The ACSC should become Australia’s cybersecurity regulator

The ACSC should become Australia’s cybersecurity regulator

The ACSC should become Australia’s cybersecurity regulator

https://www.aspistrategist.org.au/the-acsc-should-become-australias-cybersecurity-regulator/

Publish Date: 2026-07-12 16:03:00

Source Domain: www.aspistrategist.org.au

The Australian Cyber Security Centre (ACSC) should evolve into a formal cybersecurity regulator, with a role comparable in principle to what the Therapeutic Goods Administration (TGA) does in Australia’s health sector. The ACSC would have authority to set minimum cybersecurity standards, certify high-risk products and services, investigate major cyber incidents, mandate remediation of systemic vulnerabilities and enforce compliance across critical sectors.

It would be responsible for regulation, compliance, certification and public accountability, while the Australian Signals Directorate (ASD) would continue to lead operational cyber defence, intelligence, and national cyber operations.

Australia’s cybersecurity framework has matured significantly over the past decade but is still largely built around guidance, voluntary compliance and partnership with industry. While this approach has delivered important gains, the growing frequency and severity of cyber incidents suggest it alone is no longer sufficient. Cyber insecurity is increasingly a public safety issue rather than simply an information-technology problem. As cyber vulnerabilities threaten critical infrastructure, essential services, economic stability and national security, Australia should consider establishing a dedicated cyber regulatory framework led by an empowered ACSC.

The logic is straightforward. Governments don’t rely solely on voluntary compliance to ensure the safety and security of medicines, aircraft, food products or nuclear facilities. Regulatory authorities establish standards, certify products and enforce compliance because failures in these sectors can cause widespread harm. The same principle increasingly applies to cybersecurity.

Recent years have demonstrated the consequences of inadequate cybersecurity practices. Data breaches affecting millions of Australians, ransomware attacks against healthcare providers, supply-chain compromises and attacks against critical infrastructure…

Source