Cybersecurity and data privacy arrangements
Last Updated on 5 March 2026
CER product developers operating in Australia face a rapidly evolving landscape of cybersecurity and data privacy obligations. Understanding and meeting these expectations is essential for market access, compliance, and building trust with partners and consumers.
This section of the knowledge base explores current and emerging requirements and best practices that apply to CER product developers in the Australian market.
Privacy and Data Protection Frameworks
- Australian Privacy Act & APPs: The Privacy Act (1988) and the Australian Privacy Principles (APPs) set strict standards for collecting, using, and disclosing personal information, including energy data that can identify individuals or households. Developers must ensure transparency, limit data collection to what is necessary, and implement robust security controls such as encryption and data masking.
- Consumer Data Right: The CDR regime gives consumers rights to access and share their energy data securely with accredited third parties. Product developers seeking to leverage CDR data must undergo accreditation, obtain explicit consumer consent, and comply with rigorous privacy and security safeguards, including data minimisation, breach notification, and deletion requirements.
Cyber security standards and frameworks
- Australian Energy Sector Cyber Security Framework: AESCSF provides a maturity model and assessment tool for benchmarking cyber security posture. CER developers are encouraged to self-assess against at least the Lite Framework, focusing on governance, operational resilience, and technical controls.
- Essential Eight: The Australian Signals Directorate’s (ASD’s) Essential Eight outlines baseline IT security measures, including application control, patching, multi-factor authentication, and regular backups. While not mandated, these are highly relevant for securing IT components and interfaces in CER solutions.
- OT Security Controls: For device-level security, developers should implement secure boot, firmware validation, cryptographic authentication, network segmentation, and continuous monitoring. Adherence to standards like IEC 62443 is increasingly expected.
Regulatory obligations
- Security of Critical Infrastructure Act: The SOCI Act imposes obligations on critical asset owners, including incident reporting, risk management, and supply chain security. While CER suppliers may not be directly regulated, compliance requirements often cascade contractually from network operators and retailers.
- Cyber Security Act 2024: Mandates secure-by-design principles for all network-connected technologies, including CER. Developers must implement strong authentication, encryption, secure update processes, and supply chain assurance, with penalties for non-compliance.
Data sovereignty and residency
- Local Storage and Access: DNSPs and other critical infrastructure operators often require that operational and sensitive data be stored and accessed only within Australia, with strict controls on offshore access and cloud services. State-level requirements (e.g., in NSW) may impose additional obligations.
Emerging issues and future directions
- AI and Data Governance: The use of AI in energy data processing introduces new compliance challenges, including transparency, data retention, and restrictions on public AI models. Expect stricter requirements as regulation evolves.
- Post-quantum cryptography: CER developers are encouraged to begin transition planning for post-quantum cryptography to safeguard digital infrastructure against future vulnerabilities.
- Continuous Improvement: Participation in industry consultations, regular self-assessment, and staying updated with regulatory changes are essential for ongoing compliance and market competitiveness.
CER product developers must embed privacy and security by design, align with both national and state-level requirements, and be prepared for ongoing regulatory change. Proactive engagement with frameworks like AESCSF and the Essential Eight, together with robust supply chain and data governance practices, is critical for future-proofing technology stacks and building a trusted reputation in the Australian market.