Commonwealth Numbered Acts Commonwealth Numbered ActsNo. 98, 2024
Contents
Part 1--Preliminary
1 Short title
2 Commencement
3 Objects
4 Simplified outline of this Act
5 Extraterritoriality
6 Act binds the Crown
7 Concurrent operation of State and Territory laws
9 Meaning of cyber security incident
10 Meaning of permitted cyber security purpose
11 Disclosure to State body
Part 2--Security standards for smart devices
Division 1--Preliminary
12 Simplified outline of this Part
13 Application of this Part
Division 2--Security standards for relevant connectable products
14 Security standards for relevant connectable products
15 Compliance with security standard for a relevant connectable product
16 Obligation to provide and supply products with a statement of compliance with security standard
Division 3--Enforcement
17 Compliance notice
18 Stop notice
19 Recall notice
20 Public notification of failure to comply with recall notice
Division 4--Miscellaneous
21 Revocation and variation of notices given under this Part
22 Internal review of decision to give compliance, stop or recall notice
23 Examination to assess compliance with security standard and statement of compliance
24 Acquisition of property
Part 3--Ransomware reporting obligations
Division 1--Preliminary
25 Simplified outline of this Part
Division 2--Reporting obligations
26 Application of this Part
27 Obligation to report following a ransomware payment
28 Liability
Division 3--Protection of information
29 Ransomware payment reports may only be used or disclosed for permitted purposes
30 Limitations on secondary use and disclosure of information in ransomware payment reports
31 Legal professional privilege
32 Admissibility of information in ransomware payment report against reporting business entity
Part 4--Coordination of significant cyber security incidents
Division 1--Preliminary
33 Simplified outline of this Part
34 Meaning of significant cyber security incident
Division 2--Voluntary information sharing with the National Cyber Security Coordinator
35 Impacted entity may voluntarily provide information to National Cyber Security Coordinator in relation to a significant cyber security incident
36 Voluntary provision of information in relation to other incidents or cyber security incidents
37 Role of the National Cyber Security Coordinator
Division 3--Protection of information
38 Information provided in relation to a significant cyber security incident--use and disclosure by National Cyber Security Coordinator
39 Information provided in relation to other incidents--use and disclosure by National Cyber Security Coordinator
40 Limitations on secondary use and disclosure
41 Legal professional privilege
42 Admissibility of information voluntarily given by impacted entity
43 National Cyber Security Coordinator not compellable as witness
Division 4--Miscellaneous
44 Interaction with other requirements to provide information in relation to a cyber security incident
Part 5--Cyber Incident Review Board
Division 1--Preliminary
45 Simplified outline of this Part
Division 2--Reviews
46 Board must cause reviews to be conducted
47 Board may discontinue a review
48 Chair may request information or documents
49 Chair may require certain entities to produce documents
50 Civil penalty--failing to comply with a notice to produce documents
51 Draft review reports
53 Certain information must be redacted from final review reports
Division 3--Protection of information relating to reviews
55 Limitations on use and disclosure by the Board
56 Limitations on secondary use and disclosure
57 Legal professional privilege
58 Admissibility of information given by an entity that has been requested or required by the Board
59 Disclosure of draft review reports prohibited
Division 4--Establishment, functions and powers of the Board
60 Cyber Incident Review Board
61 Constitution of the Board
62 Functions of the Board
63 Independence
Division 5--Terms and conditions of appointment of the Chair and members of the Board
64 Appointment of Chair
65 Remuneration of the Chair
66 Appointment of standing members of the Board
67 Remuneration of standing members of the Board
68 Acting Chair
69 Terms and conditions etc. for standing members
Division 6--Expert Panel, staff assisting and consultants
70 Expert Panel
71 Arrangements relating to staff of the Department
72 Consultants
Division 7--Other matters relating to the Board
73 Board procedures
74 Liability
75 Certification of involvement in review
76 Annual report
77 Rules may prescribe reporting requirements etc.
Part 6--Regulatory powers
Division 1--Preliminary
78 Simplified outline of this Part
Division 2--Civil penalty provisions, enforceable undertakings and injunctions
79 Civil penalty provisions, enforceable undertakings and injunctions
Division 3--Monitoring and investigation powers
80 Monitoring powers
81 Investigation powers
Division 4--Infringement notices
82 Infringement notices
Division 5--Other matters
83 Contravening a civil penalty provision
Part 7--Miscellaneous
84 Simplified outline of this Part
85 How this Act applies in relation to non-legal persons
86 Delegation by Secretary
87 Rules
88 Review of this Act
No. 98, 2024
An Act relating to cyber security for Australians, and for other purposes
[Assented to 29 November 2024]
The Parliament of Australia enacts: