Categories

Telecommunications providers must act now to ensure compliance with the below major regulatory changes coming into force from as early as 30 June 2025:

  • Telecommunications (Consumer Complaints Handling) Industry Standard Amendment 2025 (No. 1) – Commencing 30 June 2025
  • Telecommunications (Customer Communications for Outages) Industry Standard Variation 2025 – Commencing 30 June 2025
  • Telecommunications (Domestic, Family and Sexual Violence Consumer Protections) Industry Standard 2025 – Commencing 1 July 2025

We have updated template packs provided on the IAA Member Portal to assist Members with their compliance obligations, but it is important Members understand new requirements arising from recent regulatory reform.

1. Expanded Complaints Handling Framework

From 30 June, telco providers will have to comply with new obligations in relation to handling complaints from consumers including:

  • New “Network Outage Complaint” Category:
    A new “network outage complaint” is now explicitly defined to align with the Telecommunications (Customer Communications for Outages) Industry Standard 2024. If a consumer reports loss of service and the provider suspects a network outage is occurring (either a major outage or significant local outage), the report must be treated as a formal network outage complaint
  • Network Outage Complaints Handling Process:
    Providers must establish a separate, documented process for handling network outage complaints and publish it on their website. IAA’s Template Complaints Handling Policy has been updated to include network outage complaints, and is available on the IAA Member Portal.
  • Resolution Standards for Network Outage Complaints:
    A network outage complaint is resolved once:
    • Service is restored, and
    • A bulk resolution offer (e.g. compensation or credit) is communicated (if offered)
  • Natural Disaster Exclusion:
    Complaints related to outages triggered solely by natural disasters may be handled through standard complaint processes instead.
  • Improved Accessibility:
    The ACMA have also introduced other changes unrelated to network outage complaints in relation to making complaints and complaints handling process more accessible. This includes, amongst other things, maintaining a direct link on the telco’s homepage and the help or support section of its website to display a list or table of each of the contact details the provider makes available to receive complaints, along with a statement that these contact points can be used to make a complaint.

2. Enhanced Communications During Outages

The Telecommunications (Customer Communications for Outages) Industry Standard has also been updated to introduce obligations in relation to ‘significant local outages’, which commence 30 June. Please note, obligations already exist in relation to ‘major outages’.

Variation Highlights:

  • New defined term – ‘significant local outages’
    ‘Significant local outage’ is defined as unplanned adverse impact to your telco network that results in an end-user unable to establish and maintain a carriage service which affects:
    • ≥1,000 SIOs in regional Australia for a period of over 6 hours;
    • ≥250 SIOs in remote Australia for a period of over 3 hours.
  • Notification obligations in relation to a significant local outage
    Carriers and CSPs must notify and communicate with select persons and groups at different stages including initial notification, regular updates, updates of material changes, and service restoration. IAA provides updated template kits including template notifications and communications that carriers and CSPs can send out in relation to both major outages and significant local outages in the IAA Member Portal.
  • Written Procedures
    Telcos must update their public-facing Network Outage Communications Policy to include their procedures in relation to a significant local outage. A template policy is also included in the Template Kit provided by IAA.

3. New Protections for Persons Affected by Domestic, Family & Sexual Violence

ACMA has introduced a new industry standard to establish protections for persons affected by domestic, family and sexual violence. While the Standard commences from 1 July, telcos will have a longer timeframe to comply with many of the requirements. Below are only the compliance requirements that begin from 1 July:

