The eagerly anticipated Australian Cyber Security Act 2024 (Cth) (the Act) received Royal Assent and came into effect on 29 November 2024.
A very brief summary
Security Standards for Smart Devices (Part 2 of the Act)
Manufacturers and suppliers of smart devices ('relevant connectable products' that can directly or indirectly connect to the internet) must comply with new mandatory security standards.
The Act states that the Minister can mandate these standards for smart devices through Ministerial rules.
The first standard proposed to be introduced under Ministerial rules will enhance the cyber security of consumer-grade smart devices (with some exceptions) by aligning the standards with established international practices (Rules)[1]. These Rules will require manufacturers and suppliers of smart devices intended for ‘personal, domestic, or household use or consumption’ and which are ‘acquired in Australia by a consumer’ (as defined by the Australian Consumer Law) to implement certain measures, such as:
(i) requiring unique passwords;
(ii) informing consumers about the security update support period and providing regular updates; and
(iii) maintaining a program for reporting and compliance.
The proposed Rules will be operational 12 months after they have been made to allow sufficient time to prepare for the new requirements.
By giving the Minister the power to mandate these standards for smart devices through Ministerial Rules, the Act provides flexibility in tailoring security standards to specific subsets, types, or classes of smart devices.
Note: The Rules will not apply to smart devices that are already manufactured or available on the market.
Mandatory Ransomware Reporting (Part 3 of the Act)
Entities with an annual turnover of A$3 million (or certain responsible entities for critical infrastructure) are now required to report ransomware payments within 72 hours of the transaction. Non-compliance may result in civil penalties.
National Cyber Security Coordinator (NCSC) (Part 4 of the Act)
The Act officially designates the NCSC as Australia’s lead authority for managing significant cyber incidents. It establishes a voluntary information-sharing framework to support incident coordination and allows organisations to voluntarily share details of cyber incidents.
The Coordinator can record, use and disclose the provided information to mitigate or resolve a cyber security incident, or for permitted cyber security purposes where the limited use obligation applies.
The framework ensures that voluntarily shared information cannot generally be used for enforcement actions (except for certain criminal laws), is not typically admissible as evidence, and does not waive legal privilege where applicable.
Establishment of the Cyber Incident Review Board (CIRB) (Part 5 of the Act)
A Board has been created to conduct post-incident reviews of significant cyber security incidents in Australia. The CIRB will provide recommendations to prevent future incidents, promoting a culture of continuous improvement in cyber security practices.
Our recommended steps for manufacturers and suppliers of 'relevant connectable products'
Monitor Regulatory Updates: Stay informed about the specific security standards for smart devices as they are released, ensuring products meet the prescribed requirements. Navigating and staying on top of the rapidly evolving cyber security landscape is vital to maintain compliance.
Develop Incident Response Protocols: Whether you meet the threshold, or are close to meeting the threshold, it is time to implement robust procedures to ensure accurate and timely reporting of ransomware payments to avoid potential civil penalties.
Enhance Cyber Security Measures: Strengthen overall cyber security practices and protect data to mitigate risks and align with the Act's objectives, thereby reducing the likelihood of incidents that could trigger mandatory reporting or CIRB review.
Our recommended steps also apply generally to enterprise-grade devices, as the Department of Home Affairs has explicitly stated that it will evaluate the implementation of mandatory security standards for enterprise-grade devices in the future (along with introducing additional standards for consumer-grade devices). Therefore, now is a good time to start preparing.
The 12 month implementation period allows you time to get prepared.
The Act includes an extraterritoriality clause. This means that the Act can apply to conduct occurring outside Australia if it has a substantial and foreseeable effect within Australia. Therefore, overseas entities that supply products or services in Australia may be subject to the Act's provisions, particularly if their activities impact Australian consumers or businesses.
How does Australia compare with other G20 member countries?
In June 2024, G20 leaders held a seminar to address the challenges of digital connectivity, focusing on security and privacy issues driven by emerging technologies like AI. The seminar emphasised the need for global regulations to protect vulnerable groups and ensure security systems evolve alongside technological advances.
Did Australia meet this brief? And how does Australia compare to other G20 countries?
United Kingdom
Product Security and Telecommunications Infrastructure Act 2022 (PSTIA)
The PSTIA has two main parts:
Part 1 imposes cyber security obligations on manufacturers, importers and distributors of smart consumer products to improve resilience against cyber threats.
Part 2 focuses on accelerating the rollout of gigabit-capable broadband across the UK.
Key Requirements of Part 1
The PSTIA applies to "relevant connectable products". These are consumer devices that connect to the internet and can transmit and receive digital data, such as smartphones, smart TVs, smart speakers and other smart devices (baby monitors, connected alarm systems, etc.). Certain products, like EV charge points and medical devices, are exempt.
Manufacturers, importers, and distributors of these "relevant connectable products" must comply with specific security measures, including:
Stronger password protections: Prohibiting weak default passwords and requiring unique or user-defined credentials.
Security issue reporting: Providing a clear, accessible way for users to report security vulnerabilities, along with response time expectations.
Minimum security update periods: Clearly informing consumers how long security updates will be provided.
