Compliance for Software & SaaS
Tech companies — captured by Privacy Act, Online Safety Act, AI Voluntary Standard, and SOCI if critical-infrastructure-aligned.
Published obligations that apply to software & saas (11)
- criticalCWLTHNotifiable Data Breach (NDB) scheme
Under the NDB scheme, APP entities must notify the OAIC and affected individuals of an eligible data breach likely to cause serious harm — assessed within 30 days.
- criticalCWLTHReport cyber security incidents to ASD (SOCI)
Critical infrastructure asset operators must report critical incidents within 12 hours and other incidents within 72 hours.
- criticalCWLTHAdopt Essential Eight Maturity Level 2 (federal subcontractors)
Federal government contractors handling OFFICIAL: Sensitive must meet Right Fit For Risk (RFFR) including E8 ML2.
- criticalCWLTHComply with online safety industry codes (Phase 1 + 2)
Eight industry sections covered by binding codes under the Online Safety Act 2021.
- highCWLTHComply with the Spam Act 2003 (consent, identify, unsubscribe)
All commercial electronic messages must have consent, identify the sender, and offer a working unsubscribe.
- highCWLTHAvoid unfair contract terms in standard form consumer & small business contracts
From November 2023, unfair contract terms carry pecuniary penalties — up to $100M per term (from 28 March 2026).
- highCWLTHComply with Basic Online Safety Expectations + industry codes
Social media services, app distribution services, and other captured providers must meet the BOSE and industry codes.
- highCWLTHHonour consumer guarantees under the Australian Consumer Law
Goods and services supplied to consumers come with automatic statutory guarantees that cannot be excluded.
- highCWLTHPublish a Privacy Policy compliant with APP 1
Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.
- mediumCWLTHMandatory AI guardrails for high-risk AI (in development)
Australian Mandatory Guardrails for High Risk AI Settings — Treasury consultation in 2024/2025.
- mediumCWLTHAdopt the Voluntary AI Safety Standard (DISR 2024)
10 voluntary guardrails for safe + responsible AI deployment; mandatory regime in development.