The Australian government has directed all non-corporate Commonwealth entities to remove Russian cybersecurity company Kaspersky Lab’s products and web services from their systems, citing security risks. The directive, issued under the Protective Security Policy Framework (PSPF), applies to entities governed by the Public Governance, Performance and Accountability Act 2013.
According to the Department of Home Affairs, the directive follows an assessment of potential threats related to foreign interference, espionage, and data exposure. The government determined that Kaspersky’s data collection practices and its obligations under foreign laws present an “unacceptable security risk” to Australian networks and information.
Entities subject to the directive must identify and remove all instances of Kaspersky products from government systems and devices by 1 April 2025. They must also take measures to prevent any future installations. Compliance confirmation must be reported to the Commonwealth Security Policy Branch within the Department of Home Affairs.
A provision for an exemption allows the use of Kaspersky software under specific circumstances, limited to national security and regulatory functions. Entities requesting an exemption must demonstrate a legitimate business need, apply necessary risk mitigation measures, and comply with conditions set out in Policy Explanatory Note 002/25.
In response to the directive, Kaspersky denied the security concerns cited by the Australian government. A company spokesperson told BleepingComputer that the allegations are “not based on specific evidence” and criticised the decision, arguing that no due process was followed. The company has previously rejected similar actions by other governments, attributing restrictions to geopolitical factors rather than technical risks.
Australia follows global trend of restrictions
The ban aligns with measures taken by several other countries regarding Kaspersky’s security products. The US prohibited the use of Kaspersky software on federal systems in 2017, later expanding the ban in September 2024 to cover all US businesses and consumers. The US Department of Commerce’s Bureau of Industry and Security (BIS) placed Kaspersky and its business units AO Kaspersky Lab, OOO Kaspersky Group, and UK-based Kaspersky Labs Limited on its Entity List, identifying them as national security risks due to alleged ties to Russian intelligence and military operations.
Following the US expansion of restrictions, Kaspersky closed its UK office in October 2024 and announced job cuts. In a statement, Kaspersky spokesperson Francesco Tius confirmed that the company was shifting its UK operations to its partner network.
Germany and Canada have also taken steps to limit Kaspersky’s presence in government systems. The German government advised companies against using Kaspersky products after Russia’s invasion of Ukraine. In October 2023, Canada banned Kaspersky security products from government-issued mobile devices.
Read more: US government bans sales of Kaspersky antivirus software
