Loading...
Taking longer than expected.
Reload the pageTaking longer than expected.
Reload the pageEvery AI compliance obligation and deadline for Australian organisations, in one place, with links to the primary sources. Australia governs AI through laws and standards that already apply - not a single AI Act - so this tracker maps the obligations that actually bind you and when they bite.
Upcoming obligations are listed first, ordered by the soonest deadline. Every entry links to a named government or regulator source so you can verify it yourself.
Status
Sector
Showing 7 of 7 obligations
28 March 2026
Maximum penalties for breaches of the Australian Consumer Law, including misleading or deceptive conduct such as overstated AI claims ("AI washing"), increase to AUD 100 million per contravention (or higher alternative measures). The increased penalties apply to conduct from 28 March 2026.
What to do
Review marketing, product, and procurement claims about AI capabilities for accuracy and substantiation so they do not mislead consumers under the strengthened penalty regime.
10 December 2026
New transparency obligations introduced by the Privacy and Other Legislation Amendment Act 2024 (new APP 1.7 to 1.9) require an entity's privacy policy to disclose where it uses computer programs to make, or substantially help make, decisions that could significantly affect the rights or interests of an individual. The obligations are scheduled to commence on 10 December 2026.
What to do
Inventory the automated and AI-assisted decisions that significantly affect individuals, then update your privacy policy to disclose the kinds of personal information used and the kinds of decisions made by those computer programs before the commencement date.
Announced (establishment under way)
The National AI Plan announced the establishment of an Australian AI Safety Institute to monitor AI risks and support Australia's approach to AI safety. Establishment is under way.
What to do
No action is required yet. Watch for the Institute's outputs and guidance as it stands up, as these may inform future voluntary or mandatory expectations.
Published 21 October 2025
The National AI Centre's voluntary "Guidance for AI Adoption" (published 21 October 2025) sets out six essential practices for organisations adopting AI and is now the primary voluntary reference in Australia. It streamlines the ten guardrails of the earlier 2024 Voluntary AI Safety Standard into these six practices.
What to do
Use the six essential practices as a voluntary baseline for your AI governance program, mapping your existing controls to them.
In force 1 July 2025 (service-provider arrangements transition 1 July 2026)
Prudential Standard CPS 230 requires APRA-regulated entities to manage operational risk, maintain critical operations through disruptions, and manage the risks arising from service providers. Material service provider arrangements - which can include AI and large-language-model vendors that support critical operations - must be identified, risk-assessed, and governed under a service-provider management policy.
What to do
Assess whether any AI or LLM vendors support a critical operation, classify material service provider arrangements, and bring those arrangements under your CPS 230 service-provider management policy and register ahead of the 1 July 2026 transition for existing contracts.
In force since 1 July 2019
Prudential Standard CPS 234 requires APRA-regulated entities to maintain information-security capability commensurate with the threats to their information assets. Read onto AI systems, this means treating AI models, training data, and inference pipelines as information assets that fall within the entity's information-security controls, classification, and testing - an interpretive application of an existing, technology-neutral standard.
What to do
Extend your information-asset register and information-security controls to cover AI models, training and fine-tuning data, prompts, and inference APIs, and include them in your control-testing and incident-notification processes.
December 2025
Australia's December 2025 National AI Plan declined to introduce mandatory, AI-specific guardrails. It favours applying existing technology-neutral law (such as privacy, consumer, and prudential law), voluntary guidance, and the establishment of a new AI Safety Institute over a dedicated Australian AI Act.
What to do
There is no new mandatory AI-specific obligation to action from the Plan itself. Continue to comply with the existing laws that already apply to AI and track the voluntary guidance the Plan points to.
This tracker covers the AI-relevant laws, prudential standards, and voluntary guidance that apply to Australian organisations. Some entries (for example, how APRA's information-security standard reads onto AI assets) are an interpretive application of an existing, technology-neutral instrument rather than an AI-specific rule. We flag those in the summary and let the linked primary source carry the detail.
This is general information, not legal advice. Dates and obligations change. Always verify each item against the linked primary source before you act, and seek professional advice for your specific circumstances.
Last reviewed 9 June 2026.
Areebi gives Australian regulated organisations a secure control plane for enterprise AI - audit logging, data-loss prevention, policy enforcement, and decision-authority controls that map to the obligations on this page.