosures, and evidence controls.

## Topic Guides

- [Australia Cyber Security Act 2024 Applicability Test | Who Must Comply](/artifacts/apac/australia-cyber-security-act/applicability-test.md): Complete Australia Cyber Security Act 2024 applicability test covering smart device security standards, ransomware payment reporting obligations.
- [Australia Cyber Security Act 2024 Compliance Checklist](/artifacts/apac/australia-cyber-security-act/checklist.md): Comprehensive Australia Cyber Security Act 2024 compliance checklist covering smart device security standards, ransomware payment reporting.
- [Australia Cyber Security Act 2024 Compliance Guide | Implementation Playbook](/artifacts/apac/australia-cyber-security-act/compliance.md): A detailed Australia Cyber Security Act 2024 compliance guide covering smart device security standards, statement of compliance requirements.
- [Australia Cyber Security Act 2024 Compliance Templates | Statement of Compliance, Ransomware Report, Evidence Pack, Vulnerability Disclosure, Support Period](/artifacts/apac/australia-cyber-security-act/templates.md): Comprehensive Australia Cyber Security Act 2024 compliance templates with every required field.
- [Australia Cyber Security Act 2024 Deadlines and Compliance Calendar | Commencement Dates](/artifacts/apac/australia-cyber-security-act/deadlines-and-compliance-calendar.md): Complete Australia Cyber Security Act 2024 deadlines and compliance calendar with all commencement dates: 30 November 2024 Royal Assent.
- [Australia Cyber Security Act 2024 FAQ | Frequently Asked Questions](/artifacts/apac/australia-cyber-security-act/faq.md): Get detailed answers to frequently asked questions about the Australia Cyber Security Act 2024.
- [Australia Cyber Security Act 2024 Requirements | Smart Device and Ransomware Reporting Obligations](/artifacts/apac/australia-cyber-security-act/requirements.md): Complete guide to Australia Cyber Security Act 2024 requirements covering smart device password rules, vulnerability disclosure.
- [Australia Cyber Security Act 2024 Timeline and Commencement Dates | Full Schedule](/artifacts/apac/australia-cyber-security-act/timeline-and-commencement.md): Complete Australia Cyber Security Act 2024 timeline with every commencement date from Royal Assent on 29 November 2024.
- [Australia Cyber Security Act 2024 vs EU Cyber Resilience Act | Full CRA Comparison](/artifacts/apac/australia-cyber-security-act/cyber-security-act-vs-eu-cyber-resilience-act.md): Detailed comparison of the Australia Cyber Security Act 2024 and the EU Cyber Resilience Act covering scope, product categories, security requirements.
- [Australia Cyber Security Act 2024 vs UK PSTI Act | Product Security Comparison](/artifacts/apac/australia-cyber-security-act/cyber-security-act-vs-uk-psti-act.md): Detailed product security comparison of the Australia Cyber Security Act 2024 and the UK PSTI Act covering scope, ETSI EN 303 645, password requirements.
- [Australia Smart Device Compliance Checklist | Cyber Security Act 2024 | Sorena](/artifacts/apac/australia-cyber-security-act/smart-device-compliance-checklist.md): Complete Australia Cyber Security Act 2024 smart device compliance checklist covering Schedule 1 password security, vulnerability disclosure.
- [Penalties and fines | Australia Cyber Security Act 2024 | 60 Penalty Units, Smart Device Enforcement, Ransomware Reporting](/artifacts/apac/australia-cyber-security-act/penalties-and-fines.md): Australia Cyber Security Act 2024 penalties explained: 60 penalty units (AUD 19,800) per contravention for individuals.
- [Ransomware Payment Reporting in 72 Hours | Australia Cyber Security Act 2024](/artifacts/apac/australia-cyber-security-act/ransomware-payment-reporting-72-hours.md): Complete guide to the 72 hour ransomware payment reporting obligation under Part 3 of the Australia Cyber Security Act 2024.
- [Scope and Definitions | Australia Cyber Security Act 2024](/artifacts/apac/australia-cyber-security-act/scope-and-definitions.md): Complete guide to the Australia Cyber Security Act 2024 scope and definitions.
- [Smart device security standards | Australia Cyber Security Act 2024](/artifacts/apac/australia-cyber-security-act/smart-device-security-standards.md): Complete technical guide to the three Australia Cyber Security Act 2024 smart device security standards: password security under Clause 2.
- [Statement of Compliance and Recordkeeping | Australia Cyber Security Act 2024 | Section 9, Section 10, 5 Year Retention](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-and-recordkeeping.md): Australia Cyber Security Act 2024 statement of compliance explained: all mandatory fields under Section 9(3) of the Smart Device Rules 2025.

