On 1 July 2026, five separate regulators will each wake up responsible for enforcing a major new framework that did not exist a year ago. Nobody designed it to happen that way.
Each reform now hitting implementation has its own history – its own sequence of reviews, consultations, political defeats, and eventual passage. What makes 2026 unusual is that years of deferred reform are coming due at the same time.
The AML/CTF (anti-money laundering and counter-terrorism financing) Tranche 2 expansion is the most instructive example. Australia was first put on notice about its failure to extend anti-money laundering obligations to lawyers, accountants, and real estate agents in 2005 – nearly twenty years before the legislation finally passed.
A 2015 Financial Action Task Force (FATF) mutual evaluation – the peer review process through which the body assesses whether member countries meet its standards – identified the gap explicitly. Legislative attempts stalled repeatedly: the global financial crisis intervened in 2007, professional lobby opposition succeeded in 2012, and a statutory review in 2016 produced recommendations that sat unimplemented for years.
The amendment bill finally passed Parliament on 29 November 2024 with, as one observer noted, the air of “last-minute panic” to avoid FATF grey-listing (the international consequence for jurisdictions deemed non-compliant with global AML standards). Enrolment opened on 31 March 2026. Obligations go live on 1 July.
That pattern, featuring decades of policy intent, years of stalling, a final legislative push, and then a hard commencement date, is common to almost everything arriving at once this year.
The merger control regime the Australian Competition and Consumer Commission (ACCC) spent more than two decades advocating for went live in January. The National Environmental Protection Agency reforms required multiple failed attempts at the Environment Protection and Biodiversity Conservation Act (EPBC) revision before the current legislation passed. Mandatory climate disclosure, described by Australian Securities and Investments Commission (ASIC) Chair Joe Longo as “the biggest changes to financial reporting and disclosure standards in a generation”, was first seriously canvassed in regulatory circles years before the 2024 Act.
The cost of complying with federal regulation has grown from $65 billion in 2013 to $160 billion today – roughly 5.8 per cent of GDP.
None of these reforms was designed to land together. They arrived together because Australia’s legislative system processed a generation’s worth of reform ambition within a compressed window – and all the commencement clocks started running at roughly the same time.
The backdrop against which this lands is not comfortable.
Research by Mandala Partners for the Australian Institute of Company Directors, released in March 2026, found that the cost of complying with federal regulation has grown from $65 billion in 2013 to $160 billion today – roughly 5.8 per cent of GDP. Board time spent on compliance has doubled, from 24 per cent to 55 per cent, in a decade. Australia ranks second among advanced economies – behind only Japan – for administrative and regulatory burden.
None of that context halts what is coming. It simply changes the conditions under which it lands.
What is going live, and when
March 2026 – the machinery starts
The first major commencement of the year arrived on 4 March, when Australia’s mandatory cybersecurity standards for consumer smart devices took effect under the Cyber Security Act 2024. Manufacturers and suppliers of internet-connected products – smart TVs, cameras, routers, smart locks, home automation equipment – must now meet three baseline obligations: no universal default passwords, a published vulnerability reporting channel, and disclosed software support periods. Products manufactured before that date are exempt; everything after is not.
The enforcement question is pointed: the rules sit with the Department of Home Affairs, a national security agency, rather than a product safety regulator with market surveillance experience. Whether that architecture produces credible enforcement – or whether the standard becomes, in practice, a paper obligation – will become clear over the next twelve months.
31 March brought the first tranche of AML/CTF programme changes. Existing reporting entities – banks, financial services firms, remittance providers – faced updated programme and governance obligations under the amended Anti-Money Laundering and Counter-Terrorism Financing Act, while the Australian Transaction Reports and Analysis Centre (AUSTRAC) simultaneously opened enrolment to approximately 90,000 lawyers, accountants, real estate agents, and dealers in precious metals and stones entering the regime for the first time.
April 2026 – the competition architecture shifts
From 1 April, Australia’s mandatory merger control regime – in force since January – expanded its notification thresholds to include cumulative tests. A deal can now trigger notification based on combined party size and transaction value, even where either measure alone would fall below the threshold.
This is designed to catch the “creeping acquisition” problem – serial small purchases that cumulatively reshape markets without ever triggering oversight – that motivated advocates for reform for two decades. The regime also includes a public register of all notified transactions, giving regulators, competitors, and the public visibility that the old voluntary system never provided.
