🟢 Not Sure If This Applies to You?
Australian cyber security laws apply differently depending on your business size and sector. Every business faces real-world risk, but formal legal obligations vary. Look for these labels throughout this page:
🟢 All businesses, any size
🟠 Businesses >$3M annual turnover
🔵 Specific sectors only
🟣 Coming soon: watch this space
Think of It Like Work Health & Safety
Under the Work Health and Safety Act 2011 (Cth), every business owner, regardless of size, has a primary duty of care to maintain a safe working environment. You can engage a safety consultant, but you cannot hand the responsibility away. The obligation is yours, and failure carries real penalties.
Cyber security is heading the same way. Australian law already places clear, enforceable obligations on many businesses to protect personal data, report breaches and, for those above certain thresholds, report ransomware payments within 72 hours. The scope is growing every year. Getting ahead of it now is far cheaper than catching up after an incident.
WHS vs. Cyber Security: The Parallel Obligations
| Responsibility Area | Work Health & Safety Act 2011 | Cyber Security Laws (Australia) |
|---|---|---|
| Who is responsible? | The business owner / PCBU, all sizes | The business owner / data custodian |
| Can you delegate it away? | No: the duty of care cannot be contracted out | No: data custodianship stays with you |
| Must you have controls in place? | Yes: safe systems of work | Yes: “reasonable steps” to protect data (Privacy Act) |
| Must you report incidents? | Yes: notifiable incidents to SafeWork | Yes: eligible data breaches to the OAIC; ransomware payments to Home Affairs within 72 hrs (businesses >$3M turnover) |
| Are there financial penalties? | Yes: significant penalties for organisations of all sizes | Yes: significant civil penalties apply (Privacy Act & Cyber Security Act 2024) |
| Does ignorance protect you? | No | No |
The Australian Laws You Need to Know
Each card shows exactly which business sizes and types are covered, so you know where you stand.
Since 2018
Privacy Act 1988 & Notifiable Data Breaches Scheme
Requires organisations to take reasonable steps to protect the personal information they hold. If a data breach is likely to cause serious harm, you must notify both affected individuals and the Office of the Australian Information Commissioner (OAIC).
Who this covers
- $3M+ Businesses & not-for-profits with annual turnover over $3 million
- All sizes All private health service providers, regardless of turnover
- Sector Credit providers, tax file number holders, businesses that trade in personal information
Enacted November 2024
Cyber Security Act 2024 (Cth)
Australia’s first standalone cyber security law. Mandates reporting of ransomware and extortion payments to the Department of Home Affairs and the Australian Signals Directorate (ASD) within 72 hours of payment. Also introduces minimum security standards for internet-connected smart devices.
Who this covers
- $3M+ Businesses with annual turnover exceeding $3 million (from May 2025)
- Sector Responsible entities under the SOCI Act, regardless of size
Amended December 2024
Security of Critical Infrastructure Act 2018 (SOCI Act)
Covers operators of assets across 11 critical sectors. Requires Cyber Incident Response Management Plans (CIRMPs) and mandatory incident reporting. The 2024 amendments expanded coverage to include internal data storage systems as critical infrastructure assets.
Who this covers
- Sector Healthcare, finance, energy, food & grocery, transport, education, communications, water, defence, space technology, data storage & processing
Updated November 2024
Privacy and Other Legislation Amendment Act 2024
Strengthens OAIC enforcement powers and tightens obligations around automated decision-making and children’s privacy. The existing small business exemption is under active review; the government has signalled it may be removed in coming years.
Who this covers
- $3M+ Same as Privacy Act currently
- Watch Small business exemption under active review; scope likely to expand
Ongoing to 2030
2023–2030 Australian Cyber Security Strategy
The Federal Government’s roadmap to make Australia a global leader in cyber security. It underpins all recent legislation and signals that business obligations, including for small businesses, will increase over time. Getting ahead of it now is far cheaper than being caught unprepared.
Who this covers
- All sizes All Australian businesses; sets the direction of future regulation
Federal
Work Health & Safety Act 2011: The Precedent
Not a cyber law, but the most powerful analogy. WHS created a non-delegable duty for every employer to identify hazards, implement controls, train staff and report incidents. Regulators and courts are increasingly treating cyber posture through this same lens.
Who this covers
- All sizes Every employer and business owner in Australia, regardless of size or industry
A Note for Smaller Businesses
If your annual turnover is under $3 million, you are currently exempt from some of the more formal reporting obligations, such as mandatory ransomware payment reporting under the Cyber Security Act 2024. That is genuinely good news.
However, the legal exemption does not protect you from the real-world impact of a cyber incident. A ransomware attack, stolen customer data, or a phishing compromise can still cost you days of downtime, thousands in recovery costs, and the trust of your customers, regardless of your size. The small business exemption is also under active government review and may not exist in a few years.
The IT Health Check is just as relevant for you, because good cyber hygiene is about protecting your business, not just satisfying a regulator.
The Cost of Getting It Wrong (For Those Covered)
For businesses that fall within the scope of these laws, failing to meet your obligations carries real financial and legal consequences:
- Privacy Act (serious or repeated breaches): Significant civil penalties apply (refer to current OAIC guidance for up-to-date figures)
- Failure to report a ransomware payment (businesses >$3M): Civil penalties under the Cyber Security Act 2024
- SOCI Act breaches (critical infrastructure sectors): Substantial civil penalties for non-compliance with CIRMPs and incident reporting obligations
- Customer litigation: Data breach claims from affected individuals are rising in Australian courts, even for smaller businesses
What “Reasonable Steps” Looks Like for Your Business
- Regular patching and software updates to close known vulnerabilities
- Multi-factor authentication (MFA) on all critical accounts
- Tested, offsite backups, so a ransomware attack isn’t the end
- An incident response plan: know what to do before it happens
- Staff awareness training: most breaches start with a human click
- Network monitoring to detect unusual activity early
- A documented data register: know what you hold and where
- Essential Eight alignment: Australia’s own baseline cyber framework
Find Out Where You Stand, Right Now
The Approved Systems IT Health Check takes less than 5 minutes and shows you exactly where your business is exposed, before a regulator or a criminal does.
* This page provides general information only and does not constitute legal advice. Legislation thresholds and obligations may change; always refer to current guidance from the Office of the Australian Information Commissioner (oaic.gov.au) or consult a qualified legal practitioner.