## Key milestones for Australia Cyber Security Act

Use timeline milestones to sequence policy, engineering, assurance, and reporting work.

## How to operationalize Australia Cyber Security Act

Use the decision flow to convert applicability and requirement questions into clear actions.

## Decision Steps

### OVERVIEW: Cyber Security Act 2024 (Cth) - compliance decision map

- Part 2: smart device security standards (connectable products).
- Part 3: ransomware payment reporting (72-hour report) for reporting business entities.
- Part 4: voluntary information sharing with the National Cyber Security Coordinator for significant incidents.
- Part 5: Cyber Incident Review Board (CIRB) reviews and document production notices.

- Next: Smart device security standards

### PART 2: Smart device security standards

- Applies to relevant connectable products manufactured/supplied on/after Part 2 commencement (s 13).
- Current standard covers consumer-grade connectable products acquired by a consumer (Rules s 8).
- Mandatory Schedule 1 requirements start 4 Mar 2026 (Rules commencement).

- Next: Do you manufacture or supply a relevant connectable product that will be acquired in Australia?

### STEP 1: Do you manufacture or supply a relevant connectable product that will be acquired in Australia?

*Reference: CSA ss 13, 15, 16*

- Relevant connectable product: internet-connectable or network-connectable; not exempted under rules.
- Part 2 applies to products manufactured on/after Part 2 commencement OR supplied (not second hand) on/after commencement.
- Obligations trigger where you are aware (or should be aware) the product will be acquired in Australia in specified circumstances.

- **YES** Is the product a consumer grade relevant connectable product acquired by a consumer in Australia?
- **NO** Ransomware payment reporting obligations

### STEP 2: Is the product a consumer grade relevant connectable product acquired by a consumer in Australia?

*Reference: Smart Devices Rules 2025 ss 6, 8*

- Consumer grade: intended/likely for personal, domestic or household use.
- Excluded: desktops/laptops, tablets, smartphones, therapeutic goods, road vehicles, vehicle components.
- Specified circumstance: acquired in Australia by a consumer (ACL).

- **YES** Mandatory smart device security standard applies
- **NO** No mandatory smart device standard under current Rules

### PART 3: Ransomware payment reporting obligations

- If you are a reporting business entity and a ransomware payment is made, report within 72 hours (CSA s 27).
- Turnover threshold: $3 million (Rules s 6).
- Payment can be money or a non-monetary benefit.

- Next: Are you a 'reporting business entity' at the time the ransomware payment is made?

### STEP 3: Are you a 'reporting business entity' at the time the ransomware payment is made?

*Reference: CSA s 26(2); Ransomware Rules 2025 s 6*

- Track A: business in Australia + previous FY annual turnover > $3m (or prorated), and not a Commonwealth/State body, and not a SOCI responsible entity.
- Track B: responsible entity for a critical infrastructure asset to which SOCI Act Part 2B applies.
- If unsure: confirm turnover and whether you are a SOCI responsible entity.

- **YES** Did an extortion demand and a ransomware payment occur in connection with a cyber security incident impacting you?
- **NO** Significant incident coordination (voluntary)

### STEP 4: Did an extortion demand and a ransomware payment occur in connection with a cyber security incident impacting you?

*Reference: CSA s 26(1)*

- Incident occurred/occurring/imminent and is a cyber security incident (s 9).
- Demand made by an extorting entity to benefit from the incident/its impact on you.
- You made a payment/benefit, or you're aware another entity made it on your behalf, directly related to the demand.

- **YES** Ransomware payment report required
- **NO** Significant incident coordination (voluntary)

### PART 4: Significant incident coordination (voluntary)

- If impacted by (or likely impacted by) a significant cyber security incident, you may voluntarily share info with the National Cyber Security Coordinator (CSA s 35).
- Impacted entity scope: carrying on a business in Australia OR a SOCI responsible entity (CSA s 35(1)(d)).
- There is no obligation to provide information in response to a request (note to s 35).
- Protections apply (Div 3) and this does not replace other reporting duties (CSA s 44).

- Next: Are you impacted by a 'significant cyber security incident'?

