Horizon 2: What the Government's new Cyber Security Action Plan means for your organisation

26 June 2026

John Moran, Reece Corbett-Wilkins, Alec Christie, Andrew Brewer

On 11 June 2026, the Australian Government released the Horizon 2 Action Plan under the 2023–2030 Australian Cyber Security Strategy. With 19 actions, 64 initiatives and an additional $89.3 million in funding, it marks a deliberate shift from development to consolidation of the Government’s cyber security policy. Here is what it means for organisations of every size, and how to prepare.

The big picture

The 2023–2030 Australian Cyber Security Strategy is being delivered in three phases, or "horizons." Horizon 1 (2023–2025) built the foundations — the Cyber Security Act 2024, the Executive Cyber Council, mandatory ransomware reporting and updating the defences of Australia’s most critical assets. Horizon 2 (2026–2028) is about scaling cyber maturity across the whole economy. Horizon 3 (2029–2030) is earmarked for Australia to expand the global frontier when it comes to cyber security.

Each of these “horizons” is supported by the release of an “action plan”, a document that sets out the specific actions and initiatives the government will undertake to deliver by the end of the relevant horizon.

Released on 11 June 2026 by the Minister for Cyber Security, the Hon Tony Burke MP, the Horizon 2 Action Plan sets out 19 actions and 64 initiatives. The action plan is backed by $89.3 million in additional funding for the cyber strategy over four years, complementing the $586.9 million that was committed at the commencement of the strategy.

For Horizon 2, the Government has called out three key objectives:

  1. Enabling Australian workers to be a "human firewall" — recognising that human error features in 60% of breaches, and that small and medium businesses are the highest area of risk in the economy for cybercrime, the Action Plan contains a number of initiatives aimed at improving the cyber security training provided to Australia’s workforce as a complement to the technical protections organisations should be implementing.
  2. Protecting our critical infrastructure and government systems — Horizon 2 will focus on further uplifting cyber maturity by strengthening the security, reliability and resilience of government systems and critical infrastructure, moving beyond baseline assurance and reactive response toward proactive, investment-led resilience.
  3. Shaping, securing and embracing digital technology — Horizon 2 demonstrates a commitment by the government to facilitate Australians' safe adoption of technology, ensuring security is embedded into design, deployment and operation of IoT, enhancing protection for Australia’s critical data and ensuring Australia is adequately prepared for the risk posed by critical emerging technologies such as AI and quantum computing.

The plan is underpinned by a sobering threat picture: cybercrime is estimated to cost the economy around $25 billion a year, the average reported incident cost rose about 50% in a year to roughly $80,000, and a single catastrophic incident could strip an estimated $35 billion — about 1.3% of GDP — from the economy.

What it means for small and medium businesses and not-for-profits

Horizon 2 aims to provide meaningful, practical support behind smaller entities — the businesses and organisations least able to absorb the cost of an incident and which often represent significant vulnerabilities in critical supply chains. Key initiatives include:

  • A new "CyberSmart" standard and certification regime – the government will develop a simple, adaptable cyber security standard tailored to small and medium business through a conformity assessment scheme developed with the Joint Accreditation System of Australia and New Zealand (JAS-ANZ). Certified entities will be able to display a "trust mark" in their dealings with customers and suppliers.
  • A centralised CyberSmart Hub consolidating and uplifting government cyber security guidance for SMEs as well as outlining product- and service-specific advice, developed with technology vendors, so smaller entities can choose cyber security products and services suited to their needs and cyber maturity level.
  • Embedding new supply-chain expectations from larger partners — the Government intends to use SOCI Act obligations and procurement levers to drive CyberSmart uptake through the supply chains of critical infrastructure and government. For smaller suppliers, this should mean clearer and more achievable expectations in relation to cyber maturity when pitching to participate in critical and lucrative supply chains.
  • Introduction of minimum standards of cyber security training — developed by the Australian Signals Directorate (ASD) to ensure an appropriate level of governance awareness and training for all staff with access to IT systems.
  • Dedicated not-for-profit uplift — including a not-for-profit community of practice (co-led with the Australian Charities and Not-for-profits Commission) and a tailored program of services to lift sector maturity.
  • Development and implementation of additional cyber security standards for connected technologies — including edge devices (e.g. routers and modems), consumer energy resources (such as rooftop solar and household batteries) and other consumer-grade smart devices.
  • Investment in the domestic cyber industry — through ongoing support for cyber start-ups and small and medium sized businesses to develop innovative solutions to cyber security challenges.

