Australian E-Commerce Risk Landscape 2026 | Renatus
RESEARCH RISK ASSESSMENT
Retail & Consumer · Australia · 10 Apr 2026

Australian E-Commerce Risk
Landscape 2026

Australian e-commerce is growing — the market is valued at roughly USD 51 billion in 2026 and forecast to reach USD 90 billion by 2031[Mordor Intelligence] — but the risk environment has shifted sharply.

Regulatory pressure that spent years as theoretical is now materialising into enforceable law. The Competition and Consumer Amendment (Unfair Trading Practices) Bill 2026 targets the specific mechanics of online retail: countdown timers, hidden fees, subscription traps, and drip pricing. The ACCC's 2026–27 enforcement priorities, announced in February 2026, make digital markets the explicit focus. Online marketplaces, not bricks-and-mortar chains, are now in the regulator's crosshairs.

Three forces are converging at the same time: regulators are moving from inquiry to enforcement, cybersecurity threats are producing real operational damage at Australian retailers, and new entrants — Temu at 47% consumer penetration and Shein at 30%[Pattern] — are compressing margins before established platforms have resolved their cost structures. The result is a risk environment where the dangers are no longer evenly distributed across likelihood and time horizon. Some are already costing money. The question for investors is not whether risk is present — it is which risks have already started to bite.

Market size (2026) USD 51.2B
Australian e-commerce market, Mordor Intelligence
  1. Regulatory risk has moved from inquiry to enforcement — the law is changing now. The Competition and Consumer Amendment (Unfair Trading Practices) Bill 2026, released in early 2026, prohibits dark patterns, drip pricing, and subscription traps — practices embedded in the operating models of most major Australian online marketplaces[APH].

  2. Cybersecurity incidents are not theoretical — they are already shutting businesses down. The Sydney Tools breach in March 2025 exposed 34 million customer records; MediSecure, compromised via ransomware, entered voluntary administration — both demonstrate that Australian organisations are failing to contain breaches before they become existential[AIC].

  3. Temu and Shein are already inside the Australian market at scale, not approaching it. Temu reached 47% consumer penetration and Shein 30% among Australian online shoppers by 2026, compressing pricing expectations before most domestic platforms have addressed their own cost structures[Pattern].

  4. BNPL compliance obligations are now law, changing the checkout economics of online retail. The Treasury Laws Amendment (Responsible Buy Now Pay Later) Bill passed 29 November 2024, requiring BNPL providers to hold Australian Credit Licences — directly affecting retailers whose conversion rates depend on Afterpay and Zip integrations[APH].

1. Legislative Risk

The Unfair Trading Practices Bill 2026 rewrites the rules for how online retailers can sell.

Dark patterns, drip pricing, and subscription traps are now prohibited by name — not just in principle.

The Competition and Consumer Amendment (Unfair Trading Practices) Bill 2026 — informally called the Digital Economy Bill — amends the Australian Consumer Law to prohibit a specific list of practices that have been standard in online retail for years[APH]. Countdown timers that are not real. Fees that appear only at the final checkout step. Cancel buttons that require five clicks. Subscription services designed to be difficult to exit. These are not vague categories — they are the mechanics of conversion optimisation used by nearly every major Australian marketplace. Compliance will require retailers to audit and rebuild checkout flows, subscription architectures, and pricing disclosure across their platforms.

Key legislation and regulatory changes affecting Australian e-commerce in 2025–2026.
Status as at April 2026.
Competition and Consumer Amendment (Unfair Trading Practices) Bill 2026 (Released early 2026 — before Parliament)

Prohibits dark patterns, drip pricing, countdown timers, confirm-shaming, and subscription cancellation barriers in digital markets. Directly targets online marketplace and retail checkout practices.