### STEP 5: Are you impacted by a 'significant cyber security incident'?

*Reference: CSA s 34*

- Material risk of serious prejudice to social/economic stability, defence, or national security; OR
- Incident is/could be of serious concern to the Australian people.

- **YES** Voluntary information sharing available
- **NO** Cyber Incident Review Board (CIRB)

### PART 5: Cyber Incident Review Board (CIRB)

- CIRB can cause reviews into certain incidents (CSA s 46).
- Entities may be requested (voluntary) or required (notice) to provide documents (CSA ss 48-50).
- Draft review reports must not be disclosed (CSA s 59).

- Next: Could your incident be eligible for a CIRB review (or are you referring one)?

### STEP 6: Could your incident be eligible for a CIRB review (or are you referring one)?

*Reference: CSA s 46*

- Referrals: Minister, Coordinator, impacted entity, or Board member (s 46(1)).
- Criteria: serious prejudice, novel/complex methods/tech, or serious concern (s 46(3)).
- Timing: only after incident + immediate response ended, and Minister approves terms (s 46(2)).

- **YES** Have you received a notice requiring you to produce documents (s 49)?
- **NO** Be ready to cooperate if approached

### STEP 7: Have you received a notice requiring you to produce documents (s 49)?

*Reference: CSA ss 48-50*

- s 48 request for info/docs is voluntary (no requirement to comply).
- s 49 notice (compulsory) can be issued to certain non-government entities involved in the incident, after a s 48 request; must allow at least 14 days.
- Non-compliance with a s 49 notice is a civil penalty (s 50), subject to exceptions.

- **YES** Comply with the s 49 notice (document production)
- **NO** Be ready to cooperate if approached

## Reference Information

### Key definitions (CSA)

- Cyber security incident: s 9 (tied to SOCI meaning + constitutional limits).
- Relevant connectable product: internet- or network-connectable; not exempted (s 13).
- Ransomware payment: payment/benefit to extorting entity directly related to demand (s 26).
- Reporting business entity: turnover or SOCI Part 2B responsible entity test (s 26).
- Significant cyber security incident: high-impact/serious concern test (s 34).

### Extraterritorial reach

- CSA applies both within and outside Australia (s 5).
- Practical triggers still depend on the Part (e.g., products acquired in Australia; business in Australia; SOCI Part 2B links).

### Security standard (Schedule 1) - core requirements

- Passwords: unique per product or user-defined; not incremental or guessable; not based on public information or raw serial numbers (apply cryptography/hashing if a serial is used).
- Security issue reporting: publish contact + acknowledgement + status updates; accessible/clear; in English; free; no personal info required.
- Support period & updates: publish defined support period (end date) for security updates; do not shorten; publish extensions; ensure prominence and clarity (including understandable without prior technical knowledge).

### Statement of compliance (Rules s 9) - include

- Product type + batch identifier.
- Manufacturer name/address + authorised representative(s) (including those in Australia).
- Declarations: product complies with standard + manufacturer complied with other Schedule 1 obligations.
- Defined support period at issue date; plus signatory signature/name/function + place/date of issue.
- Retention: 5 years (Rules s 10).

### Supplier obligations (high-level)

- Do not supply non-compliant products in Australia when aware/should be aware of relevant circumstances.
- Supply product with manufacturer-prepared statement of compliance.
- Retain copy of statement for required period (5 years for current standard).

### Enforcement tools (Part 2)

- Secretary may issue compliance, stop, and recall notices (Div 3).
- Internal review is available for compliance/stop/recall notices (and certain variations) (s 22).
- Failure to comply with a recall notice can trigger public notification (s 20), including matters prescribed by rules (Smart Devices Rules s 11).
- Independent examination/audit may be used to assess compliance and statements (s 23).

### Scope notes (current standard)

- Current standard only covers consumer-grade relevant connectable products acquired by a consumer in Australia (Rules s 8).
- Excluded product categories are not subject to Schedule 1 (Rules s 8).
- Act allows future standards for other product classes and acquisition circumstances (CSA s 14).

### Turnover threshold (Rules s 6)

- Threshold: $3 million (previous financial year).
- Part-year formula: $3m x (days carried on / days in previous FY).
- SOCI Part 2B responsible entities are in scope regardless of turnover; SOCI responsible entities not covered by Part 2B are not reporting business entities (CSA s 26(2)).

