Definitive global law guides offering comparative analysis from top-ranked lawyers
CHAMBERS GLOBAL PRACTICE GUIDES
Cybersecurity 2025
Contributing Editor Christian Schröder Orrick
Chambers Global Practice Guides
For more than 20 years, Chambers Global Guides have ranked lawyers and law firms across the world. Chambers now offer clients a new series of Global Practice Guides, which contain practical guidance on doing legal business in key jurisdictions. We use our knowledge of the world’s best lawyers to select leading law firms in each jurisdiction to write the ‘Law & Practice’ sections. In addition, the ‘Trends & Developments’ sections analyse trends and developments in local legal markets.

Disclaimer: The information in this guide is provided for general reference only, not as specific legal advice. Views expressed by the authors are not necessarily the views of the law firms in which they practise. For specific legal advice, a lawyer should be consulted.

Content Management Director: Claire Oxborrow
Content Manager: Jonathan Mendelowitz
Senior Content Reviewers: Sally McGonigal, Ethne Withers, Deborah Sinclair and Stephen Dinkeldein
Content Reviewers: Vivienne Button, Lawrence Garrett, Sean Marshall, Marianne Page, Heather Palomino and Adrian Ciechacki
Content Coordination Manager: Nancy Laidler
Senior Content Coordinators: Carla Cagnina and Delicia Tasinda
Content Coordinator: Hannah Leinmüller
Head of Production: Jasper John
Production Coordinator: Genevieve Sibayan
Published by Chambers and Partners 165 Fleet Street London EC4A 2AE Tel +44 20 7606 8844 Fax +44 20 7831 5662 Web www.chambers.com
Copyright © 2025 Chambers and Partners
Contents

INTRODUCTION p.4
Contributed by Christian Schröder and Odey Hardan, Orrick

AUSTRALIA
Law and Practice p.8 (Contributed by Nyman Gibson Miralis)
Trends and Developments p.29 (Contributed by Nyman Gibson Miralis)

BELGIUM
Law and Practice p.39 (Contributed by Alston & Bird LLP)
Trends and Developments p.53 (Contributed by Loyens & Loeff)

BRAZIL
Trends and Developments p.61 (Contributed by Machado Meyer)

CHILE
Law and Practice p.71 (Contributed by Magliona Abogados)

HUNGARY
Law and Practice p.91 (Contributed by PROVARIS Varga & Partners)
Trends and Developments p.114 (Contributed by PROVARIS Varga & Partners)

INDIA
Trends and Developments p.121 (Contributed by JSA)

ITALY
Law and Practice p.127 (Contributed by ICT Legal Consulting)
Trends and Developments p.158 (Contributed by ICT Legal Consulting)

JAPAN
Law and Practice p.163 (Contributed by Mori Hamada & Matsumoto)
Trends and Developments p.174 (Contributed by Nagashima Ohno & Tsunematsu)

MEXICO
Law and Practice p.183 (Contributed by Nader Hayaux & Goebel)

PORTUGAL
Law and Practice p.197 (Contributed by Abreu Advogados)
Trends and Developments p.215 (Contributed by Abreu Advogados)

SINGAPORE
Law and Practice p.222 (Contributed by Drew & Napier LLC)
Trends and Developments p.244 (Contributed by CMS)

SWEDEN
Law and Practice p.252 (Contributed by Mannheimer Swartling)
Trends and Developments p.266 (Contributed by Mannheimer Swartling)

SWITZERLAND
Law and Practice p.272 (Contributed by Walder Wyss Ltd)
Trends and Developments p.286 (Contributed by Walder Wyss Ltd)

TÜRKIYE
Law and Practice p.293 (Contributed by YAZICIOGLU Legal)

UK
Law and Practice p.318 (Contributed by Sidley Austin LLP)
Trends and Developments p.336 (Contributed by Sidley Austin LLP)

USA
Law and Practice p.343 (Contributed by Freshfields)
Trends and Developments p.358 (Contributed by Freshfields)
CHAMBERS.COM
INTRODUCTION Contributed by: Christian Schröder and Odey Hardan, Orrick
Orrick is a global law firm dedicated to serving the technology and innovation, energy and infrastructure, finance, and life sciences and healthtech sectors. With more than 1,100 lawyers across 25+ markets worldwide, Orrick provides forward-looking, pragmatic advice on transactions, litigation, and compliance matters. As one of the world’s leading tech law firms, cybersecurity and privacy are central to Orrick’s practice. The firm has 15 cybersecurity and privacy-focused partners and over 50 specialised lawyers, making it one of the strongest data protection practices in the market, recognised by Chambers Global, US, and Europe. Orrick helps clients navigate the complex cybersecurity and privacy legal landscape, managing global compliance matters, cyber incidents, litigation, and regulatory investigations. They maximise data value, address global privacy requirements, and reduce security risks. Whether clients are managing compliance challenges, licensing data, or acquiring new companies, Orrick offers forward-thinking solutions to address data challenges.
Contributing Editor
Christian Schröder is a partner in Orrick’s Düsseldorf office and leads the firm’s Cyber, Privacy & Data Innovation Group in Europe. He collaborates with team members across the USA, EU, and Asia to support global clients. Christian specialises in data-focused laws, including cybersecurity, privacy compliance, incident response, data licensing, AI, and regulatory investigations. He advises on internal and external data transfers, product launches, and privacy requirements for connected cars. Christian maintains strong relationships with German and EU data protection authorities, effectively defending clients in investigations. Recognised by Chambers as a top practitioner, he is a noted thought leader in privacy law.

