Mandatory Ransomware Payment Reporting: The Change Most Businesses Need to Act On Now
For the majority of Australian businesses outside the critical infrastructure sectors, the most immediately relevant provision of the 2026 amendments is mandatory ransomware payment reporting. Any entity with annual turnover exceeding $3 million that makes or facilitates a ransomware payment must notify the ASD's ACSC within 72 hours of making — or deciding to make — that payment.
Several aspects of this obligation are widely misunderstood. The 72-hour clock starts from the decision to pay, not from the moment of payment or recovery. In the chaos of a ransomware incident, this distinction matters: organisations that spend two days in crisis management before engaging external counsel may find they have already exhausted most of their notification window. The notification must include the identity of the threat actor (where known), the demand and negotiated amounts, the payment method, and a description of affected systems — information that needs to be documented in real time during the incident, not reconstructed afterward.
Critically, this reporting requirement does not prohibit payment. The government has deliberately sidestepped a payment ban pending further consultation with industry. But the penalty for paying without reporting — up to $275,000 for corporations, $55,000 for individuals — is meaningful, and regulators have signalled they intend to enforce it. The provision is in effect now.
SOCI Expansion: Is Your Organisation Suddenly Critical Infrastructure?
The 2026 amendments significantly expand the definition of critical infrastructure under the SOCI Act. Four new categories have been added: cloud service providers meeting defined scale thresholds, data centre operators, satellite communications operators, and managed service providers with access to critical infrastructure systems. This last category — MSPs with critical infrastructure access — will capture a substantial number of IT service providers who have never previously considered themselves to be in scope for SOCI obligations.
Organisations in newly designated sectors face a material compliance task. They must register critical infrastructure assets with the ASD by 30 September 2026, develop and implement a risk management program meeting the SOCI requirements, and become subject to the government's assistance powers — which can include mandatory cooperation with ASD incident response teams. These are not trivial obligations, and the 30 September deadline for registration is approaching quickly. Entities that suspect they may be newly captured should engage legal counsel now, not when the deadline looms.
The 12-Hour Notification and What It Actually Means
The headline on notification timelines is that the 72-hour requirement for critical infrastructure entities has been retained. The less-reported change is more operationally significant: a new 12-hour "heads up" notification has been introduced for incidents that are likely to have a significant impact on the availability of critical infrastructure services. This is not a full incident report — it is a preliminary alert designed to allow ASD to pre-position support resources and, where appropriate, begin notifying downstream entities before an incident escalates.
The practical implication is that critical infrastructure entities need an incident command structure capable of making a preliminary impact assessment and issuing government notification within 12 hours of an incident crossing the materiality threshold. For many organisations, this will require significant revision to existing incident response plans, which were typically designed around the 72-hour standard. Twelve hours includes time for initial triage, internal escalation, legal review, and notification drafting — a demanding timeline when critical systems are actively compromised.
Director Liability: Personal Consequences from 1 July 2026
The most consequential governance change in the 2026 amendments is the introduction of personal liability for directors of critical infrastructure entities. From 1 July 2026, a director who was aware that their organisation was not complying with its cyber risk management program requirements — and who failed to take reasonable steps to remedy that non-compliance — may be personally liable for civil penalties of up to $55,000.
This is not theoretical. The provision is explicitly modelled on director liability frameworks in UK and EU critical infrastructure legislation that have already produced enforcement actions. The practical implication for Australian directors is stark: awareness of a compliance gap without action creates personal exposure. This means boards need documented evidence that they have reviewed the risk management program, identified gaps, and taken steps to address them — not just that they received a briefing at a board meeting. Minutes recording that cybersecurity was discussed are no longer sufficient.
For CISOs, the dynamics shift as well. The director liability provisions create a powerful incentive for boards to seek independent assurance on cybersecurity posture rather than relying solely on management reporting — and they create corresponding pressure on security leaders to ensure material risks are clearly communicated and documented at board level.
