Since 30 May 2025, Australia has had a law that most business owners I speak to still don't know applies to them. If your business makes a ransomware payment, you now have 72 hours to tell the government about it. It is a small obligation on paper, but it tells you a lot about where cyber risk and regulation are heading, and it is worth understanding before you are ever in a position to need it.
What actually changed
The Cyber Security Act 2024 is Australia's first standalone piece of cyber security legislation, part of the 2023 to 2030 Australian Cyber Security Strategy. It introduced several measures, but the one that matters most to everyday businesses is a mandatory reporting obligation for ransomware and cyber extortion payments. That obligation commenced on 30 May 2025.
The logic behind it is straightforward. Ransomware has been one of the most damaging threats to Australian organisations for years, but a lot of it happens in the dark. Businesses quietly pay, recover as best they can, and never tell anyone. That leaves government and the rest of us with no real picture of how bad the problem is or who is behind it. Mandatory reporting is an attempt to turn the lights on.
Does it apply to your business?
The obligation applies to two groups. The first is businesses carrying on business in Australia with an annual turnover above the threshold set in the rules, which is A$3 million. The second is entities responsible for critical infrastructure assets, regardless of turnover.
If you are a smaller business under that threshold and not in critical infrastructure, you are not legally required to report. That sounds like a reprieve, and legally it is, but I would not treat it as one. Plenty of smaller businesses sit inside the supply chains of larger ones, and those larger organisations increasingly expect their suppliers to have the same discipline whether the law compels it or not. The preparation that the law assumes is good practice for everyone.
What you actually have to do
If your business makes a ransomware or cyber extortion payment, or a payment is made on your behalf, you must report it to the designated Australian Government body within 72 hours of making the payment or becoming aware that it was made. In practice that is the Australian Signals Directorate, and the guidance and reporting channel live at cyber.gov.au.
The report covers the basics of the incident: who you are, what happened, the extortion demand, the payment itself, and your communications with the attacker. None of that is onerous to provide, but a frightened team in the middle of an incident is not in a good position to pull it together from scratch. Knowing the obligation exists, and having a plan for who gathers what, is the whole point.
The part that encourages honesty
One feature of the Act is worth knowing, because it changes the calculation for business owners who worry that reporting will be used against them. Information you give to the Australian Signals Directorate under this obligation has a limited-use protection. Broadly, it cannot be turned around and used by regulators to take action against you over the incident. The intent is to remove the fear that stops businesses from coming forward, so the national picture actually reflects reality. You should confirm the specifics for your situation, but the direction is clear: the government wants you to report, not to punish you for it.
Reporting is the floor, not the strategy
Here is the thing I want business owners to take from this. The reporting obligation is about transparency after the worst has already happened. It does nothing to reduce your risk of getting there. A law that assumes you will eventually pay a ransom is not a plan. It is a backstop.
The real goal is never being in the room where paying feels like the only option. That comes from unglamorous fundamentals: tested, isolated backups you have actually restored from, multi-factor authentication everywhere, the ACSC Essential Eight mitigations in place, sensible access controls, and a written incident response and business continuity plan that someone has rehearsed. Businesses with those in place rarely face the ransom question, because they can recover without negotiating.
And think hard before you pay
If the question does land on your desk, the strong guidance from government is not to pay. There is no guarantee you will get your data back, no guarantee it will not be leaked anyway, and every payment funds the next attack. There is also a real legal trap: a payment to a sanctioned entity can itself breach Australian sanctions law, which means the decision is never purely commercial. It should never be made alone, under pressure, in the first hour of an incident. Have the advisers, the legal contact and the plan identified before you need them.
The law assumes an incident. Make sure you don't.
Mandatory ransomware reporting is a sensible rule, but it is the floor. The businesses that come through a ransomware attack well are the ones that did the work before it: clean backups, strong fundamentals, and a rehearsed plan. If a payment ever becomes a live question for you, the preparation should already be done.
If you are not certain whether the obligation applies to you, or whether you could recover from a ransomware attack without paying, that is a conversation worth having now rather than during an incident. Our cyber security team can walk through where you stand, and a Virtual CISO engagement is often the quickest way to get the governance and response side in order.