### Report contents (CSA s 27 + Rules s 7)

- Entity details: ABN (if any) + address for reporting entity and payor (Rules s 7(2)-(3)).
- Incident: when occurred/estimated; when aware; impact on infrastructure + customers; ransomware/malware variant; vulnerabilities exploited; info to assist response (Rules s 7(4)).
- Demand: amount/description + method demanded (Rules s 7(5)).
- Payment/benefit: amount/description + method provided (Rules s 7(6)).
- Communications: nature/timing; brief description; pre-payment negotiations (Rules s 7(7)).

### Protections (Part 3)

- Use/disclosure restricted to permitted purposes and not for most civil/regulatory enforcement (CSA ss 29-30; Privacy Act limits apply).
- Disclosure to State bodies requires consent (CSA s 11).
- Legal professional privilege preserved (s 31).
- Info not admissible against reporting entity in most proceedings (s 32), with limited exceptions.

### Liability protection (Part 3)

- Good faith compliance with s 27: entity not liable for damages for acts/omissions (s 28(1)).
- Officers, employees, and agents also protected when acting in good faith (s 28(2)).
- Entity bears an evidential burden when relying on this protection (s 28(3)).

### Who receives the report?

- Report goes to a 'designated Commonwealth body' (CSA s 27(1)).
- Designated body is set by rules; if none, defaults to the Department + ASD (CSA s 8 definition).
- Form may be approved by Secretary; manner may be prescribed by rules (CSA s 27(4)).

### National Cyber Security Coordinator (role)

- Lead whole-of-government coordination and triaging of action in response to a significant cyber security incident (s 37).
- Inform and advise the Minister and whole of Government on the response (s 37).

### Parallel reporting may still apply

- Voluntary sharing under Part 4 does not affect other legal requirements to provide information (CSA s 44).
- Act examples: Part 3 ransomware reporting; SOCI Act Part 2B; Telecommunications Act 1997.
- Common outside-CSA reporting: OAIC NDB scheme (Privacy Act) and APRA CPS 234 (if applicable).

### Information sharing beyond significant incidents (ss 36, 39)

- If it's unclear whether an incident is a cyber security incident or a significant cyber security incident, you can still provide information (s 36(1)).
- NCSC may collect and use the information to determine whether the incident qualifies (s 36(2)).
- This collection/use is authorised for Privacy Act purposes (note to s 36(2)).
- If you provide information about an incident that is not significant (or not a cyber security incident), NCSC use/disclosure is still limited to specific purposes (s 39).

### Part 4 protections (high-level)

- Use/disclosure limited to permitted purposes and not for most civil/regulatory enforcement (CSA ss 38-40; Privacy Act limits apply).
- Legal professional privilege preserved (s 41).
- Info not admissible against impacted entity in most proceedings (s 42), with limited exceptions.
- NCSC may be certified as not compellable as a witness for certain matters (s 43).
- Disclosure to State bodies requires consent (s 11).

### CIRB Rules 2025 (process highlights)

- Board must consider referrals and decide whether a review should be conducted (Rules s 7).
- Prioritisation factors include severity/scale and panel availability (Rules s 8).
- Reviews must not be conducted if they would interfere with or prejudice investigations/proceedings (Rules s 10).
- Board publishes notice when a review will be conducted (Rules s 11).
- Board may discontinue a review at any time and must publish notice within 28 days (CSA s 47).

### CIRB reports: publication, redaction, and no-blame constraints

- Final review report must be published, excluding redacted sensitive review information (s 52(6)).
- Final review report must not apportion blame, determine liability, identify individuals without consent, or allow adverse inference that an entity is subject of review (s 52(4)).
- Sensitive review information must be redacted; protected review report contains redacted info + reasons and is provided to Minister and Prime Minister (ss 53-54).

### Confidentiality & protections (Part 5)

- If you receive a draft review report, do not disclose/use it except allowed purposes (CSA s 59).
- Legal professional privilege preserved (s 57); admissibility limits (s 58).
- Use/disclosure restrictions apply to the Board and recipients (ss 55-56).
- Disclosure to State bodies requires consent under the CSA framework (s 11).

### Other Australian cyber reporting obligations (common)

- SOCI Act Part 2B incident reporting (critical infrastructure).
- SOCI Act CIRMP and other enhanced cyber security obligations may also apply (separate regime; depends on asset classification).
- Telecommunications Act 1997 reporting (telecommunications entities).
- Privacy Act NDB scheme (OAIC): assess within 30 days; notify OAIC/individuals for eligible data breaches.
- APRA CPS 234: notify APRA within 72 hours of certain information security incidents (if APRA-regulated).