Amends
Australian Consumer Law
Enforcer
ACCC
Primary targets
Online retailers and marketplaces
Treasury Laws Amendment (Responsible Buy Now Pay Later) Bill 2024 (Passed 29 November 2024 — in force)

Requires BNPL providers to hold Australian Credit Licences. Affects retailers whose conversion rates depend on Afterpay and Zip at checkout.

Enforcer
ASIC
Affected parties
Afterpay, Zip, and merchant integrators
Risk
Checkout conversion if BNPL tightens eligibility
AML/CTF Act Amendments (Commences 31 March 2026 (existing) / 1 July 2026 (new entities))

Expands anti-money laundering and counter-terrorism financing obligations to virtual asset services and newly regulated entities, including high-volume e-commerce platforms.

Enforcer
AUSTRAC
Priority
Enforcement against non-compliance from mid-2026
Signal
AUSTRAC enforcement announcements post-July 2026
Treasury Laws Amendment (Regulating Digital Asset Platforms) Bill 2025 (Draft released 25 September 2025 — consultation phase)

Imposes licensing on digital asset platforms under the Corporations Act. Affects e-commerce platforms handling digital tokens or tokenised payment mechanisms.

Enforcer
ASIC
Status
Draft — not yet passed
Timeframe
Legislative passage expected 2026–2027

The ACCC's 2026–27 enforcement priorities, announced February 2026, explicitly name online marketplaces as a focus area for manipulative and false practices[Baker McKenzie]. Chair Gina Cass-Gottlieb tied this directly to the Digital Platforms Services Inquiry, signalling that the regulator is moving from data-gathering to enforcement action. The ACCC's stated approach — data-driven risk identification — means platforms with volume will attract attention first. Amazon Australia, Catch, and Kogan sit at the top of that list by scale, though the ACCC has not named specific enforcement targets publicly.

Two other legislative changes directly affect e-commerce operations. The Treasury Laws Amendment (Responsible Buy Now Pay Later) Bill, passed 29 November 2024, now requires BNPL providers including Afterpay and Zip to hold Australian Credit Licences and comply with consumer credit protection laws[APH]. Retailers whose checkout conversion depends on BNPL availability face risk if providers tighten eligibility or withdraw products. Separately, AML/CTF reforms commence 31 March 2026 for existing entities and 1 July 2026 for newly regulated parties — adding compliance obligations for platforms handling high-value or high-volume transactions[AUSTRAC].

2. Cybersecurity Risk

Ransomware is the number one threat — and it has already sent one Australian business into administration.

The Sydney Tools breach exposed 34 million records. MediSecure went into voluntary administration. Both happened in 2025.

Ransomware is the primary cybersecurity threat facing Australian e-commerce businesses in 2026, according to the Australian Signals Directorate's Annual Cyber Threat Report 2024–25[ASD]. Attackers encrypt business data and threaten to publish stolen customer records unless a ransom is paid. For e-commerce retailers — who hold customer names, addresses, purchase histories, and payment data — a breach creates simultaneous obligations: regulatory notification, customer communication, potential class-action exposure, and operational disruption. The average cost of a cyber incident for large Australian organisations rose 219% in 2025[PwC]. Online shopping fraud costs an average of AUD 36,633 per incident[AIC].

Cyber risk priorities for Australian e-commerce operators — ranked by threat severity.
Based on ASD Annual Cyber Threat Report 2024–25 and AIC Cybercrime in Australia 2024.
1
Ransomware — data encryption and extortion
Attackers encrypt retailer systems and threaten to publish customer data. MediSecure entered voluntary administration after a ransomware attack stole 6.5TB of records. Named as the #1 threat in ASD's 2024–25 Annual Cyber Threat Report.
2
Third-party supplier compromise
Breaches enter through logistics partners, marketplace API integrations, and payment processors. The Qantas 2025 breach (6 million records) was a third-party compromise. E-commerce retailers with multiple platform integrations face compounded exposure.
3
Customer data exposure — 34 million records
Sydney Tools' March 2025 breach exposed 34 million customer records including purchase histories from 2005. Class-action litigation and regulatory investigation followed. Online shopping fraud averages AUD 36,633 per incident (AIC 2024).
4
Unpatched systems and remote access credential theft
ASD identifies these as the most common attack entry points. E-commerce platforms running multiple integrations often have software components that are not updated centrally — creating exploitable gaps without requiring sophisticated attackers.
5
Mandatory incident reporting obligations
The Cyber Security Act 2024 introduced mandatory reporting requirements for significant cyber incidents. Failure to report adds regulatory liability on top of the breach itself — a double exposure for platforms that delay disclosure.

