The Australian government has released a new program of work to uplift Australia’s cyber maturity under Horizon 2 of the 2023-2030 Australian Cyber Security Strategy.
As part of this, it has detailed 19 actions and 64 initiatives for government to deliver by the end of 2028 in the Action Plan, with a program of "meaningful, targeted measures".
The actions and initiatives in the Horizon 2 Action Plan will be led or co-led by 12 different Australian Government agencies, supported by numerous contributing agencies.
Horizon 1 began in 2023, when the government's cyber security policy was introduced, and has already seen the government address critical gaps in its cyber shields, build better protections for vulnerable citizens and businesses and support cyber maturity uplift across the region.
In Horizon 2, taking place between 2026 and 2028, the government will aim to make further investments in the broader cyber ecosystem, continuing to scale up the cyber industry and grow a diverse cyber workforce.
SMBs to get new cyber security standard and accreditation scheme
For small and medium businesses, initiatives delivered under Horizon 1 include the Ransomware Playbook, a free online resource that provides guidance to individuals about how to detect and prepare for a ransomware attack, how to respond and report in the event of an attack, and what resources are available to support recovery.
Horizon 1 also included new cyber security requirements for smart devices sold or manufactured in Australia, a Cyber Health Check Tool that provides a basic cyber security assessment for SMBs and a Small Business Cyber Resilience Service, funded by the Australian Government and providing free supports to small businesses, including incident support and cyber ‘first aid’, wellbeing support following an incident, and a private, independent review of a business’ privacy and cyber security posture.
For Horizon 2, the government will establish a new CyberSmart Program to drive cyber security improvements for SMBs, adopting a new cyber security standard and accreditation scheme tailored specifically to the needs and capabilities of small and medium sized businesses.
This will cover the cyber basics and then, using a tiered approach, grow in maturity as a business grows and cyber resilience improves.
The government stated that it will "engage extensively with industry and other stakeholders" on the development of the program, working to ensure that costs remain low and simplicity is at the forefront.
Related to this, it will also create a CyberSmart Trust Mark to demonstrate that an organisation has been certified under the CyberSmart scheme; establish a CyberSmart Hub as a centralised location for program advice and support; and encourage uptake of the new CyberSmart Program through regulatory and policy levers available to government.
This will include risk-based application of CyberSmart in Commonwealth procurement and supply chain management.
In addition to the CyberSmart Program, other initiatives and reforms include improving the cyber security of modems and routers used in small office settings, and creating a voluntary Code of Practice for edge devices provided by internet service providers, reducing exposure to cyber security risk for smaller entities.
Recent expansion of the Digital ID program to the private sector, reducing the need for individuals to share identity documents and for government agencies and businesses to store them, was rolled out at the end of last month.
New frameworks, policies for large organisations and critical infrastructure
In Horizon 1, the Executive Cyber Council, chaired by the Minister for Cyber Security, was established, bringing together C-suite representatives from Australia’s top companies and industry representative groups to strengthen our private/public partnership on cyber security.
Amendments to the Security of Critical Infrastructure Act 2018 were passed to address risks concerning the cyber security of business critical data held by a critical infrastructure asset, bringing security requirements for telecommunications providers into line with other critical infrastructure entities, and the management of secondary consequences of a cyber security incident.
The National Cyber Intel Partnership was also established to encourage larger organisations to share cyber threat intelligence and block cyber threats at scale, with the government running a series of pilots, transitioning outcomes to enhance the Australian Signals Directorate’s threat sharing platform.
The National Office of Cyber Security delivered 12 industry sector-based cyber incident response playbooks to guide how the Australian Government and industry will work together in the event of a cyber security incident.
For Horizon 2, the National Office of Cyber Security Exercise Program will be strengthened and expanded, supporting Systems of National Significance and government supply chains. This will include targeted engagement with supply chain dependencies and delivery of scalable readiness activities across the Australian economy.
Other initiatives and reforms that will support large business and critical infrastructure over Horizon 2 will see the government consult with industry stakeholders and government agencies to enhance legislative and policy levers to ensure ‘upstream entities’ (such as telecommunication providers) can block threats at scale and speed, as well as develop and publish a Vulnerability Disclosure Policy Toolkit that will support large businesses to develop policies to support identification of vulnerabilities in their organisations.
The government will also implement recommendations from the Data Retention Review to introduce a consistent, whole-of-government approach to data retention, simplifying obligations and guidance for industry, as well as aiming to strengthen public, private and international collaboration on AI and quantum security threats, including leadership of the Five Country Ministerial AI Working Group and improved crisis management frameworks for major AI incidents.
Elsewhere, Horizon 2 will aim to prepare government for post-quantum cryptography through mandatory transition planning, updated security policies, and stronger protections under the Protective Security Policy Framework, and separately, will require all Commonwealth agencies to embed cyber security planning in Digital Investment Plans.
The government stated it will establish a legacy technology baseline for critical systems and prioritise remediation, as well as develop incident playbooks and tabletop simulations to strengthen preparedness and capability for Systems of Government Significance.
Investment will also be targeted to address the highest risks by reviewing technology purchasing arrangements and refining investment indicators to prioritise the most critical cyber security uplift areas.
Legislatively, the government will explore further amendments to the Security of Critical Infrastructure Act 2018, including amendments to Ministerial Directions powers and enhancements to Critical Infrastructure Risk Management Program requirements for high-risk asset classes.
The Trusted Information Sharing Network will continue to encourage greater collaboration and information sharing between critical infrastructure entities and all levels of government, while separately, the government will assess its current subsea cable infrastructure protections to ensure they are fit-for-purpose.
The government will aim to boost business productivity by cutting duplicated cyber security rules and streamlining how industry meets its obligations, delivering a Single Cyber Incident Reporting Interface aligned with the Tell Us Once agenda, replacing fragmented processes with one pathway.
A focused review of the regulatory landscape will aim to identify pressure points and opportunities to centralise reporting, driving consistent definitions, timeframes, and thresholds with the aim of reducing compliance costs, improving regulatory efficiency, and strengthening Australia’s overall cyber resilience.
Following a pilot program commenced under Horizon 1, the government will also explore the feasibility of a national rollout of a framework for the professionalisation of the cyber workforce.