### Regulatory powers & enforcement framework (Part 6)

- CSA civil penalty provisions are enforceable under the Regulatory Powers (Standard Provisions) Act 2014 (s 79).
- Enforceable undertakings can cover CSA civil penalty provisions and smart device sections 15-16 (s 79(2)).
- Part 6 also includes monitoring/investigation powers and infringement notices mechanisms.

## Possible Outcomes

### [APPLIES] Mandatory smart device security standard applies

Security Standards for Smart Devices Rules 2025 (Schedule 1) - effective 4 Mar 2026

- Manufacture in compliance with Schedule 1 (passwords, security issue reporting, defined support period & security updates).
- Publish required security information clearly, in English, free of charge (Schedule 1).
- Provide/retain a statement of compliance; suppliers must supply with the statement; retain for 5 years (Rules ss 9-10; CSA s 16).

### [NOT COVERED] No mandatory smart device standard under current Rules

Part 2 can expand via future rules (other classes/circumstances)

- If excluded (e.g., smartphone, therapeutic goods, vehicle) or not acquired by a consumer, Schedule 1 does not apply.
- Track Part 2 commencement and any future standards/exemptions made under the rules.
- If you both manufacture and supply, map obligations for each role.

### [REPORT <=72H] Ransomware payment report required

Give the report to the designated Commonwealth body (CSA s 27)

- Report within 72 hours of making the payment or becoming aware it was made on your behalf.
- Include required information (CSA s 27(2); Rules s 7) based on reasonable search/enquiry within the 72-hour window.
- Civil penalty for failing to report: 60 penalty units (CSA s 27(5)).

### [VOLUNTARY] Voluntary information sharing available

National Cyber Security Coordinator (Part 4)

- Impacted entities (or others acting on their behalf) may provide information about significant incidents, or incidents that could reasonably be expected to be significant (CSA s 35(2)).
- Information can be shared during the response, on your initiative or in response to a request (s 35(3)).
- NCSC collection is authorised (including sensitive information) for Privacy Act purposes (note to s 35(2)).
- If it's unclear whether an incident is a cyber security incident or significant, you can still share information for qualification/triage (s 36).
- Protections on use/disclosure and admissibility apply (Div 3); this does not replace other obligations (s 44).

### [ACTION] Comply with the s 49 notice (document production)

Civil penalty risk for non-compliance

- Produce documents/copies within stated period (>=14 days) and manner (CSA s 49(2)).
- Civil penalty for failing to comply: 60 penalty units (s 50), subject to prejudice exceptions.
- Reasonable compensation may apply for making copies (s 49(4)).

### [MONITOR] Be ready to cooperate if approached

CIRB reviews are not automatic

- A review can be initiated via referral, but only after incident/response ends and Minister approves terms (s 46).
- Requests under s 48 are voluntary; notices under s 49 are compulsory.
- Maintain incident evidence and decision records in case of a review.

### [BASELINE] Operationalise the obligations

Practical next steps across Parts 2-5

- If you sell covered connectable products into Australia: prepare statements and published disclosures before 4 Mar 2026.
- If you are (or could become) a reporting business entity: add ransomware payment reporting (72-hour clock) to IR runbooks and vendor/insurer playbooks.
- Maintain a parallel reporting matrix and do not treat Part 4 sharing as a substitute for other obligations (s 44).

## CSA 2024 Timeline

| Date | Event | Reference |
| --- | --- | --- |
| 2024-11-29 | Cyber Security Act 2024 receives Royal Assent | Cyber Security Act 2024 (Cth) |
| 2024-11-30 | Parts 1, 4, 6, 7 commence (day after Royal Assent) | CSA s 2(1) table |
| 2025-05-29 | Parts 3 and 5 commence (backstop if no proclamation) | CSA s 2(1) table |
| 2025-11-29 | Part 2 commences (backstop if no proclamation) | CSA s 2(1) table |
| 2026-03-04 | Smart device security standard begins (Schedule 1 in force) | Smart Devices Rules 2025 commencement table |

