Cyber Security Act 2024
In force
Administered by: Department of Home Affairs
C2024A00098
29 November 2024
Table of contents
Part 1—Preliminary
1 Short title
2 Commencement
3 Objects
4 Simplified outline of this Act
5 Extraterritoriality
6 Act binds the Crown
7 Concurrent operation of State and Territory laws
8 Definitions
9 Meaning of cyber security incident
10 Meaning of permitted cyber security purpose
11 Disclosure to State body
Part 2—Security standards for smart devices
Division 1—Preliminary
12 Simplified outline of this Part
13 Application of this Part
Division 2—Security standards for relevant connectable products
14 Security standards for relevant connectable products
15 Compliance with security standard for a relevant connectable product
16 Obligation to provide and supply products with a statement of compliance with security standard
Division 3—Enforcement
17 Compliance notice
18 Stop notice
19 Recall notice
20 Public notification of failure to comply with recall notice
Division 4—Miscellaneous
21 Revocation and variation of notices given under this Part
22 Internal review of decision to give compliance, stop or recall notice
23 Examination to assess compliance with security standard and statement of compliance
24 Acquisition of property
Part 3—Ransomware reporting obligations
Division 1—Preliminary
25 Simplified outline of this Part
Division 2—Reporting obligations
26 Application of this Part
27 Obligation to report following a ransomware payment
28 Liability
Division 3—Protection of information
29 Ransomware payment reports may only be used or disclosed for permitted purposes
30 Limitations on secondary use and disclosure of information in ransomware payment reports
31 Legal professional privilege
32 Admissibility of information in ransomware payment report against reporting business entity
Part 4—Coordination of significant cyber security incidents
Division 1—Preliminary
33 Simplified outline of this Part
34 Meaning of significant cyber security incident
Division 2—Voluntary information sharing with the National Cyber Security Coordinator
35 Impacted entity may voluntarily provide information to National Cyber Security Coordinator in relation to a significant cyber security incident
36 Voluntary provision of information in relation to other incidents or cyber security incidents
37 Role of the National Cyber Security Coordinator
Division 3—Protection of information
38 Information provided in relation to a significant cyber security incident—use and disclosure by National Cyber Security Coordinator
39 Information provided in relation to other incidents—use and disclosure by National Cyber Security Coordinator
40 Limitations on secondary use and disclosure
41 Legal professional privilege
42 Admissibility of information voluntarily given by impacted entity
43 National Cyber Security Coordinator not compellable as witness
Division 4—Miscellaneous
44 Interaction with other requirements to provide information in relation to a cyber security incident
Part 5—Cyber Incident Review Board
Division 1—Preliminary
45 Simplified outline of this Part
Division 2—Reviews
46 Board must cause reviews to be conducted
47 Board may discontinue a review
48 Chair may request information or documents
49 Chair may require certain entities to produce documents
50 Civil penalty—failing to comply with a notice to produce documents
51 Draft review reports
52 Final review reports
53 Certain information must be redacted from final review reports
54 Protected review reports
Division 3—Protection of information relating to reviews
55 Limitations on use and disclosure by the Board
56 Limitations on secondary use and disclosure
57 Legal professional privilege
58 Admissibility of information given by an entity that has been requested or required by the Board
59 Disclosure of draft review reports prohibited
Division 4—Establishment, functions and powers of the Board
60 Cyber Incident Review Board
61 Constitution of the Board
62 Functions of the Board
63 Independence
Division 5—Terms and conditions of appointment of the Chair and members of the Board
64 Appointment of Chair
65 Remuneration of the Chair
66 Appointment of standing members of the Board
67 Remuneration of standing members of the Board
68 Acting Chair
69 Terms and conditions etc. for standing members
Division 6—Expert Panel, staff assisting and consultants
70 Expert Panel
71 Arrangements relating to staff of the Department
72 Consultants
Division 7—Other matters relating to the Board
73 Board procedures
74 Liability
75 Certification of involvement in review
76 Annual report
77 Rules may prescribe reporting requirements etc.
Part 6—Regulatory powers
Division 1—Preliminary
78 Simplified outline of this Part
Division 2—Civil penalty provisions, enforceable undertakings and injunctions
79 Civil penalty provisions, enforceable undertakings and injunctions
Division 3—Monitoring and investigation powers
80 Monitoring powers
81 Investigation powers
Division 4—Infringement notices
82 Infringement notices
Division 5—Other matters
83 Contravening a civil penalty provision
Part 7—Miscellaneous
84 Simplified outline of this Part
85 How this Act applies in relation to non-legal persons
86 Delegation by Secretary
87 Rules
88 Review of this Act