Two incidents define the stakes. Sydney Tools, a hardware retailer, suffered a breach in March 2025 that exposed 34 million customer records including names, addresses, and purchase history dating to 2005 — triggering regulatory investigation and class-action risk[AIC]. MediSecure, a healthcare platform, was hit by ransomware that stole 6.5 terabytes of data covering records from 2019 to 2023 — and the company entered voluntary administration as a direct result. Neither of these organisations was a tier-one technology company with inadequate security investment. Both were mid-sized Australian businesses operating digital platforms.

The ASD report identifies the most common attack vectors as unpatched software vulnerabilities and compromised remote access credentials — both failures of operational maintenance rather than sophisticated espionage[ASD]. For e-commerce retailers running third-party logistics integrations, marketplace APIs, and customer data platforms across multiple cloud environments, the attack surface is wide and often poorly inventoried. The Qantas breach in 2025 — six million customer records stolen via a third-party supplier — illustrates that the risk is not contained within first-party systems[PwC]. Any supplier with system access is a potential entry point. Sixty-two percent of Australian business leaders are increasing cyber investment in 2026[PwC] — but investment without architecture review does not close the vulnerabilities already open.

3. Competitive Risk

Temu and Shein are already at scale in Australia — established platforms are fighting a price war they did not budget for.

47% of Australian online shoppers used Temu in 2026. That is not a trajectory. That is a fact.

Temu reached 47% consumer penetration among Australian online shoppers by 2026[Pattern]. Shein reached 30%. Amazon reached 60% — the highest of any single platform. eBay, which held 62% usage as recently as 2023, fell to 51% by 2026[Pattern]. These numbers describe a market that has already restructured around new entrants rather than one that is still adjusting. Temu and Shein do not operate like conventional retailers. They use ultra-low pricing funded by Chinese manufacturing at cost, combined with direct-to-consumer shipping that bypasses Australian warehousing entirely. Established platforms — Catch, MyDeal, Kogan — cannot match those economics without compressing margins that are already thin.

Shopper penetration rates across major Australian e-commerce platforms, 2026.
Percentage of Australian online shoppers using each platform, Pattern 2026 Australia Marketplace Consumer Report.
Amazon Australia
60%
eBay Australia
51%
Temu
47%
Shein
30%

The mechanism is pricing expectation compression. When a consumer can order a comparable product from Temu at one-third the price of a domestic retailer, the domestic retailer's listed price starts to look wrong rather than fair. This dynamic is not new globally — it played out in the United States and United Kingdom before reaching Australia — but the speed of penetration in Australia has been faster than most domestic operators anticipated. Kogan, which built its model on value-priced consumer electronics and general merchandise, is structurally exposed to direct competition from platforms with lower landed costs and no Australian warehousing overhead.

The investor risk is not that Temu and Shein will capture 80% of Australian e-commerce. It is that their presence permanently resets price expectations in the categories — general merchandise, apparel, electronics accessories, homewares — where domestic platforms earn most of their volume. Platforms that cannot differentiate on delivery speed, product authenticity, returns convenience, or local brand relationships will face sustained margin pressure with no clear exit. The signal to watch is whether ASX-listed retailers begin reporting gross margin deterioration in these categories specifically — not just revenue softness.

4. Regulatory Enforcement Risk

The ACCC is using marketplace product safety as an active enforcement tool — not a future threat.

