Is Cyber Security Training a Legal Requirement in Australia?

Article

The short answer is no. The practical answer is more complicated.

There is no single piece of Australian legislation that says “all businesses must complete cyber security training.” That is the answer most people are looking for when they search this question, and technically, it is correct.

But it misses the point.

The Privacy Act 1988 requires businesses that handle personal information to take reasonable steps to protect it. Australian Privacy Principle 11 (APP 11) sets this expectation clearly. And when the Office of the Australian Information Commissioner (OAIC) assesses whether a business met that standard, one of the first things they look at is what the business did to address the human side of the risk.

Training is not named in the legislation. But it is one of the most practical and demonstrable ways to show that reasonable steps were taken.

Businesses that treat this as optional because it is not explicitly required are making a decision they may not be able to defend later.

Why businesses ask this question

Most businesses searching “is cyber security training required in Australia” are looking for permission to skip it. They want confirmation that it is not compulsory so they can deprioritise it.

Businesses have limited time and budget. If something is not explicitly required, it falls down the list.

But the question is framed incorrectly. The real question is not “is training required?” It is “can I demonstrate that I took reasonable steps to protect the information my business holds?”

If the answer to that second question depends on training, and for most businesses it does, then training is not optional in practice. It is optional only in the narrowest legal sense.

What the Privacy Act actually expects

The Privacy Act does not prescribe specific controls. It does not list software, tools, or training programs that businesses must use. Instead, it sets a principle-based expectation: take reasonable steps.

What counts as “reasonable” depends on the business. The OAIC considers factors like:

  • The size of the business
  • The volume and sensitivity of personal information held
  • The potential consequences of a breach
  • What a reasonable business in the same position would do

For a business that holds client records, employee data, financial information, or health data, reasonable steps almost certainly include some form of structured training. Not because the law names it, but because it would be difficult to argue that a business took reasonable steps while doing nothing to address how staff handle information.

What businesses get wrong

“Training is not in the legislation, so it is not required.”

This is technically true and practically dangerous. The legislation sets a standard. Training is one of the most straightforward ways to meet it. Skipping it because it is not named does not remove the expectation. It removes the evidence.

“We told staff to be careful.”

Verbal instructions are not structured training. They are not documented, not measurable, and not evidence. If something goes wrong, “we told them” is not a defensible position.

“Our IT provider handles security.”

IT providers manage infrastructure. They do not manage staff behaviour, policy awareness, or role-based obligations. These are separate responsibilities, and they sit with the business, not the provider.

“We did a session when they started.”

A single onboarding session does not demonstrate ongoing commitment. Compliance expectations are continuous. A session from twelve or eighteen months ago has limited value as current evidence.

Where the real risk sits

The risk is not a fine for failing to complete training. There is no specific penalty for not training staff.

The risk is what happens when something goes wrong and the business cannot show what it did to prevent it.

After a data breach, the OAIC assesses whether the business met its obligations. If there is no evidence of structured training, that is a gap in the reasonable steps argument.

During an insurance claim, cyber insurers are asking harder questions about what controls were in place. If the business cannot demonstrate training, the claim may be challenged.

In client due diligence, larger organisations and government agencies increasingly expect suppliers and partners to demonstrate compliance frameworks. No training means a weaker position.

At the board level, directors are expected to understand and oversee material risks. Cyber is now a material risk for most businesses. If the board cannot explain what the business does to manage the human element, that is a governance gap.

Scenario

A finance team processes client payments and handles banking details daily. No one on the team has received any structured cyber training. There is no policy they have been asked to acknowledge. There is no record of any guidance specific to handling financial data.

One team member receives a convincing email that appears to come from a client requesting a change to payment details. They update the records and process the next payment to a fraudulent account.

The business reports the incident. When asked what training the finance team had received, the answer is none. When asked what process existed for verifying payment changes, the answer is informal. When asked what evidence exists of any structured approach to managing this risk, the answer is unclear.

The training was not legally required. But its absence made the incident more likely, and the business less defensible.

What good looks like

A business that takes training seriously does not need to build a compliance department. It needs a structured, repeatable approach.

That means:

  • Role-based content. Staff who handle sensitive data receive training relevant to what they actually do, not a generic awareness module.
  • Documented completion. The business can show who completed training, when, and what it covered.
  • Regular reinforcement. Training happens more than once. It is updated and repeated so that it remains current.
  • Policy integration. Training connects to the business policies staff are expected to follow. Policies are acknowledged in writing.
  • Accountability. Someone is responsible for making sure it happens. It is not left to chance.

This is not about ticking a legal box. It is about building a position the business can stand behind if it is ever tested.

Closing

Cyber security training is not a legal requirement in Australia in the way that a tax return or a workplace safety plan is. There is no penalty for not completing it.

But the Privacy Act expects businesses to take reasonable steps. And when something goes wrong, the absence of structured training is one of the hardest gaps to explain.

The businesses that handle this well are not doing it because they were told to. They are doing it because they understand that compliance is not about the letter of the law. It is about being able to show what you did and why.

If your business handles personal information and has no structured training in place, the gap is not legal. It is practical. And it will surface when someone asks what you did.

© 2026 Cleverer. Human-layer cyber compliance for Australian business.