This bill became law on Nov 29th, 2024.
Immigration, border & security
People and businesses can share cyber incident or vulnerability information with the Australian Signals Directorate knowing protections also cover material the agency gathers or creates with their consent.
Compliance fears, litigation risk and the evolving regulatory environment left businesses less willing to share timely cyber incident and vulnerability information with the Australian Signals Directorate. The bill creates limited-use protections so information voluntarily shared with ASD, or gathered with consent, can be used for cyber security help without being repurposed for general regulatory or court use against the entity.
ASD was already Australia’s lead technical cyber adviser, but Home Affairs said an evolving regulatory environment, compliance fears and litigation risk were making businesses less willing to share incident, telemetry and vulnerability information quickly, weakening the national threat picture. After the government released a cyber legislative reforms paper in December 2023 and gathered feedback, it introduced this bill in October 2024 to give limited-use protections for information voluntarily shared with ASD, and Parliament passed it in November 2024.
The main criticism was not the bill's cyber security goal but that it was pushed through too quickly and left some safeguards and drafting questions unresolved, especially around how protected information could be shared and how independent oversight would work. These concerns were raised most clearly by the Greens and in process terms by Coalition speakers, but no party represented in the debate opposed the bill's overall passage.
Hon Tony Burke MP introduced this bill. It passed on the voices.
Did it become law?
Yes
Became law 29 Nov 2024
Final passage
Passed without a counted vote
Members called out ‘aye’ or ‘no’ — no individual votes were recorded.
Passage speed
51 days
From introduction to the latest recorded parliamentary step
Meaning
The Australian Signals Directorate can pass protected cyber information on only for set cyber security purposes, such as helping ministers and other agencies respond to threats, not for general use.
Protected information shared with the Australian Signals Directorate cannot be used for civil or regulatory action against the affected entity, although regulators can still get the same information directly using their own powers.
These protections do not cover information given to meet mandatory reporting laws, so required cyber reports can still be passed to the regulator that enforces those rules.
Protected cyber information generally cannot be used as evidence against the affected entity in criminal or some civil court cases, and documents handled by the National Cyber Security Coordinator are exempt from Freedom of Information requests.
Cyber security incident information must meet a prescribed threshold in order to be classified as limited cyber security information to be protected by the limited use obligation. The information must relate to a cyber security incident that has occurred, is occurring or has the potential to occur. This broad applicability allows the limited use obligation to protect information relating to the discovery of vulnerabilities on a system, in addition to incident information where exploitation has occurred. Further, Schedule 1 applies to information which has been voluntarily provided to ASD by an impacted entity or a representative of the impacted entity, such as an incident response provider. Information that is acquired or prepared by ASD, through the performance of its functions and with the consent of the entity, is also eligible for classification as limited cyber security information. This enables technical programs administered by ASD where an entity is informed of a breach to be covered by the Schedule, to promote early and open engagement with ASD.
Source: Intelligence Services and Other Legislation Amendment (Cyber Security) explanatory memorandum
Subsection (1) places a restriction on staff members of ASD, including the Director-General of ASD, to only communicate limited cyber security information to a person who is not a staff member of ASD for a permitted cyber security purpose.
Source: Intelligence Services and Other Legislation Amendment (Cyber Security) explanatory memorandum
Subsection (2) is applicable only to the limited cyber security information that has been voluntarily provided to, or acquired or prepared by, ASD. This subsection ensures that information captured by the limited use obligation cannot be used for civil or regulatory action against the impacted entity. However, this does not prevent regulatory agencies from using their own powers to acquire the information directly from the impacted entity.
Source: Intelligence Services and Other Legislation Amendment (Cyber Security) explanatory memorandum
ASD is not a Commonwealth enforcement body, or regulator, and does not hold regulatory powers to enforce compliance against mandatory reporting obligations. The exclusion of information that has been provided to ASD for mandatory reporting purposes, obligations or requirements ensures this information can be transferred to the responsible regulator and does not override or displace any legislative responsibilities entities may have in relation to reporting cyber security incidents.