Online marketplaces are explicitly named in ACCC's 2026–27 priorities. Button batteries and lithium-ion products are the specific focus.

The ACCC's 2026–27 enforcement priorities explicitly target online marketplaces for unsafe consumer products[Baker McKenzie]. The two product categories named are button batteries — which cause severe internal injuries in children who swallow them — and lithium-ion batteries, which present fire risk. Both categories are heavily represented in the general merchandise and electronics accessories segments that Kogan, Catch, and Amazon Australia's third-party marketplace sellers trade in. The ACCC's approach is data-driven risk identification: it monitors listings at scale and flags platforms with systemic compliance failures rather than pursuing one-off product recalls.

ACCC product safety enforcement drivers targeting Australian online marketplaces in 2026–27.
Based on ACCC 2026–27 Compliance and Enforcement Priorities, announced February 2026.
Button battery compliance Active enforcement focus
ACCC explicitly targets button battery listings on online marketplaces due to child injury risk. Platforms with third-party sellers in general merchandise and toys face highest exposure.
Lithium-ion battery product safety Active enforcement focus
Lithium-ion battery products — including e-bike batteries, power banks, and charging accessories — are a named ACCC 2026–27 priority following fire incidents. High volume on Kogan, Catch, and Amazon third-party listings.
Australian Product Safety Pledge Compliance obligation
ACCC administers an enhanced Product Safety Pledge requiring marketplaces to monitor listings proactively and remove unsafe products. Non-signatories and Pledge signatories without implementation face enforcement.
International platform collaboration Cross-border enforcement
ACCC named international collaboration — targeting cross-border listings on platforms like Amazon Australia — as a 2026–27 priority to identify products banned in other jurisdictions before they enter Australian retail.
Data-driven risk identification Enforcement method
ACCC uses data-driven monitoring to identify platforms with systemic compliance failures rather than pursuing individual product complaints. Platforms with high third-party seller volume are flagged first.

The Australian Product Safety Pledge, which the ACCC administers, requires marketplace platforms to commit to enhanced monitoring, rapid removal of unsafe listings, and proactive engagement with international counterparts to identify products banned in other jurisdictions before they reach Australian consumers[Ashurst]. Platforms that have not formally signed the Pledge or that have signed but failed to implement monitoring systems face the highest enforcement exposure. The ACCC noted that international collaboration — specifically targeting Amazon Australia for its cross-border listings — is a stated 2026–27 priority. No specific fines have been named publicly as at April 2026, but the regulatory posture has shifted from education to enforcement.

The financial consequences of a product safety enforcement action are not limited to the fine itself. A mandatory recall of a product category sold across thousands of third-party listings requires platform-wide audits, customer notification at scale, and potential compensation obligations. The remediation cost in comparable international cases has run into the tens of millions of dollars. For marketplace-model retailers whose revenue depends on third-party seller volume, restricting or removing entire product categories to achieve compliance creates a direct revenue hole.

Australian GDP growth forecast 2026–27
1.9%
Down from 2.4% in 2025–26. Deloitte Australian Business Outlook.
Leaders citing inflation cost control as top challenge
39%
KPMG 2025 Australian business survey.
Average international shipping cost per parcel
AUD 25
Cross-border e-commerce imports. Mordor Intelligence.

Deloitte forecasts Australian GDP growth at 1.9% for 2026–27, down from 2.4% in 2025–26[Deloitte]. For e-commerce, which is concentrated in discretionary categories — apparel, electronics, homewares, toys — a slowing economy means consumers prioritise essentials and delay non-urgent purchases. The KPMG 2025 business survey found that 39% of business leaders named inflation-driven cost control as the top operational challenge, and 38% cited evolving regulation[KPMG]. These two pressures — squeezed consumer wallets and rising compliance costs — arrive together for online retailers.

