
Australia's Ransomware Reporting Law Is Now in Enforcement Mode: What Your Business Must Do

Australia's mandatory ransomware payment reporting law entered active enforcement in January 2026. If your turnover exceeds $3 million, a 72-hour reporting clock is now ticking after any ransom payment.

The average ransomware incident cost Australian medium-sized businesses $97,166 in the 2024–25 financial year, according to the ASD's Annual Cyber Threat Report — and that's before accounting for legal exposure. Since January 2026, there's a new layer of obligation sitting on top of that financial pain: Australia's Cyber Security Act 2024 is now in its active enforcement phase, meaning businesses that pay a ransom and fail to report it face civil penalties on top of everything else. Many businesses with annual turnover above $3 million are unaware the education-first grace period has expired.

What Australia's First Standalone Cyber Security Law Actually Requires

The Cyber Security Act 2024 received Royal Assent on 29 November 2024 — Australia's first standalone piece of cyber security legislation. Among its key provisions is a mandatory reporting regime for ransomware and cyber extortion payments, which commenced on 30 May 2025.

The obligation is straightforward in concept: if your business makes a ransomware or cyber extortion payment, you must report it to the Australian Signals Directorate (ASD) within 72 hours. The report is made through a purpose-built portal on cyber.gov.au. Critically, there is no minimum payment amount that triggers the requirement — a payment of any size starts the clock.

The regime initially operated under an education-first approach, running from May through December 2025. The Department of Home Affairs used that period to help businesses understand the framework before moving to penalties. That phase ended on 31 December 2025. Since 1 January 2026, the Department has been in active compliance and enforcement mode.

Who Must Report — and Who Is Exempt

The threshold is an annual turnover exceeding $3 million, as set by the Cyber Security (Ransomware Payment Reporting) Rules 2025. Entities responsible for critical infrastructure assets under the Security of Critical Infrastructure Act 2018 are also covered, regardless of turnover.

This brings a significant portion of Australian SMEs into scope. A business turning over $3.5 million — a mid-sized accounting practice, a regional engineering firm, a trade logistics operator — is now a reporting entity. The obligation applies whether the payment is made directly by the business or by a third party on its behalf, such as an insurer or incident response provider. If you become aware a payment has been made on your behalf, the 72-hour clock starts from the moment you learn of it.

Commonwealth and state government bodies are exempt, as are businesses below the turnover threshold. But if your revenue has grown in recent years, it is worth checking whether you've crossed the threshold since you last considered it.

Three things to do before an incident happens

First, confirm whether your business exceeds the $3 million annual turnover threshold — if it does, you are a reporting entity under the Cyber Security Act 2024. Second, brief whoever handles your finances, IT, and external legal counsel on the 72-hour reporting requirement, so that no one makes a payment decision without understanding the obligation attached to it. Third, if you have cyber insurance, check whether your policy covers incident response providers who may make payments on your behalf — and confirm they know about the mandatory reporting regime, because the clock starts when they pay, not when you find out.

Penalties, Protections, and the Practical Reality

Non-compliance carries civil penalties of up to 60 penalty units — currently $19,800. That number is less alarming than the reputational and regulatory consequences of being found to have paid a ransom without disclosure. The Act was designed partly to give government better visibility of the ransomware payment ecosystem, and non-reporting undermines that purpose in ways that are likely to attract scrutiny.

The concern most businesses raise is whether reporting will be used against them — whether disclosing a ransomware payment amounts to an admission that something went wrong. The Act addresses this directly through limited use protections. Information provided in a ransomware payment report is subject to strict constraints on how it can be used and disclosed. It cannot be used as admissible evidence against the reporting party in certain court proceedings. The regime is designed to capture data about the ransomware economy, not to turn incident disclosure into a self-incrimination mechanism.

This matters for decision-making before an attack. If your board or leadership team has ever discussed the "pay quietly and move on" approach to ransomware, that option has materially narrowed. Paying without reporting now carries a statutory penalty and, if it later comes to light, reputational risk that is harder to manage than upfront disclosure.

The Broader Picture

The mandatory reporting regime is one component of a wider shift in how Australian law treats cyber security obligations. The same Act introduces security standards for smart device manufacturers due to take effect in 2026, and the SOCI Act continues to extend obligations to critical infrastructure operators. The direction of travel is clear: regulators are moving from voluntary guidance to enforceable requirements.

For businesses above the $3 million threshold, the question is no longer whether to engage with these obligations but how to operationalise them. The 72-hour window is tight in the middle of a ransomware incident — decisions are being made under pressure, systems may be offline, and leadership teams are scrambling. Organisations that think through the reporting process before an incident occurs will be far better placed to meet the deadline than those encountering the obligation for the first time during a crisis.
