Australia: Security of Critical Infrastructure Act 2018 (Cth) Reforms

Latest developments

In November 2021, the Australian Parliament passed the first phase of reforms to the SOCI Act. The legislation was given royal assent in December 2021. Subsequently, the Australian Parliament passed the second phase of reforms on 31 March 2022 and the legislation was given assent on 1 April 2022.

Summary

The first phase of reforms expands the scope of the SOCI Act by:

• Introducing new ‘critical infrastructure sectors’, including the communications and data storage or processing sectors;
• Imposing obligations relating to mandatory cyber- incident reporting (including within 24 and 72 hour timeframes);
• Expanding requirements to provide information to the Register of Critical Infrastructure Assets. However, these obligations will not automatically apply and instead need to be 'switched on' by rules underlying the SOCI Act (subject to grace periods); and
• Granting the government a range of new powers, including to intervene, seek information and compel action in the event of a cybersecurity incident.

The second phase of the reforms introduces obligations to maintain risk management programs and additional cybersecurity obligations on critical infrastructure assets designated as systems of national significance. 

The Security of Critical Infrastructure (Critical Infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules) commenced on 17 February 2023. Section 4 of CIRMP Rules lists the asset classes for which responsible entities must establish, maintain, and comply with a written risk management program to manage a ‘material risk’ or a ‘hazard’ occurring which could have a relevant impact on their critical infrastructure asset. Responsible entities must, as far as it is reasonably practicable, minimise or eliminate the ‘material risk’ and mitigate the relevant impact of the ‘hazard’.

AusCheck Legislation Amendment (Critical Infrastructure Background Check) Regulations 2023 amended the AusCheck Regulations 2017 to provide for the establishment and operation of the AusCheck background checking scheme in relation to individuals for whom a CIRMP Rules permits a background check.

How could it be relevant for you?

The grace period for the risk management program obligation has now ended. Responsible entities should have developed and implemented a risk management program as of 18 August 2023. The requirement to have a risk management program does not apply to every critical infrastructure asset, only those listed in s 4 of the CIRMP Rules which includes:

• A critical broadcasting asset;
• A critical domain name system;
• A critical data storage or processing asset;
• A critical electricity asset;
• A critical energy market operator asset;
• A critical gas asset;
• A designated hospital;
• A critical food and grocery asset;
• A critical freight infrastructure asset;
• A critical freight services asset;
• A critical liquid fuel asset;
• A critical payment system; and
• A critical water asset.

Next steps

Responsible entities must review and update their risk management program on a regular basis and provide an annual report to the Department of Home Affairs regarding the risk management program within 90 days after the end of the financial year. The first report is required by 28 September 2024.

*Information is accurate up to 27 November 2023