Co-Author
Odey Hardan is an associate in Orrick’s Cyber, Privacy & Data Innovation Group. He provides comprehensive advice on data law and EU digital law, offering strategic guidance to clients and representing them before regulatory authorities and in court proceedings. Prior to joining Orrick, Odey served as a research assistant focusing on European law, authoring several academic papers. During his doctoral studies, he specialised in European, international, and data protection law.
Orrick, Herrington & Sutcliffe LLP Heinrich-Heine-Allee 12 40213 Düsseldorf Germany Tel: +49 211 3678 7316 Email: cschroeder@orrick.com Web: www.orrick.com
Introduction to the Cybersecurity Guide
In recent years, cybersecurity has become a paramount concern for legal professionals, policymakers, and businesses. The increasing frequency and sophistication of cyberattacks have prompted jurisdictions worldwide to enact comprehensive legal frameworks to protect digital infrastructures and ensure the safety of personal and non-personal data.

The recent wave of cybersecurity regulations reflects a global recognition of the critical importance of safeguarding digital assets. These regulations have significant implications for businesses. They underscore the necessity for comprehensive risk management strategies, accountability at the highest levels of management, and the implementation of rigorous security measures across all sectors.

One of the primary implications of these regulations is the heightened accountability placed on organisational leadership. With the mandate for senior executives to oversee cybersecurity measures, laws aim to ensure that cybersecurity is prioritised at the strategic level. This shift in responsibility requires a cultural change within organisations, where cybersecurity is integrated into the core business strategy rather than treated as a peripheral IT issue.

Furthermore, the emphasis on incident reporting and transparency has profound implications for how organisations handle data breaches and cyber incidents. Timely reporting to regulatory authorities and affected parties is not only a legal obligation but also a critical component of maintaining trust and credibility. Organisations must develop clear protocols for incident response and communication to comply with these requirements.

The focus on supply chain security and the resilience of critical infrastructures highlights the interconnected nature of modern digital ecosystems. Cybersecurity cannot be viewed in isolation; it requires an inclusive approach that involves stakeholders across the supply chain. This interconnectedness of services necessitates that organisations conduct thorough assessments of their third-party relationships and implement stringent security controls to mitigate risks.

The European Union (EU) has implemented a series of directives and regulations aimed at enhancing the security of its digital market. One of the cornerstone laws in the EU's cybersecurity framework is the Network and Information Security Directive (NIS2). The NIS2 Directive applies to companies in sectors deemed critical and listed in Annex I and II of the Directive, including digital infrastructure and certain manufacturing industries. Specifically, it affects entities such as internet node operators, DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, and providers of publicly accessible electronic communication services. Additionally, digital service providers like online search engines, online marketplaces, and social networks, as well as manufacturers of electrical equipment, data processing devices, medical devices, and those in the machinery and automotive industries, are also covered. This directive sets out obligations for essential and important entities, such as digital service providers and operators of critical infrastructure, to implement risk management measures, conduct regular cybersecurity audits, and report significant incidents to national authorities. By holding management bodies accountable for compliance, NIS2 ensures that cybersecurity is prioritised at the highest levels of organisational leadership.

In addition to NIS2, the EU has introduced the Digital Operational Resilience Act (DORA), which targets the financial sector. The regulation addresses the critical role of information and communication technologies (ICT) in the financial sector, the vulnerabilities to cyber threats, and the dependencies on external service providers. DORA requires financial entities and critical ICT providers to establish comprehensive ICT risk management frameworks and mandates regular testing of digital operational resilience. This framework should address ICT risks and ensure high digital operational resilience. It must include strategies, policies, procedures, protocols, and applications necessary to protect all information and ICT assets. The principle of proportionality and a risk-based approach are emphasised in DORA, requiring the framework to be tailored to the company’s processes and technical means. To maintain a high level of protection, financial entities must continuously test their digital operational stability. They must develop a programme to assess their defensive readiness, identify vulnerabilities, and implement corrective measures. Tests should be conducted by independent internal or external parties, with sufficient resources provided to avoid conflicts of interest.

The Cyber Resilience Act (CRA) further complements the EU’s cybersecurity framework by addressing the security of products with digital elements. The CRA imposes life cycle security obligations on manufacturers, importers, and distributors, requiring them to conduct cyber-risk assessments, manage vulnerabilities, and report security incidents to the European Union Agency for Cybersecurity (ENISA) within specified timeframes. By focusing on the security of digital products, the CRA aims to mitigate vulnerabilities and enhance user trust in the digital marketplace. The draft CRA complements other legislation like NIS2. It applies to all products connected to other devices or networks, with some exclusions such as open-source software and certain regulated services (eg, medical devices, aviation, and cars).

