Regulation & Compliance

The TSRMP: All-Hazards Risk Management for Carriers and CSPs

The TSRMP Rules commenced on 4 April 2025, switching on SOCI Act risk management obligations for carriers and relevant carriage service providers. Who is in scope, the four hazard vectors a program must address, and the cyber maturity milestones for October 2026 and 2027.

22 May 2026  ·  13 min read

Enterprise & Export

The EU Cyber Resilience Act

What Australian businesses that sell or export digital products to Europe need to know about the new mandatory cyber security requirements taking effect in 2027.

18 May 2026  ·  10 min read

Regulation & Compliance

AESCSF SP-2 by June 2028: Why 25 Months Is Not as Much Time as It Sounds

Consultation on the Exposure Draft of enhanced CIRMP Rules under the SOCI Act has just closed. The headline change for the energy sector: lift cyber maturity to AESCSF SP-2 across all 11 domains by 30 June 2028. Most responsible entities sit at SP-1 today.

15 May 2026  ·  14 min read

Regulation & Compliance

APRA CPS 234 in 2026: The Six Common Gaps and Why Compliance Is Harder Than It Looks

CPS 234 has been in force since 2019 — but the bar has moved. The tripartite assessment programme has surfaced six common gaps across 300+ regulated entities. FAR has made executive accountability explicit. CPS 230 has added overlapping obligations. Here's where compliance sits now.

12 May 2026  ·  14 min read

Regulation & Compliance

Hong Kong's PCICSO: What Designated Critical Infrastructure Operators Must Do Now

Hong Kong's Protection of Critical Infrastructures (Computer Systems) Ordinance came into force on 1 January 2026, alongside the Commissioner's Code of Practice. Here's what designated CIOs across the eight covered sectors must do — three obligation categories, supply-chain ripple, penalties up to HK$5 million.

9 May 2026  ·  13 min read

EU Regulation & Financial Sector

Is Your Organisation Ready for DORA?

DORA is already in force. What financial entities and ICT providers need to know about the EU's Digital Operational Resilience Act — who is in scope, the five pillars, and what to do now.

6 May 2026  ·  10 min read

Payment Card Security

PCI DSS v4.0.1 in 2026: The 51 Future-Dated Requirements Are Now Mandatory

The transition window has closed. v4.0.1 is the only active version of the standard and the 51 future-dated requirements have been mandatory since 31 March 2025. Here's what changed, what every assessment is now scoring against, and how to verify your environment is current.

3 May 2026  ·  13 min read

Cyber Threats & Risk

What Happens If Your Business Gets Hacked?

The real costs of a cyber attack — downtime, legal obligations, and why 1 in 5 small businesses don't recover. What you're required to do if it happens.

26 December 2025  ·  8 min read

Regulation & Compliance

Cyber Security for Childcare Providers

NQF digital technology policies are now mandatory, CCTV requirements have changed, and the way your service handles images of children is under regulatory scrutiny. Here's what approved providers need to do.

25 January 2026  ·  7 min read

Regulation & Compliance

Cyber Security for NDIS Providers

Disability services report more data breaches than any other industry in Australia. Here's what your NDIS Commission, Privacy Act, and Cyber Security Act obligations require you to do to protect participant data.

1 February 2026  ·  8 min read

Regulation & Compliance

Cyber Security for Bookkeepers and BAS Agents

Bookkeepers hold TFNs, payroll records, and direct access to client banking environments. The TPB's 2024 Code Determination explicitly requires you to protect that data — and a compromised bookkeeper account can expose every client they manage.

8 February 2026  ·  7 min read

Regulation & Compliance

Cyber Security for Real Estate Agents

From 1 July 2026, real estate agents become AML/CTF reporting entities for the first time. Settlement fraud is already active. Here's what the combined risk landscape means for your agency's data security and compliance obligations.

15 February 2026  ·  7 min read

Regulation & Compliance

Cyber Security for Financial Planners

ASIC has now won Federal Court penalties against two AFSL holders for cyber security failures. What financial planners and advice licensees must do to meet their Corporations Act obligations.

22 February 2026  ·  8 min read

Regulation & Compliance

Cyber Security for Mortgage Brokers

What your ACL, Best Interests Duty, and Privacy Act obligations require — covering client data, aggregator portal risk, settlement fraud, and breach reporting.

1 March 2026  ·  7 min read

Regulation & Compliance

Cyber Security for Law Firms

What your professional conduct obligations actually require — the confidentiality duty, minimum expectations from Law Societies, trust account risks, and the new ransomware reporting obligation.

6 March 2026  ·  8 min read

Regulation & Compliance

Australia's Privacy Act Reforms 2024

What changed with the 2024 legislation, which obligations are already in force, and what's coming in the next round of reforms — explained for business owners.

20 February 2026  ·  8 min read

Framework Guide

The Essential Eight Explained

Australia's most important cyber security baseline — what the eight controls require, what maturity levels mean in practice, and who must comply.

6 February 2026  ·  9 min read

Regulation & Compliance

Cyber Security for Accountants and BAS Agents

What the Tax Practitioners Board Code of Conduct requires from accountants and BAS agents — and what evidence you need if something goes wrong.

23 January 2026  ·  7 min read

Insurance & Due Diligence

Cyber Insurance for Small Business

What insurers are actually asking in applications, which controls they check for, and why claims get denied when the answers don't match reality.

9 January 2026  ·  7 min read

Regulation & Compliance

Cyber Security for GP Clinics and Allied Health

What GP clinics and allied health providers must do to protect patient data under AHPRA's Code of Conduct — and why the small business exemption doesn't apply.

12 December 2025  ·  8 min read
