Ongoing consultations on cybersecurity reform and ASIC enforcement attitudes, proposed legislation prohibiting unfair trading practices and recent developments to online safety legislation are rapidly evolving the digital and consumer regulatory landscape. This is affecting how technology, media and telecommunications (TMT) companies operate day-to-day.
Find out more about changes to digital infrastructure and emerging technology regulation, and to privacy, surveillance and spam, in parts 1 and 2 of our series on reform and regulation across TMT.
Cybersecurity reform in Australia
Ongoing consultations
The federal government is consulting on amendments to the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules (LIN 23/006) 2023 (CIRMP Rules) for high‑risk asset classes (including, among others, energy market operators, electricity and gas). This is in response to Australia's evolving cyber threat landscape, in which AI and rapid digitisation have accelerated the creation of new attack vectors.
If left unchecked, these risks could significantly affect the nation's critical assets. The Australian Signals Directorate's (ASD) Annual Cyber Threat Report 2024–25 records that critical infrastructure accounted for 13% of more than 1,200 reported incidents (up 2% from the previous year). Foreign ownership, control or influence (FOCI) and espionage in particular are being linked to this heightened risk. The threat is not theoretical. For instance, in the United States, undeclared communications modules have been identified in certain foreign state‑manufactured solar inverters installed on critical energy assets, enabling remote changes to settings and risking grid instability. Similar inverters have also been deployed in Australia's energy sector. The ASD further estimates that insider threats (including state or state‑sponsored activity) have cost Australian businesses up to $324.8 million.
The key proposals are summarised below by hazard category:

| Hazard category | Proposal |
| --- | --- |
| All‑hazards | Entities must consider and address risk advice as specified by the Department of Home Affairs (the Department). CIRMPs must also address material FOCI risks. |
| Cybersecurity | Entities must comply with maturity level 2 of a revised list of updated cyber maturity frameworks, ensure critical systems are segregated, and implement phishing-resistant multi-factor authentication with robust logging and review protocols. The Department can also specify cyber and information hazards that are to be addressed in CIRMPs. |
| Supply chain | Entities must map their supply chain for major suppliers and critical systems. CIRMPs must include processes to manage vendor risks, particularly those related to FOCI. |
| Personnel security | Entities must have personnel security plans, identify all critical workers and conduct AusCheck background checks for onshore critical staff before employment and at least every five years. The Department can also specify personnel-related hazards that are to be addressed in CIRMPs. |
Consultation on the enhanced CIRMP Rules closed on 13 February 2026.
This uplift complements the Independent Review of the Security of Critical Infrastructure Act 2018 (Cth) and the development of Horizon 2 of the 2023–2030 Australian Cyber Security Strategy. While Horizon 1 (2023–2025) addressed critical gaps and foundational capabilities, Horizon 2 (2026–2028) aims to scale maturity across the economy and invest in the broader cyber ecosystem, with a focus on awareness, literacy, support for small entities and victims, and more harmonised regulation. Although submissions on the Charting New Horizons: Developing Horizon 2 of the 2023–2030 Australian Cyber Security Strategy Policy Discussion Paper (published 29 July 2025) have closed, targeted engagement and industry co‑design are continuing.
ASIC enforcement attitude
Regulatory focus is intensifying. The Australian Securities and Investments Commission's (ASIC) 2025 enforcement priorities included action against 'licensee failures to have adequate cybersecurity protections', with ASIC commencing proceedings in 2025 against FIIG Securities and Fortnum Private Wealth, alleging failures to adequately manage cybersecurity risks and maintain protections. On 9 February 2026, the Federal Court ordered FIIG Securities to pay a $2.5 million penalty and $500,000 for ASIC's legal costs, and undertake a compliance programme relating to cybersecurity and cyber resilience. The enforcement action against Fortnum Private Wealth is expected to carry into the remainder of 2026. See Cybersecurity enforcement intensifies: lessons from FIIG Securities' $2.5m compliance penalty for more details.
Although cybersecurity protection is not expressly listed in ASIC's 2026 priorities, further cyber‑related actions are expected in 2026 as 2025 investigations mature. ASIC has also noted that cyber-attacks, data breaches, and inadequate operational resilience and crisis management that undermine market confidence and harm consumers will be a significant risk area on which it will focus in 2026. This emphasis is directed at safeguarding trust in Australia's financial system.
In addition, boards should note that inadequate cyber risk management can give rise to liability for breach of directors' duties, and failures of directors' duties remain an enduring enforcement priority for ASIC.
While consultation is still underway, boards can expect stricter and more detailed cybersecurity, supply chain and personnel security requirements for critical infrastructure, with regulators focusing on FOCI and overall cyber maturity. To prepare, organisations should proactively review and strengthen their cybersecurity and cyber resilience systems, risk management, supply chain oversight and staff vetting processes, while staying alert to ongoing regulatory changes and enforcement trends.
Australian Consumer Law
Unfair Trading Practices reform
The digitisation of business has increased drastically in recent years, particularly following the COVID-19 pandemic. Consequently, the ACCC has argued that the Australian Consumer Law does not adequately address the potential harms to consumers and small businesses resulting from a rapidly expanding digital era. In particular, it has called for the introduction of an unfair trading practices prohibition to address unfair practices in digital markets (in particular, online retailing environments).