The 1 July wall
The most concentrated moment of this implementation year is 1 July 2026. On that single date, five substantial new regulatory obligations go live simultaneously across five different sectors, administered by five different agencies.
A sixth – Payday Super, which shifts superannuation payments from quarterly to per-payroll-cycle – arrives on the same date but sits primarily with the Australian Taxation Office (ATO) and the Fair Work system rather than the dedicated regulatory agencies.
AML/CTF – 90,000 new regulated entities
From 1 July, Tranche 2 entities must have an approved AML/CTF programme in place, customer due diligence workflows operational, sanctions screening live, and staff training completed. The enrolment deadline for new entities is 29 July.
AUSTRAC faces an extraordinary supervisory challenge: it must simultaneously overhaul programmes for existing regulated entities and onboard – from scratch – entire industries with no prior AML experience or compliance infrastructure.
Its response has been to treat the transition as a confidence-building exercise rather than a test of enforcement will: the agency has developed “programme starter kits” for small businesses entering the regime – a design choice that acknowledges small accountancy and real estate firms cannot be expected to replicate the compliance architecture of major banks. AUSTRAC has also deferred certain customer due diligence obligations for legacy clients by three years, creating a sequenced compliance path rather than a single cliff edge.
What AUSTRAC is doing, in effect, is using time as a supervisory tool.
What AUSTRAC is doing, in effect, is using time as a supervisory tool. Whether 90,000 new entities can build meaningful compliance programmes within weeks of first regulatory contact is an open question. But the approach signals something important about how regulators might manage implementation crunch more broadly: not by demanding simultaneous full compliance, but by sequencing obligations around realistic capability timelines.
The question is whether other agencies overseeing 1 July obligations have the same latitude – or the willingness to use it.
Climate disclosure – Group 2 entities
From 1 July, the mandatory sustainability reporting regime expands from large corporations to medium-sized entities meeting at least two of four criteria: 250 employees, $200 million revenue, $500 million total assets, or $5 billion assets under management for asset owners.
These entities must produce climate reports aligned with Australian Accounting Standards Board (AASB) S2, Australia’s mandatory climate disclosure standard, including governance disclosures, climate scenario analysis against two temperature pathways, and Scope 1 and 2 emissions data subject to limited assurance.
Unlike the Group 1 entities that entered the regime in January 2025 – large companies with dedicated sustainability teams and existing exposure to frameworks aligned with the Task Force on Climate-related Financial Disclosures (TCFD) – Group 2 entities are joining from a standing start. Many lack the internal data infrastructure to produce credible scenario analysis, and their boards typically have less climate governance experience.
ASIC described the Group 1 rollout as the regime’s “foundational phase”; the Group 2 expansion is where scale meets limited capacity. ASIC is simultaneously reviewing Year 1 sustainability reports from Group 1 companies for greenwashing, managing the crypto licensing regime, and running a litigation programme it flagged as a 2026 priority. The supervision question for Group 2 is not just whether entities can comply – it is whether ASIC can provide the guidance and oversight that a much larger, less experienced cohort actually needs.
NEPA launches amid federal-state tensions
On 1 July, Australia’s first National Environmental Protection Agency (NEPA) commences operations under the National Environmental Protection Agency Act 2025 – the most comprehensive reform of Australia’s national environmental laws since the EPBC Act in 1999.
NEPA’s mandate is threefold: enforcement and compliance with national environmental laws; coordination of environmental assessments between federal and state governments; and environmental monitoring and auditing. The transitional provisions are detailed and have been amended in the Senate, but the core principle is a “smooth transition” of existing staff and functions from the relevant Commonwealth departments. In practice, a brand-new agency inheriting functions, staff, and pending approval processes from multiple predecessor bodies faces the institutional challenge that every new regulatory body faces: asserting a distinct culture and posture while managing a backlog it did not create.
The practical complication for industry is jurisdictional overlap. In states like NSW, operators will now face two independent environmental regulators – the new federal NEPA and the existing state EPA – with obligations that may not yet be fully coordinated. Minter Ellison has advised NSW operators to “prepare now” precisely because the dual-regulator landscape creates compliance uncertainty that transitional arrangements do not yet fully resolve. That uncertainty is, itself, a day-one implementation problem.
Supermarket price gouging ban
From 1 July, it will be unlawful for Coles and Woolworths – currently the only retailers with revenue above the $30 billion threshold – to charge prices “significantly excessive when compared to the cost to the retailer, plus a reasonable margin”. The ACCC is the enforcement agency, with maximum penalties of the greater of $10 million, three times the benefit derived, or 10 per cent of annual turnover.
