
From threat to impact: Managing cyber risk under the new Cyber Security Bill.


The Cyber Security Bill 2024[1] marks a pivotal moment in Australia's cybersecurity landscape, introducing critical reforms aimed at strengthening resilience across businesses and government entities.

The legislation introduces a Limited Use Obligation for information shared with the Australian Signals Directorate, mandatory security standards for internet-connected (IoT) devices, and expanded obligations under the Security of Critical Infrastructure Act 2018 (SOCI Act). These changes require organisations to revisit their compliance strategies so that reporting, product security and risk management keep pace with evolving cyber threats.

For Australian organisations, particularly those governed by the Protective Security Policy Framework (PSPF) and the Public Governance, Performance and Accountability Act (PGPA Act)[2], compliance with the new regulatory framework is essential. Meanwhile, in New Zealand, the approach remains largely voluntary through CERT NZ[3], lacking equivalent legal mandates outside of the public sector.


What are the bill’s key provisions?

Mandatory reporting of ransomware payments

Organisations with annual turnover above $3 million, and responsible entities for critical infrastructure assets regardless of size, must now report ransomware payments within 72 hours of making the payment (or of becoming aware that a payment has been made on their behalf). The report goes to the Department of Home Affairs and covers the incident, the extortion demand and the payment made. The requirement is intended to give government a far clearer picture of the ransomware economy than the current voluntary reporting provides, and to feed that intelligence back into national cybersecurity responses.

New IoT security standards

The bill introduces mandatory security standards for manufacturers and suppliers (including distributors) of internet-connectable smart devices sold in Australia. Organisations that fail to comply may face compliance notices, stop notices preventing further supply, or recall notices for products already on the market. The standards are modelled on established international baselines for consumer IoT security (for example, no default passwords, a published vulnerability disclosure policy and a defined period of security updates), reinforcing security across interconnected devices.

Expanded critical infrastructure protection under the SOCI Act

Recent updates to the SOCI Act significantly broaden the scope of critical infrastructure, which now encompasses data storage and processing providers, financial markets, energy systems, and healthcare services. Organisations within these sectors must implement comprehensive risk management programs that address cybersecurity, physical security, personnel security, and supply chain vulnerabilities. Cyber incidents with a significant impact on the availability of a critical asset must be reported within 12 hours of the entity becoming aware of them, and other relevant incidents within 72 hours. The bill also grants government agencies intervention and direction powers, enabling direct action during critical cyber incidents to prevent or mitigate national harm.

Revised limited use obligation

To encourage transparency in incident reporting, information that organisations voluntarily share with the Australian Signals Directorate (ASD) or the National Cyber Security Coordinator about a cybersecurity incident may only be used for limited purposes (such as assisting the affected entity and national cyber defence) and cannot be used by regulators to take enforcement action against the reporting entity. The protection does not relieve organisations of their existing mandatory reporting obligations, but it removes a major disincentive to early engagement with ASD and fosters a culture of cooperation and shared intelligence, enhancing national resilience against cyber threats.

Cyber Incident Review Board (CIRB)

An independent Cyber Incident Review Board (CIRB) has been established to conduct no-fault, post-incident reviews of significant cybersecurity incidents, identify systemic risks, and provide actionable recommendations. Its findings will shape future cybersecurity policies and guide corporate best practices, and organisations involved in a reviewed incident may be required to provide it with information.

What are the implications for different sectors?

Federal government and AGORs (Australian government organisations)

The Protective Security Policy Framework (PSPF) was updated in November 2024 to align with the latest cybersecurity legislation. Government entities must now comply with three new mandatory directions: managing the risk of foreign ownership, control or influence over technology assets, conducting regular technology asset stocktakes, and improving threat visibility across agencies. As part of the threat visibility direction, participation in ASD's Cyber Security Partnership Program is now required, ensuring better information-sharing and response coordination across government agencies.

Large enterprises and compliance requirements

Large Australian enterprises also face increasing scrutiny under the Treasury Laws Amendment (Financial Market Infrastructure and Other Measures) Bill 2024. This legislation introduces mandatory climate-related financial disclosures, requiring organisations to report greenhouse gas emissions and corporate sustainability strategies, and the author's view is that cybersecurity risk will increasingly need to be addressed in the same board-level risk disclosures. Compliance with the Australian Accounting Standards Board's sustainability reporting standards is now a key aspect of corporate governance. Furthermore, enterprises classified under the updated SOCI Act must develop and maintain detailed risk management programs to align with new regulatory expectations.

