Compliance for Software & SaaS
Tech companies — captured by Privacy Act, Online Safety Act, AI Voluntary Standard, and SOCI if critical-infrastructure-aligned.
Published obligations that apply to Software & SaaS (6)
- [critical] [CWLTH] Adopt Essential Eight Maturity Level 2 (federal subcontractors)
Federal government contractors handling OFFICIAL: Sensitive must meet Right Fit For Risk (RFFR) including E8 ML2.
- [critical] [CWLTH] Comply with online safety industry codes (Phase 1 + 2)
Eight industry sections covered by binding codes under the Online Safety Act 2021.
- [critical] [CWLTH] Report cyber security incidents to ASD (SOCI)
Critical infrastructure asset operators must report critical incidents within 12 hours and other incidents within 72 hours.
- [high] [CWLTH] Comply with Basic Online Safety Expectations + industry codes
Social media services, app distribution services, and other captured providers must meet the BOSE and industry codes.
- [medium] [CWLTH] Adopt the Voluntary AI Safety Standard (DISR 2024)
10 voluntary guardrails for safe + responsible AI deployment; mandatory regime in development.
- [medium] [CWLTH] Mandatory AI guardrails for high-risk AI (in development)
Australian Mandatory Guardrails for High Risk AI Settings — Treasury consultation in 2024/2025.