Legislative information and reforms

​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​Regulatory obligations​

The Australian Government is committed to protecting Australia’s critical infrastructure to secure the essential services all Australian’s rely on.

The Security of Critical Infrastructure Act 2018 (SOCI Act) aims to strengthen the security and resilience of critical infrastructure through capturing a range of assets relevant to the following critical infrastructure sectors:​

  • communications
  • data storage or processing
  • defence industry
  • energy
  • financial services and markets
  • food and grocery
  • health care and medical
  • higher education and research
  • space technology
  • transport
  • water and sewerage.

The SOCI Act also provides key obligations for the owners and operators of certain critical infrastructure assets. These include:

  • the requirement to report information to the Register of Critical Infrastructure Assets
  • mandatory cyber incident reporting requirements
  • the requirement to produce and comply with a Critical Infrastructure Risk Management Program (CIRMP).

Critical ​Infrastructure Risk Management Program Rule​​s – Commenced on 17 February 2023​

Hi everyone,

The grace period for the Critical Infrastructure Risk Management Program obligation has now ended.

If it applies to you, owners and operators of critical infrastructure entities must now have developed, and implemented, a Risk Management Program.

You have until the 18th of August 2024 to meet the requirements of the cyber security framework identified in the Risk Management Program.

You must then submit a first Board-approved annual report no later than the 28th of September 2024.

Complying with the Critical Infrastructure Risk Management Program obligation will assist in managing the material risks that a hazard might have on your asset.

Once identified, a responsible entity must then eliminate or minimise that hazard occurring, and put mitigations in place.

Now that the grace period has ended, wherever your business is at in terms of its maturity, we’re still here to help.

We have for example, extensive guidance available on our website, and you can get in touch with us directly using the contact details on the screen.

Together, we can continue to protect Australia’s critical infrastructure… now, and into the future.

T​he Minister for Home Affairs the Hon Clare O’Neil MP (the Minister) signed the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules) and the CIRMP Rules commenced on 17 February 2023. 

The CIRMP Rules and explanatory statement are available below:

The CIRMP Rules were informed by an extensive consultation process. The Minister made changes to the CIRMP Rules to reflect feedback received through this consultation process. The Cyber and Infrastructure Security Centre (CISC) would like to thank all stakeholders who took the time to prepare a submission or otherwise engage with the CISC. ​

Compliance with the obligation​

In an increasingly complex and interconnected world, full of unprecedented global threats, Australia’s critical infrastructure must grapple with a number of risks.

Including, environmental hazards, cyber incidents, personnel and physical security risks and supply chain disruption. 

The Critical Infrastructure Risk Management Program - or CIRMP- is a key measure that will support the ongoing resilience of Australia’s critical infrastructure.

Under the CIRMP, critical infrastructure owners and operators are required to identify the risks and hazards that might have an impact on their asset.

The responsible entity must then, so far as it’s reasonably practicable to do so, take steps to minimise or eliminate that risk- for example, an entity may consider installing fire suppression systems, or regularly patching networks with the latest software and hardware.

We know industry is best placed to identify the most relevant hazards; that’s why the CIRMP Rules are principles- based and allow for broad discretion in how you approach the management of hazards.

We’re here to help. If you have any questions about the CIRMP Rules visit the Cyber and Infrastructure Security Centre’s website.

Together, we can continue to protect Australia’s critical infrastructure; here, now and into the future.

A compliant CIRMP should assist responsible entities to manage the ‘material risks’ of ‘hazards’ which could have a ‘relevant impact’ on their critical infrastructure asset (CI asset). Once these hazards have been identified, the responsible entity must, so far as reasonably practicable to do so, minimise or eliminate the material risk of such a hazard occurring, and mitigate any relevant impact of the hazard on the asset.​

Responsible entities for the following critical infrastructure assets classes are required to adopt, maintain and comply with a written CIRMP:

  • Broadcasting
  • Domain Name Systems
  • Data Storage or processing
  • Electricity
  • Energy Market Operator
  • Gas
  • Liquid Fuels
  • Payment Systems
  • Food and Grocery
  • Designated Hospitals (listed in Schedule 1 of the CIRMP Rules)
  • Critical Freight Infrastructure (Under the SOCI Act only intermodal facilities listed in Schedule 1 of the Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021 are Critical Freight Infrastructure assets)
  • Critical Freight Services
  • Water

CISC recognises that industry are best placed to identify hazards and determine how to minimise or eliminate material risks.

