---
url: 'https://www.corbado.com/blog/pgpa-act'
title: 'What is the PGPA Act and the PGPA rule?'
description: 'Stay compliant with the PGPA Act and PGPA Rule: Ensure governance, accountability, and cybersecurity alignment for robust risk management and transparency.'
lang: 'en'
author: 'Vincent Delitz'
date: '2024-12-17T08:53:18.761Z'
lastModified: '2026-03-25T07:01:54.277Z'
keywords: 'PGPA Act 2013, PGPA Rule 2014, Australian Cyber Regulations'
category: 'Authentication'
---

# What is the PGPA Act and the PGPA rule?

## Key Facts

- The **PGPA Act 2013**, established by the Australian Department of Finance, sets
  governance, performance and accountability standards for all Commonwealth entities and
  companies.
- **Section 16** of the PGPA Act obliges accountable authorities to implement risk
  oversight systems, extending naturally to cyber risk assessment, mitigation and
  monitoring.
- **Section 17** mandates internal control systems that safeguard information systems
  against unauthorized access, data breaches and other cyber threats.
- The **PGPA Rule 2014** translates the Act's broad principles into actionable guidelines
  covering risk management, information management, performance reporting and auditing.
- Compliance is mandatory for four entity types: non-corporate Commonwealth entities,
  corporate Commonwealth entities, wholly-owned Commonwealth companies and **government
  business enterprises**.

## 1. Introduction

The **Public Governance, Performance and Accountability (PGPA) Act 2013** serves as a
critical legislative framework for governance, performance, and accountability within
Australian [government](https://www.corbado.com/passkeys-for-public-sector) and Commonwealth organizations.

While the PGPA Act’s primary focus revolves around transparent and efficient resource
management, **its principles significantly influence how these entities approach
cybersecurity**. In particular, its focus on risk oversight, internal controls, and
accountability integrates seamlessly with modern
[cyber risk management](https://www.corbado.com/blog/cybersecurity-frameworks) strategies.

This blog will focus on:

- What are the main compliance implications of the PGPA Act?

- What are the most important security implications of the PGPA rule?

## 2. What is the PGPA Act 2013?

The PGPA Act 2013, established by the Australian Department of Finance, defines clear
standards for the governance, performance, and accountability of Commonwealth entities and
companies. Although originally enacted to ensure the sound management of financial
resources, the Act’s underlying principles promote robust governance and performance
frameworks that extend into other critical areas, including cybersecurity.

### 2.1 Key Areas of the PGPA Act 2013:

1. **Governance:** Enforces stringent governance practices to uphold integrity and
   responsible stewardship across [government](https://www.corbado.com/passkeys-for-public-sector) and
   Commonwealth entities.

2. **Performance Management:** Introduces a performance framework to measure the
   efficiency and effectiveness of these entities.

3. **Accountability:** Demands transparent reporting and disclosure, ensuring
   decision-makers remain answerable for their actions.

4. **Resource Management:** Mandates prudent use of public resources to guarantee that
   funds and assets—digital and otherwise—are employed for their intended purposes.

5. **Reporting Requirements:** Requires annual reports detailing overall performance,
   financial health, and compliance efforts, including risk management outcomes.

### 2.2 Cybersecurity Implications Under the PGPA Act

Though the PGPA Act does not explicitly target cybersecurity, its focus on risk management
and internal controls inevitably encompasses digital security threats:

- **Section 16** of the Act obliges accountable authorities to implement appropriate
  systems of risk oversight and management. In a modern operational context, this
  naturally extends to assessing, mitigating, and monitoring cyber risks.

- **Section 17** calls for the maintenance of internal control systems, which also play a
  pivotal role in safeguarding information systems against unauthorized access, data
  breaches, and other cyber threats.