Source: Intelligence Services and Other Legislation Amendment (Cyber Security) explanatory memorandum
Subsection (2) provides that limited cyber security information is not admissible as evidence against the impacted entity in Commonwealth, State or Territory criminal proceedings, subject to limited exceptions dealing with false or misleading information, or in certain Commonwealth, State or Territory civil proceedings dealing with obstruction of Commonwealth public officials.
Source: Intelligence Services and Other Legislation Amendment (Cyber Security) explanatory memorandum
Context
Government releases cyber legislative reforms consultation paper
Home Affairs opened consultation on proposed cyber legislation, including the limited-use model later applied to information shared with ASD.
Source: Intelligence Services and Other Legislation Amendment (Cyber Security) explanatory memorandum
Consultation closes after more than 130 submissions
The department said stakeholders were broadly supportive of the limited-use proposal while focusing on whether it would work as intended.
Source: Intelligence Services and Other Legislation Amendment (Cyber Security) explanatory memorandum
Government introduces the bill as part of its cyber security package
The minister presented the bill as the second measure in a broader legislative package aimed at lifting national cyber resilience.
Source: Hansard
Parliament passes the bill
Both houses agreed to the bill in the same form, completing its parliamentary passage and locking in the new limited-use protections.
Source: Parliamentary timeline
Royal Assent makes the bill law
Royal Assent turned the bill into an Act, finalising ASD limited-use protections and an FOI exemption for certain Coordinator documents.
Source: Parliamentary timeline
Legislative route
The bill was formally presented to the chamber and read a first time, which starts its parliamentary journey.
Introduced and read a first time
A minister or sponsoring member moved the second reading, opening the main debate on the bill's purpose and principles.
Second reading moved
Referred to Committee (10/10/2024): Parliamentary Joint Committee on Intelligence and Security; Committee Report (18/11/2024)
Referred to committee
APH bill page notes
The bill reached this recorded parliamentary step.
The bill reached this recorded parliamentary step.
Referred to Federation Chamber
The bill reached this recorded parliamentary step.
Second reading debate
The chamber agreed to the bill at second reading, meaning it accepted the bill in principle and allowed it to continue.
Second reading agreed to
The chamber considered amendments before the bill moved to the next stage.
Consideration in detail debate
The bill reached this recorded parliamentary step.
Reported from Federation Chamber
The chamber agreed to the bill at third reading, which completed passage through that chamber.
Third reading agreed to
The bill was formally presented to the chamber and read a first time, which starts its parliamentary journey.
Introduced and read a first time
A minister or sponsoring member moved the second reading, opening the main debate on the bill's purpose and principles.
Second reading moved
The bill reached this recorded parliamentary step.
The chamber agreed to the bill at second reading, meaning it accepted the bill in principle and allowed it to continue.
Second reading agreed to
The bill reached this recorded parliamentary step.
The chamber agreed to the bill at third reading, which completed passage through that chamber.
Third reading agreed to
Both houses passed the bill in the same form, completing parliamentary passage.
Finally passed both Houses
The Governor-General gave Royal Assent, turning the bill into an Act.
Key criticism
Criticism was limited and mostly conditional rather than a broad case against the bill.
Rushed scrutiny and process
Critics argued the bill was handled too quickly, leaving too little time for proper parliamentary scrutiny of a significant cyber security reform package.
Safeguards and independence needed strengthening
The Greens argued the bill needed stronger safeguards, including tighter limits on when ASD could pass on voluntarily shared cyber information, a more independent incident review board, and clearer alignment with overseas device-security standards.
Further sources
Votes
The bill passed both chambers on the voices, so there is no list of individual Aye and No votes for final passage.
House agreed to the bill's third reading on the voices, so there is no list of individual Aye and No votes for final passage in that chamber.
Passed on the voices
In a voice vote, members call out Aye or No and the presiding officer judges which side has it. Individual names are only recorded if a formal division is called.
Senate agreed to the bill's third reading on the voices, so there is no list of individual Aye and No votes for final passage in that chamber.
