Is Cyber Security Training a Legal Requirement in Australia?
The short answer is no. The practical answer is more complicated.
There is no single piece of Australian legislation that says “all businesses must complete cyber security training.” That is the answer most people are looking for when they search this question, and technically, it is correct. Sector-specific regimes are the exception: APRA-regulated financial institutions (Prudential Standard CPS 234) and operators of critical infrastructure assets (Security of Critical Infrastructure Act 2018) carry information security obligations that in practice extend to personnel, and Commonwealth agencies are expected to follow the ISM. For an ordinary private business, though, no statute names training.
But it misses the point.
The Privacy Act 1988 requires APP entities that handle personal information to take reasonable steps to protect it from misuse, interference, loss, unauthorised access, modification and disclosure. Australian Privacy Principle 11 (APP 11) sets this expectation clearly. Note the scope: the Act covers most businesses with an annual turnover above AUD 3 million, plus smaller businesses in specified categories such as private health service providers and those trading in personal information, so “small business” is not automatically outside it. When the Office of the Australian Information Commissioner (OAIC) assesses whether an entity met the APP 11 standard, it looks at what the entity did about the human side of the risk. The OAIC’s Guide to Securing Personal Information lists staff training and awareness among the steps it expects to see, alongside policies, access controls and incident response.
Training is not named in the legislation. But a documented, repeatable training and policy program is one of the most demonstrable ways to show that reasonable steps were taken.
Businesses that treat this as optional because it is not explicitly required are making a decision they may not be able to defend later.
Why businesses ask this question
Most businesses searching “is cyber security training required in Australia” are looking for permission to skip it. They want confirmation that it is not compulsory so they can deprioritise it.
Businesses have limited time and budget. If something is not explicitly required, it falls down the list.
But the question is framed incorrectly. The real question is not “is training required?” It is “can I demonstrate that I took reasonable steps to protect the information my business holds?” That is the actual obligation, and demonstrating it requires records: who was trained, on what, and when.
For most businesses the answer to that question depends on having such a program. Skipping it is optional only in the narrowest legal sense; in practice it is a gap that will be visible the first time anyone asks.
What the Privacy Act actually expects
The Privacy Act does not prescribe specific controls. It does not list software, tools, or compliance programs that businesses must use. Instead, it sets a principle-based expectation: take reasonable steps.
What counts as “reasonable” depends on the business. The OAIC considers factors like:
- The size of the business
- The volume and sensitivity of personal information held
- The potential consequences of a breach
- What a reasonable business in the same position would do
For a business that holds client records, employee data, financial information, or health data, reasonable steps almost certainly include a documented program covering how staff handle that information. Not because the law names a specific platform or course, but because it would be difficult to argue that a business took reasonable steps while doing nothing to address the people who handle the data. The OAIC’s own guidance treats training as one of those steps, so its absence has to be explained, not assumed away.
What businesses get wrong
“Training is not in the legislation, so it is not required.”
This is technically true and practically dangerous. The legislation sets a standard, not a checklist. A program that assigns, tracks, and evidences training and policy obligations is one of the most straightforward ways to meet that standard. Skipping it because it is not named does not remove the expectation. It removes the evidence.
“We told staff to be careful.”
Verbal instructions are not structured compliance. They are not documented, not measurable, and not evidence. If something goes wrong, “we told them” is not a defensible position.
“Our IT provider handles security.”
IT providers manage infrastructure. They do not manage staff behaviour, policy obligations, or role-based accountability, and outsourcing does not transfer the APP 11 duty: the obligation stays with the entity that holds the information. If the provider is given access to personal information, the business also has to take reasonable steps over that arrangement, typically through the contract and through checking what the provider actually does.
“We did a session when they started.”
A single onboarding session does not demonstrate ongoing commitment. Compliance obligations are continuous. A session from twelve or eighteen months ago has limited value as current evidence of an active system.
Where the real risk sits
The risk is not a fine for failing to complete training. There is no specific penalty for not having a training program in place. The penalty exposure sits with the underlying failure: serious or repeated interference with privacy attracts civil penalties under the Privacy Act, and whether reasonable steps were taken is central to that assessment.
The risk is what happens when something goes wrong and the business cannot show what it did to prevent it.
After a data breach, the OAIC assesses whether the business met its obligations. If the breach is likely to result in serious harm, it must also be notified to the OAIC and affected individuals under the Notifiable Data Breaches scheme, which puts the question of reasonable steps in front of the regulator directly. If there is no evidence of training, policy acknowledgement, or any other control addressing the human layer, that is a gap in the reasonable steps argument.
During an insurance claim, cyber insurers are asking harder questions about what controls were in place. If the business cannot demonstrate active compliance effort, the claim may be challenged.
In client due diligence, larger organisations and government agencies increasingly expect suppliers and partners to demonstrate compliance frameworks. No structured system means a weaker position.
At the board level, directors are expected to understand and oversee material risks as part of their duty of care and diligence (Corporations Act 2001, s 180), and ASIC has said publicly that cyber resilience is a board responsibility. Cyber is now a material risk for most businesses. If the board cannot explain what the business does to manage the human element, that is a governance gap.
Scenario
A finance team processes client payments and handles banking details daily. No one on the team has completed any training on handling payment instructions or on payment redirection fraud. There is no policy they have been asked to acknowledge. There is no record of any guidance specific to handling financial data.
One team member receives a convincing email that appears to come from a client requesting a change to payment details. They update the records and process the next payment to a fraudulent account.
The business reports the incident. When asked what training the finance team had completed, the answer is none. When asked what process existed for verifying payment changes, the answer is informal. The control that would have stopped this is simple and well known: confirm any change of bank details by calling the client on a number already held on file, never on a number supplied in the request, and require a second person to approve the change. When asked what evidence exists of any system for managing this risk, the answer is unclear.
The training was not legally required. But its absence made the incident more likely, and the business less defensible.
What good looks like
A business that takes compliance seriously does not need to build a compliance department. It needs a structured, repeatable system.
That means:
- Role-based training. Staff who handle sensitive data receive training relevant to what they actually do (payment verification for finance, records handling for HR, phishing and credential hygiene for everyone), not only a generic awareness module.
- Documented completion. The business can show who completed which training, when, and what it covered.
- Regular reinforcement. Training happens more than once. It is updated and repeated, typically at least annually and whenever a policy or a major threat changes, so that it remains current.
- Policy integration. Training connects to the business policies staff are expected to follow. Policies are acknowledged in writing, and the acknowledgement is kept.
- Accountability. Someone is responsible for making sure it happens. It is not left to chance. A register or platform records completion so the evidence exists without anyone reconstructing it after the fact.
This is not about ticking a legal box. It is about building a compliance position the business can stand behind if it is ever tested.
Closing
Cyber security training is not a legal requirement in Australia in the way that a tax return or a workplace safety plan is. There is no penalty for not completing it.
But the Privacy Act expects APP entities to take reasonable steps. And when something goes wrong, the absence of any training or policy program for the people who handle the data is one of the hardest gaps to explain.
The businesses that handle this well are not doing it because they were told to. They are doing it because they understand that compliance is not about the letter of the law. It is about being able to show what you did, what system you used, and why your obligations were met.
If your business handles personal information and has no structured training and policy program in place, the gap is not legal. It is practical. And it will surface when someone asks what you did.