After years of discussion, in February 2026 the Australian government released an exposure draft of an unfair trading practices prohibition. The draft legislation proposes to introduce three new provisions:
- a general prohibition on unfair trading practices (including a 'grey list' of conduct that may contravene the general prohibition);
- specific protections against unfair subscription practices, requiring businesses to improve disclosure of key information about the subscription and simplify cancellation processes; and
- specific additional protections against 'drip pricing' conduct, requiring businesses to disclose hidden costs throughout the purchase process.
In a departure from previously stated positions, the general prohibition would not apply to business-to-business (B2B) conduct involving small business. However, the specific protections against unfair subscription contracts will apply to subscription contracts with small business customers. The government plans to consult on the extent to which the broader regime should apply to B2B conduct.
Whilst the regime would apply to all sectors and trading mediums, the prohibitions are more likely to be used to enforce against conduct in digital and online environments, including the use of 'dark patterns' (i.e. user interfaces or choice architecture alleged to confuse, obstruct or manipulate users to act against their commercial interests).
The core provision of the regime prohibits conduct that does or is likely to unreasonably manipulate the consumer or distort the decision-making environment, and causes or is likely to cause any form of detriment (including non-financial detriment such as wasted time). The explanatory materials expressly identify the use of dark patterns that unfairly nudge or pressure consumers into unintended actions as conduct that would be more likely to contravene the general prohibition, as currently drafted.
The specific prohibitions also target conduct prevalent in digital and online retailing markets. Providers of goods or services under a subscription contract would be required to ensure transparent disclosure of key subscription terms at the time of offer and at regular intervals during the subscription. Further, methods for customers to end subscription contracts would need to be accessible and simple. Compulsory transaction fees (or their calculation methods, as appropriate) would also need to be transparently disclosed with the price for goods or services at all times before purchase.
If adopted, the new laws would come into force on 1 July 2027.
Announcing its compliance and enforcement priorities for 2026–27, the ACCC has forewarned that, once in force, it will 'step up' and actively enforce the unfair trading practices laws against 'manipulative and false practices' by suppliers in digital markets.
As drafted, the proposed unfair trading laws could have significant implications for the practices of a range of businesses operating in digital or online retailing markets. In particular, businesses with a multi-jurisdictional footprint may face the added complexity of ensuring that their practices comply with the new laws in Australia as well as with a patchwork of other rules across the world. Suppliers operating in digital or online retailing markets in Australia should evaluate their practices and seek legal advice well before the new laws come into force.
Online Safety and Social Media
Recent and upcoming changes to the Online Safety Act 2021 (Cth), and the online safety codes and standards which sit beneath that Act, have resulted in a significant increase in obligations, which may apply to online services that are made available in Australia. Providers of online services should consider whether and to what extent each of the following online safety regimes apply to their service, noting current high levels of regulator and public interest (including at an international level) in relation to this ground-breaking legislation.
Social media minimum age obligation
In December 2025, the Online Safety Amendment (Social Media Minimum Age) Act 2024 (Cth) took effect, introducing world-leading minimum age requirements for certain social media services, known as the social media minimum age obligation (SMMA). These restrictions require 'age-restricted social media services' (that is, services with the sole or a significant purpose of enabling online social interaction between end-users) to take reasonable steps to prevent users aged under 16 from holding accounts on that service. Certain categories of services are exempt from the SMMA, including those with the sole or primary purpose of health or education, online gaming, or enabling communication via messaging or email.
There is no formal requirement to complete a SMMA self-assessment or submit this to the eSafety Commissioner. However, it is recommended that services allowing end-users to interact with one another use the eSafety Commissioner's online tool to determine whether they are likely to be captured by the SMMA, and reassess their position whenever any additional social features are added to their service.
The eSafety Commissioner's regulatory guidance outlines the compliance actions that will be considered to be 'reasonable steps' for the purpose of the SMMA. In particular, services must detect and deactivate existing accounts held by under 16s, employ age assurance technologies to prevent under 16s from creating new accounts, prevent circumvention, and minimise the collection of personal information (see our previous insight, Under-16 social media ban: eSafety Commissioner's regulatory guidelines, for further details).
Online Safety Codes and Standards
In 2025, the eSafety Commissioner registered online safety codes and standards targeted at eight sections of industry, including internet carriage services, search engines, social media services, relevant electronic services (services that enable instant messaging), and designated internet services (online services that don't fall into any other category). These regulations were released in two phases, with providers being required to comply with one Phase 1 code or standard, and one Phase 2 code.
The Phase 1 'Unlawful Material Codes and Standards' target the generation, storage, and sharing of illegal content on services made available in Australia, including child sexual assault material and pro-terror material. The Phase 2 'Age-Restricted Material Codes' aim to protect Australian children under 18 from seeing material that is 'lawful but awful', including, for example, pornography and self-harm material (including disordered eating material).
These regulations impose obligations on services on a risk-tier basis, meaning the requirements placed on service providers are proportionate to the risk their service is considered to present. To ensure compliance, service providers must first determine which code or standard applies for each of Phase 1 and Phase 2, and then undertake the required risk assessment before actioning any required compliance uplifts. The obligations range from easy uplifts, such as mandatory additions to the terms of service, to significant technical efforts, such as implementing age assurance to restrict access to services or portions of services for under 18s.
Full compliance with Phase 1 was expected by mid-2025, while full compliance with Phase 2 will generally be expected by March 2026 (depending on which code applies). In December 2025, the eSafety Commissioner released updated regulatory guidance for both Phase 1 and Phase 2, which provides helpful information about determining which obligations apply and how it expects compliance to be actioned. However, we recommend service providers seek tailored advice to navigate this complicated area of regulation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.