  • Reversal of service limitation for affected persons (s 13(3)-(5)):
    If a service has been limited (e.g. suspended or disconnected), and the affected person urgently requests reversal due to a DFV safety risk, the telco must urgently reverse it on first contact, or offer an equivalent service if reversal isn’t practical. However, reversal isn’t required where doing so would breach another Commonwealth law (e.g. emergency call service obligations).
    Must not require affected persons to engage with perpetrator (s 15(1)):
    Telcos must not require a person affected by DFV to contact or interact with the perpetrator of the DFV or the perpetrator’s authorised representative.
  • Information about support offered (s 16)
    Telcos must publish information on their website about the support they offer to people affected by domestic and family violence. If they don’t yet offer specific support, they must publish contact details for external support organisations and indicate when their own support services will become available.
  • DFV Policy (s 19-20)
    Telcos must develop and implement a domestic and family violence (DFV) policy, that is approved by the telco’s most senior executive, and develop supporting procedures that meet specific standards. Large providers have 6 months, and small providers 9 months from 1 July to comply.
  • General DFV Training (s 21)
    All personnel must receive DFV training, which can be delivered internally or via an expert 3rd party. Large providers have 9 months, and small providers 12 months from 1 July to complete training, with annual refreshers of the training to be completed.
  • Specialised DFV Training for Customer-Facing Staff (s 22)
    Personnel in customer service, or likely to deal with DFV issues must complete specialised DFV training which covers applying the telco’s DFV policy and procedures, nature of DFV and its relationship to telco services, how to identify affected persons, intersectionality and DFV, engaging with affected persons, and recognising and prioritising safety of affected persons and the safety of personnel engaging with perpetrators. The specialised DFV training can be tailored to the role of the personnel, and may be delivered internally or via an expert 3rd party. Large providers have 9 months, and small providers 12 months from 1 July to complete training, with annual refreshers of the training to be completed.
  • Consultation requirements (s 32)
    From 1 July, telcos must consult with and consider feedback from DFV support services and either people with lived experience or organisations representing at-risk groups when developing DFV policies and procedures (s 19), and training (s 21-22). Large providers must consult directly; small providers may do so via an industry body.

    A large provider means a provider with at least 30,000 SIOs, and a small prover is a provider with less than 30,000 SIO.

Please note, IAA is considering whether and how to undertake the consultation requirements on behalf of our members that fall under the ‘small provider’ category. If you are interested in being represented by IAA, please let us know by contacting policy@internet.asn.au.

What Telcos Must Do

Compliance Area

Required Actions

Complaints Handling (30 June)

Update processes and policies to handle and display network outage complaints separately.

Update website to specify points of contact to make complaints.

Ensure staff are trained to appropriately handle any network outage complaints as such.

Network Outage Communications (30 June)

Update internal processes to ensure communications are sent in relation to significant local outages.

Update public facing policy to include communications processes in relation to significant local outages.

DFSV Protections (1 July)

Ensuring staff understand all obligations that will commence from 1 July that relate to persons affected by DFV – e.g. not requiring affected persons to contact perpetrators, reversing service limitations.

Updating website to specify support information.

Undertaking consultation requirements to develop DFV Policy, procedures and training.

Training staff.

If you have any questions about the any of the new regulation, please contact us at policy@internet.asn.au.

Written by: Sophia Joo | Senior Policy Officer & Company Secretary

With the federal election over and a returning Labor Government, we anticipate busy times ahead. Regulatory reform for the telco sector is already well underway with the:

  • Security of Critical Infrastructure (SOCI) obligations – commenced 4 April;
  • new ACMA rules relating to network outages involving communication requirements and changes to your complaints handling policy – commencing 30 June; and
  • changes to the TIO’s complaints handling processes – commencing 1 July.

We’re proud to say that our advocacy work has had some impact in reducing some of the burdens on industry. We’ve managed to ensure the positive security obligations under the SOCI framework will be limited to carriage service providers with over 20,000 services in operation (or those that supply to government). Our consistent engagement with the ACMA has also resulted in the regulator releasing more educative information alongside new regulation.

You can read more about the SOCI obligations in this newsletter article, the ACMA rules on its website and the TIO changes on the TIO Portal. We are also working on developing updated legal templates that are compliant with the new ACMA rules and will make them available on the IAA Member Portal in due course so please keep posted!

In March, a telecommunications consumer protections Bill was tabled at Parliament to introduce the CSP Register, give the ACMA directly enforceable powers and increase penalties for non-compliance. Though this lapsed due to the election, we anticipate this will be prioritised by the new or returning Communications Minister.

Other things to watch out for includes a new domestic, family and sexual violence industry standard for telcos which we think may land any day now, as well as the revised TCP Code which we understand will soon be submitted to the ACMA for registration.

