
The short answer is yes, I believe so, re: mandatory...

    The short answer is yes, I believe so, re: mandatory requirements.
    I found this AFR article from last year, but I don't know the
    current status of the planned legislation.

    https://www.afr.com/politics/federal/major-expansion-of-mandatory-cyber-security-requirements-on-way-20200901-p55r7z

    Major expansion of mandatory cyber-security requirements on way

    Sep 5, 2020 – 12.00am

    Mandatory cyber breach obligations are being planned for a raft of new business sectors and suppliers under wide-ranging critical infrastructure legislation being fast-tracked into federal Parliament.

    The proposed legislation will also empower the Commonwealth government for the first time to directly intervene through its own counter-cyber operations, where there is an immediate and serious cyber threat to Australia’s economy, security or sovereignty.

    The legislation will require owners and operators of a vastly expanded list of critical infrastructure to "be legally obliged to manage risks that may impact business continuity and Australia’s economy, security and sovereignty."

    The major expansion of security obligations for Australian businesses comes as ASIC has begun its first cyber prosecution – using general Corporations Act powers – signalling a new regulatory approach to cyber security issues.

    The Department of Home Affairs is completing a quick-fire consultation with 11 sectors on the bill that will require designated firms and operators to ensure their own digital, personal and physical systems and their suppliers' systems meet minimum prescribed protective standards.

    The department has told operators "prompt action is required" and the bill will be brought directly to the Parliament without any exposure draft. The government is looking to have the bill passed before Christmas.

    According to King & Wood Mallesons partner Cheng Lim, the current critical infrastructure regulatory framework applies only to specific entities in the electricity, gas, water and maritime ports sectors.

    "The proposed reforms will significantly expand the scope of the framework, introducing security obligations to nine new sectors: banking and finance; communications; data and the cloud; defence; education, research and innovation; food and grocery; health; space; and transport."

    Academic research

    Many of these sectors – including food, grocery and transport – are regulated by the states, representing a significant expansion of Commonwealth regulation into these sectors.

    Also included are academic research facilities. The changes follow the introduction of a bill to regulate bilateral agreements that universities and the states have with overseas entities, notably in China.

    According to the Home Affairs consultation paper, operators of the expanded list of critical infrastructure (CI) caught by the legislation are to be divided into three groups: CI entities, Regulated CI Entities, and Systems of national significance.

    Operators will be categorised depending on the potential for a domino effect if their function were compromised and the consequence of compromise.

    All CI entities will be subject to "government assistance" in their cyber operations, including being directed to mitigate a current or imminent cyber attack.

    "Under no circumstances will entities be directed or authorised to take actions against the perpetrator (including ‘hack backs’)."

    This will be reserved to government, which through a declaration of an emergency will have powers to use its cyber operations in the Australian Signals Directorate and ASIO to take direct action.

    Regulated entities and system operators will be required to legally comply with a "Positive Security Obligation" to identify, manage and mitigate against the risks of "all hazards".

    National threat intelligence

    This will include physically securing spaces where sensitive information and assets are used, transmitted, stored or discussed. Operators will also be required to vet "ongoing suitability of its personnel".

    The obligation will extend to supply chain risks, drawing a vast array of small and medium business into the new security net.

    System operators will be required to provide near real-time network information to the federal government's "national threat picture". This will initially be voluntary, but the bill will give powers to make it mandatory.

    This will include incident reports, significantly expanding the current requirement which only applies to breaches that involve personal information.

    Compliance will be through a board-approved reporting mechanism submitted annually or as otherwise agreed. "This recognises that the Board of the regulated entity is ultimately responsible for ensuring that risk is managed appropriately."

    Enforcement will include audits, security notices and direct intervention, as well as penalties for non-compliance.


    The ASIC litigation against IOOF wealth firm RI Advice Group alleges basic cyber hygiene breaches, claiming the firm and its adviser failed to implement "adequate policies, systems and resources which were reasonably appropriate to manage risk in respect of cyber security and cyber resilience".

    "If this litigation signals a new regulatory approach to cyber security issues in Australia, it is important to consider the powers of other regulators to bring enforcement action in similar circumstances," Mr Lim said in a note to clients.

    He said this could include financial regulator APRA taking action against deposit-taking organisations. Consumer regulator ACCC could follow the lead of the US Federal Trade Commission and bring proceedings under the Australian Consumer Law if an entity with inadequate cyber security represented that customer data was secure.

    Action could also be brought against firms for breaches of personal information under the Privacy Act.


    All IMHO, DYOR