Australia introduced a new cyber security bill this week in a move to overhaul the nation’s cyber security framework, addressing key areas including security standards for internet-of-things (IoT) devices, mandatory reporting of ransomware incidents, and the creation of a Cyber Incident Review Board.

The government said the bill will provide “a clear legislative framework for contemporary, whole-of-economy cyber security issues, positioning the Australian government to identify and respond to new and emerging cyber security threats”.

The bill moves IoT devices from a voluntary to a mandatory code of practice, aligning with UK legal definitions and requirements to minimise the burden on industry. Manufacturers will be required to provide a compliance statement declaring adherence to the relevant security standards, with security support provided for a defined period.

The legislation’s scope extends beyond internet protocol (IP) devices to encompass products connecting bidirectionally with internet-connectable devices, regardless of the connection type, unless the device only connects to one other device at a time.

This broadened definition encompasses connected vehicles, a timely issue given recent concerns around data collection by car manufacturers. The bill’s explanatory memorandum noted how “smart devices can be used to collect significant volumes of potentially sensitive data about users with or without the awareness of consumers”.

Security standards for device classes will be adaptable through rules established under the legislation, allowing for exemptions for specific products or categories.

The secretary of home affairs will have the power to issue enforcement notices for non-compliance, including product recalls.