Incoming Cyber Regulations: Your Guide to Staying Ahead in 2025

Legislation and Policy

Published by Hema Berggren, Strategy and Consulting on 3 April 2025


As we move further into 2025, the cyber regulatory landscape continues to evolve at pace. In Australia, we already have a patchwork of legislative and regulatory mechanisms that impose economy-wide and industry-specific cyber obligations – and this complexity is growing.

To stay ahead, organisations must proactively and strategically plan to uplift their cyber risk practices to move beyond compliance and build confidence in their cyber resilience.

Below is a snapshot of what we know, as well as what we suspect might be coming in 2025.


Economy-Wide

Privacy Reforms

The Attorney General’s Privacy Act Review Report 2022 proposed extensive privacy reforms. The Government agreed, or agreed in principle, to several of these proposals. However, changes have been delayed due to extensive consultations and the complexity of implementing privacy reform. The first tranche of reforms under the Privacy & Other Legislation Amendment Act (Cth) came into effect in December 2024. It comprised some of the less controversial changes, including (without limitation):

  • Expanding the Information Commissioner’s powers and new civil penalties
  • Facilitating information sharing in emergency situations or following eligible data breaches
  • Development of a Children’s Online Privacy Code
  • Protections for overseas disclosures of personal information
  • Increased transparency for automated decisions using personal information (grace period until 10 December 2026)
  • New statutory tort to redress for serious invasions of privacy (grace period until 10 June 2025)
  • New criminal offences for ‘doxxing’.

We expect that a second tranche of more substantive amendments could follow on the other side of the federal election. To prepare for the second tranche of reforms, enterprise organisations should ensure they understand how their systems and technologies consume personal information. Strong data visibility will be essential to implement anticipated privacy reforms and avoid the penalties included in the Act.


Cyber Security Act 2024 (Cth) (Cyber Security Act)

The Cyber Security Act came into effect in November 2024 (see previous Insight). The legislative rules to support the implementation of the Act have been scheduled to come into effect over the next year:

These rules include important information about the proposed application of the Cyber Security Act. For example, the rules clarify that businesses with an annual turnover of AUD $3 million will be captured by the mandatory ransomware reporting obligation.

Beyond the reporting requirements, the most significant change for many organisations is likely to be the imposition of minimum security standards for smart devices. Depending on the classes of device that government elects to regulate, there is the potential for businesses to be confronted by fewer security vulnerabilities in their technology environments. Against this backdrop, organisations will remain responsible for managing the cyber risks associated with the use of smart and operational technology (OT). This means ensuring the networks and systems these devices are part of are designed and operated in a way that minimises the potential for disruption caused by malicious cyber activity.


Sector Specific

Critical Infrastructure

The amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI) came into effect in November 2024 (see previous Insight). Broadly speaking, the changes appear to be focused on ‘right-sizing’ the application of the Act and don’t represent a radical shift in direction. The most significant impact is to confirm that organisations responsible for SOCI assets must ensure risks to data essential to the asset’s operation are considered in their Critical Infrastructure Risk Management Program (CIRMP). The practical effect is that enterprise technology systems supporting the operation of SOCI assets need to be managed in a way that eliminates, or minimises and mitigates, material risk.

In addition, the following legislative changes for telecommunications providers will take effect from 4 April 2025:

Further, the Security of Critical Infrastructure Amendment (2025 Measures No. 1) Rules 2025 have now been released. These rules amend the application of positive security obligations to specific data storage systems and to a subset of critical telecommunications assets.


APRA-Regulated Entities

Prudential Standard CPS 230 Operational Risk Management (CPS 230) takes effect from 1 July 2025. This new Prudential Standard will require specific APRA-regulated entities to:

  • Effectively manage operational risks, and set and maintain appropriate standards for conduct and compliance
  • Maintain critical operations within tolerance levels through severe disruptions
  • Manage the risks associated with the use of service providers.

This will require APRA-regulated entities to identify the technology and systems enabling critical operations and to implement commensurate cyber risk controls. This will involve (without limitation) monitoring the age and health of information assets.


Scams Prevention Framework (SPF)

The Scams Prevention Framework Bill 2025 (Cth) (SPF Bill) passed both Houses of Parliament on 13 February 2025.

The SPF Bill requires service providers in selected sectors to take a variety of actions to combat scams relating to, connected with, or using their services. There are overarching SPF principles which will apply to regulated entities: Govern, Prevent, Detect, Report and Disrupt.

After the SPF Bill receives royal assent, we expect the Treasurer will enact legislative instruments identifying the industry sectors which will be subject to SPF principles. The SPF enables the Treasurer to make sector-specific codes for regulated sectors.

The Treasurer has indicated that the SPF is likely to apply to banks, telecommunications providers, and digital platforms.


So, what does this mean for you?

CISOs and security teams can start taking practical steps to prepare for upcoming reforms:

  • Understand the purpose of reforms: Organisations that understand the drivers behind regulatory change can better integrate compliance with their broader cyber risk mitigation strategies
  • Plan structured uplifts: While the incoming reforms target different aspects of cyber risk management, they often address common challenges such as data identification, third-party risk management and incident response preparedness. Organisations should endeavour to plan cyber uplifts strategically so that they address multiple compliance requirements concurrently
  • Improve asset visibility: Establishing accurate asset visibility is foundational to implementing new cyber regulatory obligations. By automating the identification and cataloguing of assets, organisations can ensure that all assets are accounted for and reduce the risk of non-compliance due to poor asset visibility
  • Establish robust cyber governance: Create well-defined cyber governance structures to oversee the implementation and sustainment of cyber regulatory uplifts. This includes establishing mechanisms to govern external parties who need to support compliance uplifts.

2025 is shaping up to be a significant year for cyber regulatory reform. While some of the incoming changes are subject to further consultation, organisations should start planning for how the proposed reforms will impact them.

Ready to get started?

Speak to an expert about what these incoming cyber regulations mean for your organisation.
