IT compliance in Australia has tightened fast. Serious or repeated privacy breaches can now attract penalties of $50 million or more under the Privacy Act. From the Essential Eight to new IoT security rules in March 2026, every business faces closer scrutiny.
This guide shows which laws apply to you and the minimum steps you need to stay compliant.
What Laws Govern IT Compliance in Australia?

Australian IT compliance is shaped by a layered system of federal laws, industry-specific regulations, and technical frameworks. Understanding which of these apply to your organisation is the essential first step.
Privacy Act 1988 and the Notifiable Data Breach Scheme
The Privacy Act 1988 is the cornerstone of data protection law in Australia. It applies to all private sector organisations with an annual turnover exceeding $3 million, health service providers, credit reporting bodies, and certain other entities regardless of size.
Under the Notifiable Data Breaches (NDB) scheme, an organisation that suspects an eligible data breach has up to 30 days to assess it. Once it has reasonable grounds to believe that a breach is likely to result in serious harm to any affected individual, it must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable.
Penalties under the 2022 amendments are severe. For serious or repeated interferences with privacy, corporations face the greater of:
- $50 million
- Three times the value of the benefit obtained from the breach
- 30% of adjusted turnover during the breach period
The OAIC now operates within a much tougher enforcement environment under this three-tier penalty structure.
Security of Critical Infrastructure (SOCI) Act
The SOCI Act covers 11 critical infrastructure sectors including energy, water, transport, communications, health, finance, and data storage. Covered entities must register their assets on the Register of Critical Infrastructure Assets, report cyber security incidents to the ASD (critical incidents within 12 hours, other reportable incidents within 72 hours), and, where the obligation has been switched on for their asset class, maintain a Critical Infrastructure Risk Management Program (CIRMP).
APRA CPS 234 (Financial Services)
For banks, insurers, superannuation funds, and other APRA-regulated entities, Prudential Standard CPS 234 sets legally binding information security requirements. Regulated entities must maintain security capabilities proportionate to the threats they face, test those controls regularly, notify APRA within 72 hours of a material incident and within 10 business days of a material control weakness they cannot remediate promptly, and conduct annual reviews of third-party security arrangements.
What Is the Essential Eight and Do You Have to Comply?
The Essential Eight is the Australian Signals Directorate’s prioritised set of eight cyber mitigation strategies. Formally mandatory only for Commonwealth entities, it has become the de facto baseline for all Australian businesses. Many insurers and government procurement contracts now require demonstrated compliance.
The eight strategies are:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication (MFA)
- Regular backups
Essential Eight Maturity Levels
| Maturity Level | What It Means | Who Should Target It |
| --- | --- | --- |
| Level 1 | Mitigation of common commodity threats | Minimum baseline for all businesses |
| Level 2 | Mitigation of more targeted attacks | Recommended for most commercial organisations |
| Level 3 | Mitigation of advanced persistent adversaries | Government agencies, critical infrastructure |
Sector-Specific Compliance Requirements
Beyond the universal frameworks above, your industry will determine additional obligations. The requirements vary significantly depending on the sector you operate in, and in many cases they run alongside, not instead of, the Privacy Act and Essential Eight.
Financial Services organisations regulated by APRA must comply with CPS 234, which enforces strict information security controls, mandatory incident reporting, and annual third-party security reviews. This applies to banks, insurers, superannuation funds, and any entity holding an APRA licence. Non-compliance can result in licence restrictions that effectively prevent a business from operating.
Healthcare providers are bound by the My Health Records Act 2012, which governs how medical information stored in the My Health Record system is accessed, used, and protected. Healthcare entities also carry heightened Privacy Act obligations because health information is classified as sensitive information under the Australian Privacy Principles, attracting the most stringent handling requirements.
Retailers and any business that processes credit or debit card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS). This is not a government regulation but a contractual requirement enforced by card schemes. Failing an annual PCI DSS assessment can result in the loss of your ability to accept card payments, as well as financial penalties from your acquiring bank.
Energy, water, transport, and other critical infrastructure operators face the most demanding layer of obligations under the SOCI Act. Beyond registration and risk management programs, entities declared as Systems of National Significance must develop sector-specific incident response plans and may be subject to government-directed action during a cyber incident.
Manufacturers, importers, and distributors of in-scope consumer smart devices (“relevant connectable products”) face new obligations from March 2026 under the Cyber Security (Security Standards for Smart Devices) Rules 2025. The Rules apply to consumer-grade products likely to be acquired for personal, domestic or household use. Some device types are explicitly excluded, including desktops, laptops, tablets, smartphones, therapeutic goods, and road vehicles. This is covered in detail in the next section.
If you are unsure which sector-specific obligations apply to your business, the starting point is reviewing your regulatory licences, your data types, and whether any of your systems are classified as critical infrastructure assets under the SOCI Act.
New IoT Security Rules Starting March 2026
From 4 March 2026, the Cyber Security (Security Standards for Smart Devices) Rules 2025 require manufacturers and suppliers of in-scope consumer smart devices (“relevant connectable products”) to meet three core obligations:
- No universal default passwords: Each device must ship with a unique password or require the user to set one before operation.
- Vulnerability disclosure: A publicly accessible point of contact must be provided for reporting security flaws.
- Defined support periods: Suppliers must clearly communicate how long a device will receive security updates.
The Rules apply to consumer-grade products, not all business IoT. Explicit exclusions include desktops, laptops, tablets, smartphones, therapeutic goods, and road vehicles.
If your business imports, distributes, or retails smart devices in scope, you need to review your supplier contracts and product documentation before the commencement date.
How to Achieve Compliance: Step-by-Step
Step 1: Scope Your Obligations
Map which laws apply based on your turnover, industry sector, data types, and whether you process card payments or supply connected devices.
Step 2: Classify Your Information Assets
Identify where sensitive data lives, who has access, and how it flows across your environment. This is a prerequisite for the Essential Eight and CPS 234.
Step 3: Implement Technical Controls
At minimum, most Australian businesses should have:
- MFA on all remote access and privileged accounts
- Automated patch management with documented patch success rates
- Offline or immutable backups tested quarterly
- Centralised event logging retained for an appropriate period (often at least 12–18 months, depending on your regulatory obligations and risk profile)
- Restricted administrative privileges with quarterly access reviews
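Regulators and insurers ask for evidence that these controls are in place, not just a policy that says they should be. The script below is an added example, not part of the original guide, that turns the five minimum controls above into measurable checks over a constructed inventory (the host, account, backup and logging records are made up for the example). Thresholds the guide does not state, in particular the 30-day patch window and the use of 12 months as the logging floor, are assumptions and are labelled as such in the code.

```python
"""Evidence check for the Step 3 minimum controls.

Added example, not from the original guide. Scores a constructed inventory
against the five minimum controls listed above and returns one finding per
control that is not met.
"""
from datetime import date

TODAY = date(2026, 3, 4)       # fixed so the run is reproducible
PATCH_WINDOW_DAYS = 30         # assumption: the guide states no patch window
BACKUP_TEST_DAYS = 90          # "tested quarterly"
ACCESS_REVIEW_DAYS = 90        # "quarterly access reviews"
MIN_LOG_RETENTION_DAYS = 365   # assumption: lower end of the 12-18 month range

# Constructed sample data: three hosts, four accounts, one backup and one
# logging configuration. None of it describes a real environment.
HOSTS = [
    {"name": "web-01", "last_patched": date(2026, 2, 20), "patch_ok": True},
    {"name": "db-01", "last_patched": date(2025, 12, 1), "patch_ok": False},
    {"name": "file-01", "last_patched": date(2026, 3, 1), "patch_ok": True},
]
ACCOUNTS = [
    {"user": "alice", "privileged": True, "remote": True, "mfa": True, "last_reviewed": date(2026, 1, 15)},
    {"user": "bob", "privileged": True, "remote": False, "mfa": False, "last_reviewed": date(2025, 10, 1)},
    {"user": "carol", "privileged": False, "remote": True, "mfa": False, "last_reviewed": date(2026, 2, 1)},
    {"user": "svc-backup", "privileged": False, "remote": False, "mfa": False, "last_reviewed": date(2026, 2, 1)},
]
BACKUPS = {"immutable": True, "last_restore_test": date(2025, 11, 20)}
LOG_CONFIG = {"centralised": True, "retention_days": 180}


def patch_success_rate(hosts):
    """Fraction of hosts whose most recent patch cycle succeeded (0.0 to 1.0)."""
    if not hosts:
        return 1.0
    return sum(1 for h in hosts if h["patch_ok"]) / len(hosts)


def stale_hosts(hosts, today=TODAY, window=PATCH_WINDOW_DAYS):
    """Hosts whose last successful patch is older than the assumed window."""
    return [h["name"] for h in hosts if (today - h["last_patched"]).days > window]


def mfa_gaps(accounts):
    """Accounts that are privileged or used for remote access but lack MFA."""
    return [a["user"] for a in accounts if (a["privileged"] or a["remote"]) and not a["mfa"]]


def overdue_access_reviews(accounts, today=TODAY, window=ACCESS_REVIEW_DAYS):
    """Privileged accounts whose last access review is older than a quarter."""
    return [a["user"] for a in accounts if a["privileged"] and (today - a["last_reviewed"]).days > window]


def findings(hosts=HOSTS, accounts=ACCOUNTS, backups=BACKUPS, log_config=LOG_CONFIG, today=TODAY):
    """Return (control, detail) pairs for every minimum control that is not met."""
    out = []
    rate = patch_success_rate(hosts)
    stale = stale_hosts(hosts, today)
    if rate < 1.0 or stale:
        out.append(("patching", f"success rate {rate:.0%}; outside {PATCH_WINDOW_DAYS}-day window: {stale}"))
    gaps = mfa_gaps(accounts)
    if gaps:
        out.append(("mfa", f"no MFA on privileged or remote accounts: {gaps}"))
    overdue = overdue_access_reviews(accounts, today)
    if overdue:
        out.append(("admin-privileges", f"not reviewed in {ACCESS_REVIEW_DAYS} days: {overdue}"))
    if not backups["immutable"] or (today - backups["last_restore_test"]).days > BACKUP_TEST_DAYS:
        out.append(("backups", f"immutable={backups['immutable']}, last restore test {backups['last_restore_test']}"))
    if not log_config["centralised"] or log_config["retention_days"] < MIN_LOG_RETENTION_DAYS:
        out.append(("logging", f"centralised={log_config['centralised']}, retention {log_config['retention_days']} days"))
    return out


if __name__ == "__main__":
    for control, detail in findings():
        print(f"[FAIL] {control}: {detail}")
```

On the constructed data every control fails at least once, which is the point: the output is a list you can hand to an auditor and re-run after each change, rather than a statement that the controls exist. Replace the inline dicts with exports from your patch management, identity and backup tooling to use it against a real environment.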
Step 4: Train Your People
According to the ASD’s Annual Cyber Threat Report, phishing is the number one initial access vector for attacks against Australian organisations. Staff training on phishing recognition and data handling is not optional.
Step 5: Run a Regular Risk Assessment
Perform a formal cyber security risk assessment at least annually, and after any significant change to your environment. Document residual risks and your decisions around them. This documentation is what regulators ask for first.
Frequently Asked Questions
How do I report a data breach to the OAIC in 2026?
Notify the OAIC as soon as practicable after forming a reasonable belief that an eligible data breach has occurred. Use the OAIC’s online NDB form and include the nature of the breach, the kinds of information involved, and recommended steps for affected individuals. The Privacy Act does not prescribe a fixed deadline for the notification itself, but it allows at most 30 days to assess a suspected breach, and acting promptly demonstrates good faith to the regulator.
What are the consequences of failing IT compliance requirements in Australia?
Corporations face civil penalties of the greater of $50 million, three times the value of the benefit obtained, or 30% of adjusted turnover for serious or repeated privacy breaches under the amended Privacy Act. SOCI Act non-compliance can attract multi-million-dollar civil penalties, which increase over time with penalty unit indexation. Beyond financial penalties, non-compliant businesses risk losing government contracts, being unable to obtain cyber insurance, and lasting reputational damage.
Does my small business need to comply with the Essential Eight?
The Essential Eight is formally mandated for Commonwealth entities, but the ASD recommends it as the baseline for all Australian businesses. Many cyber insurers now require demonstrated compliance as a condition of coverage. Small businesses that provide health services or trade in personal information also remain subject to the Privacy Act regardless of turnover.
How often should we audit our IT compliance?
As a recommended practice, a formal review should be conducted at least annually. High-risk sectors such as financial services, healthcare, and critical infrastructure should run quarterly health checks. Re-assess after any significant change: a new system, a staff restructure, a merger, or a vendor breach.
