Reporting and Compliance

Critical infrastructure reporting and compliance

All critical infrastructure assets must meet their legal obligations under the amended Security of Critical Infrastructure Act 2018 (SOCI Act).

The Minister for Home Affairs finalised the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 on 6 April 2022. This means the reporting obligations (Register of Critical Infrastructure Assets and Mandatory Cyber Incident Reporting) are in effect as of 8 April 2022.

Register of Critical Infrastructure Assets (Part 2 of the SOCI Act)

The amendments to the SOCI Act have expanded the number of asset classes that are required to provide owner and operator information to the Register of Critical Infrastructure Assets. The Register is managed by the Cyber and Infrastructure Security Centre. The Minister for Home Affairs applied the Register of Critical Infrastructure Assets obligations under Part 2 of the SOCI Act to the following critical asset classes:

  • broadcasting
  • domain name system
  • data storage or processing
  • a critical financial market infrastructure asset that is a payment system
  • food and grocery
  • hospital
  • freight infrastructure
  • freight services
  • public transport
  • liquid fuel
  • energy market operator
  • electricity (that were not within the scope of a critical infrastructure asset prior to the SLACI Act amendments); and
  • gas (that were not within the scope of a critical infrastructure asset prior to the SLACI Act amendments).

The Minister for Home Affairs has exempted:

  • Invicta Sugar Mill, Giru, Queensland
  • Pioneer Sugar Mill, Brandon, Queensland
  • Racecourse Sugar Mill, Racecourse, Mackay, Queensland; and
  • South Johnstone Sugar Mill, South Johnstone, Queensland.

Read the Security of Critical Infrastructure (Application) Rules to see whether your asset is considered a critical infrastructure asset and whether you need to register it.

Refer to the CISC Factsheet – Register of Critical Infrastructure Assets and the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 to learn more about this obligation.

There is a grace period of 6 months for critical infrastructure assets that do not already report to the Register to comply with this obligation. Mandatory compliance with Part 2 of the SOCI Act will commence on 8 April 2022.

See the Reporting and Compliance pages for more information on how to register your asset and your ongoing responsibilities.

Mandatory Cyber Incident Reporting

The amendments to the SOCI Act require specific critical infrastructure assets to report certain types of cyber security incidents.

Cyber incident reporting plays a vital role in developing an aggregated threat picture for the Australian Government to inform proactive and reactive cyber response options – from providing immediate assistance to working with industry to uplift broader security standards.

The Minister for Home Affairs applied obligations under Part 2B of the SOCI Act to the following critical asset classes:

  • broadcasting
  • domain name system
  • data storage or processing
  • banking
  • superannuation
  • insurance
  • financial market infrastructure
  • food and grocery
  • hospital
  • education
  • freight infrastructure
  • freight services
  • public transport
  • liquid fuel
  • energy market operator
  • aviation, that is any of the following:
    • a designated airport
    • an Australian prescribed air service operating screened air services that depart from a designated airport, or
    • a regulated air cargo agent that is also a cargo terminal operator at a designated airport;
  • ports
  • electricity
  • gas; and
  • water.

The Minister for Home Affairs has exempted:

  • Invicta Sugar Mill, Giru, Queensland
  • Pioneer Sugar Mill, Brandon, Queensland
  • Racecourse Sugar Mill, Racecourse, Mackay, Queensland; and
  • South Johnstone Sugar Mill, South Johnstone, Queensland.

Refer to the CISC Factsheet – Mandatory Cyber Incident Reporting and the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 to learn more about this obligation and where and how to report a cyber security incident.

There is a grace period of 3 months to comply with the Mandatory Cyber Incident Reporting obligation. Mandatory compliance with Part 2B of the SOCI Act will commence on 8 April 2022.

Telecommunications Sector

Assets that fall under the critical telecommunication asset class must comply with Part 14 of the Telecommunications Act 1997.

The Telecommunications and Other Legislation Amendment Act 2017, known as the Telecommunications Sector Security Reforms (TSSR), creates a regulatory framework to better manage national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities. See the Telecommunications Sector Security (TSS) page for more information about your obligations.