Australian cyber governance runs on two tiers that increasingly lock together. The Commonwealth sets the reference architecture — what good risk and control looks like. The NSW Government layers an assurance regime on top — who has to prove it, and by when. For any department, and for the suppliers behind it, the practical question is no longer “are we secure?” but “can we evidence that we meet both?”
## Commonwealth and NSW cyber obligations at a glance
| Layer | Commonwealth (federal) | NSW Government |
|---|---|---|
| Strategic anchor | 2023–2030 Australian Cyber Security Strategy | 2026–2028 NSW Government Cyber Security Strategy (Jan 2026) |
| Central authority | ASD / ACSC, the National Cyber Security Coordinator, Home Affairs | Cyber Security NSW; the NSW Chief Cyber Security Officer |
| Technical baseline | ASD Information Security Manual; the Essential Eight | NSW Cyber Security Policy (refreshed 2023); the Essential Eight |
| Risk posture | “Assume compromise”; protect the crown jewels | Posture assessed against all-of-government risks; crown-jewel inventories |
| Compliance & assurance | Sector laws, regulator enforcement, ASD uplift programs | Mandatory NSW Cyber Security Policy; annual reporting; directive DCS-2025-04 |
| Protection for citizens | ASD’s ACSC hotline, ReportCyber, alerts and advisories | ID Support NSW |
## What government requires of its agencies

### The federal expectation: a reference architecture
The Australian Signals Directorate, through its Australian Cyber Security Centre, is the Commonwealth’s technical authority. Its Information Security Manual and the Essential Eight set the baseline controls, and the 2023–2030 Australian Cyber Security Strategy frames the national uplift. The posture is blunt: assume you will be compromised, and concentrate protection on the assets that matter most — the “crown jewels.” This is increasingly backed by law, with the Cyber Security Act 2024 — Australia’s first standalone cyber security legislation — sitting alongside the Security of Critical Infrastructure regime and the Privacy Act.
### The NSW overlay: an assurance regime
NSW does not reinvent the federal architecture; it plugs into it and adds accountability. The NSW Cyber Security Policy is the mandatory baseline for departments and agencies, requiring them to identify their crown jewels, run Essential Eight maturity assessments, manage operational-technology and IoT risk, and attest to compliance — reporting to Cyber Security NSW each year by 31 October. In 2025 the bar rose under directive DCS-2025-04:
- 24-hour incident reporting — from 4 August 2025, incidents must be reported through the Cyber Security NSW portal within 24 hours.
- Crown-jewel inventories and lifecycle plans — covering ICT, cloud, software, OT, IoT and network assets, with crown jewels in scope by 30 June 2026.
- Third-party risk management — registering and assessing the supply chain that sits behind most modern breaches.
The 2026–2028 NSW Government Cyber Security Strategy, released in January 2026, sharpens the direction again: five objectives across three goals, with a stated focus on critical infrastructure and third-party supply-chain risk.
### The obligation, federal versus NSW
| Theme | Commonwealth expectation | NSW overlay |
|---|---|---|
| Baseline controls | Essential Eight, ASD ISM, secure-by-design | Essential Eight maturity under the NSW Cyber Security Policy |
| Asset focus | Identify and protect crown jewels | Crown-jewel inventory + lifecycle plan (DCS-2025-04, due 30 June 2026) |
| Incident reporting | Report to ASD’s ACSC; C1–C6 severity scale | Within 24 hours via the Cyber Security NSW portal (from 4 Aug 2025) |
| Third-party / supply chain | Strengthen third-party risk management | Third-party provider register and assessment |
| Assurance | Regulator enforcement, ASD uplift programs | Annual attestation to Cyber Security NSW by 31 October |
## What government offers to protect everyone
The same system that sets obligations also extends help outward — to businesses, and to the people caught in a breach or a scam.
- Australian Cyber Security Hotline & ReportCyber — round-the-clock advice and the national portal for reporting cybercrime, run by ASD’s ACSC.
- National Anti-Scam Centre & Scamwatch — the ACCC-led service for reporting scams and warning the public, sharing intelligence across government and industry to disrupt them.
- OAIC & the Notifiable Data Breaches scheme — the Office of the Australian Information Commissioner regulates eligible data breaches and guides affected people on what to do when their information is exposed.
- Alerts, advisories and guidance for individuals and small business, plus partner threat-intelligence sharing for organisations.
- ID Support NSW — free, practical recovery help for individuals and organisations hit by data compromise, identity theft and scams.
## The scale behind the policy — ASD Annual Cyber Threat Report 2024–25
- Over 1,200 incidents responded to (up 11%), and more than 1,700 proactive notifications to entities (up 83%).
- More than 84,700 cybercrime reports — about one every six minutes.
- Average cost of cybercrime to a business: A$80,850 (up 50%).
- Notifications to critical-infrastructure entities up 111%.
## Where the gap is
Obligations keep multiplying — a federal Act, a NSW directive, a supply-chain mandate. Yet the recurring failure in Australia’s major breaches is the same: legitimate credentials reached through a third party. The frameworks describe what good looks like. The recurring gap is translating each obligation into a named owner and verifying it is actually met — not just attested to. We examine that gap, across every Australian jurisdiction, in “Government Is Failing Its Own Cyber Rules.”
## Sources
- Australian Signals Directorate — Annual Cyber Threat Report 2024–25
- 2026–2028 NSW Government Cyber Security Strategy
- DCS-2025-04 — Cyber Security NSW Directive (Targeted Initiatives)
- NSW Cyber Security Policy & Cyber Security NSW policies
- Department of Home Affairs — Cyber Security (2023–2030 Strategy, Cyber Security Act 2024)
- National Anti-Scam Centre / Scamwatch (ACCC)
- Office of the Australian Information Commissioner — Notifiable Data Breaches
- ID Support NSW
## Frequently asked questions

### Who is responsible for cyber security in Australian government?

Federally, the Australian Signals Directorate’s ACSC is the technical authority, supported by the National Cyber Security Coordinator and Home Affairs. In NSW, Cyber Security NSW and the NSW Chief Cyber Security Officer lead.
### What is the Essential Eight?
A baseline set of mitigation strategies from the Australian Signals Directorate, used as the control and maturity benchmark across Commonwealth and state government, and recommended well beyond it.
### What is DCS-2025-04?
A 2025 NSW directive that mandates 24-hour incident reporting, crown-jewel inventories and lifecycle plans, and third-party provider registers for NSW agencies.
### Where do I report a cyber incident or scam?
Use ReportCyber or the ASD Cyber Security Hotline nationally. In NSW, ID Support NSW helps individuals and organisations affected by breaches, identity theft and scams.