One of the key challenges in cybersecurity regulation is the harmonisation of standards across jurisdictions. While the EU has made strides in creating a unified cybersecurity framework, achieving global consensus remains a complex task. Differences in legal systems, regulatory approaches, and levels of technological development can hinder efforts to establish common standards. However, international co-operation and dialogue are essential to overcoming these
barriers and creating a cohesive global cybersecurity strategy.

Another challenge lies in the integration of emerging technologies, such as artificial intelligence (AI) and the Internet of Things (IoT), into existing cybersecurity frameworks. These technologies offer tremendous potential for innovation but also introduce new vulnerabilities that must be addressed. The EU’s AI Act, for example, sets standards for the design and operation of AI systems to ensure they are resilient to errors and secure against unauthorised alterations. As technology continues to evolve, legal frameworks must be adaptable to accommodate new developments and address emerging threats.

Public-private partnerships also play a crucial role in enhancing cybersecurity. By collaborating with private sector entities, governments can leverage the expertise, resources, and innovation of industry leaders to strengthen cybersecurity defences. These partnerships facilitate the sharing of best practices, threat intelligence, and technical expertise, leading to more resilient digital infrastructures.

In the EU, initiatives such as the European Cybersecurity Organisation (ECSO) and the European Cybersecurity Competence Centre (ECCC) exemplify the importance of public-private collaboration. These organisations bring together stakeholders from government, industry, and academia to promote research, innovation, and capacity building in cybersecurity. By fostering a collaborative approach, the EU aims to create a secure digital environment that supports economic growth and protects citizens’ rights.

For legal professionals, navigating the complexities of cybersecurity law requires a deep understanding of both the regulatory landscape and the technical aspects of cybersecurity. The path forward involves balancing innovation with regulation, ensuring that legal frameworks are both comprehensive and adaptable to emerging threats. By focusing on the implications of recent regulations and adopting forward-thinking strategies, governments and organisations can enhance their cybersecurity defences and protect their digital assets.
AUSTRALIA
Law and Practice
Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis
Contents
1. General Overview of Laws and Regulators p.10
1.1 Cybersecurity Regulation Strategy p.10
1.2 Cybersecurity Laws p.10
1.3 Cybersecurity Regulators p.12
2. Critical Infrastructure Cybersecurity p.16
2.1 Scope of Critical Infrastructure Cybersecurity Regulation p.16
2.2 Critical Infrastructure Cybersecurity Requirements p.17
2.3 Incident Response and Notification Obligations p.17
2.4 State Responsibilities and Obligations p.19
3. Financial Sector Operational Resilience Regulation p.20
3.1 Scope of Financial Sector Operational Resilience Regulation p.20
3.2 ICT Service Provider Contractual Requirements p.20
3.3 Key Operational Resilience Obligations p.21
3.4 Operational Resilience Enforcement p.22
3.5 International Data Transfers p.22
3.6 Threat-Led Penetration Testing p.24
4. Cyber-Resilience p.24
4.1 Cyber-Resilience Legislation p.24
4.2 Key Obligations Under Legislation p.25
5. Security Certification for ICT Products, Services and Processes p.25
5.1 Key Cybersecurity Certification Legislation p.25
6. Cybersecurity in Other Regulations p.26
6.1 Cybersecurity and Data Protection p.26
6.2 Cybersecurity and AI p.27
6.3 Cybersecurity in the Healthcare Sector p.27
AUSTRALIA Law and Practice Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis
Nyman Gibson Miralis is a market leader in all aspects of general, complex and international criminal law and is widely recognised for its involvement in some of Australia’s most significant cases. The firm’s team in Sydney has expertise in dealing with complex national and international cybercrime investigations and advising individuals and businesses who are the subject of cybercrime investigations. Its expertise includes dealing with law enforcement requests for information from foreign jurisdictions, challenging potential extradition proceedings as well as advising and appearing in cases where assets have been restrained and confiscated worldwide.
Authors
Dennis Miralis is a partner at Nyman Gibson Miralis and a leading Australian defence lawyer who specialises in international criminal law, with a focus on complex multi-jurisdictional investigations and criminal prosecutions. His areas of expertise include cybercrime investigations, anti-bribery and corruption, global tax investigations, proceeds of crime, anti-money laundering, worldwide freezing orders, national security law, INTERPOL Red Notices, extradition and mutual legal assistance law. In 2021 Dennis was awarded a certificate of completion for the “Cybersecurity: The Intersection of Policy and Technology” programme, January 2021, John F. Kennedy School of Government at Harvard University, Executive Education.