### 2.3 Who Must Comply with the PGPA Act?

Compliance with the PGPA Act is mandatory for specific Commonwealth entities, reflecting
the [government](https://www.corbado.com/passkeys-for-public-sector)’s commitment to consistent standards of
governance and accountability across these organizations. It applies to all Commonwealth
entities, including:

- Non-corporate Commonwealth entities (NCEs)

- Corporate Commonwealth entities (CCEs)

- Wholly-owned Commonwealth companies (CCs)

- Government business enterprises (GBEs)

**Penalties for Non-Compliance**

- Administrative sanctions, such as increased reporting obligations or reduced funding

- Legal penalties, including fines or remedial orders

- Reputational damage, undermining trust and potentially impacting
  [stakeholder](https://www.corbado.com/blog/passkeys-stakeholder) confidence

## 3. What is the PGPA Rule 2014?

The Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) complements
the Act by **translating its broad principles into actionable guidelines**. While not
explicitly cybersecurity-focused, these detailed provisions offer valuable direction for
strengthening governance, performance, and accountability measures that directly affect
cyber defense strategies.

### 3.1 Key Provisions of the PGPA Rule (From a Cybersecurity Perspective):

1. **Risk Management:** Requires entities to identify, assess, and manage risks—cyber
   threats included. Integrating cybersecurity into the enterprise-wide risk management
   framework ensures ongoing monitoring and mitigation of emerging digital risks.

2. **Information Management:** Stresses the importance of safeguarding sensitive
   information. Entities must employ robust controls to protect against unauthorized
   access, data loss, or tampering.

3. **Performance & Accountability Reporting:** Mandates annual reporting that can
   encompass cybersecurity performance, including how well entities manage cyber threats
   and maintain system resilience.

4. **Auditing:** Requires both internal and external audits of financial and performance
   statements. Cybersecurity measures and compliance can also be audited, providing
   assurance that policies are effective and properly implemented.

### 3.2 Aligning the PGPA Act with Other Australian Cyber Regulations

The PGPA Act complements existing Australian cyber regulations by establishing a
governance environment that supports robust cybersecurity practices. For example, it
enhances the implementation of:

- **Security of Critical Infrastructure (SOCI) Act 2018:** Focuses on safeguarding
  critical systems and infrastructure.

- **Australian Government Information Security Manual (ISM):** Offers guidelines for
  securing government information and systems.

- **Protective Security Policy Framework (PSPF):** Provides a scalable policy framework to
  safeguard people, information, and physical assets.

By promoting a culture of accountability and continuous risk management, the PGPA Act
encourages the integration of cybersecurity best practices. The result is a more resilient
cybersecurity infrastructure, as organizations must not only comply with explicit cyber
regulations but also embed these measures into their core governance and performance
frameworks.

## 4. Conclusion

While primarily centered on governance, performance, and accountability, the PGPA Act 2013
and the supporting PGPA Rule 2014 significantly influence cybersecurity strategies across
Commonwealth entities. By emphasizing risk management, transparent reporting, and sound
governance, the PGPA framework drives a more proactive and integrated approach to securing
digital assets.

Organizations that align their cybersecurity programs with the PGPA Act not only meet
compliance obligations but also build a strong defense against evolving cyber
threats—ultimately ensuring the integrity, reliability, and trustworthiness of their
operations.

## Frequently Asked Questions

### What penalties can Commonwealth entities face for not complying with the PGPA Act?

Non-compliant entities may face administrative sanctions such as increased reporting
obligations or reduced funding. Penalties also include legal consequences such as fines or
remedial orders, as well as reputational damage that can undermine stakeholder confidence.

### What is the difference between the PGPA Act 2013 and the PGPA Rule 2014?

The PGPA Act 2013 establishes broad governance, performance and accountability standards
for Commonwealth entities, while the PGPA Rule 2014 translates those principles into
specific, actionable guidelines. The Rule adds concrete provisions around risk management,
information management, performance reporting and auditing that give organizations
operational direction.

### How does the PGPA framework fit alongside other Australian cybersecurity regulations like the SOCI Act?

The PGPA Act complements specific Australian cyber regulations by establishing a
governance environment that supports robust cybersecurity practices. It enhances
implementation of the Security of Critical Infrastructure Act 2018, the Australian
Government Information Security Manual and the Protective Security Policy Framework by
embedding accountability and continuous risk management into core governance frameworks.

### Does the PGPA Act explicitly require cybersecurity controls or only general risk management?

The PGPA Act does not explicitly target cybersecurity, but its risk management and
internal control provisions naturally extend to digital threats in a modern operational
context. Section 16 covers risk oversight and Section 17 covers internal controls, both of
which apply directly to protecting information systems against cyber threats.