The RBA's interest rate decisions feed into this picture through household budget pressure rather than direct e-commerce financing costs. Higher mortgage repayments reduce the discretionary income available for online shopping. The research available does not provide specific RBA rate data tied to e-commerce spending metrics, and no ABS retail trade data was available in the research for this report — a gap that limits the precision of this section. What the data does show is the direction: cost pressures are rising, growth is slowing, and the consumer base for discretionary online retail is under financial stress.

Cross-border shopping adds an additional dimension. International shipping costs average AUD 25 per parcel for e-commerce imports, which deters approximately 60% of Australian consumers from completing cross-border purchases[Mordor Intelligence]. This creates a partial moat for domestic retailers in categories where fulfilment speed and cost matter — but it does not protect them from ultra-low-cost platforms like Temu and Shein that absorb shipping costs within their pricing model. The macroeconomic environment rewards platforms with the lowest total landed cost. Right now, that is not the domestic incumbents.

6. Operational Risk

Rural delivery surcharges and logistics concentration create a structural cost risk that is already in ASX filings.

Australia Post's rural surcharges in Western Australia, the Northern Territory, and Queensland outback are already inflating costs for volume retailers.

Australia's geography is one of the most structurally challenging for e-commerce fulfilment of any developed market. Delivering to regional and remote areas — which represent a significant share of Australian households — costs multiples of the metropolitan rate. Australia Post rural surcharges introduced in 2025 for low-density routes in Western Australia, the Northern Territory, and outback Queensland are already inflating per-order costs for platforms that offer nationwide free shipping as a baseline promise[Mordor Intelligence]. The drag on CAGR from rural surcharges and regulatory costs is estimated at 1.1–1.4 percentage points[Mordor Intelligence].

Regional logistics risk profile for Australian e-commerce delivery.
Based on Mordor Intelligence 2026 and Pattern 2026 Australia Marketplace Consumer Report.
Metropolitan Australia Lowest logistics risk
Dense population, multiple delivery options, Australia Post and StarTrack both compete. Free shipping economically viable for most ticket sizes. Cart abandonment rates manageable.
Outback Queensland / WA / NT
Highest logistics cost pressure Australia Post rural surcharges imposed in 2025. Per-parcel costs multiples of metro rate. Cart abandonment exceeds 40% for orders under AUD 100. Estimated 1.4 percentage point CAGR drag.
Regional coastal cities
Medium logistics risk Moderate delivery costs but limited same-day or next-day alternatives to Australia Post. StarTrack coverage variable. Some platforms restrict free shipping to metro postcodes, reducing regional conversion.
Cross-border imports
Managed by entrants, not incumbents Temu and Shein absorb international shipping costs within their pricing model. Average cross-border parcel cost of AUD 25 deters 60% of consumers from completing purchases — except on platforms that hide the cost in the price.

The research available for this report does not contain specific named data on Australia Post operational capacity, StarTrack pricing schedules, or named retailer ASX filings disclosing logistics cost impacts — a material gap. What the research does confirm is the structural dynamic: cart abandonment rates for orders under AUD 100 exceed 40% in regional markets due to visible shipping costs[Mordor Intelligence]. Platforms that absorb shipping costs to stay competitive in regional Australia are doing so at a direct margin cost. Platforms that charge for shipping in regional Australia lose conversion. Neither outcome is neutral.

The concentration of logistics infrastructure around Australia Post and StarTrack creates a dependency risk that is rarely discussed publicly but is operationally significant. An industrial dispute, a significant capacity constraint, or a pricing reset from either carrier affects virtually every Australian e-commerce retailer simultaneously — there is no equivalent national-scale alternative network. This is not a risk that has materialised in 2025–26 in a way visible from the available research, but it is a background condition that makes the sector structurally less resilient than equivalent markets in the United States or Europe, where multiple national carriers compete on comparable infrastructure.

7. Investor Signals

Five leading indicators that tell an investor the risk environment is shifting — with specific thresholds.

The signals that matter are not the ones that confirm a risk has arrived. They are the ones that give an investor 60–90 days of warning.

