Our regulatory principles and approach

Principles

The following five principles guide us in carrying out our regulatory activities to ensure we achieve positive security outcomes. They inform how we exercise our regulatory powers and rules, and how we engage with industry stakeholders and regulated entities.

Focus on risk

We focus our attention and resources on higher risk areas to ensure the resilience and security of the sectors we regulate.

Promote voluntary compliance

Where appropriate, we adopt a consultative approach with industry stakeholders. We solicit feedback to inform continuous improvement within the critical infrastructure sectors. Finally, we provide education and guidance to help industry partners understand their legislative obligations.

Be accountable, fair and transparent

We avoid unnecessarily impacting the efficient and effective operations of responsible entities. We make timely decisions based on legislative requirements.

Act consistently

We deliver equitable decision-making across a variety of critical infrastructure sectors and situations.

Act proportionately

When exercising enforcement powers we consider the:

  • security implications of the non-compliance
  • seriousness of the non-compliance
  • compliance history and regulatory posture of the entity
  • need for deterrence
  • facts of the matter at hand
  • impact on Australia’s reputation or Australian interests overseas.

Approach

Wherever possible, we work in partnership with industry to help regulated entities understand and manage their own risk. We facilitate information sharing between government and industry. Information sharing is an effective way to build organisational and sectoral resilience with minimal government intervention.

Our vision for regulated entities is for owners and operators to voluntarily comply with the Security of Critical Infrastructure Act 2018. We intend to work together with industry to support the effective management of security risks across critical infrastructure sectors.

We recognise that both education and enforcement mechanisms are necessary to provide an effective and flexible regulatory system. These mechanisms should not unnecessarily impede the efficient and effective operations of responsible entities. A range of regulatory options are available to address non-compliance, including:

  • education and engagement
  • non-compliance and observation notices
  • corrective action plans
  • infringement notices
  • directions
  • enforceable undertakings
  • enforcement orders
  • suspension or revocation of authorisations
  • prosecution.

We will assess any reported or detected breach of legislation and adopt the approach most likely to promote the legislation’s objectives.

Review

We will continually review our activities based on the results and impact on industry. We may also develop new activities or amend existing ones as the risk environment evolves over time.

Integrity

We take integrity and fairness seriously when undertaking compliance activities. Our officers carry out various compliance functions across the Group.

Regulator performance

Through the Deregulation Agenda, the Australian Government commits to ensuring that this regulation is as effective and efficient as possible. We will achieve this through:

  • improving the accountability and transparency of regulator performance
  • sharing best practice
  • building regulator capability
  • driving a culture of regulator excellence.

The Regulator Performance Guide sets out the Government’s expectations for regulator performance and reporting. It lists the following principles of regulator best practice:

  • Continuous improvement and building trust.
  • Risk based and data driven.
  • Collaboration and engagement.

Entities with regulatory functions are empowered to apply the principles of regulator best practice. They should do this in a way that is appropriate to their organisation and consistent with Australian Government and stakeholder expectations.

Regulation of the Security of Critical Infrastructure Act 2018

In 2024, we are changing our compliance regulatory posture to align with the Security of Critical Infrastructure Act 2018 (SOCI Act).

We are responsible for the regulation of critical infrastructure assets under the SOCI Act. We also commit to working with industry to protect the essential services all Australians rely on by uplifting the security and resilience of critical infrastructure.

The SOCI Act imposes many security obligations on critical infrastructure entities to achieve this security uplift. This includes the:

  • Register of Critical Infrastructure Assets obligation
  • Risk Management obligation
  • Notification of Data Service Providers obligation
  • Mandatory Cyber Incident Reporting obligation.

Entities responsible for Systems of National Significance may have additional Enhanced Cyber Security Obligations applied to their assets.

Our compliance focus for 2023–24 is on education and awareness raising, except for any detected egregious non-compliance. We have extended this to assist industry to understand and comply with their SOCI obligations. During the third and fourth quarters of 2023–24, the CISC will undertake a limited series of trial audits testing industry compliance with SOCI Act obligations. This will inform and guide the commencement of compliance audit activities in 2024–25.

In 2024–25, our SOCI Compliance Regulatory Posture will aim to balance education and awareness raising activities with compliance activities. This aims to effectively drive an uplift in regulated entity compliance.

Effective compliance activities will support the objective of the SOCI Act to provide a framework for managing risks relating to critical infrastructure. Helping industry understand the implications of these obligations and ensuring compliance is not just a matter of legal obligation, it’s a requirement to protect the essential services all Australians rely on.

Our 2024–25 Compliance Regulatory Posture relating to Enhanced Cyber Security Obligations will continue to focus on partnering with the entities responsible for Systems of National Significance. This will ensure they understand, and are able to comply with, their obligations.

This advice about our regulatory posture is consistent with our intent to continue to build our relationships with stakeholders and to be a transparent and effective regulator.