IT Compliance in Australia: What Your Business Needs to Know
For most of the last decade, "IT compliance" in Australia meant one thing: the Privacy Act, and not much beyond it for businesses outside finance or government. That era is over. Since late 2024, Australia has passed its first standalone cyber security law, overhauled the Privacy Act, introduced mandatory ransomware reporting, extended anti-money-laundering obligations to entire new sectors, and signalled a shift from regulators issuing guidance to regulators conducting audits. None of this is theoretical — deadlines are landing throughout 2026. This guide breaks down what's actually mandatory, what applies to your specific industry, and what to do about it.
2026: from guidance to enforcement
If you've felt like the compliance landscape shifted under your feet recently, you're not imagining it. A wave of legislation passed in late 2024 is now landing in stages throughout 2025 and 2026 — and regulators are moving from issuing warnings to actively checking who's listening.
The Office of the Australian Information Commissioner (OAIC) began a nationwide compliance sweep in early 2026, with high-risk sectors including property, pharmacy, retail, and digital services specifically targeted for proactive review — not waiting for a complaint to be lodged. At the same time, penalties for serious or repeated privacy breaches were substantially increased, reaching up to $50 million or 30% of a company's adjusted turnover, whichever is greater. For a mid-sized business, that second figure can dwarf the first.
or 30% of adjusted turnover — whichever is greater. This is the maximum civil penalty now available under the Privacy Act for serious or repeated breaches, a dramatic step up from the prior framework, and a clear signal of how seriously this is now being treated.
None of this exists in isolation. Together, the Privacy Act reforms, the new Cyber Security Act 2024, updates to the Security of Critical Infrastructure (SOCI) Act, and sector-specific changes like AML/CTF Tranche 2 form an interlocking compliance landscape — and most Australian businesses now sit somewhere within it, even if they've never thought of themselves as "regulated."
The Privacy Act 1988: your mandatory baseline Mandatory
The Privacy Act 1988, administered by the OAIC, remains the cornerstone of Australian data protection — governing how organisations collect, use, store, and disclose personal information under the Australian Privacy Principles (APPs). It's paired with the Notifiable Data Breaches (NDB) scheme, which requires eligible organisations to notify affected individuals and the OAIC when a data breach is likely to result in serious harm.
What's changed for 2026 is the scope and teeth of this framework. Several reforms from the Privacy Act Amendment Act commenced through 2025, with more landing this year:
Statutory tort for privacy invasions
In effectCommenced June 2025. Individuals now have a direct legal right to sue for serious intentional or reckless invasions of privacy — a significant new avenue of liability that didn't previously exist in Australian law.
Automated decision-making transparency
From 10 Dec 2026Businesses using AI or automated systems to make decisions that significantly affect individuals — credit, employment, insurance — must disclose this in their privacy policy, including how the system works at a general level.
Expanded OAIC powers
In effectThe OAIC's monitoring and investigation powers have been broadened, supporting the shift toward proactive compliance sweeps rather than purely complaint-driven enforcement.
New doxing offences
In effectNew civil and criminal penalties apply to the unauthorised release of personal information via a carriage service — relevant for any business handling customer data that could be exposed in a breach.
Watch this space: historically, businesses with annual turnover under $3 million were largely exempt from the Privacy Act. The Australian Government has indicated further reform is likely during 2026, and this small business exemption is widely expected to be narrowed or removed — meaning many smaller businesses that currently sit outside the Act's scope may not for much longer.
The Cyber Security Act 2024: Australia's first standalone cyber law Mandatory
Passed in late 2024, the Cyber Security Act gave Australia, for the first time, a dedicated piece of cyber security legislation rather than relying solely on privacy and critical infrastructure law. It introduced four key components that businesses need to understand:
Mandatory ransomware reporting
In effectIf your business makes a ransomware or cyber extortion payment — or becomes aware one has been made on your behalf — you must report it to the ASD within 72 hours. This applies to entities covered by the SOCI Act and to organisations above a set revenue threshold (commonly cited at $3 million turnover).
Smart device security standards
From 4 Mar 2026New rules require manufacturers and suppliers of in-scope "relevant connectable products" to eliminate universal default passwords, provide a vulnerability disclosure contact, and clearly state how long a device will receive security updates. Desktops, laptops, tablets, smartphones, and vehicles are explicitly excluded.
Cyber Incident Review Board
In effectA new no-fault review body examines significant cyber incidents after the fact to identify lessons for the broader economy — separate from any regulatory enforcement action.
"Limited use" obligation
In effectInformation voluntarily shared with the ASD during an incident response is restricted from being used for unrelated regulatory action — intended to encourage businesses to engage openly during an active incident.