## Compliance Timeline

| Date | Event | Category | Reference |
| --- | --- | --- | --- |
| 2021-12-02 | SLACI Act 2021 commences (SOCI reforms - tranche 1) | SOCI Act Context |  |
| 2021-12-15 | SLACIP Bill exposure-draft consultation window | Policy & Consultation |  |
| 2022-02-04 | SLACIP Bill exposure-draft: final Town Hall held | Policy & Consultation |  |
| 2022-02-10 | SLACIP Bill introduced and referred to PJCIS | Legislative Process |  |
| 2022-03-25 | PJCIS advisory report published (SLACIP Bill) | Legislative Process |  |
| 2022-04-01 | SLACIP Act 2022 made (Federal Register date) | SOCI Act Context |  |
| 2022-04-02 | SLACIP Act 2022 comes into effect (SOCI reforms - tranche 2) | SOCI Act Context |  |
| 2022-04-08 | SOCI Application Rules (LIN 22/026) come into effect | SOCI Act Context |  |
| 2022-07-07 | Telecommunications assets: Cyber Reporting compliance date (Telecommunications Act context) | SOCI Act Context |  |
| 2022-09-09 | Protected Information guidance (consultation draft v1) | Guidance (Non-binding) |  |
| 2022-10-05 | RMP Rules consultation window (SOCI reforms) | Policy & Consultation |  |
| 2022-10-07 | Telecommunications assets: Register compliance date (Telecommunications Act context) | SOCI Act Context |  |
| 2022-11-03 | Draft Risk Management Program Guidance (consultation draft v2) | Guidance (Non-binding) |  |
| 2023-02-16 | CIRMP Rules (LIN 23/006) as made (F2023L00112) | SOCI Act Context |  |
| 2023-02-27 | Australian Cyber Security Strategy consultation window | Policy & Consultation |  |
| 2023-11-22 | Smart device standards: Impact Analysis published | Policy & Consultation |  |
| 2023-12-19 | Cyber Security legislative reforms consultation window | Policy & Consultation |  |
| 2024-10-09 | Minister's second reading speech (House of Representatives) | Legislative Process |  |
| 2024-11-25 | Minister's second reading speech (Senate) | Legislative Process |  |
| 2024-11-29 | Cyber Security Act 2024 receives Royal Assent | Cyber Security Act 2024 |  |
| 2024-11-30 | Act commences: Parts 1, 4, 6 and 7 | Commencement & Application |  |
| 2024-12-16 | Draft Cyber Security Act Rules consultation window | Policy & Consultation |  |
| 2025-02-27 | Cyber Security Act Rules are made (dated) | Subordinate Rules (2025) |  |
| 2025-03-03 | CIRB Rules registered (F2025L00277) | Subordinate Rules (2025) |  |
| 2025-03-03 | Ransomware Payment Reporting Rules registered (F2025L00278) | Subordinate Rules (2025) |  |
| 2025-03-04 | Smart Devices Rules registered; Part 1 commences (F2025L00276) | Subordinate Rules (2025) |  |
| 2025-03-27 | Smart device standards: Supplementary Explanatory Statement registered | Policy & Consultation |  |
| 2025-04-03 | CIRMP Rules: as-made version end date (superseded) | SOCI Act Context |  |
| 2025-04-04 | SOCI Application Rules: April 2025 compilation/version date | SOCI Act Context |  |
| 2025-05-29 | Act commences: Part 3 (ransomware payment reporting) (backstop date) | Commencement & Application | Part 3; s.27 |
| 2025-05-29 | Ransomware Payment Reporting Rules commence (F2025L00278) (aligned to Part 3) | Commencement & Application |  |
| 2025-05-29 | Act commences: Part 5 (Cyber Incident Review Board) (backstop date) | Commencement & Application |  |
| 2025-05-29 | CIRB Rules commence (F2025L00277) (aligned to Part 5) | Commencement & Application |  |
| 2025-11-29 | Act commences: Part 2 (smart device security standards framework) (backstop date) | Commencement & Application |  |
| 2026-01-28 | Compiled Act: replaced authorised version registered | Cyber Security Act 2024 |  |
| 2026-03-04 | Smart Devices Rules substantive obligations commence (Part 2 and Schedule 1) | Commencement & Application |  |
| 2027-12-01 | Statutory review can begin (PJCIS) | Statutory Review | s.88 |