ASX earnings announcements from Kogan (ASX: KG1), Woolworths (ASX: WOW), and Wesfarmers (ASX: WES, operator of Big W Online) are the most direct early warning system for margin pressure. The specific language to watch for is mentions of Australia Post rural surcharges, ACCC marketplace fee cap proposals, or BNPL conversion softness[Mordor Intelligence]. A single company flagging this is noise. Two or more flagging the same dynamic in the same quarter is a structural signal. eBay Australia's usage decline from 62% to 51% between 2023 and 2026[Pattern] was visible in marketplace engagement metrics before it appeared in financial results.

Investor monitoring framework: signals, thresholds, and monitoring cadence for Australian e-commerce risk.
Synthesised from ACCC, ASD, Deloitte, ABS, and Pattern research.
ASX Earnings Watch
Quarterly
Kogan (KG1), Woolworths (WOW), Wesfarmers (WES)
Monitor for language on rural surcharges, BNPL conversion softness, or gross margin deterioration in general merchandise and apparel.
Two or more retailers flagging the same dynamic in one quarter signals a structural shift, not company-specific underperformance.
ACCC Media Releases
Continuous
ACCC (accc.gov.au/media-releases)
Filter for digital markets, online retail, and consumer protection. Investigation announcements precede formal proceedings by months.
An investigation announcement moves before a fine. Investors who monitor ACCC releases have 60–90 days of lead time over those who wait for financial results.
ABS Monthly Retail Trade
Monthly — first Thursday
ABS (abs.gov.au)
Watch for e-commerce subsector year-on-year growth falling below 10% against a 1.9% GDP backdrop.
A reading below 10% YoY in e-commerce growth confirms demand deterioration — not just competitive share shifts between platforms.
Consumer Sentiment Index
Monthly
Westpac-Melbourne Institute
A reading below 90 correlates with material discretionary spending pullback and BNPL uptake softening.
Afterpay has 3.5 million Australian users. Sentiment below 90 historically precedes BNPL volume decline and higher fashion return rates — both margin drains.
Australia Post Tariff Updates
Quarterly
Australia Post / StarTrack (australiapost.com.au)
Monitor B2C rate cards and rural surcharge levels against the 2025 baseline.
A further surcharge increase above the 2025 rural baseline flows into per-order economics within one billing cycle for volume retailers with nationwide free shipping promises.

ACCC media releases are the clearest leading indicator for regulatory enforcement risk. The ACCC announces investigation targets publicly before commencing formal proceedings. An announcement that a named Australian online marketplace is under investigation for dark patterns, drip pricing, or unsafe product listings will trigger stock price movement and operational remediation costs before any fine is issued. The relevant URL to monitor is accc.gov.au/media-releases — filtering for digital markets, online retail, and consumer protection. ABS Monthly Retail Trade data (released on the first Thursday of each month) provides the macro demand signal: a reading showing e-commerce subsector growth falling below 10% year-on-year, against a 1.9% GDP backdrop[Deloitte], would confirm demand-side deterioration rather than competitive share loss.

The consumer confidence threshold that historically correlates with material spending pullback in discretionary categories is a Westpac-Melbourne Institute Consumer Sentiment Index reading below 90. At that level, BNPL uptake by Afterpay's 3.5 million Australian users[Mordor Intelligence] tends to soften, and fashion return rates — already a margin drain — rise further. The fifth signal is logistics pricing: Australia Post quarterly tariff updates at australiapost.com.au. A further rural surcharge increase above the 2025 baseline, or a StarTrack rate card revision affecting B2C delivery, will flow directly into per-order economics within one billing cycle for most platforms.

Intelligence Brief

Key things to remember

1

The Unfair Trading Practices Bill 2026 makes standard checkout optimisation illegal — most Australian marketplaces will need to rebuild their purchase flows.

