Digital service providers to use TLS version 1.3
To strengthen the security of ATO systems, protect taxpayers, and align with whole-of-government cryptographic standards, we will no longer accept Transport Layer Security (TLS) version 1.2 on inbound channels.
From 31 January 2026, digital service providers (DSPs) must use TLS version 1.3 in their software that interacts with ATO systems, such as:
- ATO digital wholesale services (SBR1 and SBR2)
- ATO API Portal.
This change is part of a broader effort to mitigate risks associated with legacy encryption protocols. TLS 1.2 is considered vulnerable to downgrade attacks, weak cipher negotiation, and compromised forward secrecy. Continued use may expose sensitive data to interception, particularly in scenarios involving static RSA key exchange or outdated cryptographic libraries.
The Australian Signals Directorate (ASD) no longer considers TLS 1.2 suitable as an ASD-Approved Cryptographic Protocol (AACP). The following Information Security Manual (ISM) control now applies – ISM-0481 (September 2025): Only AACPs or high assurance cryptographic protocols are used by cryptographic equipment, applications and libraries. For further information regarding ISM controls and TLS, refer to the Australian Government – Guidelines for using cryptography.
Information for taxpayers
If you use software to interact with us, we recommend contacting your DSP to confirm their software uses TLS 1.3 to communicate with ATO systems and that your operating system is compatible. Supported systems include:
- Windows 11 or higher
- macOS 10.15 or higher
- Windows Server 2022.