
Reporting and Compliance


Critical infrastructure reporting and compliance

All critical infrastructure assets must meet their legal obligations under the amended Security of Critical Infrastructure Act 2018 (SOCI Act).

The Minister for Home Affairs finalised the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 on 6 April 2022. This means the reporting obligations (the Register of Critical Infrastructure Assets and Mandatory Cyber Incident Reporting) are in effect as of 8 April 2022.

Register of Critical Infrastructure Assets (Part 2 of the SOCI Act)

The amendments to the SOCI Act have expanded the number of asset classes that are required to provide owner and operator information to the Register of Critical Infrastructure Assets. The Register is managed by the Cyber and Infrastructure Security Centre. The Minister for Home Affairs applied the Register of Critical Infrastructure Assets obligations under Part 2 of the SOCI Act to the following critical asset classes:

  • broadcasting
  • domain name system
  • data storage or processing
  • a critical financial market infrastructure asset that is a payment system
  • food and grocery
  • hospital
  • freight infrastructure
  • freight services
  • public transport
  • liquid fuel
  • energy market operator
  • electricity (assets that were not within the scope of a critical infrastructure asset prior to the SLACI Act amendments); and
  • gas (assets that were not within the scope of a critical infrastructure asset prior to the SLACI Act amendments).

The Minister for Home Affairs has exempted:

  • Invicta Sugar Mill, Giru, Queensland
  • Pioneer Sugar Mill, Brandon, Queensland
  • Racecourse Sugar Mill, Racecourse, Mackay, Queensland; and
  • South Johnstone Sugar Mill, South Johnstone, Queensland.

Read the Security of Critical Infrastructure (Application) Rules to see whether your asset is considered a critical infrastructure asset and whether you need to register it.

Refer to the CISC Factsheet - Register of Critical Infrastructure Assets and the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 to learn more about this obligation.

There is a grace period of 6 months for critical infrastructure assets that do not already report to the Register to comply with this obligation. The Rules took effect on 8 April 2022, so mandatory compliance with Part 2 of the SOCI Act will commence six months later, on 8 October 2022.

See the Reporting and Compliance pages for more information on how to register your asset and your ongoing responsibilities.

Mandatory Cyber Incident Reporting

The amendments to the SOCI Act require specific critical infrastructure assets to report certain types of cyber security incidents.

Cyber incident reporting plays a vital role in developing an aggregated threat picture for the Australian Government, which informs both proactive and reactive cyber response options, from providing immediate assistance to working with industry to uplift broader security standards.

The Minister for Home Affairs applied obligations under Part 2B of the SOCI Act to the following critical asset classes:

  • broadcasting
  • domain name system
  • data storage or processing
  • banking
  • superannuation
  • insurance
  • financial market infrastructure
  • food and grocery
  • hospital
  • education
  • freight infrastructure
  • freight services
  • public transport
  • liquid fuel
  • energy market operator
  • aviation, that is any of the following:
    • a designated airport
    • an Australian prescribed air service operating screened air services that depart from a designated airport, or
    • a regulated air cargo agent that is also a cargo terminal operator at a designated airport;
  • ports
  • electricity
  • gas; and
  • water.

The Minister for Home Affairs has exempted:

  • Invicta Sugar Mill, Giru, Queensland
  • Pioneer Sugar Mill, Brandon, Queensland
  • Racecourse Sugar Mill, Racecourse, Mackay, Queensland; and
  • South Johnstone Sugar Mill, South Johnstone, Queensland.

Refer to the CISC Factsheet - Mandatory Cyber Incident Reporting and the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 to learn more about this obligation and where and how to report a cyber security incident.

There is a grace period of 3 months to comply with the Mandatory Cyber Incident Reporting obligation. The Rules took effect on 8 April 2022, so mandatory compliance with Part 2B of the SOCI Act will commence three months later, on 8 July 2022.

Telecommunications Sector

Assets that fall under the critical telecommunications asset class must comply with Part 14 of the Telecommunications Act 1997.

The Telecommunications and Other Legislation Amendment Act 2017, known as the Telecommunications Sector Security Reforms (TSSR), creates a regulatory framework to better manage national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities. See the Telecommunications Sector Security (TSS) page for more information about your obligations.


Transport Security Compliance

Compliance Posture

Hi, my name is Richard Farmer, Assistant Secretary of the Regulatory Compliance Branch. My branch plays a critical role within the Cyber and Infrastructure Security Centre by regulating one of the 11 critical sectors of our economy, transport, specifically aviation and maritime transport security.

 

Our compliance posture is underpinned by the Centre’s Compliance and Enforcement Strategy. This strategy outlines the Centre’s regulatory approach and seeks to work in partnership with industry, to ensure the regulated entities understand and manage their own risk.

 

The Centre’s vision for regulated entities is one of voluntary compliance from owners and operators, with the Centre as an industry resource, where Industry and government work cooperatively together to ensure security risks are effectively managed.

 

Our regulatory principles, set by the strategy, guide us in carrying out our regulatory activities to ensure security outcomes are achieved, exercising our regulatory powers and rules, while also engaging with industry stakeholders, participants and regulated entities.

 

The following five principles guide us in our activities:

  • taking a risk-based approach to compliance and enforcement, focusing our attention and resources on areas of highest risk
  • promoting voluntary compliance where possible, adopting a consultative, educational and guidance approach
  • being accountable, fair and transparent
  • acting consistently in our decision making
  • acting proportionately on all entities when exercising enforcement powers.

 

At all times the Centre takes into account:

  • the security implications of the non-compliance
  • the seriousness of the non-compliance
  • the compliance history and regulatory posture of the entity
  • the need for deterrence
  • the facts of the matter at hand
  • the impact on Australia's reputation or Australian interests overseas.

 

The Centre recognises that both educative and enforcement mechanisms are necessary to provide an effective and flexible regulatory system.

 

The Centre therefore has a range of regulatory options available to address non-compliance, which include:

  • education and engagement
  • non-compliance and observation notices
  • corrective action plans
  • infringement notices
  • directions
  • enforceable undertakings
  • enforcement orders
  • suspension or revocation of authorisations
  • prosecution

 

The Centre will assess any reported or detected breach of legislation, and adopt the approach most likely to promote the legislation’s objectives, including encouraging voluntary compliance or taking enforcement action where appropriate.

 

The Centre is committed to ensuring that regulation is as effective and efficient as possible and will continually review its activities based on the results and impact on industry, developing new activities or amending existing ones as the risk environment evolves over time.

 

I look forward to working with you in improving Australia’s security and prosperity.
