Industry Research and Development (Small Business Cyber Resilience Service Program) Instrument 2024

The Industry Research and Development (Small Business Cyber Resilience Service Program) Instrument 2024 is a Commonwealth legislative instrument made under the Industry Research and Development Act 1986. Its main job is to prescribe the Small Business Cyber Resilience Service Program for the purposes of that Act.

In practical terms, this means the program has been formally established as a prescribed program under the legislation. The instrument says the program provides funding for expert advice and assistance to small businesses on cyber security matters, with that advice delivered by telephone or by way of the internet. It also states the program's purpose, which is to build the cyber security capability and resilience of small businesses and support them to recover after experiencing a cyber incident.

This is important context for businesses, but it is equally important not to overread the instrument. It is not a detailed rulebook for business conduct. It does not create a new compliance regime for small businesses, and it does not say that businesses must use the program.

The instrument refers to small businesses. That is the group the program is directed to. If you are a business owner looking for cyber security support, that is the first practical indicator that the program may be relevant to you.

However, the instrument does not define small business. It also does not set out any employee threshold, turnover threshold, industry category, location rule, or other eligibility test. Because of that, businesses should be careful not to assume they qualify based on common government definitions used elsewhere. This instrument does not supply those details.

The instrument also does not expressly identify excluded businesses. It does not say whether larger businesses, related entities, charities, incorporated associations, sole traders, partnerships or companies are in or out. Those questions may be answered in program materials outside the instrument, but they are not answered here.

Section 5 of the instrument gives the clearest practical description of the program. It says the program provides funding for the provision of expert advice and assistance delivered by telephone, or by way of the internet, to small businesses on matters relating to cyber security.

That tells businesses several useful things. First, the program is about advice and assistance, not direct regulation. Second, the support is intended to be delivered remotely, either by phone or online. Third, the subject matter is cyber security. Fourth, the program is aimed at helping small businesses both improve capability and resilience and recover after a cyber incident.

What the instrument does not say is just as important. It does not list the kinds of advice that must be available. It does not promise a particular response time, number of sessions, funding amount, or outcome. It does not say whether the service includes incident triage, technical remediation, training, policy review, or referrals. Those operational details are outside the text of the instrument.

So, if your business is deciding whether this program is suitable, the instrument confirms the broad purpose and delivery channel, but not the detailed service offering.

This instrument does not create legal trigger points in the sense of mandatory reporting deadlines, compulsory notices, or events that force a business to act. Participation is voluntary on the face of the instrument.

Still, there are practical situations where a business may want to check whether the program is relevant. The instrument itself points to two broad use cases. The first is building cyber security capability and resilience before something goes wrong. The second is supporting recovery after a business has experienced a cyber incident.

That means a business may want to look into the program if it is reviewing its cyber practices, wants external guidance on cyber security issues, or has already experienced an incident and needs support with recovery. But those are practical reasons to consider the program, not legal obligations created by this instrument.

The key point for businesses is that this instrument does not impose direct operational obligations on them. It does not require a business to apply, participate, keep records, report incidents, adopt cyber controls, or implement advice received through the program.

Its legal function is narrower. It prescribes the program under the Act, describes the funded service at a high level, and states the program's purpose. Businesses should therefore read this instrument as an authorising framework for the program, not as a source of mandatory compliance steps.

That said, businesses should still be careful about relying on the instrument alone. If you are considering using the program, you should check current program information to confirm whether the service is available to you, what support is actually offered, and what any participation conditions may be. Those matters are not set out in the instrument itself.

The instrument is titled the Industry Research and Development (Small Business Cyber Resilience Service Program) Instrument 2024. It was made on 1 March 2024, registered on 4 March 2024, and commenced on the day after registration, which was 5 March 2024.

The legislation record shows it is in force. It is administered by the Department of Industry, Science and Resources. The instrument states that it is made under the Industry Research and Development Act 1986.

The instrument also specifies, for the purposes of subsection 33(3) of the Act, the constitutional legislative power relating to postal, telegraphic, telephonic, and other like services within paragraph 51(v) of the Constitution. For most businesses, that point is background legal architecture rather than a practical compliance issue.

Because the instrument is short and high level, businesses should do a few checks before making decisions based on it. The text confirms that a prescribed program exists and describes its broad purpose, but it does not answer many of the practical questions a business would usually ask before engaging with a government service.

If you are considering the program, confirm whether your business falls within the current program settings, what support is currently available, how access works, and whether there are any conditions or limits. Also check whether there have been later amendments or related materials that affect how the program operates in practice.

This page should therefore be read as a legal explainer of the instrument itself, not as a complete operational guide to the service.

The key operative provisions are the commencement clause, the authority clause, section 5 on the prescribed program, and section 6 on specified legislative power. Section 5 is the main practical provision for businesses because it states what the program funds and what the program is intended to achieve.

The official legislation record identifies the instrument as F2024L00266 and shows it as in force. Businesses wanting the exact legal text should read the current version on the Federal Register of Legislation.