Australia’s mandatory ransomware-payment reporting obligation — businesses with annual turnover of $3 million or more must report any ransomware or cyber-extortion payment to government within 72 hours — has changed gear. The first six months after commencement (30 May to 31 December 2025) were run as an education-first period to bed in the reporting form and surface compliance barriers. From 1 January 2026, the Department shifted to active compliance and enforcement.
The practical meaning is that the grace period is over. If your business meets the $3 million threshold (and many SMBs do once you count gross turnover), the 72-hour clock is a real obligation with real scrutiny behind it now — and it sits on top of, not instead of, your Notifiable Data Breach duties to the OAIC.
Don’t wait for an incident to learn the process. Bake the reporting obligation into your incident-response plan: who decides, who reports, what the form needs, and the 72-hour deadline written down. The worst time to discover the requirement is in the middle of the event that triggers it.
