On 20 October 2025, the Australian Cyber Security Centre (ACSC) released executive guidance on the cloud shared responsibility model for government, critical infrastructure, and large organisations. It explains that cybersecurity duties are shared between cloud service providers (CSPs) and customers, but ultimate responsibility for data remains with the customer. Organisations must understand legislative obligations, know which cloud services they use, and assess risks based on data sensitivity. They should choose CSPs that provide secure-by-default services and transparent security controls. Main areas include access control, phishing-resistant authentication, short-lived credentials, and using trusted devices. Organisations must have tested incident response plans and coordinate with CSPs for alerts. Additional responsibilities cover encryption, logging, backups, secure configuration, and timely software patching.