Manufacturers must ensure compliance, retain statements of compliance for at least 10 years and take corrective actions for security failures. Importers and distributors must also prevent non-compliant products from being sold.
The UK Government is focusing on cyber security in 2025 and is currently consulting on new ransomware incident response rules. Plans were recently announced in the King’s speech to introduce a Cyber Security and Resilience Bill to:
expand the scope and application of cyber requirements in the UK;
increase regulator powers to oversee compliance; and
increase incident reporting including following ransomware attacks.
If passed, similar to Australia, there will be a reporting regime for ransomware incidents requiring victims to report incidents within 72 hours of the incident. The UK Government is considering whether a reporting threshold should apply or whether all incidents should be reportable.
United States
Cyber Security Information Sharing Act (CISA) 2015
There are several Cyber Security Acts in the US. For the purposes of this insight, we have summarised the Cyber Security Information Sharing Act (CISA) 2015, which:
Facilitates the sharing of cyber security threat information between the government and private sector.
Provides legal protections for entities sharing cyber threat data.
Includes measures to protect personal information during data sharing.
European Union
General Data Protection Regulation 2018 (EU GDPR) and the EU Cyber Security Act 2019
EU GDPR
Requires organisations to report data breaches within 72 hours.
Mandates stringent data protection protocols for organisations handling personal data.
EU Cyber Security Act
Introduces Regulations to:
Strengthen the role of the EU Agency for Cyber Security (ENISA) by reinforcing its mandate and establishing an EU-wide cyber security certification framework for ICT products, services, and processes.
This framework sets out a system for issuing European cyber security certificates and statements of conformity and ensuring compliance with security standards for ICT products, services, and processes.
China
Cyber Security Law 2017
Requires critical data to be stored within China.
Mandates security assessments for network products and services.
Sets guidelines for the collection and use of personal information.
Japan
Act on the Protection of Personal Information (APPI) Amended 2017 and Japan’s Cyber Security Act
APPI
Encourages voluntary disclosure of data breaches by business operators.
Introduces penalties for illegal handling of personal data.
Relies on cultural emphasis on trust and reputation to enforce compliance.
Introduces the Personal Information Protection Commission responsible for issuing guidelines surrounding the general rules for handling Personal Information.
Cyber Security Act
Japan's cyber security law, centred on "Active Cyber Defense," enables the government to take proactive action against cyber threats by gathering specific communication metadata from private telecom companies to identify and potentially stop attacks before they escalate. This includes the authority to access servers involved in cyberattacks to prevent further harm. The law primarily focuses on safeguarding critical infrastructure and mandates that providers of such infrastructure report cyber security incidents to the government.
Key differences
Australia's Act focuses on smart device security, ransomware reporting and information sharing. The US also prioritises cyber threat information sharing, but places additional emphasis on requiring agencies to remove personal information from shared data. Additionally, both countries share a focus on post-incident reviews to enhance cyber security resilience. Australia's CIRB initiative aligns with the US’ approach by promoting transparency, while the NCSC in Australia encourages the sharing of cyber security threat information, ensuring protection for those who provide it.
The EU laws prioritise data protection and aim to establish an EU-wide cyber security certification framework for ICT products and services. They expand the role and authority of ENISA and aim to improve overall security in the digital market. There is a strong focus on compliance and reporting of cyber security incidents.
Japan's approach leverages cultural norms for compliance, differing from the more formal regulatory frameworks of Australia.
The UK’s PSTIA specifically targets the security of consumer connectable products and the enhancement of telecommunications infrastructure. Unlike the Australian Act, there are currently no ransomware reporting requirements and no dedicated incident review mechanism (although this is likely to change in the near future). However, there are very close similarities between the requirements around security of consumer connectable products. In fact, it is worth noting that according to the Security Standards Factsheet provided by the Australian Department of Home Affairs, the first standard intended to be introduced under the Ministerial rules (which will uplift the cyber security of consumer-grade smart devices, with some device exceptions) “will closely follow the Product Safety and Telecommunications Act 2022 (UK), based on the first three principles of the ETSI EN 303 645 standard”.
Summary
The Australian Act closely aligns with the UK's approach, and this similarity will become even more pronounced if the UK passes the proposed Cyber Security and Resilience Bill.
While Australia's Cyber Security Act 2024 shares common goals with other G20 nations' legislation, it introduces unique measures tailored to Australia's specific cyber threat landscape and policy objectives. The effectiveness of the initiatives in the Act will depend on their implementation and the broader cyber security culture and practices within the country.
Ongoing evaluation and adaptation will be essential to ensure that Australia's cyber security framework remains robust and responsive to emerging threats.
For further information, please contact Julian Courtney-Stubbs or Sylvia Mansour of our Digital & Technology team.
[1] Cyber Security (Security Standards for Smart Devices) Rules 2024 (Cth)
This publication has been prepared for general guidance on matters of interest only and does not constitute professional legal advice. You should not act upon the information contained in this publication without obtaining specific professional legal advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication and to the extent permitted by law, Cowell Clarke does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting or refraining to act in relation on the information contained in this publication or for any decision based on it.