Horizon 2: What Australia’s Next Cyber Security Phase Actually Requires of Technology Leaders

TL;DR — Key Points

  • “Horizon 2” is the official government designation for the 2026–28 phase of Australia’s 2023–2030 Cyber Security Strategy. It shifts the national focus from foundational compliance toward scaling cyber maturity across the whole economy — with explicit emphasis on sovereign capabilities, world-class threat sharing, and supply chain security.
  • The formal Horizon 2 Action Plan is still being finalised by government. Technology leaders should not wait for that announcement — the strategic direction and the six Cyber Shields that frame it are already established and should be shaping FY27 programme decisions now.
  • Sovereign capability is not a preference for Australian vendors. It is a set of questions about where security operations are based, who processes threat intelligence, and whether critical security functions can operate independently of foreign jurisdiction risk.
  • Threat sharing is a technical obligation, not a reporting posture. Organisations that have not invested in the capability to collect, normalise, and contribute threat data will find they cannot participate meaningfully when formal requirements land.
  • Supply chain transparency is the element most organisations are least prepared for. A supplier register is not a supplier security programme. The gap between the two is where the next regulatory wave will expose unprepared organisations.

This article provides technology and governance guidance only and does not constitute legal advice. Organisations should confirm their specific obligations with qualified legal counsel.

Australia’s Cyber Security Act 2024 received Royal Assent on 29 November 2024 and, by the time it commenced enforcement in earnest in 2025, represented the most significant overhaul of the country’s cyber security legislative framework in years. It established mandatory reporting for ransomware payments, introduced security standards for connected smart devices, strengthened the obligations of critical infrastructure operators, and created a voluntary information-sharing regime designed to improve the flow of threat intelligence between industry and government. For many organisations, meeting those requirements was challenge enough.

The question for technology leaders heading into FY27 is not whether they have met the Horizon 1 baseline. It is whether they understand what Horizon 2 requires — and whether they have begun building toward it.

What Horizon 2 Is and Why It Matters Now

Horizon 2 (2026–28) is the second phase of Australia’s 2023–2030 Cyber Security Strategy, published by the Department of Home Affairs. The Strategy is structured across three phases: Horizon 1 (2023–25), which focused on strengthening foundational capabilities; Horizon 2 (2026–28), which is defined as scaling cyber maturity across the whole economy; and Horizon 3 (2029–30), which aims to establish Australia as a global leader on the cyber frontier.

The shift from Horizon 1 to Horizon 2 is not incremental. Horizon 1 was primarily about addressing gaps — updating legislation, introducing reporting requirements, establishing baselines. Horizon 2 has a different mandate: it is designed to embed cyber security maturity at scale, across sectors and organisations that were not previously the primary focus of regulatory attention. (Australian Government — 2023–2030 Australian Cyber Security Strategy)

The government’s Charting New Horizons Policy Discussion Paper, released in July 2025 and informed by over 170 public submissions, three public town halls, and twelve industry co-design roundtables, outlines the six Cyber Shields that frame the Strategy: strong businesses and citizens; safe technology; world-class threat sharing and blocking; protected critical infrastructure; sovereign capabilities; and resilient regional and global leadership. For enterprise and government organisations, three of those shields translate directly into FY27 programme requirements — and two of them, sovereign capabilities and threat sharing, are where technology leaders are least operationally prepared.

It is important to be clear about where things stand. As of mid-2026, the formal Horizon 2 Action Plan is still being finalised by government, with specific initiatives and obligations to be announced in due course. That does not mean organisations should wait. The strategic direction is established. The six shields are established. The expectations signalled through the consultation process are sufficiently clear that technology leaders who defer planning until the formal Action Plan lands will find themselves well behind by the time specific obligations are formalised.

Sovereign Capability: What It Actually Means Operationally

The term “sovereign capability” appears regularly in government communications, and its meaning is often flattened in translation. It is not a preference for Australian vendors. It is not a scoring consideration for government procurement panels. In the context of the Cyber Security Strategy, sovereign capability encompasses a specific set of questions about where security operations are based, who holds and processes threat intelligence, whether managed security partners are subject to Australian law and regulatory oversight, and whether an organisation’s critical security functions can continue to operate independently of foreign jurisdiction risk.