Passed on the voices
In a voice vote, members call out Aye or No and the presiding officer judges which side has it. Individual names are only recorded if a formal division is called.
Amendments grouped by chamber. Where APH reports aggregate counts, the package card summarizes the matching public amendment sheets by source theme.
House
Government amendments would change the bill text so the relevant provisions cover material prepared or acquired by ASD, and add a note that ASD is a Commonwealth body.
Passed on the voices
The chamber agreed to this amendment package without a counted vote. APH records the agreed count by amendment, while the source documents are grouped into amendment sheets.
Senate
The Senate Journal records this outcome as defeated on voices.
Defeated on voices
The chamber decided this amendment without a counted division, so there is no list of individual Aye and No votes.
The Senate Journal records this Shoebridge amendment package as defeated on voices.
Defeated on voices
The chamber decided this amendment without a counted division, so there is no list of individual Aye and No votes.
The Senate Journal records this Shoebridge amendment as defeated on voices.
Defeated on voices
The chamber decided this amendment without a counted division, so there is no list of individual Aye and No votes.
The Senate rejected Senator Shoebridge's proposal on voices, which would have limited ASD's sharing of voluntarily provided cyber security information with the National Cyber Security Coordinator unless the entity consented, except in urgent or exceptional circumstances with later notice.
Defeated on voices
The chamber decided this amendment without a counted division, so there is no list of individual Aye and No votes.
Parliamentary debate
Start here — lead voices
Mr Burke supports the bill, saying it will give industry legal assurance that information shared with the Australian Signals Directorate during a cyber incident is protected and can be used for permitted purposes.
Paterson says the coalition will support the bill and the wider cyber package, because Australia needs stronger laws and sensible powers to deal with evolving cyberthreats.
Ayres supports the bill and says it will improve cyber incident response by giving ASD a limited use obligation that encourages industry and victims to share timely technical information without fear it will be used for regulatory action.
Michelle Landry says the coalition will support the bill without amendment because it backs the policy intent and wants the limited-use provisions to help industry share cyber incident information with government.
All speeches by bloc
7 speakers · 7 support
“This is the second Bill in the Cyber Security Legislative Package and seeks to amend the Intelligence Services Act 2001 to legislate a limited use obligation for the Australian Signals Directorate (ASD), similar to the provisions relating to the National Cyber Security Coordinator under the Cyber Security Bill. A limited use obligation will protect the information voluntarily provided to, or acquired or prepared by, ASD during an impacted entity's engagement in relation to a cyber security incident or vulnerability.”
“This is a package of key reforms necessary to support the continued uplift of Australia's collective cybersecurity. I want Australian citizens and businesses to be best placed to take every opportunity in the digital economy, something that cannot occur without being safe and secure online. I commend these bills to the Chamber.”
“In many respects Australia is already a leader in cybersecurity, but this bill will ensure that Australia has a world-leading, robust cybersecurity regime going forward. The time to act is now, and I commend this bill to the House.”
“The Albanese government is committed to lifting our country's cyber legislative strategy and doing everything it can to support Australians and small businesses around the country. The Cyber Security Bill and related bills provide an opportunity for this country and for the Senate to strengthen our national cybersecurity defences. The bills will position Australians and our businesses, particularly in the small business community, to better respond and recover from cybersecurity threats and help our nation become a world leader in cybersecurity by 2030 in an evolving threat environment. I commend the bill to the Senate.”
“We must remember that cyber crimes can impact businesses and individuals, and it's important that when you have an incident, you report it and reach out and get the support that you need. I thank Minister Burke and Minister O'Neill for their leadership, and I thank those who provided evidence to our committee to investigate this. I recommend the bill to be passed in the Senate today.”
“The limited-use obligation in this bill provides industry with the legal assurance that they can engage and provide information to the very agencies the government has established to help them prepare for and respond to cybersecurity incidents.”
“That committee has now handed down its report and recommended that, subject to implementation of the recommendations in its report, the package be passed by the parliament. The government agrees or agrees in principle to all 13 recommendations in the committee's report and, in line with recommendation 1, proposes the package be passed by the parliament.”
