The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) came into effect on 2 April 2022.
The SLACIP Act amends the
Security of Critical Infrastructure Act 2018 (SOCI Act) to introduce the following key measures
- A new obligation for responsible entities to create and maintain a critical infrastructure risk management program, and
- A new framework for enhanced cyber security obligations required for operators of systems of national significance (Australia’s most important critical infrastructure assets – SoNS)
The reforms in the SLACIP Act seek to make risk management, preparedness, prevention and resilience, business as usual for the owners and operators of critical infrastructure assets and to improve information exchange between industry and government to build a more comprehensive understanding of threats. These reforms will give Australians reassurance that our essential services are resilient and protected.
The Department recognises that engagement and education will be crucial to the success of these reforms and is committed to working with entities to ensure these reforms are understood and can be practically implemented.
The Department has prepared the following factsheets to assist entities to understand the obligations in the SLACIP Act:
These factsheets will be supplemented by additional, more detailed guidance material developed with industry, on all proposed and current aspects of the SOCI Act. Mechanisms like the
Trusted Information Sharing Network for Critical Infrastructure Resilience (TISN) are important forums for cross-sector dialogue, and will be key in the Department’s ongoing dialogue with industry.
Parliamentary Joint Committee on Intelligence and Security Report on the SLACIP Bill
On 10 February 2022, the Minster for Home Affairs introduced the SLACIP Bill to Parliament and referred it to the PJCIS. The PJCIS received public submissions and conducted a public hearing on the SLACIP Bill. The PJCIS published their
Advisory report on the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 on 25 March 2022. Visit the
PJCIS SLACIP Bill inquiry page for more information.
The SLACIP Act is the second tranche of reforms to the SOCI Act. Having identified the need for an enhanced regulatory framework, the Government enacted the first tranche of reforms through the
Security Legislation Amendment (Critical Infrastructure) Act 2021 (the SLACI Act), building on existing requirements under the SOCI Act. The SLACI Act commenced from 2 December 2021.
Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 Exposure Draft
From 15 December 2021 until Tuesday 1 February 2022, the Department of Home Affairs undertook consultation and sought submissions on the following:
During this consultation period, the Department held three Town Halls; engaging with over 1300 industry stakeholders. It received 70 formal submissions on the Exposure Draft and accompanying Explanatory Document.
A final Town Hall was held on 4 February 2022 following closure of submissions. The Department discussed key themes arising from submissions. In consultations over the period, it canvassed potential areas for further amendments to the SLACIP Bill. It also outlined next steps for these reforms. Slides from that session are
available to view online. Public submissions will be published here in due course. More information on the reforms will be available at
https://www.cisc.gov.au/.
The Department received 70 submissions on the exposure draft of the SLACIP Bill. Twenty-eight submissions remain confidential and are not publicly available. Publicly available submissions are available below:
Risk management program rules
Part 2A of the SOCI Act requires responsible entities to have, and follow, a critical infrastructure risk management program. The
draft risk management program rules (the draft rules) containing the detailed requirements of the risk management program obligation in the SOCI Act are available to stakeholders for information purposes only. This document is a policy document only and should not be considered the final legal rules.
The draft rules set requirements for responsible entities to mitigate and minimise material risks that arise from hazards. Responsible entities must consider all hazards in their risk management program. These rules cover a range of specified hazards including, but not limited to:
- cyber and information security hazards
- supply chain hazards
- physical and natural hazards, and
- personnel hazards.
The draft rules will help to protect critical infrastructure assets and their:
- availability
- integrity
- reliability, and
- confidentiality.
We have developed these draft rules with industry during an extensive consultation process. Now the SLACIP Act has passed, the Minister can decide to make these rules enforceable. Before making the rules, the Minister will publish the draft rules on the Department’s website and seek submissions on those rules for a period of no less than 28 days. Further information is available on the on the
Engagement on critical infrastructure reforms page.
If you have any questions on the draft rules, or any other aspect of the critical infrastructure reforms, please email CI.Reforms@homeaffairs.gov.au.