Australia’s 72-Hour Ransomware Payment Reporting Regime Enters Phase 2 in 2026

Transition to a Compliance-Focused Phase

From 1 January 2026, Australia’s mandatory ransomware and cyber extortion payment reporting regime moves into its Phase 2 “compliance and education” approach, signalling a more actively compliance-focused posture from regulators while continuing to provide guidance and support. The reporting framework is established under the Cyber Security Act and the Cyber Security (Ransomware Payment Reporting) Rules 2025, and is designed to give government better visibility of ransomware and cyber extortion payments made by organisations operating in Australia.

Mandatory reporting obligations for ransomware and cyber extortion payments have been in force since 30 May 2025, when the regime commenced. During Phase 1 (30 May 2025 to 31 December 2025), the Australian Government adopted an “education-first” approach, focusing on helping entities understand and meet their obligations, and reserving stronger regulatory responses for more serious non-compliance. From 1 January 2026, Phase 2 begins and the focus shifts to a “Compliance and Education Approach”, under which regulators are expected to place greater emphasis on compliance and enforcement, while still supporting entities to improve their cyber security practices.

Who Must Report and When

Under the Rules, “reporting entities” are required to notify the Australian Signals Directorate (ASD) within 72 hours after making a ransomware or cyber extortion payment, or becoming aware that such a payment has been made on their behalf. Reporting entities include businesses that carry on an enterprise in Australia with total annual revenue of at least AUD 3 million in the previous financial year, as well as responsible entities for certain critical infrastructure assets. The obligation applies regardless of whether the underlying cyber incident occurs inside or outside Australia, as long as the entity falls within the definition of a reporting entity.

Reports must be submitted through the ASD’s online reporting portal and must include prescribed information about the incident and the payment. This includes details such as when the incident occurred, the systems and services affected, the type of ransomware or cyber extortion incident, any vulnerabilities exploited, the nature and amount of the payment (including payment method and any digital asset addresses), and information about any communications or negotiations with the threat actor. Reporting is mandatory only where a payment is made; there is no statutory requirement under this regime to report unsuccessful ransom demands where no payment occurs, although other incident reporting obligations may still apply.

Penalties and Enforcement Approach

If a reporting entity fails to comply with the ransomware payment reporting obligations, civil penalties may apply. In particular, a failure to report a payment within the required timeframe can attract a civil penalty of up to 60 penalty units, which is currently equivalent to approximately AUD 19,800, although this amount may change over time as the value of a penalty unit is updated. The regime is intended to be proportionate, and enforcement action is expected to focus on more serious or repeated non-compliance, especially as Phase 2 progresses.

Information provided in a ransomware or cyber extortion payment report is protected and subject to strict rules on its use and disclosure. Generally, the information cannot be used in proceedings against the reporting entity, and may only be used or disclosed for specified “permitted purposes”, such as assisting with cyber security, supporting law enforcement activities, or informing government policy responses, with limited statutory exceptions (for example, where false or misleading information is provided). The Government has also clarified that making a ransomware or cyber extortion payment is not, in itself, prohibited under this regime, but entities must still consider other legal risks, including sanctions, anti-money laundering and counter-terrorism financing laws.

Governance, Playbooks and 2026 Priorities

For boards and senior management, the 72-hour reporting requirement and the commencement of Phase 2 underscore the importance of having clear governance arrangements and playbooks for responding to ransomware incidents. Organisations should ensure they can quickly identify whether they are a reporting entity, determine if a contemplated payment would trigger a reporting obligation, gather the information needed to complete a report within 72 hours, and coordinate with legal advisors, insurers and technical responders as part of a structured response plan. In 2026, ransomware payment reporting will remain a key focus area in Australia’s cyber security landscape, shaping how organisations manage incident response and transparency around cyber extortion.

Practical Next Steps for Compliance

As Australia’s ransomware payment reporting regime enters Phase 2, organisations must prioritise readiness for the 72-hour reporting window and robust incident response planning. ANP Technology is an Australian cybersecurity and IT infrastructure solutions provider. Readers seeking further guidance on these obligations are welcome to contact ANP Technology.