Australian suppliers: ASRS mandatory climate reporting, Modern Slavery Act, NDB Scheme, and ASX requirements.
Australia has introduced mandatory climate-related financial disclosures through the Australian Sustainability Reporting Standards (ASRS). Combined with Modern Slavery Act obligations, the Notifiable Data Breaches (NDB) Scheme under the Privacy Act, and ASX listing requirements, Australian businesses face a comprehensive sustainability and cyber reporting landscape.
Key regulations in Australia
ASRS: Australian Sustainability Reporting Standards
Australia's Treasury has finalised ASRS 1 and ASRS 2, based on IFRS S1 and S2. Large Australian companies must disclose climate-related risks, opportunities, and GHG emissions. Scope 3 emissions (including supply chain) must be disclosed from Phase 1. Suppliers will receive data requests from covered companies.
Modern Slavery Act 2018
Australian entities with annual revenue of $100 million or more must submit an annual Modern Slavery Statement to the Australian Border Force. Statements must describe the risks of modern slavery in operations and supply chains, and actions taken to address those risks. Suppliers will receive due diligence questionnaires.
ASX Corporate Governance Principles
ASX Corporate Governance Council Principles recommend that listed entities disclose material exposure to environmental and social risks. Many ASX-listed companies are voluntarily disclosing Scope 3 emissions and requesting supply chain data ahead of mandatory requirements.
NDB Scheme: Notifiable Data Breaches (Privacy Act 1988)
Australia's Notifiable Data Breaches (NDB) Scheme requires organisations covered by the Privacy Act to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable, and within 30 days of becoming aware of an eligible data breach. An eligible breach is one that is likely to result in serious harm to affected individuals. The Privacy Act Review (2023) and subsequent reforms propose strengthening breach notification timelines. Organisations must have a data breach response plan in place.
SOCI Act: Security of Critical Infrastructure Act 2018 (Amended 2022)
The Security of Critical Infrastructure Act 2018, significantly expanded by the 2022 amendments, requires operators of critical infrastructure assets across 11 sectors (electricity, gas, water, ports, airports, banking, superannuation, health, food, education, data storage) to report serious cyber incidents to the Australian Signals Directorate (ASD) within 12 hours, and other cyber incidents within 72 hours. Suppliers to critical infrastructure operators may be required to meet cybersecurity standards under supply chain risk management obligations.
What this means for you as a supplier
Australian suppliers face obligations across climate, modern slavery, and cyber domains. ASRS Scope 3 requirements mean your emissions will be included in customers' mandatory reports. The NDB Scheme requires breach notification within 30 days. Organisations supplying to critical infrastructure sectors face SOCI Act supply chain security requirements. Prepare your GHG inventory, modern slavery documentation, and cyber incident response plan together.
Key dates
February 2018: NDB Scheme in force - 30-day mandatory data breach notification to OAIC
April 2022: SOCI Act amendments - 12-hour serious incident reporting for critical infrastructure
FY 2025: ASRS Phase 1 - largest Australian entities must report climate data
FY 2026: ASRS Phase 2 - smaller large entities in scope
FY 2027: ASRS Phase 3 - all large entities must report
Annually: Modern Slavery Act statements - supply chain due diligence questionnaires
Last reviewed: April 2026. This guide is for general information only and does not constitute legal advice. Regulations change; verify current requirements with a qualified adviser.
Received a Modern Slavery or ASRS questionnaire?
ESG Stress Free guides Australian suppliers through Modern Slavery Act, ASRS reporting, and NDB Scheme cyber obligations.