Jack Dennis is a senior criminal defence lawyer who practises in international and domestic criminal, corporate and tax law at Nyman Gibson Miralis. His international criminal work includes transnational criminal and regulatory investigations, liaising with foreign legal and regulatory bodies, as well as advising clients on matters concerning international public law. Domestically, Jack has advised on a range of criminal issues and investigations, including white-collar crime, fraud, sanctions, INTERPOL, extraditions and national security. He also has significant international, corporate and tax experience, having advised on cross-border transactions and disputes involving foreign and domestic corporations and individuals, across the software, financial services and crypto industries.
Nyman Gibson Miralis Level 9, 299 Elizabeth Street Sydney NSW 2000 Australia Tel: +61 292 648 884
Email: dm@ngm.com.au Web: www.ngm.com.au
1. General Overview of Laws and Regulators
1.1 Cybersecurity Regulation Strategy
On 22 November 2023 the Australian government released the 2023-2030 Australian Cyber Security Strategy (the “Strategy”), with the aim of strengthening Australia’s cyber defences and supporting people and businesses to be resilient to and recover quickly from cyber-attacks. Alongside the Strategy was the 2023-2030 Australian Cyber Security Strategy: Action Plan (the “Action Plan”) setting out three “Horizons”, which culminate in Horizon 3 with Australia as a leader of the global frontier in developing cyber technologies and adapting to risks and opportunities. Currently, Australia is in the final year of Horizon 1 (“Strengthen our foundations”), whereby it is aiming to address critical gaps, build protections and support “initial cyber maturity uplift”, with the government setting itself up for Horizon 2 (“Expand our search”) come 2026, which aims to scale cyber maturity across the whole economy, make investments and grow a diverse cyber workforce.

The government has grounded its vision in six “shields” or “layers of defence” comprising the businesses and citizens, safe technology, world-class threat sharing and blocking, protected critical infrastructure, sovereign capabilities, and resilient region and global leadership. It has set out in its Action Plan different actions and objectives for each shield, some of which can be seen through recent reform and others not. Although 2025 is the final year of Horizon 1, it is also the first year that the Action Plan is set to be reviewed; and with the Federal election to take place by May 2025, there may be some changes to the strategy, purposes and actions to come.

1.2 Cybersecurity Laws
Australia has a broad system of federal, state and territory-based laws which govern data protection, cybersecurity and cybercrime.

Data Protection
Entities dealing with personal information in Australia should also be aware of their obligations with respect to:
• the Privacy Act 1988 (Cth) (the “Privacy Act”), which regulates the handling of personal information by “APP entities” pursuant to the Australian Privacy Principles (APPs);
• the Digital ID Act 2024 (Cth) (the “Digital ID Act”), which is intended to embed safeguards for digital ID services and data in addition to the Privacy Act;
• privacy legislation enacted at the state and territory level;
• the My Health Records Act 2012 (Cth) (the “My Health Records Act”), which imposes specific obligations for health information collected and stored in Australia’s national online health database (in addition to the Privacy Act);
• state and territory health records legislation enacted in NSW, Victoria (Vic) and the Australian Capital Territory (ACT); and
• federal, state and territory surveillance legislation, which regulates video surveillance, computer and data monitoring, GPS tracking and the use of listening devices on individuals.
Further definitions and details on the Privacy Act are set out in 6.1 Cybersecurity and Data Protection.

Cybersecurity
Cybersecurity laws in Australia are primarily governed under sector-specific federal laws, and include the following.
• Critical infrastructure: this sector is regulated under the Security of Critical Infrastructure Act 2018 (Cth) (the “SOCI Act”), which imposes registration, reporting and notification obligations on owners and operators of critical infrastructure and empowers the Australian government to gather information and issue directions where there is a risk to security. More details are in 2. Critical Infrastructure Cybersecurity.
• Telecommunications: this sector is regulated by dual legislation, being:
(a) the Telecommunications Act 1997 (Cth) (the “Telecommunications Act”), which imposes security and notification obligations on Australian telecommunications providers and empowers the Australian government to gather information and issue directions; and
(b) the Telecommunications (Interception and Access) Act 1979 (Cth) (the “TIA Act”), which prohibits the interception of communication and access to stored communication data, except for certain law enforcement and national security purposes.
• Corporate: corporations generally are regulated under the Corporations Act 2001 (Cth) (the “Corporations Act”), which is highly relevant to the cybersecurity space. For example, the director’s duty to exercise “care and diligence” (Section 180) is equally relevant here.
• Financial services: certain financial, insurance and superannuation entities are regulated through standards, including the Prudential Standard CPS 234 on Information Security (CPS 234), issued by the Australian Prudential Regulation Authority (APRA). Additionally, entities in the financial services sector have specific obligations under the Corporations Act, such as adequate risk management systems to hold a financial licence (Section 912A).
There are additional laws that are highly relevant to the cybersecurity space but are less sector-specific, such as consumer law, specifically the Competition and Consumer Act 2010 (Cth) (the “Consumer Act”), which addresses consumer affairs, including consumer data protection and cyberscams.

Cybercrime
Overlaying the above are various cybercrime offences in Australia at the federal, state and territory levels. These offences broadly encompass two categories:
• offences that are directed at computers or other devices and involve hacking-type activities; and
• cyber-enabled offences where such devices are used as a key component of the offence, including in online fraud, online child abuse offences and cyberstalking.
Federally, cybercrime is criminalised under Parts 10.6 and 10.7 of the Schedule to the Criminal Code Act 1995 (Cth) (the “Criminal Code”), which set out a variety of offences with maximum penalties ranging from fine-only through to life imprisonment. Organisations should note that in addition to the Criminal Code:
• the TIA Act also makes it a federal offence for an individual to (without authorisation) intercept or access private telecommunications without the knowledge of those involved; and
• state and territory laws criminalise computer offences similar to those criminalised under the Criminal Code (eg, Part 6 of the Crimes Act 1900 (NSW) provides for multiple computer offences regarding unauthorised access, modification or impairment of restricted data and electronic communications).
Australian states and territories also have their own criminal laws which govern cybercrime offences.

