Back to Insights
2026 Compliance Guide

IT Compliance in Australia: What Your Business Needs to Know

June 2026 9 min read Australia Privacy Act · Cyber Security Act · SOCI

For most of the last decade, "IT compliance" in Australia meant one thing: the Privacy Act, and not much beyond it for businesses outside finance or government. That era is over. Since late 2024, Australia has passed its first standalone cyber security law, overhauled the Privacy Act, introduced mandatory ransomware reporting, extended anti-money-laundering obligations to entire new sectors, and signalled a shift from regulators issuing guidance to regulators conducting audits. None of this is theoretical — deadlines are landing throughout 2026. This guide breaks down what's actually mandatory, what applies to your specific industry, and what to do about it.

$50M
maximum penalty for serious or repeated privacy breaches — or 30% of adjusted turnover, whichever is greater
Privacy Act 1988 (Cth), as amended
72 hrs
window to report a ransomware payment to the ASD under the Cyber Security Act 2024
Cyber Security Act 2024 (Cth)
1 Jul 2026
AML/CTF Tranche 2 compliance deadline for accountants, lawyers & real estate agents
AML/CTF Amendment Act 2024
The big picture

2026: from guidance to enforcement

If you've felt like the compliance landscape shifted under your feet recently, you're not imagining it. A wave of legislation passed in late 2024 is now landing in stages throughout 2025 and 2026 — and regulators are moving from issuing warnings to actively checking who's listening.

The Office of the Australian Information Commissioner (OAIC) began a nationwide compliance sweep in early 2026, with high-risk sectors including property, pharmacy, retail, and digital services specifically targeted for proactive review — not waiting for a complaint to be lodged. At the same time, penalties for serious or repeated privacy breaches were substantially increased, reaching up to $50 million or 30% of a company's adjusted turnover, whichever is greater. For a mid-sized business, that second figure can dwarf the first.

$50M

or 30% of adjusted turnover — whichever is greater. This is the maximum civil penalty now available under the Privacy Act for serious or repeated breaches, a dramatic step up from the prior framework, and a clear signal of how seriously this is now being treated.

None of this exists in isolation. Together, the Privacy Act reforms, the new Cyber Security Act 2024, updates to the Security of Critical Infrastructure (SOCI) Act, and sector-specific changes like AML/CTF Tranche 2 form an interlocking compliance landscape — and most Australian businesses now sit somewhere within it, even if they've never thought of themselves as "regulated."

The foundation

The Privacy Act 1988: your mandatory baseline Mandatory

The Privacy Act 1988, administered by the OAIC, remains the cornerstone of Australian data protection — governing how organisations collect, use, store, and disclose personal information under the Australian Privacy Principles (APPs). It's paired with the Notifiable Data Breaches (NDB) scheme, which requires eligible organisations to notify affected individuals and the OAIC when a data breach is likely to result in serious harm.

What's changed for 2026 is the scope and teeth of this framework. Several reforms from the Privacy Act Amendment Act commenced through 2025, with more landing this year:

Statutory tort for privacy invasions

In effect

Commenced June 2025. Individuals now have a direct legal right to sue for serious intentional or reckless invasions of privacy — a significant new avenue of liability that didn't previously exist in Australian law.

Automated decision-making transparency

From 10 Dec 2026

Businesses using AI or automated systems to make decisions that significantly affect individuals — credit, employment, insurance — must disclose this in their privacy policy, including how the system works at a general level.

Expanded OAIC powers

In effect

The OAIC's monitoring and investigation powers have been broadened, supporting the shift toward proactive compliance sweeps rather than purely complaint-driven enforcement.

New doxing offences

In effect

New civil and criminal penalties apply to the unauthorised release of personal information via a carriage service — relevant for any business handling customer data that could be exposed in a breach.

Watch this space: historically, businesses with annual turnover under $3 million were largely exempt from the Privacy Act. The Australian Government has indicated further reform is likely during 2026, and this small business exemption is widely expected to be narrowed or removed — meaning many smaller businesses that currently sit outside the Act's scope may not for much longer.

New law

The Cyber Security Act 2024: Australia's first standalone cyber law Mandatory

Passed in late 2024, the Cyber Security Act gave Australia, for the first time, a dedicated piece of cyber security legislation rather than relying solely on privacy and critical infrastructure law. It introduced four key components that businesses need to understand:

Mandatory ransomware reporting

In effect

If your business makes a ransomware or cyber extortion payment — or becomes aware one has been made on your behalf — you must report it to the ASD within 72 hours. This applies to entities covered by the SOCI Act and to organisations above a set revenue threshold (commonly cited at $3 million turnover).

Smart device security standards

From 4 Mar 2026

New rules require manufacturers and suppliers of in-scope "relevant connectable products" to eliminate universal default passwords, provide a vulnerability disclosure contact, and clearly state how long a device will receive security updates. Desktops, laptops, tablets, smartphones, and vehicles are explicitly excluded.

Cyber Incident Review Board

In effect

A new no-fault review body examines significant cyber incidents after the fact to identify lessons for the broader economy — separate from any regulatory enforcement action.

"Limited use" obligation

In effect

Information voluntarily shared with the ASD during an incident response is restricted from being used for unrelated regulatory action — intended to encourage businesses to engage openly during an active incident.

The ransomware reporting requirement is the one most businesses underestimate. It's not about whether you've been breached — it's specifically triggered by making a payment. If your incident response plan doesn't already account for this 72-hour reporting obligation, it needs updating before it's tested in a live incident.

