In November 2021, the Australian Parliament passed the first phase of reforms to the SOCI Act. The legislation was given royal assent in December 2021. Subsequently, the Australian Parliament passed the second phase of reforms on 31 March 2022 and the legislation was given assent on 1 April 2022.
The first phase of reforms expands the scope of the SOCI Act by:
The second phase of the reforms introduces obligations to maintain risk management programs and additional cybersecurity obligations on critical infrastructure assets designated as systems of national significance.
The Security of Critical Infrastructure (Critical Infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules) commenced on 17 February 2023. Section 4 of the CIRMP Rules lists the asset classes for which responsible entities must establish, maintain, and comply with a written risk management program to manage a ‘material risk’ or a ‘hazard’ occurring which could have a relevant impact on their critical infrastructure asset. Responsible entities must, as far as it is reasonably practicable, minimise or eliminate the ‘material risk’ and mitigate the relevant impact of the ‘hazard’.
The AusCheck Legislation Amendment (Critical Infrastructure Background Check) Regulations 2023 amended the AusCheck Regulations 2017 to provide for the establishment and operation of the AusCheck background checking scheme in relation to individuals for whom the CIRMP Rules permit a background check.
The grace period for the risk management program obligation has now ended. Responsible entities should have developed and implemented a risk management program as of 18 August 2023. The requirement to have a risk management program does not apply to every critical infrastructure asset, only to those listed in s 4 of the CIRMP Rules, which include:
Responsible entities must review and update their risk management program on a regular basis and provide an annual report to the Department of Home Affairs regarding the risk management program within 90 days after the end of the financial year. The first report is required by 28 September 2024.
*Information is accurate up to 27 November 2023