Other Laws
Areas that are also related to cybersecurity include:
• the Broadcasting Services Act 1992 (Cth) (the “Broadcasting Act”), which regulates broadcasting services through internet and other means in Australia and enables the creation of industry codes of practice regulating the content of such services;
• the Online Safety Act 2021 (Cth) (OSA), which establishes complaint systems for cyberbullying of children, non-consensual sharing of intimate images, cyber-abuse of adults, and the online/social media availability of content that would be subject to broadcasting classifications (restricted or age 18 years and over);
• the Spam Act 2003 (Cth) (the “Spam Act”), which prohibits the use of electronic communications for the purpose of sending unsolicited marketing materials to individuals; and
• the Do Not Call Register Act 2006 (Cth) (the “DNCR Act”), which prohibits unsolicited telemarketing calls being made to phone numbers registered on a Do Not Call Register.

1.3 Cybersecurity Regulators
Australia has a range of federal, state and territory regulators and agencies which deal with cybersecurity. The overarching government agencies are:
• the Department of Home Affairs (DoHA); and
• the Australian Signals Directorate (ASD).
The key regulators and enforcement bodies include:
• the Office of the Information Commissioner (OAIC);
• the Critical Infrastructure Centre (CIC);
• the Australian Communications and Media Authority (ACMA);
• the Australian Securities and Investments Commission (ASIC);
• the Australian Prudential Regulation Authority (APRA); and
• the Australian Competition and Consumer Commission (ACCC).
Specifically in relation to criminal enforcement, the following regulators are key:
• the Australian Federal Police (AFP);
• the Commonwealth Director of Public Prosecutions (CDPP);
• the Australian Security Intelligence Organisation (ASIO);
• the Australian Transaction Reports and Analysis Centre (AUSTRAC); and
• the Australian Criminal Intelligence Commission (ACIC).
Each of the above is addressed below.

Overarching Government Agencies
DoHA
The DoHA is the lead government department for cyberpolicy. The DoHA develops cybersecurity and cybercrime law and policy, implements Australia’s national cybersecurity strategy and responds to international and domestic cybersecurity threats and opportunities, including in the areas of critical infrastructure and emerging technologies. The DoHA also has responsibility for cybersecurity and cybercrime operational agencies including the AFP, ACIC, AUSTRAC, and ASIO.

ASD, ACSC and CERT
The ASD is Australia’s operational lead on cybersecurity and plays both a signals intelligence and information security role. The ASD undertakes cyberthreat monitoring and conducts defensive, disruption and offensive cyber-operations offshore to support military operations and to counter terrorism, cyber-espionage and serious cyber-enabled crime. The ASD also advises and co-ordinates operational responses to cyber-intrusions on government, critical infrastructure, information networks and other systems of national significance.

Within the ASD sits the Australian Cyber Security Centre (ACSC). The ACSC drives cyber-resilience across the whole Australian economy including with respect to critical infrastructure, government, large organisations and small to medium businesses, academia, NGOs and the broader Australian community. The ACSC provides general information, advice and assistance to Australian organisations and the public on cyberthreats and it collaborates with business, government and the community to increase cyber-resilience across Australia. The ACSC also runs the Computer Emergency Response Team (CERT), which provides advice and support to industry on cybersecurity issues affecting Australia’s critical infrastructure and other systems of national significance.

Other key government bodies
At this juncture, the following should also be noted.
• The Attorney-General’s Department (AGD) advises government on cybersecurity policies and law, including in relation to human rights, privacy, protective security, international law, administration of criminal justice, and oversight of intelligence, security and law enforcement agencies.
• The Department of Defence (DoD) contributes to Australia’s whole-of-government cybersecurity policy and operations and houses ASD; it also houses the Information Warfare Division, which develops information warfare
capabilities for the Australian Defence Force (ADF).
• The Department of Foreign Affairs and Trade (DFAT) advances Australia’s international cyber-affairs agenda, which includes digital trade, cybersecurity, cybercrime, international security, internet governance and co-operation, human rights and democracy online, and technology for development.

Data Protection and Privacy
The OAIC is the federal privacy and information regulator with a range of functions and powers to investigate and resolve privacy complaints, enforce privacy compliance, make determinations and provide remedies for breaches under the notifiable data breach (NDB) scheme. The OAIC operates by reference to the Privacy Act, the My Health Records Act, the Telecommunications Act, the TIA Act, and recently the Digital ID Act. The remedies range from enforceable undertakings to civil penalties of 2,000 penalty units (approximately AUD626,000), but may also involve imprisonment. Since December 2022, serious and repeated interferences with privacy may attract a penalty of up to:
• for entities, not body corporates – AUD2.5 million; or
• for body corporates – the greater of AUD50 million, three times the value of the benefit attributable to the conduct or 30% of the adjusted turnover for the relevant period.
There are also state and territory privacy commissioners which administer state and territory-based privacy and health information laws. These include:
• the NSW Information and Privacy Commission, which administers, inter alia, the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW); and
• the Office of the Victorian Information Commissioner, which administers the Privacy and Data Protection Act 2014 (Vic), while the Victorian Health Complaints Commissioner handles breaches of the Health Records Act 2001 (Vic).

