Software & SaaS compliance in the Australian Capital Territory
Federal and ACT-specific compliance obligations for software and SaaS businesses operating in the Australian Capital Territory.
Total obligations: 11
ACT-specific: 0
ACT regulators: 5
Federal obligations also applicable
Report cyber security incidents to ASD (SOCI)
Critical infrastructure asset operators must report critical incidents within 12 hours and other incidents within 72 hours.
Adopt Essential Eight Maturity Level 2 (federal subcontractors)
Federal government contractors handling OFFICIAL: Sensitive must meet Right Fit For Risk (RFFR) including E8 ML2.
Notify the OAIC and affected individuals of eligible data breaches
Eligible data breaches must be notified to OAIC and affected individuals 'as soon as practicable'.
Comply with online safety industry codes (Phase 1 + 2)
Eight industry sections covered by binding codes under the Online Safety Act 2021.
Comply with Basic Online Safety Expectations + industry codes
Social media services, app distribution services, and other captured providers must meet the BOSE and industry codes.
Publish a Privacy Policy compliant with APP 1
Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.
Avoid unfair contract terms in standard form consumer & small business contracts
From November 2023, unfair contract terms carry pecuniary penalties — up to $100M per term (from 28 March 2026).
Honour consumer guarantees under the Australian Consumer Law
Goods and services supplied to consumers come with automatic statutory guarantees that cannot be excluded.
Comply with the Spam Act 2003 (consent, identify, unsubscribe)
All commercial electronic messages must have consent, identify the sender, and offer a working unsubscribe.
Mandatory AI guardrails for high-risk AI (in development)
Australian Mandatory Guardrails for High Risk AI Settings — Treasury consultation in 2024/2025.
Adopt the Voluntary AI Safety Standard (DISR 2024)
10 voluntary guardrails for safe + responsible AI deployment; mandatory regime in development.