Australia’s first standalone cyber security law, the Cyber Security Act 2024, has been introduced and is reshaping how businesses must handle digital risk.  

For SMEs and growing businesses, it’s vital to understand this critical legislation to remain compliant, safeguard sensitive data, strengthen operational resilience and protect customer trust.  

With cyber risks on the rise, the stakes have never been higher. Proactive awareness and preparation are a must to operate your business safely.  

An Overview of the Cyber Security Act 2024 

The Cyber Security Act 2024 became law on the 29th November 2024 and is Australia’s first standalone cybersecurity law. It sets out obligations for businesses to improve digital resilience, protect sensitive data and report significant cyber incidents. 

Key provisions include the following: 

Smart‑device security standards 

For manufacturers, “relevant connectable products” (devices capable of connecting to the internet) must meet minimum security requirements, such as including unique passwords, defining support periods for security updates and providing avenues for people to report security issues.  

Ransomware and cyber‑extortion reporting 

Designated “reporting business entities” must notify authorities of ransom payments or cyber‑extortion events to improve government visibility of emerging threats. 

Cyber Incident Review Board 

This new body was established to review major incidents and provide guidance and lessons to help businesses strengthen defences. 

Effective dates and scope 

Businesses with an annual turnover of more than AUD $3 million, or those responsible for critical infrastructure, must comply with the Act. It also applies to Australian manufacturers of relevant products, including some manufacturers overseas. While it is now law, various obligations come into effect at different times.  

(Mandatory ransomware payment reporting, for instance, came into effect on the 29th May 2025. Security standards for manufacturers will be in effect within twelve months from the Act’s introduction date.)   

What Are the Key Obligations for Businesses? 

Understanding the requirements of the Cyber Security Act 2024 can help you stay ahead of compliance deadlines and protect your systems, customers and reputation. 

Security Standards for Smart Devices 

If your business manufactures, supplies or sells internet-connected devices, they must meet the new security standards. These “relevant connectable products” must, for example: 

  • avoid default passwords 
  • provide a way for users to report security issues 
  • provide software updates for a minimum period.  

Ransomware and Cyber-Extortion Payment Reporting 

If your business meets certain revenue or operational thresholds, you are now required to report ransomware or cyber-extortion payments to authorities within 72 hours.  

This includes providing details of the incident, the payment and the timeframe in which the attack occurred.  

Reporting quickly and accurately is important for demonstrating responsibility and helping government agencies respond to threats nationally. 

Voluntary Information Sharing & the Limited Use Obligation 

The Act encourages businesses to share cyber-incident information with the National Cyber Security Coordinator. Any information you provide is subject to a “limited use” rule, meaning it can only be used for cyber security analysis and not against your business in civil/regulatory enforcement actions. 

Cyber Incident Review Board Established 

For significant cyber events, the new Cyber Incident Review Board conducts independent, post-incident reviews.  

The board’s findings and guidance aim to help businesses strengthen defences and prevent similar attacks in the future. 

Why This Matters for Queensland SMEs 

Is your business captured in the Cyber Security Act? Understanding its requirements is important. Non-compliance can carry legal, financial and reputational risks, while poor cyber practices can have harmful consequences for your operations and supply chains.  

For Queensland SMEs, it’s especially relevant for remote or hybrid workforces, connected devices and IoT systems.  

Be proactive to protect your business and strengthen resilience across your digital operations. 

What Growing Businesses Should Do to Prepare 

Preparing to meet the requirements in the Act doesn’t have to be overwhelming. Take practical steps for your business now to support compliance, reduce risk and strengthen your digital resilience.  

1. Conduct a Gap-Analysis of Your Current IT & Cyber Security Setup 

Start by reviewing your devices, networks and workforce access. Identify weaknesses or outdated systems that could leave you exposed under the new law. 

To strengthen your defences further, explore our guide on How to Implement Essential Eight Cyber Security Controls in Your Business to improve your protection against common threats. 

2. Integrate Managed IT and Cyber Security Services for Compliance 

Partnering with a managed IT and cyber security provider can help you meet your obligations more effectively.  

Consider gaining support from cyber security experts in Cairns or cyber security experts in Brisbane from a trusted provider like Future IT Services.   

3. Establish Internal Policies & Incident Response Plans 

Set clear roles, internal policies and incident response protocols so your team can respond quickly to incidents.  

Documented procedures can enable you to report within required timeframes and demonstrate responsible management. 

4. Select and Manage Smart Devices Securely 

Keep an up-to-date inventory of all connectable devices, enforce endpoint management and follow secure procurement standards. This can help your business meet device security obligations and protect your digital environment. 

How Future IT Services Can Support Your Business 

Navigating the Cyber Security Act 2024 can feel like a big change, but your business doesn’t have to do it alone.  

Future IT Services provides cyber security expertise in Queensland, including managed cyber security services and compliance consultations.  

With local offices, we understand the unique challenges and opportunities Queensland businesses face. Let us help you stay ahead of obligations and protect your operations. Schedule a consultation today. 

Next Steps 

The Cyber Security Act 2024 has raised the bar for digital safety across Australia. Protect your organisation by taking proactive steps now.  

Review your systems, strengthen your policies and invest in IT and cyber security solutions to safeguard your business and support compliance. These valuable steps can help you strengthen resilience, customer trust and long-term growth. 

Ready to strengthen your cyber defences and meet the latest Cyber Security Act compliance requirements? Explore our cyber security services and get in touch with our cyber security experts.