Australia’s 2023-2030 Cyber Security Strategy and What It Means for Businesses

Government agencies are central to national cyber resilience, holding critical citizen data and delivering essential services.

Challenges:

• Legacy IT barriers: Many systems not designed for Zero Trust.
• Workforce shortages: In the 2024 PSPF survey, 25% of agencies cited staff shortages as barriers to compliance (PSPF, 2025).

Regulatory Requirements:

• PSPF 2025: From July 2025, adoption of Zero Trust principles and compliance with the Gateway Security Standard.
• Digital ID Act 2024: In force from 1 December 2024, governs accreditation and use of digital identity across agencies.
• Privacy Act 1988 (as amended in 2024): Office of the Australian Information Commissioner (OAIC) was granted expanded enforcement powers — including the ability to initiate investigations, compel information, issue infringement notices, and coordinate with other regulators (Attorney-General’s Department, 2024)
• Cyber Security Act 2024: Mandatory ransomware/extortion payment reporting (commencing 2025) for agencies above the reporting threshold (Parliament of Australia, 2024; CISC, 2025).

Expected Impact: Elevated expectations for digital service resilience.

Opportunity: Leadership in secure, trusted e-government services.

Energy providers and utilities face systemic risk, as cyber incidents can trigger physical safety issues and national disruption to critical services.

Challenges:

• Operational technology (OT)/IT integration complexity; Industrial control systems (ICS) often insecure by design.
• Ransomware risk: The sector accounted for 15% of ransomware incidents in 2022–23 (ACSC, 2023).

Regulatory Requirements:

• Privacy Act 1988 (as amended in 2024): Strengthened requirements for protecting customer and employee data, introducing mandatory breach notifications, governance over automated systems, and higher penalties to align privacy compliance with critical infrastructure obligations.
• SOCI Act: CIRMP obligations phased from 2023; updated in 2025 (CISC, 2025).
• Cyber Security Act 2024: Mandatory ransomware/extortion payment reporting (commencing 2025) and Smart device standards relevant for IoT-enabled metering and grid technology (Parliament of Australia, 2024).

Expected Impact: Increased investment in OT security and sovereign threat intelligence.

Opportunity: Environmental, social and governance (ESG)-aligned resilience strengthens trust with regulators and investors.

TMT companies operate Australia’s digital backbone and are frequently targeted due to the value and volume of customer data.

Challenges:

• Telco breaches: OAIC reported that telecommunications accounted for the largest share of breached records in 2022–23 (OAIC, 2023).
• 5G/6G expansion multiplies attack surfaces.

Regulatory Requirements:

• SOCI Act: Applies to telecommunications, data storage and broadcasting infrastructure.
• Cyber Security Act 2024: Mandatory ransomware reporting and smart device standards.
• Privacy Act 1988 (as amended in 2024): Higher penalties and new privacy rights (Attorney-General’s Department, 2024).
• CPS 230 Information Security standard (as material provider to the financial services sector).

Expected impact: Greater liability for network resilience.

Opportunity: Secure-by-design infrastructure as a competitive differentiator.

Healthcare entities are high-value targets due to sensitive personal data and critical service delivery.

Challenges:

• The Medibank breach of 2022 exposed 9.7 million records; remediation costs ~$250m (Parliament of Australia, 2023).
• Healthcare remains the sector with the highest number of breach notifications, followed by the finance sector (ACSC, 2023).

Regulatory Requirements:

• SOCI Act: Hospitals and pharmaceutical supply chains classified as critical assets.
• Privacy Act 1988 (as amended in 2024): Stronger protections for health data.
• Cyber Security Act 2024: Ransomware reporting obligations critical to healthcare providers.

Expected Impact: Increased compliance and monitoring costs.

Opportunity: Trusted, secure digital health platforms to build patient confidence.

Universities and research institutions face dual risks: foreign interference and financial pressures.

Challenges:

• Espionage risk: Foreign actors are actively targeting Australian research IP (ASPI, 2025; Department of Home Affairs, 2023).
• Funding constraints: Smaller universities lack resources; North South Wales (NSW) Audit Office flagged deficits delaying cyber uplift. (NSW Audit Office, 2024).

Regulatory Requirements:

• SOCI Act: CIRMPs and incident reporting within 12–72 hours.
• Digital ID Act 2024: Applies to student and researcher identity ecosystems.
• Privacy Act 1988 (as amended in 2024): Expanded obligations for student and research data.
• Cyber Security Act 2024: Mandatory ransomware/extortion payment reporting (commencing 2025), relevant given the sector’s rising exposure to extortion campaigns (Parliament of Australia, 2024; CISC, 2025).