For technology leaders, this translates into an assessment exercise rather than a procurement decision. The relevant questions are: If your managed security operations centre is operated by or through an entity subject to foreign law, can a foreign government compel that entity to act in ways that conflict with your obligations under Australian law? Where does your threat intelligence reside, who has access to it, and under which legal jurisdiction is that access governed? If a geopolitical event disrupted access to internationally hosted security tooling or operations, how quickly could you restore equivalent capability from a domestically grounded source?

These are not hypothetical concerns. The ASD’s ACSC Annual Cyber Threat Report 2024–25 documents that incidents classified at the most severe levels involved organisations including federal and state governments, large organisations, academia and supply chains — a pattern consistent with state-sponsored actors targeting networks for strategic positioning rather than immediate financial gain. (ASD’s ACSC Annual Cyber Threat Report 2024–25)

The sovereign capability dimension of Horizon 2 asks technology leaders to be able to answer these questions with confidence. For those who cannot, FY27 is the planning window to close that gap.

Orro operates as an Australian-owned provider with Australian-based security operations and an Australian-operated detection capability through the National Cyber Defence Centre (NCDC). That model is directly responsive to the sovereign capability questions the regulatory environment is now asking — built around principles of Australian ownership, operational transparency, and compliance with domestic law. It is noted here as a factual statement of operational alignment, not as a product recommendation — organisations should evaluate their own arrangements against the questions above and seek appropriate guidance.

Evidence Snapshot — Policy Realities of the Australia Cyber Security Strategy Horizon 2 Shift

11% — Increase in cyber security incidents reported to ASD’s ACSC in FY2024–25, with the most severe incidents involving governments, large organisations, academia, and supply chains.
ASD’s ACSC Annual Cyber Threat Report 2024–25

28% — Increase in publicly reported common vulnerabilities and exposures in FY2024–25, compounding the challenge for organisations without structured exposure management programmes.
ASD’s ACSC Annual Cyber Threat Report 2024–25

Six Cyber Shields — The architectural framework through which the 2023–2030 Australian Cyber Security Strategy delivers national resilience. Horizon 2 extends this framework from foundational protection toward whole-of-economy cyber maturity, with sovereign capabilities and world-class threat sharing designated as explicit priority shields.
Department of Home Affairs — 2023–2030 Australian Cyber Security Strategy

Threat Sharing: The Operational Requirement Most Organisations Underestimate

Shield 3 of the Cyber Security Strategy — world-class threat sharing and blocking — is already the subject of significant government investment through the ASD’s ACSC and associated intelligence-sharing frameworks. In Horizon 2, the government is considering expanding the remit of this shield to capture whole-of-economy cyber defence and resilience, beyond the technical solutions already in place for critical infrastructure. (Department of Home Affairs — Charting New Horizons: Developing Horizon 2)

The significance of that expansion is frequently underestimated by organisations that think of threat sharing as a reporting obligation. It is not. Reporting is the passive end of the activity — submitting an incident report through ReportCyber after an event has occurred. Active threat sharing, the kind the Horizon 2 framework is moving toward, requires the technical infrastructure to collect telemetry, normalise it into formats compatible with national intelligence functions, and contribute it in ways that are useful to others. That capability does not emerge from a policy decision. It requires investment in logging infrastructure, detection tooling, and operational processes that most organisations have not yet built to the standard required for meaningful contribution.

The gap this creates is not one of intent — most organisations would readily agree that contributing to national threat intelligence is worthwhile. The gap is one of technical readiness. Organisations that have not yet achieved baseline logging and detection maturity, or that rely on managed security arrangements without clear contractual provisions for data sharing, will find they cannot participate meaningfully when the expanded threat-sharing framework takes shape.

