
Telecommunications security reforms

The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (ERP Act) received Royal Assent on 29 November 2024. Following this, Schedule 5 of the ERP Act, which relates to telecommunications security, commenced on 4 April 2025. As of this date, all components of the ERP Act are in force. Previous telecommunications security obligations in Part 14 of the Telecommunications Act 1997 (TSSR Reforms) have ceased.

Schedule 5 of the ERP Act and the Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 (TSRMP Rules) together streamline the national security obligations from the TSSR reforms into the all-hazards security setting of the SOCI Act. 

For more information, read the Telecommunications Guidance (1132KB PDF).

The obligations

Obligation to protect critical telecommunications assets

A responsible entity for a critical telecommunications asset must protect the asset from all hazards, including security risks. This includes maintaining competent supervision and effective control over the asset and complying with the obligation to maintain a written risk management program.

For more information, including about changes made by the ERP Act, see the Telecommunications Guidance.

Notification obligation

The responsible entity for a critical telecommunications asset owned or operated by a carrier only must notify the Secretary of Home Affairs of changes or proposed changes to their networks and services that could have a material effect on their capacity to protect the security of their asset.

You must notify the Secretary of any changes, including providing the information set out in Part 4 of the Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 (TSRMP Rules) where relevant.

To notify the Secretary of a change or proposed change, fill out a change notification form (104KB DOCX). You can then submit the form and supporting documents online using the Notification of change or proposed change web form.

For more information, read pages 15 – 18 of the Telecommunications Guidance.

The submission form only allows 5 attachments. Send any extra attachments by email to telco.security@homeaffairs.gov.au. You may also upload them to the secure file sharing service (SFSS) and inform us of your upload by emailing telco.security@homeaffairs.gov.au. If you don't have access to the SFSS, send us an email to organise access.

For more information, read our Notification Requirement factsheet (81KB PDF).

Risk Management Program

Part 2A (251KB PDF) of the SOCI Act sets out the requirement to adopt and maintain a critical infrastructure risk management program (CIRMP). The TSRMP imposes a telecommunications-specific set of CIRMP obligations on responsible entities for a subset of critical telecommunications assets.

Part 3 of the TSRMP Rules specifies additional obligations under paragraph 30AH(1)(c) of the SOCI Act. These obligations reflect those imposed by the CIRMP Rules while outlining other requirements under each type of risk within the TSRMP Rules. The most significant addition is the increased cyber security framework compliance requirements for carrier assets.

See pages 20 – 31 of the Telecommunications Guidance for more information on the TSRMP.

Powers under the SOCI Act

Information gathering power

The Secretary of the Department of Home Affairs has the power to obtain information and documents from the responsible entity for a critical telecommunications asset. They can do this to monitor and investigate compliance with the SOCI Act.

Directions power

The Minister for Home Affairs has the power to direct the responsible entity for a critical telecommunications asset to do, or not do, a specified thing that is reasonably necessary to reduce or eliminate a security risk.

5G security guidance

The Australian Government recently updated guidance about its concerns with the use of high-risk vendor technology in 5G networks. For more information, read the 5G Telecommunications Security Guidance (251KB PDF).

Enquiries

For compliance questions contact telco.security@homeaffairs.gov.au. For any policy enquiries email CI.reforms@homeaffairs.gov.au.