Dark patterns including countdown timers, drip pricing, and confirm-shaming are prohibited by name in the Bill released in early 2026 — practices embedded in virtually every major Australian e-commerce checkout[APH].

2

MediSecure entered voluntary administration after a ransomware attack — Australian e-commerce operators face the same structural vulnerability.

MediSecure had 6.5TB of data stolen and could not recover financially; Sydney Tools' March 2025 breach exposed 34 million records and triggered class-action risk — both demonstrate that a single cyber incident can be an existential event for a mid-sized Australian digital platform[AIC].

3

Temu reached 47% shopper penetration in Australia by 2026 — eBay lost 11 percentage points of penetration in three years.

eBay Australia fell from 62% usage in 2023 to 51% in 2026 as Temu (47%) and Shein (30%) absorbed discretionary shoppers in general merchandise and apparel — the categories where domestic platforms earn most of their volume[Pattern].

4

BNPL is now regulated like consumer credit — Afterpay and Zip must hold Australian Credit Licences as of November 2024.

The Treasury Laws Amendment (Responsible Buy Now Pay Later) Bill passed 29 November 2024, and any tightening of eligibility criteria by BNPL providers will directly reduce conversion rates for online retailers whose checkout depends on BNPL availability[APH].

5

AML/CTF obligations expand to newly regulated entities including virtual asset services from 1 July 2026.

AUSTRAC's 2025–26 regulatory priorities confirm enforcement focus from mid-2026 — e-commerce platforms handling digital tokens, high-value transactions, or cryptocurrency payments face compliance obligations that did not exist in their operating model twelve months ago[AUSTRAC].

6

The ACCC uses data-driven platform monitoring — volume is not protection, it is exposure.

The ACCC's 2026–27 approach identifies systemic compliance failures across platform listings rather than investigating individual product complaints — meaning the largest marketplaces by third-party seller volume face the highest enforcement probability[Baker McKenzie].

7

Cart abandonment in regional Australia exceeds 40% for orders under AUD 100 — and rural surcharges are still rising.

Australia Post's 2025 rural surcharges in Western Australia, the Northern Territory, and outback Queensland are already inflating per-order costs; Mordor Intelligence estimates a 1.4 percentage point CAGR drag from rural logistics costs — a structural disadvantage for platforms with national free-shipping commitments[Mordor Intelligence].

8

Average cyber crime costs for large Australian organisations rose 219% in 2025 — yet supply chain entry points remain largely unaudited.

The Qantas 2025 breach — six million records stolen via a third-party supplier — and the Sydney Tools incident demonstrate that the attack surface for Australian digital retailers extends through every logistics, payments, and marketplace integration in their technical stack[PwC].

About About this report

This report maps the specific, evidenced risks facing Australian e-commerce retailers and investors in 2025 and 2026, distinguishing between risks already materialising and those still emerging.

Investors with exposure to Australian e-commerce, including ASX-listed retailers, private market positions, and adjacent financial services businesses.

Ren synthesised research from government legislative sources, ACCC enforcement announcements, the Australian Signals Directorate's 2024–25 Annual Cyber Threat Report, Deloitte's Australian business outlook, and industry data from Mordor Intelligence, IBISWorld, and Pattern's 2026 Australia Marketplace Consumer Report.

Primary data is from 2025–2026; market size projections are from Mordor Intelligence (2026); some cybersecurity incident data references events from early 2025.

Sources Sources & Methodology

Research conducted 10 Apr 2026. All statistics carry inline citation markers.