Critical Infrastructure Cybersecurity
The CIC is part of the DoHA and is the federal regulator of the SOCI Act and certain provisions of the Telecommunications Act, with powers to investigate, audit and enforce on compliance matters. The CIC also has the ability to make recommendations to DoHA and the Home Affairs Minister on whether their information-gathering powers and directions powers should be exercised. The CIC also has enforcement powers which allow it to issue penalties for non-compliance that range from performance injunctions, enforceable undertakings and civil penalties of up to 250 penalty units (AUD78,250) to seeking two years’ imprisonment.

Telecommunications, Broadcasting and Marketing Cybersecurity
The ACMA is Australia’s regulator for broadcasting, telecommunication and certain online content and provides licensing to industry providers. ACMA has specific regulatory powers under the Telecommunications Act, the TIA Act, the Spam Act, and the DNCR Act to investigate and resolve complaints and enforce compliance. In dealing with non-compliance, ACMA is empowered to issue warnings, infringement notices, enforceable undertakings and remedial directions. ACMA
14
CHAMBERS.COM
AUSTRALIA Law and Practice Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis
is further able to cancel or impose conditions on licences and accreditations. The ACMA also has the ability to commence civil proceedings or refer matters for criminal prosecution.
Additionally, the Office of the eSafety Commissioner (the "eSafety Commissioner") has powers to promote and regulate online safety with respect to telecommunications, broadcasting and other online industries. However, the eSafety Commissioner cannot investigate matters of cybercrime. Its remedies include takedown notices and blocking directions.
Corporations, Consumers and Financial Services Cybersecurity
ASIC is Australia's corporate, market and financial services regulator. It is empowered under the Corporations Act to investigate and bring actions against corporations, directors and officers for non-compliance with the Corporations Act, which, in some circumstances, may involve cybersecurity issues. It regulates publicly listed corporations under the Corporations Act and may investigate issues which touch on cybersecurity.
APRA regulates certain finance, banking, insurance and superannuation entities and has issued the information security standard CPS 234. APRA has powers to supervise, monitor and intervene in matters of cybersecurity for regulated entities and has a range of enforcement powers to deal with breaches of its standards. These include issuing infringement notices, giving directions, accepting enforceable undertakings, imposing licence conditions, disqualifying senior officials and commencing court-based action.
The ACCC is Australia's competition regulator and consumer protector and may, where appropriate, undertake enforcement action against breaches of the Consumer Act, including breaches involving cybersecurity, cybercrime and cyberscam issues. The ACCC additionally:
• administers the Consumer Data Right (CDR) regime;
• co-regulates (with the OAIC) the Digital ID Act; and
• hosts the Scamwatch website, which provides public information, alerts and access to complaints mechanisms on a wide range of consumer scams, including scams perpetrated online.
Also relevant for the financial sector is that the OAIC regulates the aspects of the Privacy Act which deal with credit reporting obligations and the credit reporting code, which imposes certain conditions on entities that hold credit-related personal information.
Cybercrime
Cybercrime at the federal level is investigated and enforced by the AFP and prosecuted by the CDPP. The AFP has a dedicated cybercrime operations team comprising investigators, technical specialists and intelligence analysts who operate across multiple jurisdictions to conduct cyber-assessments and to triage, investigate and disrupt cybercrime. More specifically:
• the ACIC is Australia's national criminal intelligence agency – it has broad investigative and coercive powers and shares information between all levels of law enforcement;
• AUSTRAC is the domestic watchdog for Australia's anti-money laundering and counter-terrorism financing measures – it supports law enforcement operations involving cybercrime financing; and
• ASIO investigates cyber-activity involving espionage, sabotage and terrorism-related activities – ASIO also contributes to the investigation of computer network operations directed against Australia's systems.
State and territory-based police and prosecution agencies investigate, enforce and prosecute state and territory cybercrimes.
2. Critical Infrastructure Cybersecurity
2.1 Scope of Critical Infrastructure Cybersecurity Regulation
Australia's critical infrastructure and assets are regulated through Commonwealth, state and territory legislation, with a particular emphasis on the SOCI Act. That said, there is broader legislation, such as the Privacy Act and the Cyber Security Act, and more sector-specific legislation, such as the Telecommunications Act, that cannot be ignored.
SOCI Act (and TSSR)
The SOCI Act currently regulates certain assets across eleven sectors: communications, data storage and processing, financial services, energy, food and grocery, health and medical, higher education and research, space technology, transport, water and sewerage, and the defence industry. From November 2025, telecommunications security obligations (which currently sit under the Telecommunications Sector Security Reforms (TSSR)) will be moved into the SOCI Act, a change implemented by the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) (the "2024 SOCI Amendment Act").
Notwithstanding recent reforms which clarified the SOCI Act, the exact parameters of the legislation are broad and complex, and extend to various participants in a supply chain, including "responsible entities", "reporting entities", "direct interest holders", "managed service providers" and "operators". Some of these definitions are asset-specific, but for our purposes it is important to note that a "responsible entity" is generally the entity that owns, is licensed for or is otherwise responsible for operating the asset. Further, despite the imminent shift of the TSSR and its obligations to the SOCI Act, these obligations remain in force and apply to the relevant infrastructure as is. The TSSR are applicable to carriers, carriage service providers and carriage service intermediaries.
