The Australian Parliament passed a suite of legislative reforms on November 25, 2024, designed to strengthen Australia’s national cyber defences and cyber resilience.
The Comprehensive Cyber Security Legislation comprises:
- The Cyber Security Act 2024 (Cyber Security Act);
- The Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024; and
- The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (SOCI Amendment Act).
“This package forms a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever-changing cyber landscape,” said Minister for Cyber Security Tony Burke.
The Cyber Security legislative package addresses legislative gaps and brings Australia in line with international best practice with world first measures to ensure Australia is on track to become a global leader in cyber security.
The government has passed laws to enact seven initiatives under the Cyber Security Strategy. These new laws:
- Enable the Minister for Cyber Security to prescribe mandatory cyber security standards for smart devices to give Australians assurance the devices they purchase aren’t putting them at risk;
- Require certain businesses to report ransom payments, so our cyber experts can build a better picture of the threat landscape;
- Give effect to a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD) to facilitate rapid and open sharing of information during a cyber security incident; and
- Establish a Cyber Incident Review Board (CIRB) to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia and make concrete recommendations to aid in the prevention, detection, response, and minimisation of cyber incidents in the future.
The package also progresses reforms under the Security of Critical Infrastructure Act 2018 (SOCI Act) that will:
- Clarify existing obligations in relation to systems holding business critical data;
- Expand existing last resort powers to enable government assistance to manage the impacts of all hazards incidents on critical infrastructure;
- Simplify information sharing across industry and government;
- Enable the government to direct entities to address serious deficiencies within their risk management programmes; and
- Integrate regulation for the security of telecommunications into the SOCI Act.
Burke says the package cements the government’s stance to focus on a whole-of economy approach to cyber security, following the establishment of a National Office for Cyber Security and appointment of a the National Cyber Security Coordinator.
“The Cyber Security Act marks an important step in bringing Australia’s cyber laws into the 21st century,” he said.