The Public Policy Advisory Panel will be meeting later this month to discuss all the above and more so please let us know if you have any concerns, or if you’d like to join the discussion!

And as always, please get in touch to share any thoughts on any of the open consultations below and/or previous submissions as we really appreciate your feedback.

Open consultations

Completed submissions

The subordinate legislation under the Security of Critical Infrastructure Act (SOCI Act) and the new Cyber Security Act affecting the telecommunications sector commenced on 4 April 2025.

These instruments introduce new rules for the telco industry, as well as changes to existing obligations, consolidating security regulations that were previously contained under the Telecommunications Act framework into the SOCI legislative framework. Below is a summary of the regulations.

Telecommunications Security and Risk Management Program Rules Telco entities that hold a carrier licence or supply over 20,000 carriage services, or supply services to Commonwealth Government entities are subject to more stringent obligations under the new TSRMP Rules.
This involves:

  • implementing and maintaining a risk management program by 4 October 2025;
  • compliance with at least maturity level 1 of a cyber security framework by 4 October 2026 (further obligations for carriers to comply with maturity level 2 by 4 October 2027);
  • obligation to ‘protect your asset’ as far as it is reasonably practicable to do so.Carriers have further obligations to notify the Department of Home Affairs of any changes to your asset that is likely to have a material adverse effect on your ability to protect your asset


Asset Register and Mandatory Cyber Incident Reporting Rules
Rules requiring telco entities to register their critical assets, and notify the Department of a cyber incident have been folded into the SOCI framework.

However, these rules now only apply to entities with a carrier licence, or meet the ‘relevant carriage service provider asset’ threshold of over 20,000 services in operation, or supply to the Commonwealth Government.

SOCI rules affecting all telcos

Even if you are not a carrier or don’t meet the ‘relevant carriage service provider asset’ threshold, telecommunications assets are still captured under the SOCI Act as critical infrastructure. This means you may still have obligations to:

  • notify your data storage or processing provider that it is storing or processing your business critical data; and
  • following Ministerial directions in relation to serious incidents affecting your asset.


Subordinate cyber security rules

New security standards for smart devices were introduced in March 2025 with the rules commencing 4 March 2026. The rules apply to both manufacturers and suppliers of ‘relevant connectable products’ and is therefore likely to affect telco entities.

The standards introduce 3 rules for manufacturers in relation to their products, including ensuring each device has a unique password or allowing the consumer to create own password, ways for consumers to report security issues and clearly providing information on the support period for security updates.

The manufacturer must also prepare a Statement of Compliance in respect of the rules. Suppliers must then provide this Statement of Compliance with any relevant connectable products they supply to consumers in Australia and must retain the Statement for at least 5 years.

IAA recently held a webinar on IoT Security on 3 April, which included a discussion on the new rules.

Additionally, from 30 May 2025, all entities with an annual turnover of at least $3 million must report ransomware payments to the Department within 72 hours of the ransom being paid.

Please refer to the below summaries and guidance material provided by the Department in respect of these new rules:


IAA will also soon publish a template risk management plan that Members can utilise to assist with their compliance efforts on the IAA Member Portal.

You can also join the Trusted Information Sharing Network for access to further critical infrastructure information and resources.

Please contact us if you have any questions about these new rules.

Join our briefing with Q&A for IAA Members regarding our updated Master Service Agreement and Membership Agreement.

To ensure compliance with current legislation and good governance, we have reviewed our Master Service Agreement (MSA) and Membership Agreement (MA). With the assistance of our lawyers, we have conducted a meticulous review and updated the terms of these agreements to ensure compliance with the latest legal requirements.

Please note, we are **not** terminating either of our existing agreements. However, in accordance with clause 24.2 of the MSA, any changes to the Agreement must be in writing and signed by the parties.

In addition, our team has taken this opportunity to streamline processes to benefit our Members by allowing electronic execution of the agreements through the IAA Member Portal, as well as consolidating outdated documents – including the Disconnect Policy, Acceptable Use Policy, Code of Conduct – Members Services, Pricing Policy and Services Schedules – into the MSA. This consolidation simplifies our contractual framework and aligns our terms with current operational practices.