**Event details:**

- **2021-12-02 - SLACI Act 2021 commences (SOCI reforms - tranche 1)**: Home Affairs describes the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act) as the first tranche of reforms to the SOCI Act, commencing from 2 December 2021.
- **2021-12-15 - SLACIP Bill exposure-draft consultation window**: Home Affairs records an exposure-draft consultation period for the SLACIP Bill and accompanying draft Explanatory Document running from 15 December 2021 until Tuesday 1 February 2022.
- **2022-02-04 - SLACIP Bill exposure-draft: final Town Hall held**: Home Affairs notes a final Town Hall was held on 4 February 2022 following the closure of submissions on the SLACIP Bill exposure draft.
- **2022-02-10 - SLACIP Bill introduced and referred to PJCIS**: Home Affairs records that the Minister for Home Affairs introduced the SLACIP Bill to Parliament and referred it to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on 10 February 2022.
- **2022-03-25 - PJCIS advisory report published (SLACIP Bill)**: Home Affairs notes that the PJCIS published its advisory report on the SLACIP Bill on 25 March 2022.
- **2022-04-01 - SLACIP Act 2022 made (Federal Register date)**: The Federal Register of Legislation entry for the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (C2022A00033) shows a date of 1 April 2022 (as-made Act entry).
- **2022-04-02 - SLACIP Act 2022 comes into effect (SOCI reforms - tranche 2)**: Home Affairs records that the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) came into effect on 2 April 2022.
- **2022-04-08 - SOCI Application Rules (LIN 22/026) come into effect**: Draft Risk Management Program Guidance states that the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 came into effect on 8 April 2022, outlining asset classes required to comply with Mandatory Cyber Incident Reporting and certain Register reporting requirements.
- **2022-07-07 - Telecommunications assets: Cyber Reporting compliance date (Telecommunications Act context)**: Draft Risk Management Program Guidance notes that telecommunications assets comply with Cyber Reporting from 7 July 2022 under the Telecommunications Act 1997.
- **2022-09-09 - Protected Information guidance (consultation draft v1)**: Protected Information Guidance Material for industry is marked as a consultation draft (v1) and states it is current "as at 9 September 2022".
- **2022-10-05 - RMP Rules consultation window (SOCI reforms)**: Draft Risk Management Program Guidance states the consultation period for the draft risk management program (RMP) rules was 45 days, from 5 October 2022 to 18 November 2022.
- **2022-10-07 - Telecommunications assets: Register compliance date (Telecommunications Act context)**: Draft Risk Management Program Guidance notes that telecommunications assets comply with the Register from 7 October 2022 under the Telecommunications Act 1997.
- **2022-11-03 - Draft Risk Management Program Guidance (consultation draft v2)**: Draft Risk Management Program Guidance is marked as a consultation draft (v2) and states it is current "as at 03 November 2022".
- **2023-02-16 - CIRMP Rules (LIN 23/006) as made (F2023L00112)**: Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 appear on the Federal Register of Legislation as an as-made version dated 16 February 2023 (F2023L00112).
- **2023-02-27 - Australian Cyber Security Strategy consultation window**: Smart Devices Rules Explanatory Statement references the Australian Government consultation on the 2023-2030 Australian Cyber Security Strategy running from 27 February 2023 to 15 April 2023.
- **2023-11-22 - Smart device standards: Impact Analysis published**: Impact Analysis Addendum for smart device standards states that the Department of Home Affairs published an Impact Analysis on mandatory security standards and an industry-led voluntary cyber security labelling scheme on 22 November 2023.
- **2023-12-19 - Cyber Security legislative reforms consultation window**: Smart Devices Rules Explanatory Statement records that, on 19 December 2023, the Minister released the "Australian Cyber Security Strategy: Cyber Security Legislative Reforms Consultation Paper" and that consultation remained open until 1 March 2024.
- **2024-10-09 - Minister's second reading speech (House of Representatives)**: The Act records that the Minister's second reading speech was made in the House of Representatives on 9 October 2024.
- **2024-11-25 - Minister's second reading speech (Senate)**: The Act records that the Minister's second reading speech was made in the Senate on 25 November 2024.
- **2024-11-29 - Cyber Security Act 2024 receives Royal Assent**: Cyber Security Act 2024 (No. 98, 2024) receives Royal Assent on 29 November 2024.
- **2024-11-30 - Act commences: Parts 1, 4, 6 and 7**: Commencement table: Part 1 (and provisions not otherwise covered), Part 4 (coordination of significant cyber security incidents), and Parts 6-7 (regulatory powers and miscellaneous) commence the day after Royal Assent (30 November 2024).
