This Act provides for mandatory security standards for certain products that can directly or indirectly connect to the internet (called relevant connectable products).
This Act also provides an obligation to report payments or benefits (called ransomware payments) provided to an entity that is seeking to benefit from a cyber security incident.
Information may be voluntarily provided to the National Cyber Security Coordinator in relation to a significant cyber security incident. The National Cyber Security Coordinator's role is to lead across the whole of Government the coordination and triaging of action in response to a significant cyber security incident.
The Cyber Incident Review Board is established by this Act. Its functions include causing reviews to be conducted in relation to certain cyber security incidents. A review will make recommendations to Government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of, incidents of a similar nature in the future.
Information provided by entities under provisions of this Act may only be used and disclosed for limited purposes. Certain information provided to the Australian Government under this Act is not admissible in evidence in proceedings against the entity that provided the information.
A range of compliance and enforcement powers are provided for, including by applying the Regulatory Powers (Standard Provisions) Act 2014.
This Act also deals with administrative matters such as delegations and the power to make rules.