Mandatory Ransomware and Cyber Extortion Reporting Begins 30 May 2025: What Australian Businesses Need to Know
From 30 May 2025, Australia’s Cyber Security Act 2024 introduces mandatory reporting requirements for ransomware and cyber extortion payments. If your business meets the criteria of a “reporting business entity”—including having an annual turnover of AUD $3 million or more—you must report any such payments to the Australian Signals Directorate (ASD) within 72 hours of making the payment or becoming aware of it.
Key Obligations:
Who Must Report: Businesses with $3 million+ turnover, new businesses (calculated pro-rata), and critical infrastructure operators.
What Must Be Reported: Payment details (including non-monetary benefits), the nature of the cyber incident, extortion demands, communications with threat actors, and impacted systems or customers.
Where to Report: Via the ASD’s reporting portal – cyber.gov.au/report-and-recover/report
Timeframe: Reports must be lodged within 72 hours of payment or awareness of payment.
Two-Phase Rollout:
Education Phase (30 May–31 Dec 2025): Focus on awareness and support. Regulatory action only in cases of serious non-compliance.
Enforcement Phase (from 1 Jan 2026): Stricter compliance checks and potential penalties for failure to report—up to 60 penalty units.
What Happens to the Information?
The ASD uses reports to help businesses respond to cyber incidents and for intelligence purposes.
The Department of Home Affairs monitors compliance and may use information to improve Australia’s cybersecurity posture.
Your report data won’t be used in court (except in rare, serious cases like providing false information).
Why This Matters:
This reporting regime helps the government understand ransomware trends, protect businesses, and inform future policies. It especially supports SMEs by enabling tailored cybersecurity guidance.
Need Help?
Visit the Cyber Security Act website, attend town hall sessions, or email: ransomware.reporting@homeaffairs.gov.au
