
Engagement on critical infrastructure reforms

A strong and effective government-industry partnership is central to achieving the Australian Government’s vision for critical infrastructure security and resilience. Building on industry engagement during the development of amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act), we have consulted widely with government and industry partners in developing asset definitions and risk management program rules. We aim to ensure that vital services to Australia’s security, economic prosperity and way of life are included. We also seek to reduce the regulatory burden on industry.

Update on the SOCI Reforms

Group Manager Hamish Hansford, from the Cyber and Infrastructure Security Centre will be holding a virtual town hall this Wednesday 13 April 2022 at 12.00pm – 12.30pm AEST to update you on:

  • the most recent amendments to the SOCI Act,
  • what obligations have now commenced under the SOCI Act amendments,
  • plans for future consultation and
  • what this will mean for your entity.

Join the meeting

If you are unable to attend, material will be available on the CISC website (including guidance material, factsheets, resources and educational material) and we will continue engaging with you on these changes.

New obligations – Register of Critical Infrastructure Assets and mandatory cyber incident reporting

On 2 December 2021, the SOCI Act was amended to apply obligations to certain assets, including new assets defined in the SOCI Act and the Asset Definition Rules (more on the Asset Definition Rules below). Government assistance measures now apply to all critical infrastructure assets (Part 3A of the SOCI Act).

Additionally, the Minister made the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 on 6 April 2022, which took effect on 8 April 2022. Two positive security obligations now apply to a certain set of critical infrastructure assets:

  1. the provision of operational and ownership information to the Register of Critical Infrastructure Assets (Part 2 of the SOCI Act) for certain new assets (as below); and
  2. mandatory cyber incident reporting (Part 2B of the SOCI Act) for certain assets (as below).

See the copy of the legislative instrument and the explanatory statement.

Register of Critical Infrastructure Assets – operational and ownership information

Following a consultation period from 15 December 2021 to 1 February 2022, the Minister for Home Affairs applied the Register of Critical Infrastructure Assets obligations under Part 2 of the SOCI Act to certain critical asset classes. The asset classes listed below have up to 6 months to provide information to the Register:

  • broadcasting
  • domain name system
  • data storage or processing
  • a critical financial market infrastructure asset that is a payment system
  • food and grocery
  • hospital
  • freight infrastructure
  • freight services
  • public transport
  • liquid fuel
  • energy market operator
  • electricity (assets that were not within the scope of a critical infrastructure asset prior to the SLACI Act amendments); and
  • gas (assets that were not within the scope of a critical infrastructure asset prior to the SLACI Act amendments).

The Minister for Home Affairs has exempted:

  • Invicta Sugar Mill, Giru, Queensland
  • Pioneer Sugar Mill, Brandon, Queensland
  • Racecourse Sugar Mill, Racecourse, Mackay, Queensland; and
  • South Johnstone Sugar Mill, South Johnstone, Queensland.

A factsheet on the Register of Critical Infrastructure Assets (239KB PDF) is also available.

Mandatory cyber incident reporting

The Minister for Home Affairs applied obligations under Part 2B of the SOCI Act to certain asset classes. The asset classes listed below have a grace period of up to 3 months from 8 April 2022 to commence mandatory reporting of cyber security incidents to the Australian Cyber Security Centre (ACSC). We strongly encourage all asset classes to voluntarily provide that reporting to the ACSC now:

  • broadcasting
  • domain name system
  • data storage or processing
  • banking
  • superannuation
  • insurance
  • financial market infrastructure
  • food and grocery
  • hospital
  • education
  • freight infrastructure
  • freight services
  • public transport
  • liquid fuel
  • energy market operator
  • aviation, that is any of the following:
    • a designated airport
    • an Australian prescribed air service operating screened air services that depart from a designated airport, or
    • a regulated air cargo agent that is also a cargo terminal operator at a designated airport;
  • ports
  • electricity
  • gas; and
  • water.

The Minister for Home Affairs proposes to exempt:

  • Invicta Sugar Mill, Giru, Queensland
  • Pioneer Sugar Mill, Brandon, Queensland
  • Racecourse Sugar Mill, Racecourse, Mackay, Queensland; and
  • South Johnstone Sugar Mill, South Johnstone, Queensland.

A factsheet on the mandatory cyber incident reporting obligations (319KB PDF) is also available.

Critical infrastructure asset definition rules

On 23 April 2021, we released a policy paper, initiating extensive consultation with industry and with Commonwealth, state and territory government partners, to draft definitions for the following 12 asset classes:

  • critical banking assets
  • critical broadcasting assets
  • critical domain name systems
  • critical electricity assets
  • critical financial market infrastructure assets
  • critical food and grocery assets
  • critical freight infrastructure assets
  • critical freight services assets
  • critical gas assets
  • critical insurance assets
  • critical liquid fuel assets
  • critical superannuation assets.

In response to feedback, we revised the proposed asset definitions and on 8 December 2021, following amendments to the SOCI Act, the Minister for Home Affairs made the Critical Infrastructure Asset Definition Rules. See the legislative instrument.

A new approach to the reforms

On 29 September 2021, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) released its report and supporting recommendations on the Security Legislation Amendment (Critical Infrastructure) Bill 2021.

The Committee recommended that the reforms be implemented in a two-step approach, with the first bill to be legislated in the shortest time possible.

The first bill focuses on cyber incident responses, either through reporting or in incident response.

The first bill:

  • extends the definition of critical infrastructure from 4 to 11 sectors
  • enables the extension of the existing reporting requirements in relation to the Register of Critical Infrastructure Assets to the new classes of critical infrastructure assets
  • enables the mandatory cyber incident reporting obligations for specified critical infrastructure entities to Commonwealth entities, including the Australian Signals Directorate’s Australian Cyber Security Centre
  • legislates government assistance measures by providing powers to respond to security incidents which seriously prejudice Australia’s prosperity, national security or defence.

The Security Legislation Amendment (Critical Infrastructure) Act 2021 amended the SOCI Act on 2 December 2021. Following this, the Minister for Home Affairs introduced rules to define the thresholds that determine which additional entities are captured by the amended legislation.

The remaining elements of the reforms were deferred to a second, separate bill. The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, which is currently before Parliament, focuses on the additional protective measures being introduced in the reforms to uplift the security and resilience of Australia’s critical infrastructure assets. The Bill passed the House of Representatives on 16 February 2022 and is currently under review by the Parliamentary Joint Committee on Intelligence and Security.

The second bill will:

  • introduce an additional Positive Security Obligation, the Risk Management Program, which will be applied to entities responsible for critical infrastructure.
  • introduce Enhanced Cyber Security Obligations, including vulnerability reporting, cyber incident response planning and exercises, for entities responsible for assets most critical to the nation (known as systems of national significance).

We note that industry has previously raised concerns regarding the need for clarity on what will be expected of them in a risk management program. Based on this feedback, we have revised our approach to the risk management program and adopted a set of principles-based rules for all sectors.

We believe this new approach will reduce regulatory burden and provide industry with certainty and more flexibility to align their risk management program with existing standards and obligations.

Resources and Useful Links

For fact sheets and further information about these changes, copies of relevant legislation, and other useful links and resources, visit the Cyber and Infrastructure Security Centre Resources and Help page.

For further queries, contact CI.reforms@homeaffairs.gov.au.