This is a conceptually significant departure from Australia’s traditional competition framework, which has focused on protecting competitive processes rather than regulating prices directly. It places the ACCC in the position of determining what a “reasonable margin” is for a given grocery product – a genuinely novel enforcement task for which the ACCC has no direct precedent. Utility price regulation exists in Australia, but grocery margin assessment is different in structure, data intensity, and the speed at which input costs change.
The ACCC’s 2026–27 enforcement priorities include supermarket pricing explicitly alongside digital platforms, cartels, domestic aviation, and product safety. That list – which also encompasses the new merger regime and a mandate to designate digital platforms under an incoming competition regime – reflects an agency carrying an unusually broad frontline workload.
Scams Prevention Framework – first sector obligations
Also from 1 July, banks, telecommunications providers, and designated digital platforms face their first obligations under the Scams Prevention Framework, which passed Parliament in February 2025. Regulated entities must take “reasonable steps to prevent, detect, report, disrupt and respond to scams,” with governance frameworks and consumer verification processes embedded from day one.
The enforcement architecture is deliberately multi-regulator: ASIC for banking, the Australian Communications and Media Authority (ACMA) for telecommunications, and the ACCC for digital platforms.
Full external dispute resolution through the Australian Financial Complaints Authority (AFCA) does not commence until January 2027 – meaning there will be a six-month window in which sector obligations are live, but a consumer who suffers harm cannot yet access a single external body to resolve a complaint. Whether that gap produces practical problems, or whether existing AFCA jurisdiction is sufficient as a bridge, is one of the Scams Prevention Framework’s first real-world tests.
CPS 230 – the last contract deadline
CPS 230 – APRA’s operational resilience standard – came into force on 1 July 2025. But its transitional contract deadline – requiring all pre-existing material service provider contracts to either be renewed under CPS 230-compliant terms, or comply regardless – runs out on 1 July 2026.
For major banks, insurers, and superannuation funds, this has meant a multi-year renegotiation programme across hundreds of vendor relationships: cloud providers, software platforms, outsourced operations. The 1 July 2026 contract deadline is, in effect, the real implementation date for the third-party risk provisions that give CPS 230 most of its operational weight.
The year is not over yet
The second half of the year brings two further obligations with direct operational implications for regulated entities and the agencies that oversee them.
From around August, Australia’s digital assets licensing regime – the Corporations Amendment (Digital Assets Framework) Bill 2025, which cleared the Senate committee in March with bipartisan support – is expected to require crypto exchanges and custody providers to hold Australian Financial Services Licences, bringing the sector under ASIC supervision for the first time. The transitional arrangements will determine how many providers can operate through the changeover and how aggressively ASIC moves against unlicensed platforms.
10 December is the commencement date for automated decision-making transparency obligations under the Privacy and Other Legislation Amendment Act 2024. From that date, organisations using automated systems to make decisions that “significantly affect” individuals must disclose this on request.
The Office of the Australian Information Commissioner (OAIC) has been monitoring readiness; early assessments suggest many entities have not yet mapped which systems will be caught. The obligation reads simply enough. Applying it is another matter, particularly for agencies and businesses whose AI-assisted processes were not originally designed with disclosure in mind.
What it means for regulators and regulated entities
For regulated entities, the immediate task is triage. Not every 1 July obligation carries equal legal risk, supervisory intensity, or public visibility. But landing all at once – multiple new programmes, multiple new regulators, multiple new governance requirements within a single financial year – is something no compliance calendar was designed to handle.
For regulators, the AUSTRAC model is worth studying. Its explicit sequencing logic – clear end-state, phased obligations, capability investment before enforcement – reflects a deliberate judgment that demanding simultaneous full compliance from 90,000 new entities would generate cosmetic compliance rather than genuine risk reduction. Other agencies facing their own version of 1 July do not all have the same latitude. But the approach – using time as a supervisory tool, treating first-year implementation as a capacity-building exercise rather than an enforcement trigger – is transferable.
No single agency owns the aggregate. Nobody asked, before all of this was set in motion, whether the total weight of what is arriving this year is something the regulatory system – both its agencies and its regulated sectors – can absorb without the quality of implementation suffering across the board. That question is being answered now, whether or not anyone is keeping score. The results will shape how Australia approaches the next round of reform – and whether anyone thinks harder about timing before the clocks start running again.