Please review IAA’s new MSA and MA

Following a busy end to 2024, the policy team has had an equally hectic start to 2025!

There are several consultations currently underway that will have a significant impact on the telecommunications sector. Namely, the review of the Telecommunications Consumer Protections Code by Communications Alliance, as well as rules for the telco sector under Security of Critical Infrastructure Act. These subordinate rules will apply to carriers and carriage service providers that have over 20,000 services in operation or supplies to the government. If this is you or your organisation, then we highly recommend you attend the Town Hall that the Department will be running on 11 February to find out more information and ask any questions. You can read more about the open consultations below, and let us know if you have any concerns you’d like us to include in our submission!

The policy team has also had its hands full onboarding our new PPAP members! We received a record number of applications, and you can read more about our new PPAP members in this newsletter item. The interest in PPAP is a testament to the growth of the advocacy work that IAA has been doing to improve policy for the telco sector, and we thank all our Members for their interest in and support of our policy work. PPAP meetings are open to guests, so please let us know if you would like to attend. We will also provide regulatory updates at each in-person event this year, so make sure to attend!

As always, please get in touch to share your thoughts on any of the open and/or previous submissions below. We really appreciate your input.

Open consultations:

Telecommunications Service Provider (Customer Identity Authentication) Determination 2022 | ACMA | 14 February 2025

The ACMA proposes to amend its requirements related to identity verification. Proposed changes include the introduction of new authentication methods, the removal of biometric data as a primary authentication method, exceptions to sending notifications about high-risk transactions and record keeping requirements.

Consultation on Subordinate Legislation to the Cyber Security Act and Security of Critical Infrastructure Act 2018 | Department of Home Affairs | 14 February 2025

Following amendments to the Security of Critical Infrastructure Act, and the passage of the Cyber Security Act in late 2024, the Department of Home Affairs is consulting on various subordinate legislation related to rules governing the new Cyber Incident Review Board, ransomware reporting requirements; security of smart devices, data storage systems as a critical infrastructure asset, and most importantly, the risk management program rules for the telecommunications sector. All carriers and CSPs with 20,000+ active services in operation or those that knowingly supply to government will be subject to the positive security obligations, including the risk management program rules.

C628: Telecommunications Consumer Protections Code Review | Communications Alliance | 28 February 2025

Communications Alliance is conducting its periodic review of the TCP Code, and the latest iteration is now open for public consultation. The TCP Code is a significant instrument that applies to most of IAA’s Members. There are many proposed changes, including enhanced rules regarding the identification and protection of vulnerable customers, providing at least 2 fee-free payment methods, the requirement to perform credit checks for consumers for contracts that could result in a debt of +$150, providing a (near) real time customer support channel, flexibility regarding direct billing payments, and compliance processes.

Completed submissions:

Member Guidance – Reasonable steps to inform consumers and occupiers of IDR and EDR | TIO

 Scams Prevention Framework Bill | Treasury

SLAID Act Review | INSLM

NBN Co Amendment (Commitment to Public Ownership) Bill 2024 | Senate Standing Committees on Environment and Communications

Unfair Trading Practices Consultation Paper | Treasury

Online Safety Amendment (Social Media Minimum Age) Bill 2024 | Senate Standing Committees on Environment and Communications

Following our recruitment process in late 2024, we’ve successfully grown the IAA Public Policy Advisory Panel (PPAP). We have four returning members who have renewed their terms, as well as five new faces and we’re chuffed to work with the expanded PPAP as we face a busy year ahead.

With a diverse representation of Corporate, Professional and Affiliate Members, as well as different backgrounds and interests, we’re excited about the quality of discussions we’ll have as each panel member brings their unique insight on important policy matters.

Our first PPAP meeting of 2025 will be held on 5 February 2025 and new panel members will have their work cut out for them as we dive straight into discussions of the TCP Code and telco security regulations, which are currently open for consultation!

Welcome to our new PPAP panelists:

Craig Lester
Jean Linis-Dinco
Mark Newton
Sanjeev Israni
Trace Wu

You can read more about PPAP on the IAA website!

If you have any questions about the PPAP, or IAA’s advocacy work in general, please get in touch at policy@internet.asn.au.

