The ACSC should become Australia’s cybersecurity regulator

The ACSC should become Australia’s cybersecurity regulator

The ACSC should become Australia’s cybersecurity regulator

https://www.aspistrategist.org.au/the-acsc-should-become-australias-cybersecurity-regulator/

Publish Date: 2026-07-12 16:03:00

Source Domain: www.aspistrategist.org.au

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points. The Australian Cyber Security Centre (ACSC) should evolve into a formal cybersecurity regulator, with a role comparable in principle to what the Therapeutic Goods Administration (TGA) does in Australia’s health sector. The ACSC would have authority to set minimum cybersecurity standards, certify high-risk products and services, investigate major cyber incidents, mandate remediation of systemic vulnerabilities and enforce compliance across critical sectors.It would be responsible for regulation, compliance, certification and public accountability, while the Australian Signals Directorate (ASD) would continue to lead operational cyber defence, intelligence, and national cyber operations.Australia’s cybersecurity framework has matured significantly over the past decade but is still largely built around guidance, voluntary compliance and partnership with industry. While this approach has delivered important gains, the growing frequency and severity of cyber incidents suggest it alone is no longer sufficient. Cyber insecurity is increasingly a public safety issue rather than simply an information-technology problem. As cyber vulnerabilities threaten critical infrastructure, essential services, economic stability and national security, Australia should consider establishing a dedicated cyber regulatory framework led by an empowered ACSC.The logic is straightforward. Governments don’t rely solely on voluntary compliance to ensure the safety and security of medicines, aircraft, food products or nuclear facilities. Regulatory authorities establish standards, certify products and enforce compliance because failures in these sectors can cause widespread harm. The same principle increasingly applies to cybersecurity.Recent years have demonstrated the consequences of inadequate cybersecurity practices. Data breaches affecting millions of Australians, ransomware attacks against healthcare providers, supply-chain compromises and attacks against critical infrastructure have exposed systemic weaknesses across public and private sectors. While organisations recognise cyber risk, market incentives alone haven’t consistently produced adequate investment in security. In many cases, the costs of cyber failure are borne not only by the affected organisation but also by customers, citizens and the broader economy.The Cyber Security Act 2024 represents an important first step in addressing this challenge. By introducing new cybersecurity obligations, reporting mechanisms and assurance measures, the act signals a shift away from a purely voluntary approach to cyber risk management. However, much like early health and safety legislation that eventually gave rise to modern regulators such as the TGA and the Australian Radiation Protection and Nuclear Safety Agency, the act should be viewed as the beginning rather than the culmination of Australia’s cyber regulatory journey. An empowered ACSC could build upon this foundation by evolving into a dedicated cybersecurity regulator responsible for certification, compliance, enforcement and public accountability across the nation’s most critical digital systems.A cybersecurity regulator would establish mandatory baseline requirements across critical sectors. These standards could include secure-by-design principles, multi-factor authentication, vulnerability management programs, incident reporting obligations and supply-chain assurance measures. Organisations responsible for essential services would be required to demonstrate compliance rather than merely aspire to best practice.One of the regulator’s most important functions would be certification of high-risk technologies and services. Just as medical devices must meet safety standards before entering the market, software and digital products used in critical environments should undergo independent assessment before deployment. This could include industrial control systems, cloud service providers supporting government functions, telecommunications equipment and high-risk artificial intelligence systems. Certification would provide assurance that products meet minimum security requirements before they become embedded in critical national systems.The ACSC should also possess authority to investigate major cyber incidents and mandate remediation where systemic vulnerabilities are identified. At present, organisations may receive advice and support following an incident, but enforcement powers remain limited. A regulator could conduct formal investigations, issue findings, require corrective action and, where necessary, impose penalties for non-compliance. Such powers would create stronger incentives for organisations to prioritise cyber resilience before incidents occur rather than after.Importantly, this model would separate regulatory oversight from operational cyber defence. The ASD would continue to perform its critical functions in cyber threat intelligence, offensive cyber operations, incident response support and national cyber defence. The ACSC, operating as an independent regulatory authority, would focus on standards, certification, compliance monitoring and public accountability. This distinction mirrors arrangements in other sectors where regulators oversee safety, security and compliance while operational agencies manage day-to-day activities and emergency response.There is also a compelling strategic rationale for reform. Australia faces an increasingly contested security environment characterised by intensifying strategic competition, state-sponsored cyber activity and the growing integration of digital technologies into critical infrastructure. Cybersecurity is now inseparable from national resilience. A successful cyberattack can disrupt energy systems, telecommunications, healthcare networks, financial services and government operations without a single shot being fired.Australia has long recognised that some risks are too consequential to be managed through voluntary measures alone. Cybersecurity has reached that threshold. As digital systems become foundational to modern society, governments must move beyond awareness campaigns and advisory guidance toward a mature regulatory model that treats cybersecurity as a matter of public safety and national resilience.The question is no longer whether cyber failures can have national consequences. They already do. The question is whether Australia’s regulatory framework is prepared to address them. Empowering the ACSC as a cybersecurity regulator would be a significant step toward ensuring that it is.