Small and medium-sized enterprises (SMEs)

SMEs, though not the primary target of the bill, will still be affected. Those that manufacture or supply smart devices must meet the newly enforced IoT security standards, and SMEs with annual turnover above $3 million are caught by the ransomware payment reporting obligation. Additionally, SMEs are encouraged to voluntarily report cyber incidents to ASD to benefit from the Limited Use Obligation. However, compliance challenges, particularly financial constraints and resource limitations, remain a concern. To support smaller businesses, the government has allocated $20.8 million toward a Cyber Health Check Program, which provides cybersecurity assessments and best-practice guidance. Further proposals for tax incentives and additional state-level support programs are under consideration.

Australia versus New Zealand in cybersecurity approaches

While Australia enforces strict cybersecurity regulations with mandatory reporting and intervention powers, New Zealand maintains a more flexible, voluntary compliance model. Australian organisations must adhere to strict reporting mandates and expanded critical infrastructure obligations, while their New Zealand private sector counterparts primarily rely on CERT NZ’s advisory services and industry support (with government departments and agencies obliged to follow the NZISM[4] framework). This difference underscores the need for multinational organisations operating in both countries to tailor their cybersecurity strategies accordingly.

Key area | Australia (Cyber Security Bill 2024 & SOCI Act) | New Zealand (CERT NZ framework)
--- | --- | ---
Incident reporting | 72-hour mandatory ransomware payment reporting; 12-hour critical infrastructure incident reporting | Voluntary reporting with no legal penalties
Scope of reporting | Covers ransomware payments, IoT compliance breaches and critical infrastructure incidents | General cybersecurity threats with advisory support
Limited use obligation | Protects voluntarily shared incident information from regulatory enforcement use | No equivalent legal protection
Critical infrastructure obligations | Expanded SOCI Act requirements for key industries | No specific cybersecurity legislation for critical infrastructure
Government assistance powers | Intervention and direction powers for direct response to major cyber incidents | No equivalent intervention powers
IoT security standards | Enforceable standards with compliance, stop and recall notices | Voluntary best practices only
Support for SMEs | Cyber Health Check Program; proposed tax incentives | Free CERT NZ resources; no financial support
Incident review board | CIRB established to review major incidents | No equivalent review board
Government compliance obligations | Mandatory PSPF and PGPA Act compliance | NZISM compliance mandatory for government agencies

Australian organisations should immediately review and update their cybersecurity policies and incident response plans to incorporate the new ransomware payment reporting and IoT security requirements, and to prepare for providing information to a CIRB review. Government entities must ensure alignment with the updated PSPF and the PGPA Act. Large enterprises should refine their governance strategies to meet SOCI Act risk management obligations, while SMEs should take advantage of government support programs like the Cyber Health Check to ease compliance burdens.

While regulatory enforcement in the private sector in New Zealand is less stringent, organisations should proactively report cybersecurity incidents to CERT NZ to contribute to national cyber resilience. In addition to the mandatory use by government departments and agencies, local government and crown entities are strongly recommended to use the NZISM framework, and private sector organisations should also consider its requirements. In all cases, aligning with international cybersecurity frameworks and prioritising employee training will strengthen overall security postures.

Conclusions and next steps for your organisation

Australia’s Cyber Security Bill 2024 reinforces the nation’s role as a leader in cybersecurity governance by introducing enforceable obligations, legal protections, and financial support mechanisms. In contrast, New Zealand continues to take a more voluntary, guidance-driven approach for private sector organisations. Businesses operating in both jurisdictions must remain agile, adapting their cybersecurity strategies to meet local regulatory requirements while maintaining global best practices.

With these evolving regulatory requirements, organisations need a comprehensive and structured approach to cyber and IT risk management. Protecht ERM provides an off-the-shelf control library, centralised registers, and advanced analytics to give organisations visibility into their IT control framework and its effectiveness. By leveraging Protecht ERM, you can demonstrate compliance, strengthen resilience, and streamline reporting to boards, executives, and regulators.



References

[1] APH

[2] Department of Finance

[3] CERT NZ

[4] NZISM

About the author

Mike Franklin has a long background in cyber security and risk governance. Prior to joining Protecht to lead our cyber risk team, he worked for multiple blue-chip organisations in banking, finance and tertiary education. Mike’s deep expertise helps Protecht customers to strengthen their cyber security, ISMS and third party/vendor risk management programs.