Australia has entered a new era of cyber regulation. With ransomware attacks, supply chain risks and insecure devices becoming part of everyday headlines, the government has introduced reforms designed to lift security standards across the economy. For businesses, boards and technology leaders, the cyber regulations in 2025 are more than just rules on paper – they represent a shift in expectations around how cyber security is managed, reported and governed.
Several major reforms under Australia’s Cyber Security Strategy 2023–2030 and amendments to the Cyber Security Act are already in effect, with more on the way. The most significant updates include:
Since 30 May 2025, organisations with an annual turnover of $3 million or more must report ransomware or cyber extortion payments to the Australian Signals Directorate within 72 hours. This includes non-monetary payments such as services or benefits, not just cash. There is currently a six-month “education first” phase, running until the end of 2025, but civil penalties will soon apply for those who fail to comply.
Reports must capture transaction details, payment method, and incident timelines, requiring structured coordination between IT, finance and legal functions.
Also live from May 2025, the new Cyber Incident Review Board is conducting post-incident reviews of significant cyber events. Its role is not to apportion blame, but to gather lessons learned and strengthen national resilience. Businesses can expect to see recommendations and insights from the Board that will shape best practice over time.
The Review Board’s scope covers nationally significant incidents, with findings intended to drive regulatory guidance and influence sector-wide cyber maturity.
Looking ahead, from March 2026, manufacturers and suppliers of consumer smart devices (from smart speakers to connected appliances) will need to meet baseline security requirements. These include unique default passwords, clear statements about software support lifecycles, and a way for consumers to report vulnerabilities. The obligations apply not only to local manufacturers but also to importers and distributors selling into Australia.
Compliance will require product security baselines, documented software support commitments, and formal vulnerability disclosure processes.
These reforms are not just compliance exercises – they matter for business resilience and reputation today:
These reforms sit within a broader regulatory landscape. Privacy law updates are on the horizon, APRA’s CPS 230 standard is raising operational risk expectations for the financial sector, and critical infrastructure rules continue to reshape how risk is managed nationally. Cyber security is now firmly a governance and compliance priority – not just an IT issue.
Anticipated updates to the Privacy Act are expected to increase penalties, mandate privacy risk assessments, and strengthen individual rights, aligning Australia more closely with GDPR-style regimes.
For many organisations, the challenge isn’t knowing the rules – it’s embedding them into daily operations without slowing the business down. That’s where Infotrust comes in. Our team works with boards, CISOs and IT leaders to:
The 2025 cyber regulations are an opportunity to lift resilience, strengthen trust and demonstrate leadership in a climate where threats are constant. Infotrust is here to help you navigate these changes with clarity and confidence – get in touch with our team today.