IoT Device Security: Watch This Space
The 2026 amendments also introduce a product security regime for consumer and commercial IoT devices sold in Australia, requiring manufacturers and importers to meet baseline requirements including unique default credentials, defined software update support periods, and vulnerability disclosure programs. This provision does not take effect until 1 January 2027, giving manufacturers an 18-month runway. For enterprise buyers of connected devices, it creates an expectation of vendor accountability that did not previously exist in Australian law.
Your Compliance Timeline, Plainly Stated
For most organisations, the immediate priority is to answer three questions: Does your turnover exceed $3 million, making you subject to the ransomware reporting obligation? Does your business fall into a newly designated critical infrastructure sector? And for directors specifically — do you serve on the board of a SOCI-regulated entity, and if so, is the risk management program in documented compliance?
If the answer to the first question is yes, establish a ransomware payment notification process now — before an incident forces you to improvise one. This means identifying who in the organisation has authority to make a payment decision, who is responsible for drafting the ASD notification, who provides legal sign-off, and how the 72-hour clock is tracked. These decisions should be documented in your incident response plan and rehearsed in tabletop exercises.
For organisations that are newly captured by SOCI — particularly MSPs and cloud providers — the 30 September asset registration deadline is the near-term milestone. But asset registration is only the start; the substantive work is developing a risk management program that meets the ASD's requirements. Given the complexity of these programs, beginning that work now rather than in August is strongly advisable.
Common Questions, Answered Plainly
Does reporting a ransomware payment expose us to prosecution?
No. The reporting obligation exists entirely separately from laws relating to sanctions or proceeds of crime. The government has been explicit that the regime is designed to generate intelligence — understanding who is attacking Australian organisations, what they're demanding, and how payments are being made — not to penalise victims who are already in crisis. Reporting a payment does not, of itself, constitute an admission of wrongdoing or trigger any criminal exposure. That said, every ransomware payment should be made with legal advice, because the sanctions landscape is evolving and some threat actors are subject to sanctions regimes that create separate exposure entirely independent of the reporting obligation.
What counts as a "decision to pay" for the 72-hour clock?
This is where organisations most frequently misunderstand the obligation. The clock starts when an authorised person within the organisation decides that a payment will be made — not when the payment is transmitted, and not when the decryption key is delivered. In practice this means that if your CEO approves a payment on Day 1 and the cryptocurrency transfer happens on Day 3, the reporting deadline is Day 4, not Day 5. Build your incident response plan accordingly: the notification decision tree should activate simultaneously with the payment authorisation process, not after it.
We're an MSP. Are we suddenly a critical infrastructure entity?
Potentially, yes — and this is the question many MSPs have not yet asked themselves. The 2026 amendments capture managed service providers with access to critical infrastructure systems as a newly designated critical infrastructure category. If your client base includes organisations in sectors like energy, financial services, healthcare, or communications, and you have privileged access to those clients' systems, you may be in scope. The ASD has published guidance on the threshold criteria, and this question should be resolved with legal advice before the 30 September registration deadline — not after it.
Are smaller businesses exempt from everything?
The $3 million turnover threshold exempts micro-businesses from the ransomware payment reporting obligation. But "exempt from mandatory reporting" does not mean "free from cyber obligations." All Australian businesses remain subject to Privacy Act notification requirements for eligible data breaches under the Notifiable Data Breaches scheme, which has its own 30-day notification timeline for affected individuals. And the SOCI framework's asset threshold criteria apply regardless of business size — a small but operationally critical infrastructure asset can still attract SOCI obligations regardless of the entity's overall revenue.
CyberSec.au Assessment
The 2026 amendments represent a maturing Australian approach to cybersecurity regulation that increasingly mirrors the EU's NIS2 Directive and the UK's Network and Information Systems regulations in its scope and ambition. The combination of mandatory ransomware reporting, expanded critical infrastructure coverage, and personal director liability creates a regulatory environment in which cybersecurity compliance is no longer a discretionary investment — it is a legal obligation with personal consequences for executives who fail to discharge their governance responsibilities.
For most medium and large Australian businesses, the immediate priority is establishing the operational capability to comply with the ransomware payment reporting obligation — a process that must be rehearsed before an incident, not improvised during one.