Australia has introduced a Cyber Security Legislative Package into Parliament, reinforcing its commitment to safeguarding its cyber environment and critical infrastructure. As global cyber threats intensify, the new measures on security standards, reporting and coordination are intended to create a resilient and secure framework for the nation’s security and economic stability.
A Standalone Cyber Security Act
Subject to the passage of this legislation, Australia will soon have its first standalone Cyber Security Act. This marks a levelling up in addressing cyber risks and forms a crucial part of the government’s broader 2023-2030 Australian Cyber Security Strategy.
This new legal framework is designed to tackle existing legislative gaps and align Australia with international cyber security standards. Fresh off the passing of the Digital ID bill in May this year, the government is seeking to shore up Australia’s cyber crime laws.
Seven Key Initiatives to Boost Cyber Resilience
The legislative package introduces seven initiatives to strengthen Australia’s cyber defences. These include:
- Mandatory Cyber Standards for Smart Devices: Establishing minimum security standards for internet connected devices.
- Ransomware Reporting: Mandating that certain businesses report ransom payments, addressing the rise of ransomware attacks.
- National Cyber Security Coordinator Obligations: Introducing voluntary reporting obligations in relation to significant cyber security incidents with a ‘limited use’ provision for both the National Cyber Security Coordinator (NCSC) and the Australian Signals Directorate (ASD). The intention is to limit how the NCSC can use that information for the purposes of encouraging reporting.
- Cyber Incident Review Board: Establishing a board to review significant cyber incidents and improve national preparedness.
Reforming Critical Infrastructure Protections
In addition to the new Cyber Security Act, the package will also drive reforms under the Security of Critical Infrastructure Act 2018 (SOCI Act). These reforms aim to:
- Clarify the responsibilities of businesses managing critical data systems.
- Strengthen government assistance for managing large-scale incidents affecting critical infrastructure.
- Simplify information sharing between industry and government.
- Provide the government with new powers to address serious risks within business risk management programs.
- Harmonise telecommunications security regulations with the SOCI Act framework.
Collaboration to Tackle Emerging Threats
The measures in this package reflect extensive consultation with industry and the community, including feedback from the Cyber Security Legislative Reforms Consultation Paper (December 2023) and the Exposure Draft package (September 2024).
A collaborative approach is essential to preparing Australia to respond to emerging threats and fortifying its cyber security in an increasingly digital world. The reforms are expected to bolster Australia’s cyber resilience, safeguard critical infrastructure, and protect the nation’s economic stability.
Steven Pettigrove – Partner, Piper Alderman
Luke Misthos – Lawyer, Piper Alderman