Expected Impact: Institutions with limited resources face growing risk exposure.

Opportunity: Universities that invest in cyber resilience can attract global grants and partnerships.

Retailers manage vast amounts of personal and transactional data through loyalty and e-commerce platforms.

Challenges:

• OAIC reported 26% of breaches in 2023 involved consumer-facing sectors (OAIC, 2023).
• Rising compliance costs in low-margin environments.

Regulatory Requirements:

• Privacy Act 1988 (as amended in 2024): New tort and higher penalties effective from 10 June 2025.
• Cyber Security Act 2024: Mandatory ransomware reporting obligations commenced in early 2025.

Expected Impact: Greater reputational damages from breaches.

Opportunity: Secure-by-design branding can be a differentiator in a competitive market.

Defence and space are not only critical infrastructure sectors under the SOCI Act — they are also global growth industries for Australia, tightly linked to national security, trade, and international alliances.

Challenges:

• High-value IP theft: Foreign interference campaigns routinely target Australian defence contractors and space research organisations (ASPI, 2025).
• Geopolitical exposure: Strategic projects (e.g., AUKUS, joint space initiatives) increase the risk profile of Australian organisations.
• Rise of state-linked ransomware as a geopolitical weapon.

Regulatory Requirements:

• SOCI Act: Expanded coverage to defence industry contractors and space assets; requires CIRMPs and 12–72 hour incident notification (CISC, 2025).
• Cyber Security Act 2024: Mandatory ransomware/extortion payment reporting commencing in 2025 (Parliament of Australia, 2024; CISC, 2025).
• Privacy Act 1988 (as amended in 2024): Applies to handling of personnel and contractor data.
• PSPF 2025: Heightened requirements for classified projects, Zero Trust adoption, and gateway protections.

Expected Impact: Heightened scrutiny of contractors and research partners for compliance. Loss of contract opportunities if breaches occur.

Opportunity: Strengthens Australia’s role as a trusted partner in international defence and space supply chains.

Challenges:

• Increased IT/OT convergence risk in logistics systems (ports, aviation, freight).
• Growing ransomware threats targeting global logistics chains.

Regulatory Requirements:

• SOCI Act: Ports, aviation, and freight covered by CIRMP and incident reporting obligations (CISC, 2025).
• Privacy Act 1988 (as amended in 2024): Stricter requirements to secure passenger, freight, and tracking data, timely breach notifications and transparency in automated logistics systems to strengthen accountability across digital supply chains.
• Cyber Security Act 2024: Ransomware/extortion payment reporting obligations apply from 2025 (Parliament of Australia, 2024; CISC, 2025).

Expected Impact: Increased investment needed in supply chain visibility, monitoring, and resilience testing.

Opportunity: Increased trust in Australian transport corridors as secure trade gateways.

Challenges:

• Globalised supply chains create vulnerabilities.
• Ransomware and cyberattacks on logistics/distribution networks can directly impact food availability.

Regulatory Requirements:

• SOCI Act: CIRMP obligations apply to ensure continuity of supply (CISC, 2025).
• Privacy Act 1988 (as amended in 2024): Stricter obligations for protecting customer and supplier data, including mandatory breach notifications, higher penalties, and transparency over automated systems used in ordering and logistics.
• Cyber Security Act 2024: Ransomware/extortion payment notification obligations from 2025 (Parliament of Australia, 2024; CISC, 2025).

Expected Impact: Higher compliance costs to secure distribution networks. Cyber incidents could directly affect ESG and food security reporting obligations.

Opportunities: Cyber maturity becomes a differentiator in supplier negotiations with major retailers.

Challenges:

• Legacy OT/ICS systems highly vulnerable to cyberattacks.
• Ransomware campaigns increasingly target manufacturing to cause operational downtime.

Regulatory Requirements:

• SOCI Act & PSPF 2025: Critical manufacturing assets face resilience obligations, including CIRMPs and mandatory incident reporting (CISC, 2025; PSPF, 2025).
• Privacy Act 1988 (as amended in 2024): Expanded obligations to protect employee, supplier, and production data, mandatory breach notifications and governance over automated and AI-driven systems used in smart factories and supply chain operations.
• Cyber Security Act 2024: Mandatory ransomware/extortion payment reporting from 2025 (Parliament of Australia, 2024; CISC, 2025).

Expected Impact: Significant uplift in cybersecurity controls needed across OT environments. Higher audit and compliance burden for manufacturers embedded in critical supply chains.

Opportunities: Integration of cyber resilience accelerates innovation and market positioning.