The ransomware reporting requirement is the one most businesses underestimate. It's not about whether you've been breached — it's specifically triggered by making a payment. If your incident response plan doesn't already account for this 72-hour reporting obligation, it needs updating before it's tested in a live incident.
Does your industry have extra obligations? Sector-Specific
Beyond the economy-wide requirements above, several sectors carry additional, more prescriptive obligations. If your business sits in one of these categories, the baseline requirements above are a floor, not a ceiling.
Financial Services — APRA CPS 234
APRA-regulated entities — banks, insurers, and superannuation funds — must maintain information security capability commensurate with the size and extent of threats, including third-party and supply-chain arrangements, with regular testing and board-level accountability.
Critical Infrastructure — SOCI Act
Covered entities must register their assets, maintain a Critical Infrastructure Risk Management Program, and report critical cyber incidents to the ASD within 12 hours (other reportable incidents within 72 hours). Entities designated as Systems of National Significance face additional obligations, including sector-specific incident response plans.
Accounting, Legal & Real Estate — AML/CTF Tranche 2
From 1 July 2026, "tranche two" entities — including accountants, lawyers, and real estate agents providing designated services such as trust administration or handling client funds — must enrol with AUSTRAC, develop a written AML/CTF program, conduct customer due diligence, and report suspicious matters.
Government Suppliers — Hosting Certification
Since mid-2022, all government contracts for hosting services must be with a certified provider under a three-tier framework (strategic, assured, or uncertified). If your business hosts or processes data on behalf of a government client, this can flow down as a contractual requirement.
Mandatory vs. recommended: the full picture
It helps to separate what's legally required from what's strongly advised but not (yet) mandated for most businesses. Here's how the major frameworks stack up.
The 2026 compliance timeline
Several of these obligations are already in force; others are landing on specific dates throughout the year. Here's the sequence.
Ransomware payment reporting commences
The 72-hour mandatory reporting obligation under the Cyber Security Act 2024 takes effect for in-scope entities.
Statutory tort for privacy invasions commences
Individuals gain a direct legal right to sue over serious intentional or reckless privacy invasions.
OAIC compliance sweeps begin
Proactive audits commence across high-risk sectors — property, pharmacy, retail, and digital services — without waiting for complaints.
Smart device security standards take effect
New obligations apply to manufacturers and suppliers of in-scope consumer connectable products.
AML/CTF Tranche 2 deadline
Accountants, lawyers, real estate agents, and trust & company service providers must be enrolled with AUSTRAC and have a compliant AML/CTF program in place.
Automated decision-making disclosure deadline
Privacy policies must disclose the use of automated decision-making in ways that significantly affect individuals.
Further Privacy Act reform expected
Additional "agreed in principle" reforms — potentially including changes to the small business exemption — are expected to be progressed during the year.
Your compliance action plan
This can feel like a lot at once — because it is. But most of it breaks down into a manageable set of concrete actions. Here's where to start.
Review and update your privacy policy for automated decision-making disclosures ahead of the 10 December 2026 deadline — particularly if you use AI tools in hiring, credit, or customer decisions.
Confirm your ransomware reporting obligations and update your incident response plan to include the 72-hour ASD reporting requirement if a payment is made.
Check whether any systems qualify as critical infrastructure assets under the SOCI Act — the definitions are broader than many businesses expect, particularly in energy, water, transport, and communications supply chains.
If you're in accounting, legal, or real estate, begin AML/CTF Tranche 2 preparation now. AUSTRAC enrolment and a documented program take longer to stand up than most firms expect — don't leave this until June 2026.
Benchmark your security posture against the Essential Eight, even if it's not strictly mandatory for your sector — it's increasingly the reference point insurers, clients, and regulators use to assess "reasonable steps."
Review your cyber insurance policy against your actual reporting obligations — make sure coverage and notification timeframes in your policy align with the legal deadlines you now face.
If you're under the $3 million turnover threshold, don't assume the small business exemption protects you indefinitely — start building basic privacy practices now so a future change in scope isn't a scramble.
Compliance in 2026 isn't a single project with an end date — it's an ongoing operating requirement, much like the cybersecurity posture it increasingly overlaps with. The businesses that treat it as a continuous practice, built into how systems are run day to day, will be far better placed than those treating each new law as a one-off scramble.
This guide is general information only and does not constitute legal advice. Compliance obligations vary based on your specific business, sector, and circumstances — consult a qualified lawyer or compliance professional to confirm how these laws apply to you.
Not sure which of these apply to your business?
We'll help you map your current IT environment against the obligations above — and build a practical plan to close the gaps before they become a problem.
Book a compliance gap review →