Sector-specific

Does your industry have extra obligations? Sector-Specific

Beyond the economy-wide requirements above, several sectors carry additional, more prescriptive obligations. If your business sits in one of these categories, the baseline requirements above are a floor, not a ceiling.

Financial Services — APRA CPS 234

APRA-regulated entities — banks, insurers, and superannuation funds — must maintain information security capability commensurate with the size and extent of threats, including third-party and supply-chain arrangements, with regular testing and board-level accountability.

Critical Infrastructure — SOCI Act

Covered entities must register their assets, maintain a Critical Infrastructure Risk Management Program, and report critical cyber incidents to the ASD within 12 hours (other reportable incidents within 72 hours). Entities designated as Systems of National Significance face additional obligations, including sector-specific incident response plans.

Accounting, Legal & Real Estate — AML/CTF Tranche 2

From 1 July 2026, "tranche two" entities — including accountants, lawyers, and real estate agents providing designated services such as trust administration or handling client funds — must enrol with AUSTRAC, develop a written AML/CTF program, conduct customer due diligence, and report suspicious matters.

Government Suppliers — Hosting Certification

Since mid-2022, all government contracts for hosting services must be with a certified provider under a three-tier framework (strategic, assured, or uncertified). If your business hosts or processes data on behalf of a government client, this can flow down as a contractual requirement.

Building your compliance stack

Mandatory vs. recommended: the full picture

It helps to separate what's legally required from what's strongly advised but not (yet) mandated for most businesses. Here's how the major frameworks stack up.

Framework
Status
Who it applies to
Privacy Act 1988 & NDB Scheme
Mandatory
Most businesses handling personal information (APP entities)
Cyber Security Act — Ransomware Reporting
Mandatory
SOCI entities, and organisations above the revenue threshold
SOCI Act 2018
Mandatory
Critical infrastructure asset owners and operators
APRA CPS 234
Sector-specific
APRA-regulated financial entities
AML/CTF Act (Tranche 2)
From 1 Jul 2026
Accountants, lawyers, real estate agents, trust & company service providers
Smart Device Security Standards
From 4 Mar 2026
Manufacturers/suppliers of in-scope connectable consumer devices
ACSC Essential Eight
Recommended*
All businesses — *mandatory for non-corporate Commonwealth entities
ISO/IEC 27001 & NIST CSF
Recommended
All businesses — particularly useful for demonstrating maturity to clients and insurers
Cyber Insurance
Risk transfer
All businesses — complements, but does not replace, compliance obligations
Key dates

The 2026 compliance timeline

Several of these obligations are already in force; others are landing on specific dates throughout the year. Here's the sequence.

May 2025

Ransomware payment reporting commences

The 72-hour mandatory reporting obligation under the Cyber Security Act 2024 takes effect for in-scope entities.

June 2025

Statutory tort for privacy invasions commences

Individuals gain a direct legal right to sue over serious intentional or reckless privacy invasions.

Early 2026

OAIC compliance sweeps begin

Proactive audits commence across high-risk sectors — property, pharmacy, retail, and digital services — without waiting for complaints.

4 March 2026

Smart device security standards take effect

New obligations apply to manufacturers and suppliers of in-scope consumer connectable products.

1 July 2026

AML/CTF Tranche 2 deadline

Accountants, lawyers, real estate agents, and trust & company service providers must be enrolled with AUSTRAC and have a compliant AML/CTF program in place.

10 December 2026

Automated decision-making disclosure deadline

Privacy policies must disclose the use of automated decision-making in ways that significantly affect individuals.

Throughout 2026

Further Privacy Act reform expected

Additional "agreed in principle" reforms — potentially including changes to the small business exemption — are expected to be progressed during the year.

Getting started

Your compliance action plan

This can feel like a lot at once — because it is. But most of it breaks down into a manageable set of concrete actions. Here's where to start.

Review and update your privacy policy for automated decision-making disclosures ahead of the 10 December 2026 deadline — particularly if you use AI tools in hiring, credit, or customer decisions.

Confirm your ransomware reporting obligations and update your incident response plan to include the 72-hour ASD reporting requirement if a payment is made.

Check whether any systems qualify as critical infrastructure assets under the SOCI Act — the definitions are broader than many businesses expect, particularly in energy, water, transport, and communications supply chains.

If you're in accounting, legal, or real estate, begin AML/CTF Tranche 2 preparation now. AUSTRAC enrolment and a documented program take longer to stand up than most firms expect — don't leave this until June 2026.

Benchmark your security posture against the Essential Eight, even if it's not strictly mandatory for your sector — it's increasingly the reference point insurers, clients, and regulators use to assess "reasonable steps."

Review your cyber insurance policy against your actual reporting obligations — make sure coverage and notification timeframes in your policy align with the legal deadlines you now face.

If you're under the $3 million turnover threshold, don't assume the small business exemption protects you indefinitely — start building basic privacy practices now so a future change in scope isn't a scramble.

Compliance in 2026 isn't a single project with an end date — it's an ongoing operating requirement, much like the cybersecurity posture it increasingly overlaps with. The businesses that treat it as a continuous practice, built into how systems are run day to day, will be far better placed than those treating each new law as a one-off scramble.

This guide is general information only and does not constitute legal advice. Compliance obligations vary based on your specific business, sector, and circumstances — consult a qualified lawyer or compliance professional to confirm how these laws apply to you.

Not sure which of these apply to your business?

We'll help you map your current IT environment against the obligations above — and build a practical plan to close the gaps before they become a problem.

Book a compliance gap review →