From events to consultations, it’s been as busy as ever for our Policy Team!

You may have noticed IAA being highlighted in CommsDay for taking a stance on important regulatory issues. Whether it be for our CEO setting the record straight on the TCP Code at a major industry event, or our response to the one of our many consultations such as the Senate Committee’s inquiry into the privacy reform, we’re dedicated to representing our Members and to improving the telecommunications regulatory landscape.

As we’ve reported in previous newsletters, the co-regulation approach for telecommunications policy is coming under attack and as Narelle noted in her presentation at the CommsDay Wholesale Forum, there seems to be some ‘arguably disinformation’ floating around on what co-regulatory codes like the TCP Code actually mean. Rest assured, we’ll continue to advocate for the continuation of co-regulation for the telco sector to ensure that regulation affecting the industry is developed by those who actually operate and understand telco systems!

Our Policy Officer and Board Chair also gave a lightning talk at AusNOG to give an update on recent and upcoming regulatory changes, as well as to spread awareness about IAA’s important advocacy work, and how to get involved via the IAA Public Policy Advisory Panel (PPAP).

Speaking of which, the PPAP met for its quarterly meeting on 22 August. Discussions centred around the TIO and its recent changes to its reclassifications approach, which we reported in the last August newsletter. We are now accepting applications to the PPAP.

Completed Submissions:

Upcoming Submissions:

Are you passionate about shaping the way the internet is run? IAA needs your expertise to drive impactful advocacy!

Our Public Policy Advisory Panel (PPAP) is an important body that helps IAA cut through the maze of regulations, providing critical insights that inform our policy positions and advocacy work.

With the terms of many of our current PPAP members ending in early 2025, we’re calling on you to play your part in improving the telco regulatory landscape!

We’re looking for dedicated individuals from our Professional, Corporate and Affiliate Members, for three-year terms, acting in a voluntary capacity.

As a panel member, we invite you to attend quarterly online meetings with the potential for one in-person meeting per year. As part of the panel you’ll:

  • Contribute to IAA’s responses to government and industry inquiries.
  • Help us influence regulation changes and inform topical internet matters.

Find out more and apply to join now via the IAA website by 8:00pm AEDT, 5 December and let’s navigate the future of internet policy together!

Formed in 2022, the IAA Public Policy Advisory Panel is an advisory body of IAA Members that help inform IAA’s public policy and advocacy work related to the telecommunications sector.

Involvement in policy and legislative reform in the Internet and broader telecommunications landscape is a critical part of IAA’s work. Indeed, the Western Australia Internet Association, IAA’s precursor, started as an advocacy body. That’s why we hold the Panel to be so important to our advocacy work.

The Panel meets quarterly to discuss live and upcoming policy issues affecting the Internet industry. The feedback provided by our Members via the Panel greatly informs our responses to the various consultations held by Government and regulatory bodies on matters that affect our industry, and therefore you, our Members!

We have found the Panel immensely helpful for our advocacy work since its formation and believe it has had a genuine impact in shaping telecommunications/Internet policy. For example, we couldn’t have participated as meaningfully during the NBN Co SAU reform process without the input of our Panel, the outcome of which we believe resulted in an SAU that is fairer for smaller RSPs, especially on matters related to NNI.

IAA is also regularly invited by government and regulators to be the voice for smaller communications providers in the industry. More recently, we have been championing our Members in discussions surrounding the security and resilience of telecommunications as part of Australia’s critical infrastructure ecosystem. The Panel has again been of great help, serving as a sounding board for proposed reforms.

Most recently during our last quarterly meeting in June, Panel Members engaged in spirited discussion over the TIO’s complaints handling processes and TCP Code reforms, and more broadly, our concerns about growing calls for direct regulation from regulators, consumer groups and government.

As the telco sector faces increasing regulatory pressures, it’s more important than ever to make sure that the voices of smaller ISPs are heard and able to influence policy makers. We greatly appreciate the Panel and encourage IAA Members to get involved to contribute to IAA’s advocacy efforts.

If you would like to know more about the Panel, please reach out at policy@internet.asn.au.

Sign up to IAA's mailing list

Complete this form to receive all our latest news, events and updates.