4 speakers · 4 support
“As I said, the coalition supports the policy intent of this legislative package. In the face of a complex and evolving threat environment, the government needs robust levers to protect Australians from cyberthreats. We will always support sensible changes which ensure our legislation is fit for purpose to tackle the ever-evolving cyberthreats facing Australia, which is why we will be supporting the passage of these bills and the accompanying government amendments.”
“The coalition supports the policy intent of the legislative package. In the face of a complex and evolving threat environment, the Commonwealth government needs robust leaders to protect Australians from cyberthreats. Industry should also be able to engage quickly and confidently with government in responding to cyber challenges, and we welcome the limited use provisions which will go some way to facilitating this culture of cooperation. The coalition will be supporting these bills without amendment.”
“It's clear Australia must entrench its place on the world stage as a nation which is proactive and a world leader in cybersafety when it comes to digital technology, and I would like to think that, whichever party or parties occupy the government benches in Australia, the same priority and the same importance is placed on cybersecurity. I know that the government come to this place and space with good intent, and I encourage them and acknowledge them for that. It's very clear that Australia is targeted all too often by people and nations that want to do us harm. But this bill and other measures will ensure business has the confidence to continue to invest and grow.”
“This legislation is so very important. The three bills we're debating are designed to mandate minimum cybersecurity standards for smart devices; to introduce mandatory ransomware reporting for certain businesses to report ransom payments; to introduce limited-use obligations for the National Cyber Security Coordinator and the Australian Signals Directorate, or ASD; to establish a cyber incident review board and clarify, simplify, streamline, and align existing obligations, regulations and government assistance measures.”
1 speaker · 1 mixed
“I'll finish with this. This is rushed legislation that's important, and the rush is part of the problem. I move:”
Record
House · Introduced and read a first time
Introduced
The bill was formally presented to the chamber and read a first time, which starts its parliamentary journey.
House · Second reading moved
Second reading opened
A minister or sponsoring member moved the second reading, opening the main debate on the bill's purpose and principles.
House · Second reading debate
Second reading debate
The bill reached this recorded parliamentary step.
House · Referred to Federation Chamber
Referred to Federation Chamber
The bill reached this recorded parliamentary step.
House · Second reading debate
Second reading debate
The bill reached this recorded parliamentary step.
House · Second reading agreed to
Second reading agreed
The chamber agreed to the bill at second reading, meaning it accepted the bill in principle and allowed it to continue.
House · Consideration in detail: amendments considered
Amendment packages agreed
The chamber considered amendments before the bill moved to the next stage.
House · Reported from Federation Chamber
Reported from Federation Chamber
The bill reached this recorded parliamentary step.
House · Third reading agreed to
Third reading agreed
The chamber agreed to the bill at third reading, which completed passage through that chamber.
Senate · Introduced and read a first time
Introduced
The bill was formally presented to the chamber and read a first time, which starts its parliamentary journey.
Senate · Second reading moved
Second reading opened
A minister or sponsoring member moved the second reading, opening the main debate on the bill's purpose and principles.
Senate · Second reading debate
Second reading debate
The bill reached this recorded parliamentary step.
Senate · Second reading agreed to
Second reading agreed
The chamber agreed to the bill at second reading, meaning it accepted the bill in principle and allowed it to continue.
Senate · Committee of the Whole debate
Committee of the Whole debate
The bill reached this recorded parliamentary step.
Senate · Third reading agreed to
Third reading agreed
The chamber agreed to the bill at third reading, which completed passage through that chamber.
Parliament · Finally passed both Houses
Passed both houses
Both houses passed the bill in the same form, completing parliamentary passage.
Assent · Assent
Assent
The Governor-General gave Royal Assent, turning the bill into an Act.
Parliamentary Joint Committee on Intelligence and Security; Committee Report (18/11/2024)
Referred to committee
Referred to Committee (10 Oct 2024): Parliamentary Joint Committee on Intelligence and Security; Committee Report (18 Nov 2024)
APH bill page notes