The FY27 priority for most organisations is therefore not to develop an advanced threat-sharing programme from scratch, but to honestly assess what their current logging, detection, and incident management capability can actually produce — and whether that would meet the standard of contribution the Horizon 2 framework is shaping toward. Orro’s active threat hunting and detection capability through the NCDC provides a reference point for what operationally mature threat intelligence collection looks like in practice.

Supply Chain Transparency: The Gap Most Organisations Have Not Closed

Supply chain security appears as a recurring theme across both the Cyber Security Act’s implementation and the Horizon 2 strategic direction — and with good reason. The ASD’s ACSC notes that an organisation’s supply chain can often be its weakest link, with malicious actors exploiting trusted vendor relationships to steal information or deliver malware at points the end consumer cannot directly observe. (ASD’s ACSC Annual Cyber Threat Report 2024–25)

The Horizon 2 strategic direction signals that supply chain transparency will become a more formal expectation — particularly for organisations operating critical infrastructure or supplying services to government. What that requires goes considerably further than most current governance frameworks address.

Most Australian organisations of scale have some form of supplier register. Far fewer have supplier security assessment programmes that could withstand regulatory scrutiny. The distinction matters: a register tells you who your suppliers are. A security assessment programme tells you what security posture they maintain, what access they have to your environment and data, what their incident notification obligations are to you, and what recourse you have when their security posture deteriorates. These are materially different capabilities, and the gap between them is where supply chain incidents occur.

A credible supplier security programme for the Horizon 2 environment should be able to answer the following for each significant supplier relationship: What access does this supplier have to our systems, data, or operational environment? What security standards are they contractually obligated to meet? When did we last assess their compliance with those standards, and how? What is our notification and response process if they suffer a compromise that affects us? Organisations that cannot answer these questions for their top-tier supplier relationships are carrying risk that the regulatory environment will increasingly ask them to account for.

The practical sequencing for FY27 is to start with the supplier relationships that carry the highest access and impact — suppliers with privileged access to operational systems, data custodians, managed service providers — rather than attempting to apply comprehensive assessments across the full supplier base at once. Prioritise depth over breadth, and build the assessment capability before the mandate arrives in formal obligations.

FY27 Is the Planning Window

The Horizon 2 transition is not a future consideration pending a government announcement. The strategic direction is set. The six shields are established. The Charting New Horizons consultation has concluded and the government’s co-design process is complete. The formal Action Plan will add specificity and obligations — it will not change the direction.

Technology leaders who treat FY27 as the year to get their sovereign capability posture right, build the technical foundations for meaningful threat sharing, and close the gap between a supplier register and a supplier security programme will be in a fundamentally different position to those who wait for the mandate before planning begins. The organisations that responded to Horizon 1 proactively — building capability ahead of the legislative requirements rather than scrambling to meet them on enforcement day — are the ones better positioned now.

The same logic applies to Horizon 2. The window to build is open. The time to act is before it closes.

This article provides technology and governance guidance only and does not constitute legal advice. Organisations should seek qualified legal counsel to confirm their specific obligations under the Cyber Security Act 2024, the Security of Critical Infrastructure Act 2018, and associated regulations.

Further Reading & Sources

Department of Home Affairs — Cyber Security Act 2024
homeaffairs.gov.au/cyber-security-subsite/Pages/cyber-security-act.aspx

Department of Home Affairs — 2023–2030 Australian Cyber Security Strategy
homeaffairs.gov.au — 2023–2030 Australian Cyber Security Strategy

Department of Home Affairs — Horizon 2: Expanding Our Reach (2026–2028)
homeaffairs.gov.au/horizon-2

Department of Home Affairs — Charting New Horizons: Developing Horizon 2 of the 2023–2030 Australian Cyber Security Strategy (Policy Discussion Paper)
homeaffairs.gov.au — Charting New Horizons Discussion Paper (PDF)

ASD’s ACSC Annual Cyber Threat Report 2024–25
cyber.gov.au — Annual Cyber Threat Report 2024–25

OAIC — Privacy Act obligations relevant to threat sharing and data handling
oaic.gov.au

Cyber Security Act 2024 — Federal Register of Legislation
legislation.gov.au