- **2024-12-16 - Draft Cyber Security Act Rules consultation window**: Explanatory Statements record that the draft Rules package was published on the Department's website on 16 December 2024 and closed for submissions on 14 February 2025.
- **2025-02-27 - Cyber Security Act Rules are made (dated)**: The three Cyber Security Act Rules instruments are dated 27 February 2025 (Smart Devices Rules; Cyber Incident Review Board Rules; Ransomware Payment Reporting Rules). Registration dates follow in early March 2025.
- **2025-03-03 - CIRB Rules registered (F2025L00277)**: Cyber Security (Cyber Incident Review Board) Rules 2025 are registered on 3 March 2025. The instrument commences on the later of the day after registration and the commencement of Act Part 5.
- **2025-03-03 - Ransomware Payment Reporting Rules registered (F2025L00278)**: Cyber Security (Ransomware Payment Reporting) Rules 2025 are registered on 3 March 2025. The instrument commences on the later of the day after registration and the commencement of Act Part 3.
- **2025-03-04 - Smart Devices Rules registered; Part 1 commences (F2025L00276)**: Cyber Security (Security Standards for Smart Devices) Rules 2025 are registered on 4 March 2025. The commencement table provides that Part 1 commences on registration, while Part 2 and Schedule 1 have a delayed commencement (4 March 2026).
- **2025-03-27 - Smart device standards: Supplementary Explanatory Statement registered**: The smart device standards Impact Analysis (Supplementary Explanatory Statement) is an authorised version registered on 27 March 2025 in connection with F2025L00276.
- **2025-04-03 - CIRMP Rules: as-made version end date (superseded)**: The Federal Register of Legislation page for F2023L00112 shows the as-made version dated 16 February 2023 and indicates it is superseded, with the as-made version running until 3 April 2025.
- **2025-04-04 - SOCI Application Rules: April 2025 compilation/version date**: The Federal Register metadata for the SOCI Application Rules references an April 2025 compilation (F2025C00404) and links to a 4 April 2025 version in the legislation history/amendment history.
- **2025-05-29 - Act commences: Part 3 (ransomware payment reporting) (backstop date)**: Commencement table provides for commencement by proclamation, with an automatic commencement if not commenced within 6 months of Royal Assent. The published commencement table includes 29 May 2025 as the backstop date for Part 3. Part 3 imposes the 72-hour ransomware payment reporting obligation for reporting business entities; the 2025 Rules specify (among other details) the $3 million turnover threshold and report content requirements.
- **2025-05-29 - Ransomware Payment Reporting Rules commence (F2025L00278) (aligned to Part 3)**: Commencement clause: the whole instrument commences on the later of the day after registration and the commencement of Act Part 3; the backstop commencement date for Part 3 is 29 May 2025.
- **2025-05-29 - Act commences: Part 5 (Cyber Incident Review Board) (backstop date)**: Commencement table provides for commencement by proclamation, with an automatic commencement if not commenced within 6 months of Royal Assent. The published commencement table includes 29 May 2025 as the backstop date for Part 5.
- **2025-05-29 - CIRB Rules commence (F2025L00277) (aligned to Part 5)**: Commencement clause: the whole instrument commences on the later of the day after registration and the commencement of Act Part 5; the backstop commencement date for Part 5 is 29 May 2025.
- **2025-11-29 - Act commences: Part 2 (smart device security standards framework) (backstop date)**: Commencement table provides for commencement by proclamation, with an automatic commencement if not commenced within 12 months of Royal Assent. The published commencement table includes 29 November 2025 as the backstop date for Part 2 (security standards for smart devices).
- **2026-01-28 - Compiled Act: replaced authorised version registered**: The Act text indicates a replaced authorised version was registered on 28 January 2026 (compiled version reference).
- **2026-03-04 - Smart Devices Rules substantive obligations commence (Part 2 and Schedule 1)**: Commencement table: Part 2 and Schedule 1 of the Smart Devices Rules commence on 4 March 2026 (12-month delayed commencement). This is when the mandatory security standards, the statement-of-compliance requirements (including the 5-year retention period), and the defined support-period rules take effect for covered products.
- **2027-12-01 - Statutory review can begin (PJCIS)**: The Parliamentary Joint Committee on Intelligence and Security may review the operation, effectiveness and implications of the Act, so long as it begins the review as soon as practicable after 1 December 2027.


---


(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/apac/australia-cyber-security-act
