Ransomware attacks continue to pose an escalating threat to global businesses and critical infrastructure, demanding ever-evolving regulatory and operational responses. In 2025, Australia introduced a pioneering regulatory mandate requiring all organizations that make ransomware payments to report these transactions within seventy-two hours to the Australian Cyber Security Centre (ACSC). This groundbreaking law signals a shift toward increased transparency and government-led coordination in combatting ransomware, with profound implications for incident response, compliance, and risk management across industries.
This article provides a comprehensive, deeply researched exploration of Australia’s ransomware payment reporting regulation, contextualizes it against international counterparts, and outlines critical compliance strategies. It aims to guide organizations through the complex legal landscape and operationalize effective ransomware governance frameworks.
The Rising Tide of Ransomware and the Need for Mandatory Reporting
Ransomware has evolved from isolated cybercrime incidents to systemic threats impacting governments, healthcare, finance, and critical infrastructure worldwide. Criminal groups employ sophisticated malware and extortion tactics, often demanding payment in cryptocurrencies to evade tracing. The financial and operational toll of ransomware attacks includes service outages, data loss, regulatory fines, and reputational damage.
Historically, many ransomware victims chose not to disclose ransom payments, fearing legal consequences or reputational harm. This opacity hindered law enforcement’s ability to track criminal actors and respond effectively. Australia’s law mandates reporting to close this gap, facilitating intelligence sharing and coordinated disruption of ransomware ecosystems.
Australia’s Ransomware Payment Reporting Law: Provisions and Requirements
Effective from 2025, the law requires organizations to report any ransom payments to the ACSC within seventy-two hours of payment. Key elements include:
- Scope: All payments made to malicious actors, including direct transactions and those facilitated by intermediaries such as negotiators or cyber insurers.
- Content of Reports: Organizations must disclose payment amount, cryptocurrency or payment method, ransom notes, victim impact assessments, and communications with attackers.
- Reporting Mechanism: The ACSC provides an online portal for secure submission, ensuring confidentiality and data protection.
- Compliance: Noncompliance can trigger regulatory sanctions and heightened scrutiny from law enforcement and privacy regulators.
The regulation applies broadly to Australian businesses and government entities across sectors, emphasizing a unified national approach.
International Context: Comparing Australia’s Approach
Australia’s mandatory ransomware reporting law aligns with a growing global trend toward transparency and regulation.
United States
The US has long encouraged voluntary ransomware incident reporting via agencies like the Cybersecurity and Infrastructure Security Agency (CISA). Recent federal proposals aim to formalize reporting obligations, emphasizing timely disclosure to combat ransomware threats and protect critical infrastructure.
European Union
The EU’s Network and Information Security Directive (NIS2) and forthcoming regulations similarly emphasize incident notification, including ransom payments, within strict timelines. The EU framework integrates data privacy considerations under GDPR, highlighting compliance complexities.
Key Differentiators
Australia’s 72-hour mandatory reporting window is notably stringent, reflecting urgency in response capabilities. Confidentiality protections also encourage compliance without penalizing victims for transparency, a balance that some jurisdictions are still refining.
Legal and Regulatory Implications
The ransomware payment reporting law intersects multiple legal domains:
- Anti-Money Laundering (AML): Ransom payments often involve cryptocurrencies, raising AML concerns. Organizations must ensure payment and reporting processes do not contravene AML statutes.
- Privacy Laws: Disclosures must balance transparency with protection of personal and sensitive data, particularly under Australian Privacy Principles and GDPR for multinational firms.
- Contractual and Insurance Considerations: Reporting obligations may trigger clauses in cyber insurance policies and vendor agreements, necessitating careful legal review.
- Enforcement Landscape: The ACSC collaborates with federal and state law enforcement, integrating ransomware reporting into broader cybercrime investigations.
The Reporting Process via ACSC
The Australian Cyber Security Centre’s portal streamlines reporting with an emphasis on usability and security:
- Secure login and identity verification
- Structured input fields capturing detailed ransom payment data
- Upload options for ransom notes and communication logs
- Automated acknowledgments and follow-up support
- Assurance of confidentiality to mitigate fear of reputational damage
Organizations are advised to integrate this reporting step into their ransomware playbooks to meet deadlines and maintain audit trails.
Operational Impact: Transforming Incident Response and Risk Management
Organizations must fundamentally adapt how they prepare for and respond to ransomware incidents:
- Incident Response Integration: Ransom payment reporting becomes a critical checkpoint in incident escalation, requiring predefined roles and workflows.
- Cross-Functional Collaboration: Legal, compliance, security, finance, and communications teams must coordinate to manage reporting obligations and mitigate risks.
- Training and Awareness: Regular employee training is essential to ensure timely internal notification and understanding of reporting protocols.
- Third-Party Dependencies: Coordination with Managed Security Service Providers (MSSPs), insurers, and external negotiators is vital to gather accurate information and meet reporting obligations.
Industries Most Affected by the Reporting Law
While all sectors are impacted, several industries face heightened ransomware risks and compliance complexity.
- Healthcare: Patient safety, privacy laws, and critical services place healthcare at the frontline of ransomware defense and reporting obligations.
- Financial Services: Stringent regulatory frameworks and high-value targets necessitate robust governance and rapid reporting mechanisms.
- Government and Public Sector: National security and citizen data protection prioritize rapid transparency and coordinated response.
- Critical Infrastructure: Energy, water, transportation, and telecommunications sectors must maintain operational continuity while complying with new reporting demands.
- Retail and Supply Chain: Disruptions to supply chains and consumer trust require heightened vigilance and swift reporting actions.
Preparing for Compliance: Best Practices for Organizations
To navigate the complexities of Australia’s ransomware reporting law, organizations should:
- Update Incident Response Plans: Incorporate mandatory reporting workflows with clear responsibilities and escalation triggers.
- Designate Reporting Officers: Assign trained personnel responsible for timely submissions to the ACSC.
- Implement Robust Documentation: Maintain detailed logs of ransomware incidents, payments, and attacker communications.
- Engage Legal and Compliance Advisors: Review reporting obligations in the context of AML, privacy, insurance, and contractual obligations.
- Coordinate with External Partners: Align with MSSPs, cyber insurers, and negotiation firms to ensure seamless information flow.
- Conduct Training Programs: Raise awareness among executives and operational teams on new legal requirements and response protocols.
- Perform Regular Audits: Test ransomware response and reporting procedures to identify gaps and improve readiness.
Conclusion
Australia’s mandatory ransomware payment reporting law represents a significant advancement in national cybersecurity policy, pushing transparency to the forefront of ransomware defense. By requiring rapid disclosure of ransom payments, the law empowers government agencies to disrupt criminal networks and supports informed risk management by organizations.
The regulation also introduces new operational and legal complexities, demanding proactive adaptation by businesses across industries. Organizations that integrate these reporting requirements into comprehensive ransomware governance frameworks will not only achieve compliance but enhance their overall cyber resilience and trustworthiness in a threat-laden digital environment.
About COE Security
COE Security is committed to supporting organizations through evolving cybersecurity regulations with tailored solutions designed to meet compliance and risk management challenges. Our services include:
- Cybersecurity governance and risk management advisory
- Incident response planning and ransomware readiness
- Regulatory compliance consulting including AML, privacy, and reporting laws
- Training and awareness programs for executives and operational teams
- Coordination with external stakeholders such as insurers and service providers
We serve diverse sectors including healthcare, financial services, government, critical infrastructure, and retail. Follow COE Security on LinkedIn to stay informed on cybersecurity best practices and regulatory developments to keep your organization cyber safe.