Cyber Security Act
Additionally, there are cybersecurity obligations imposed on critical infrastructure under the Cyber Security Act where the entity constitutes "a reporting business entity". A "reporting business entity" is an entity that:
• is carrying on a business in Australia with an annual turnover for the previous financial year that exceeds the "turnover threshold for that year" (to be determined) but is not a Commonwealth body, state body or responsible entity for a critical infrastructure asset; or
• is a responsible entity for a critical infrastructure asset "to which Part 2B of the Security of Critical Infrastructure Act 2018 applies", as defined in the rules or a declaration – at the time of writing, these were prescribed in the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (the "SOCI Application Rules") and include most infrastructure assets.
2.2 Critical Infrastructure Cybersecurity Requirements
The SOCI Act imposes requirements on owners and operators of assets across various fields. The exact requirements vary depending on the particular asset/industry, but may include a requirement to:
• register with the Register of Critical Infrastructure Assets;
• provide ownership and operational information;
• notify the government of certain cyber-incidents;
• implement and comply with a critical infrastructure risk management programme (CIRMP); and
• if "business critical data" is processed or stored by a third party on a commercial basis, take reasonable steps to notify that third party.
Further still, the SOCI Act and associated rules impose enhanced cybersecurity obligations on assets designated as "systems of national significance" (SoNS). These must be assets that are already considered a "critical infrastructure asset" and that are also of "national significance". These designations are private and confidential so as to avoid publicising their significance to malicious actors. Reports indicate that over 200 systems have been designated to date. A responsible entity for a SoNS may be required to:
• fulfil statutory response planning obligations;
• undertake a cybersecurity exercise (see 3.6 Threat-Led Penetration Testing);
• undertake a vulnerability assessment (see 3.6 Threat-Led Penetration Testing); and
• where the system is a computer or needs a computer to operate, provide periodic reports, provide event-based reports or install software that transmits system information to the ASD.
It is also worth noting that the SOCI Act includes:
• an information-gathering power for the Secretary of the DoHA to monitor compliance; and
• a directions power for the Home Affairs Minister to direct regulated entities to do or not do a specified thing that is reasonably necessary to protect critical infrastructure from national security risks.
2.3 Incident Response and Notification Obligations
Mandatory Incident Reporting Obligations
SOCI Act
As mentioned above, the SOCI Act and associated rules impose reporting obligations on various entities.
Responsible entities must report cybersecurity incidents that have a significant or relevant impact on their asset. In other words, a "responsible entity" must make a report when it becomes aware of the following.
• A "cyber security incident" that "has had, or is having, a significant impact (whether direct or indirect) on the availability of the asset" – such a "significant impact" is defined as being where "the incident has materially disrupted the availability of [the] essential goods or service" that the asset is used to provide. The report must be made "as soon as practicable, and in any event within 12 hours, after the entity becomes aware". If the initial report is oral, a written report must be made within 84 hours after the oral report is given.
• A "cyber security incident" that "has had, or is having, or is likely to have, a relevant impact on the asset" – such a "relevant impact" is defined (for critical infrastructure assets) as a (direct or indirect) impact on the availability, integrity or reliability of the asset, or on the confidentiality of information about the asset, information stored on the asset or computer data constituting the asset. The report must be made "as soon as practicable, and in any event within 72 hours, after the entity becomes aware". If the initial report is oral, a written report must be filed within 48 hours of the oral report.
A "cyber security incident" is:
• unauthorised access to, or modification of, computer data or a computer program;
• unauthorised impairment of electronic communications to or from a computer (but not "a mere interception of any such communication"); or
• unauthorised impairment of the availability, reliability, security or operation of computer data, a computer program or a computer.
Either of these reports must be given to the ASD (unless another relevant Commonwealth body is specified in the rules). Failing to make a report at all, to make it in writing or to make it in the approved form can each be punished by an AUD16,500 fine.
Cyber Security Act
Irrespective of whether the cybersecurity incident meets the above significance or relevance thresholds, most critical infrastructure assets (being "a reporting business entity") have additional reporting obligations under the Cyber Security Act.
In summary, there is an obligation to report to the ASD (or another designated Commonwealth agency) where:
• there is a cybersecurity incident that has had, is having, or could reasonably be expected to have a (direct or indirect) impact on a reporting business entity;
• an entity (the extorting entity) demands a benefit; and
• the reporting business entity (or a third party on its behalf) makes the ransomware payment.
Such a report must be given within 72 hours of the reporting business entity becoming aware of the payment and must contain certain information.
A "cyber security incident" for these purposes is broader than under the SOCI Act, as it not only includes any such incident that falls within the scope of the SOCI Act, but is presumed to include any incident:
• involving unauthorised impairment of electronic communication to or from a computer (per the SOCI Act), including mere interception of any such communication; and
• where the incident is, or is reasonably expected to be, effected by means of a "telegraphic, telephonic or other like service", if the incident has, probably has or is reasonably expected to have impeded or impaired "the ability of a computer to connect to such a service", or has, probably has or is reasonably expected to have prejudiced Australia's social/economic stability, defence or national security.