The signal for smaller organisations is clear: cyber maturity is becoming a condition of doing business, especially for anyone in a government or critical-infrastructure supply chain. However, the Government has sought to embed cyber security in SMEs through support mechanisms and incentives rather than a heavy-handed regulatory approach. 

What it means for large organisations, critical infrastructure and government entities

For larger and regulated entities, Horizon 2 deepens existing obligations and adds a stronger emphasis on supply-chain, legacy-technology and emerging-technology risk. Key initiatives include:

  • Uplifts to Australian Government cyber security — through strengthened procurement arrangements for IT goods and services, strengthening logging and monitoring requirements, establishing a baseline for legacy-technology risk for critical systems and amendments to Australian government cyber security policies to address emerging and contemporary cyber security risks.
  • Potential Security of Critical Infrastructure Act (SOCI) reform — the government is currently exploring amendments to the Ministerial Directions powers and has just announced enhancements to Critical Infrastructure Risk Management Program (CIRMP) requirements for high-risk asset classes. The Action Plan also suggests the Government may explore reforms to match those initiatives designed to improve Australian Government cyber maturity (i.e. requiring responsible entities for critical infrastructure assets to further embed cyber security considerations in procurement decisions and conform with minimum logging and monitoring requirements).
  • Mandated quantum-readiness and post-quantum cryptography transition planning — for both Government and critical infrastructure entities through the Protective Security Policy Framework (PSPF) for government and SOCI amendments for critical infrastructure.
  • Legislative amendments to enable threat blocking at scale — these would enable telecommunications, and other ‘upstream’ digital services providers, to block cyber threats at scale and speed to better defend customers.
  • Implementation of a proper single cyber regulatory reporting interface — reducing the compliance burden of providing information regarding a single cyber incident to multiple regulators separately. The Government has flagged this may include amending the existing portal on cyber.gov.au and harmonisation of cyber regulation to create a ‘tell government once’ experience.
  • Elevating information sharing — and partnership with critical infrastructure owners, operators and their supply chains to improve cyber security outcomes, including through enhancements to the Trusted Information Sharing Network.
  • Expansion of the national cyber exercise program — delivered through the National Office of Cyber Security, addressing more cross-sectoral scenarios and sectors not previously tested by the program.
  • Data governance measures — finalising an Industry Data Classification Framework, developing a Code of Practice for commercial data transactions, implementing outcomes from the Government’s Data Retention Review, and piloting a risk-assessment framework for datasets of national significance (beginning with human genomic and clinical-trial data).

How to prepare — and how Atmos can help

Most Horizon 2 initiatives are still at the development phase and are due to be rolled out before the end of 2028, which makes the period ahead the right time to get in front of them. As a specialist cyber, privacy and digital-risk firm, Atmos brings together lawyers, cyber security professionals and technologists to help you turn the plan into a practical roadmap across the full lifecycle:

  • Cyber Risk Advisory — benchmarking your posture against current best-in-market cyber security standards to anticipate forthcoming reforms including CyberSmart, SOCI amendments and alterations to the PSPF.
  • Data, privacy and AI governance — aligning data classification, retention and AI access controls with the latest frameworks, and planning for quantum-transition obligations.
  • Supply chain and third-party risk management — updating supplier and customer contracts to anticipate new certification, vendor-risk and procurement expectations cascading through supply chains.
  • Tabletops, simulations, response planning and threat intelligence — preparing boards and executives for heightened expectations about managing supply chain, legacy systems and emerging technology risks by developing and updating incident response playbooks, conducting relevant tabletop exercises and receiving the latest threat intelligence briefings.
  • Response and Recovery — Atmos is always here to restore and strengthen your organisation’s resilience after an event.
  • Disputes, investigations and crisis communications — end-to-end support if a dispute, class action or regulatory inquiry arises.

What's next

The Government has signalled ongoing consultation and co-design in relation to the initiatives in Horizon 2, and is holding a public town hall on Thursday 2 July 2026 to discuss delivery of the Action Plan. We will continue to track developments — including the detail of the CyberSmart standard, the secure-by-design device requirements and the SOCI Act amendments — as they are released.

To discuss what Horizon 2 means for your organisation, get in touch below.