On 21 November 2023, the Australian Government released the 2023-2030 Australian Cyber Security Strategy (Strategy), setting out a seven-year plan to strengthen national resilience by improving Australia’s approach to cyber security, including managing emerging risks, and supporting citizens and businesses to navigate the increasingly complex cyber environment around them.
The Strategy is structured in three phases: Horizon 1 (2023-25), Horizon 2 (2026-28) and Horizon 3 (2029-30). As Horizon 1 draws to a close and Horizon 2 prepares to commence, this article provides a timely summary of Horizon 1’s key outcomes, the objectives and early developments shaping Horizon 2, and the practical implications of both for Australian businesses.
The implementation of the Strategy, following Horizon 1 and leading into Horizon 2, marks a significant expansion of cyber-security obligations from a focus on critical infrastructure and large organisations to virtually the whole economy, including Small and Medium Enterprises (SMEs) and not-for-profit organisations (NFPs). For Australian businesses of all sizes, this serves as a timely reminder to review governance frameworks, take proactive steps to comply with evolving legal requirements, and strengthen measures to mitigate cyber-security risks.
Horizon 1
Horizon 1 of the Strategy was aimed at strengthening cyber resilience for Australian citizens, businesses, critical infrastructure and the broader economy.[1] A key focus of this phase was the introduction of core law reforms, streamlined reporting processes, and improved incident response mechanisms.
In line with these objectives, on or around 25 November 2024, the Federal Government passed a suite of legislative reforms collectively referred to as the ‘Comprehensive Cyber Security Legislation’, comprising the:
- Cyber Security Act 2024;
- Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024; and
- Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024,
(together, the 2024 Legislative Package).
These reforms implemented several proposals outlined in the Strategy.
Key highlights of the 2024 Legislative Package include:
- First comprehensive, economy-wide cyber-security regime: Australia has moved beyond piecemeal, sector-specific laws to a unified national framework grounded in the Strategy;
- Expanded scope of critical infrastructure: the legislation now includes data-storage systems, reflecting the reality that cyber risk is no longer confined to physical assets;
- Clarified reporting obligations with protections: the introduction of a “no-fault, no-liability, non-admissibility” regime incentivises businesses to report incidents and promotes transparency.
While a detailed summary of all reforms pursuant to Horizon 1 is beyond the scope of this article, the most notable outcomes for Australian businesses include the introduction of mandatory reporting of ransom payments, and the new voluntary information-sharing regime. For more detail on these specific reforms, see our previous article, ‘New Cyber Security Regulations: An Insight Into New Reporting Obligations For Ransomware Attacks’.
These reforms are only part of the legislative outcomes of Horizon 1, and a summary of the overall achievements and outcomes of Horizon 1 is detailed in the ‘Charting New Horizons 2 Policy Discussion Paper’.
In light of these changes, Australian businesses should, if they have not already done so, review their cyber-security governance, risk management, and policies to ensure compliance with the new obligations.
Horizon 2
Horizon 2 of the Strategy seeks to scale Australia’s cyber maturity across the entire economy, make further investments in the broader cyber ecosystem, continue the growth of Australia’s cyber industry, and develop a diverse cyber workforce.[2]
Key objectives of Horizon 2 include:
- embedding cyber standards and literacy throughout society;
- empowering SMEs, NFPs, and individual citizens with accessible and effective cyber-security controls;
- harmonising regulation across sectors to ensure consistency and proportionality; and
- strengthening workforce capability, including training and upskilling.
In anticipation of Horizon 2, preparatory work is already underway. On or around 29 July 2025, the government published a Policy Discussion Paper titled ‘Charting New Horizons: Developing Horizon 2’, seeking public consultation and feedback from industry, businesses, experts, and citizens on the priorities and design of Horizon 2. Submissions were collected between 29 July and 29 August 2025, with over 170 responses received, some of which are publicly available on the Department of Home Affairs website. An industry co-design process is now underway to translate this feedback into specific, implementable actions and initiatives under Horizon 2.
From the submissions received, stakeholders have made several key recommendations for Horizon 2, including:
- uplifting research and development across the economy, particularly for emerging technologies critical to sectors such as water, energy, health and transport;[3]
- expanding professional development, micro-credentials, and cyber-security training to address the skills gap, with particular focus on SMEs and NFPs, which are often more vulnerable to cyber threats;[4]
- broadening cyber-security awareness campaigns to target schools, youth, SMEs, and NFPs, raising baseline cyber literacy across society;[5] and
- ensuring regulatory balance, with obligations designed to be proportionate, consistent, and predictable, particularly for smaller organisations with limited resources.[6]
We now await the outcome of the industry co-design process and the resulting concrete initiatives, regulatory guidance and support measures that will be implemented under Horizon 2.
Lavan Comment
From a legal and regulatory perspective, Horizon 2 is likely to broaden cyber-security obligations from a limited set of entities – critical infrastructure and large organisations – to virtually the entire economy, including SMEs, NFPs, and even individual citizens. This expansion carries several important implications for Australian businesses, including:
- introduction of new regulatory instruments: businesses can expect additional laws, standards, and possibly certification schemes that go beyond the 2024 Legislative Package implemented under Horizon 1; and
- shifts in compliance obligations: cyber security will no longer be optional; it will be regulated, expected, and possibly subject to audit. This increases the compliance burden, particularly for SMEs and NFPs.
Australian businesses of all sizes should proactively review governance, risk management, and compliance frameworks to ensure ongoing compliance with obligations implemented under Horizon 1 and to prepare for the evolving requirements of Horizon 2. Strengthening internal policies and practices and taking active steps to enhance overall cyber resilience is essential to address both regulatory obligations and emerging cyber risks. Recommended actions include:
- reviewing internal procedures, policies, and guidelines;
- providing staff training on cyber-security, risks and internal procedures;
- assessing third-party and supply-chain risks;
- uplifting incident-response capabilities; and
- monitoring and tracking new regulations as they emerge.
By undertaking these measures, businesses can position themselves to meet regulatory expectations, mitigate risks, and build a more resilient cyber environment in line with the aims of the Strategy.
For any advice on the Strategy, the 2024 Legislative Package or internal business compliance with cyber security, please contact Iain Freeman, Partner in Lavan’s Dispute Resolution and Investigations team.
Disclaimer
The information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.
Footnotes
1. ‘2023-2030 Australian Cyber Security Strategy Action Plan’ (link).
2. Consultation on developing Horizon 2 of the 2023-2030 Australian Cyber Security Strategy, by the Australian Government, Department of Home Affairs (link).
3. Australian Academy of Technological Sciences & Engineering, ‘submission on developing Horizon 2 of the 2023-2030 Australian Cyber Security Strategy’, dated 29 August 2025 (link).
4. Australian Academy of Technological Sciences & Engineering, ‘submission on developing Horizon 2 of the 2023-2030 Australian Cyber Security Strategy’, dated 29 August 2025 (link).
5. Australian Academy of Technological Sciences & Engineering, ‘submission on developing Horizon 2 of the 2023-2030 Australian Cyber Security Strategy’, dated 29 August 2025 (link).
6. Law Council of Australia, submission to the ‘2023-2030 Australian Cyber Security Strategy Discussion Paper’, dated 26 November 2024 (link).