Tier 1 — Primary sources
Annual Cyber Threat Report 2024–25 · Australian Signals Directorate (ASD) · 2025 · Government security report · Cybersecurity risk section — ransomware threat assessment, attack vector identification
Competition and Consumer Amendment (Unfair Trading Practices) Bill 2026 — Bills Search Results · Australian Parliament House · Early 2026 · Government legislation · Regulatory risk section — dark patterns, drip pricing, unfair trading prohibitions
Regulatory Expectations and Priorities 2025–26 · AUSTRAC · 2025 · Government regulatory guidance · Regulatory risk section — AML/CTF reforms and commencement dates
Business Outlook Press Release · Deloitte Australia · 2026 · Economic forecasting report · Macroeconomic risk section — GDP growth forecasts 2026–27
Cybercrime in Australia 2024 (Statistical Report 53, v2) · Australian Institute of Criminology (AIC) · August 2025 · Government research report · Cybersecurity section — Sydney Tools breach, online shopping fraud costs, MediSecure
Treasury Laws Amendment (Responsible Buy Now Pay Later and Other Measures) Bill 2024 · Australian Parliament House · 29 November 2024 · Government legislation · Regulatory risk section — BNPL Credit Licence requirements
Tier 2 — Supporting sources
Australia E-Commerce Market Report 2026 · Mordor Intelligence · 2026 · Industry research report · Market size figures, rural logistics cost data, cart abandonment rates, CAGR estimates, BNPL user figures
Online Shopping Industry Report — Australia · IBISWorld · 2025 · Industry research report · Background market growth rates
Australia: ACCC's 2026-27 Compliance and Enforcement Priorities · Baker McKenzie · February 2026 · Legal analysis of regulatory announcement · ACCC enforcement priorities — product safety, digital markets, dark patterns
The Year Ahead: ACCC Focuses on 11 Priorities · Ashurst · 2026 · Legal analysis of regulatory announcement · ACCC product safety pledge and enforcement posture
Cyber Threats 2025: What Businesses Need to Know · PwC Australia · 2025 · Industry analysis · Cyber incident cost increases (219%), Qantas third-party breach, cyber investment intentions
Tier 3 — Additional sources
2026 Australia Marketplace Consumer Report · Pattern · 2026 · Commercial research report · Platform penetration data — Amazon, eBay, Temu, Shein — and eBay usage decline 2023–2026
Australia's Digital Economy on Notice · JD Supra · 2026 · Legal commentary · Supplementary context on Digital Economy Bill provisions
KPMG Australian Business Outlook Survey 2025 · KPMG · 2025 · Business survey · Macroeconomic section — inflation cost control and regulatory challenge percentages
Conflicting sources

Platform penetration and market share — Pattern 2026 Report: Amazon at 60% penetration, eBay at 51%, Temu at 47% vs No corroborating Tier 1 or Tier 2 source available for these specific figures. Pattern figures used as the only available source. Confidence for competitive section capped at MEDIUM. Figures should be treated as indicative rather than definitive.

Data gaps

No ABS retail trade data (monthly or annual) was available in the research. Macroeconomic and demand risk sections rely on Deloitte and Mordor Intelligence estimates rather than official government trade statistics. Confidence for macroeconomic section capped at MEDIUM.

No ASX filings, annual reports, or earnings transcripts from Kogan (KG1), Woolworths (WOW), Wesfarmers (WES), The Iconic, or Catch were available. Financial performance data, margin trends, and company-specific risk disclosures are absent from this report.

No Australia Post Inside Australian Online Shopping report data was available. Logistics cost data relies on Mordor Intelligence estimates. Rural surcharge specifics are attributed to Mordor Intelligence without an original Australia Post source.

No specific ACCC enforcement actions against named e-commerce companies were available as at April 2026. The regulatory risk section describes the enforcement posture and legislative framework but cannot name companies under active investigation.

Currency risk (AUD exchange rate impacts on import-reliant retailers) is not quantified. No RBA rate data tied to e-commerce consumer spending was available in the research provided.

Market concentration data — revenue share by platform, marketplace GMV, or platform-specific financial metrics — is absent. The competitive section relies on consumer penetration rates from Pattern rather than revenue or GMV concentration data.

This report is produced for informational purposes only. It does not constitute financial, legal, or investment advice. All data is sourced from publicly available information as at the date of research. Renatus Ventures makes no representations as to the completeness or accuracy of third-party data.