Cyber Security Legislative Reforms

Following extensive consultation since December 2023, the Cyber Security Legislative Package was introduced into the House of Representatives by the Minister for Home Affairs and the Minister for Cyber Security, the Hon Tony Burke MP, on 9 October 2024.

The package was then referred to the Parliamentary Joint Committee on Intelligence and Security, which concluded its review on 18 November 2024. The package was passed in the Senate on 25 November 2024 and received Royal Assent on 29 November 2024:

Schedules 1, 2, 3, 4 and 6 of the ERP Bill commenced by proclamation on 20 December 2024 and address legislative gaps to bring Australia in line with international best practice and take the next step to ensure Australia is on track to become a global leader in cyber security. Schedule 5 will commence by proclamation on 4 April 2025.

Schedule 1 clarifies existing obligations under the Security of Critical Infrastructure Act 2018 (SOCI Act) for critical infrastructure owners and operators to protect certain data storage systems that hold business critical data. For more information, see: Data Storage Systems Factsheet.

Schedule 2 amends Part 3A of the SOCI Act to allow for the Minister for Home Affairs to authorise the Secretary of Home Affairs to issue action and information gathering directions to address the impacts of an all-hazards incident on critical infrastructure, beyond the existing confines of resolving a technical cyber incident. For more information, see: Managing Consequences of Incidents Factsheet.

Schedule 3 establishes a new definition of ‘protected information’ as information that is confidential commercial information or information that if disclosed could cause harm to the public, the security of a critical infrastructure asset or Australia’s national security, defence or socioeconomic stability. For more information, see: Protected Information Factsheet.

Schedule 4 amends the SOCI Act to introduce a power for the regulator to issue a formal written direction to a responsible entity to address seriously deficient elements of any Part 2A risk management program. For more information, see: Direction to Vary Risk Management Program Factsheet.

Schedule 5 uplifts, enhances and clarifies current telecommunications security obligations for critical telecommunications assets, and will commence on 4 April 2025, now that subordinate legislation (rules) has been finalised. For more information, see: Telecommunications Security Factsheet.

Schedule 6 removes the requirement for the Minister for Home Affairs to notify each direct interest holder for a critical infrastructure asset declared to be a System of National Significance (SoNS) and only requires the responsible entity to be notified, and removes the requirement for responsible entities for a SoNS asset to notify the Secretary of Home Affairs of changes to direct interest holders. The responsible entity for a SoNS asset will still be required to notify the Secretary of changes to the responsible entity. For more information, see: Notification of Systems of National Significance Factsheet.

ERP Act Rules and explanatory statements

The Minister for Home Affairs opened formal consultation on the rules from 16 December 2024 to 14 February 2025. The department received 20 submissions, which shaped the rules and explanatory statements. The final Rules are the:

The parts of the Security of Critical Infrastructure Amendment (2025 Measures No. 1) Rules that clarify existing obligations for entities captured by the Critical Infrastructure Risk Management Program (CIRMP) obligation under the Security of Critical Infrastructure Act 2018 will commence on 4 April 2025.

The Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules and telecommunications-related components of the Amending Rules will commence on 4 April 2025.

The department is committed to working closely with industry to implement these legislative changes, and will continue to work with industry to support the security and uplift of Australia’s critical infrastructure.

In addition to the ERP Act Rules, subordinate legislation to the Cyber Security Act 2024 has been published to the Federal Register of Legislation. For more information on the Cyber Security Rules 2025, visit Cyber Security Act.