Voluntary Incident Reporting Obligations
The ACSC has a cyber-incident reporting portal through which critical asset owners are encouraged to voluntarily report cybersecurity incidents. Any impacted entity carrying on a business in Australia, or otherwise a responsible entity for critical infrastructure, is now statutorily encouraged to make voluntary reports to the NCS Coordinator under the Cyber Security Act, even where it is unclear whether an incident is a cybersecurity incident.
Other Mandatory Reporting Obligations
Other reporting obligations under the SOCI Act for critical infrastructure assets include:
• taking reasonable steps to notify a third-party entity if that third party is processing or storing "business critical data" on a commercial basis;
• an ongoing obligation on a "reporting entity" to report a "notifiable event" in relation to an asset, usually within 30 days after the event occurs, which relates to changes in the operational information and interest/control information in relation to "direct interest holders", or the status of an entity as a reporting entity; and
• reporting if a hazard has had a significant relevant impact on a critical infrastructure asset.
See additionally relevant obligations in 6.1 Cybersecurity and Data Protection.
Criminal Offences
Related to infrastructure, Part 10.6 of the Criminal Code places obligations on providers of content or hosting services to notify the AFP of the existence of material depicting "abhorrent violent conduct" (if occurring in Australia) and, in any event, to expeditiously remove or cease to host such material.
2.4 State Responsibilities and Obligations
The Australian government considers "the responsibility for ensuring the continuity of operations and the provision of essential services to the Australian economy and community" as being shared "between owners and operators of critical infrastructure, state and territory governments and the Australian Government".
Generally speaking, government bodies may also be captured within the scope of legislative regimes such as the Privacy Act, and therefore have the same (or similar) obligations as their private-sector counterparts. However, the SOCI Act does not apply to the Commonwealth or a body corporate established under Commonwealth law unless so declared or prescribed.
The Australian government is responsible for the "final defence" of Australian infrastructure and cybersecurity. To this end, the SOCI Act grants the Minister last-resort "government assistance measures" and powers where a cybersecurity incident relates to a declared national emergency, or else where there is a material risk that a cybersecurity incident has, is or will likely seriously prejudice Australia's social or economic stability, defence or national security. These include the heavily circumscribed ministerial power to request an authorised agency to intervene in relation to computer-related activities where an entity is unwilling or unable to respond to an incident.
Additionally, the Cyber Incident Review Board (CIRB) has been established as an independent statutory advisory body responsible for conducting no-fault, post-incident reviews of significant cybersecurity incidents in Australia. The CIRB's post-review report will contain recommendations to government and industry about actions to prevent, detect, respond to or minimise the impact of future cybersecurity incidents of a similar nature.
In pursuit of national cohesion, the state authorities adopt the following approaches.
• The ACSC facilitates information sharing and collaboration across the private, public and NGO sectors to develop collective cyber-resilience and to respond to cyber-incidents. In this regard, the ACSC has commenced: a partnership programme, involving the private, public and NGO sectors, to enable information sharing and network hardening; and an alert service, which provides information on recent cyber threats as well as prevention and mitigation advice.
• The Joint Cyber Security Centres (JCSC) are state-based agencies which collaborate with organisations across the private, public and NGO sectors on cybersecurity and cybercrime threats and response options.
3. Financial Sector Operational Resilience Regulation
3.1 Scope of Financial Sector Operational Resilience Regulation
Even for the financial sector, there is a patchwork of legislation covering operational resilience, leading to variation in scope. This legislation includes the SOCI Act, the Corporations Act, the Banking Act 1959 (Cth) and the Insurance Act 1973 (Cth).
Corporations Act
As a starting point, the Corporations Act imposes a duty to exercise "care and diligence" on all directors and officers of corporations (Section 180), which inherently involves considerations
relating to cybersecurity resilience. More specifically, the Corporations Act requires corporations holding financial services licences to have adequate risk management systems (Section 912A).
CPS 234
On top of this, APRA's CPS 234 regulates information security standards for APRA-regulated financial, insurance and superannuation entities.
Other Legislation (SOCI Act and Cyber Security Act)
Additionally, other legislation and regulation applicable to sectors beyond the financial sector is equally relevant here. This includes the SOCI Act, since the financial services and markets sector falls within its scope, so as to include certain banking assets, superannuation assets, insurance assets and financial market infrastructure assets (see 2. Scope of Critical Infrastructure Cybersecurity). Each of these is, in turn, defined and covers a range of assets owned or operated by entities that are Australian market licensees, CS facility licensees, benchmark administrators and more, most with the underlying condition that the asset is "critical to the security and reliability of the financial services and markets sector".
Those that fall outside the scope of the SOCI Act may fall within the scope of the Cyber Security Act, which imposes reporting obligations on "reporting business entities". See 2. Scope of Critical Infrastructure Cybersecurity.
3.2 ICT Service Provider Contractual Requirements
Information and communications technology (ICT) service providers are not expressly defined in Australia. However, legislation does address "data processing or storage" assets and providers. Such an asset may be considered itself