Responsible entities have broad discretion in how they approach the management of hazards which pose material risks to their CI asset. Where possible, the CISC is committed to working with industry to assist in complying with the CIRMP Obligation.

For further guidance in relation to the CIRMP Obligation please view our CIRMP guidance materials, factsheets and CIRMP Flyer.

Period to comply

The CIRMP rules commenced on 17 February 2023, which marked the beginning of the six month grace period for CI assets that were operational on this date. See below for further details on the period to comply:

  • Responsible entities that were operational on 17 February 2023 are expected to have developed and implemented a written CIRMP by 18 August 2023.
  • Responsible entities must have implemented the cyber security framework*identified in their written CIRMP by 18 August 2024.

If an asset becomes a CI asset after the commencement of the CIRMP Rules, the responsible entity must have developed and implemented a written CIRMP within 6 months of the day the asset became a CI asset.​

* Note: The CIRMP Rules specify the cyber security frameworks and relevant requirements. Please refer to our CIRMP guidance materials for more information.

Annual Report

Responsible entities for CI assets subject to the CIRMP obligation must submit an annual report that has been approved by their board, council, or other governing body to the relevant regulator. The annual report will provide assurance that a CIRMP is in place and that the entity is taking steps to manage material risks posed by the hazard to the CI asset.

Annual reports will assist the CISC to better understand the threat environment in each sector. This enables Government to provide meaningful assistance if subject to a hazard and advise entities on ways to further enhance the security and resilience of CI assets.

Entities must provide an annual report within 90 days of the end of the Australian financial year. If an entity is a responsible entity for a CI asset for all or part of the Australian financial year, they will be required to submit an annual report. 

The SOCI Act requires the annual report to be in an approved form and to include the following:

  • A declaration that the CIRMP is up to ​date at the end of the Australian financial year
  • Whether a hazard occurred that had a significant relevant impact on an asset during the year
  • Whether any variations to the CIRMP were made during the year
  • Whether the program was effective in mitigating any significant relevant impact that a hazard may have had on an asset during the year
  • An attestation that the information contained within the annual report was approved by the board or governing ody of the entity.

The first annual report required under the CIRMP Rules is for the 2023-2024 Australian financial year. As the report must be submitted within 90 days after the end of each financial year the entity had a CIRMP in place, the first annual report must be submitted between 30 June 2024 and 28 September 2024.

The 2022-2023 financial year

While not required, the CISC strongly encourages entities to voluntarily submit an annual report for the 2022-2023 Australian financial year, to provide a ‘pulse-check’ on how you are implementing the CIRMP. The CISC does not expect this voluntary report to be overly complex or detailed – rather, it provides an opportunity to reflect on progress in enhancing risk management procedures.

​​Our compliance approach

The CISC is the regulator for the CIRMP obligation for all asset classes. There is one exception which is payment systems. This asset class is by the Reserve Bank of Australia. For further information on requirements for this CI asset class please visit the Reserve Bank of Australia website.

The CISC is committed to working in partnership with all levels of government and industry to support the wider security uplift of Australian critical infrastructure. For some critical infrastructure entities, we recognise that implementation of a CIRMP will be an extensive task. Wherever your business is in terms of maturity, the CISC will assist whenever possible.

For further information on CISC’s approach to regulation please view the Cyber and Infrastructure Centre Compliance and Enforcement Strategy (2022) (606KB PDF).

Further engagement

If you would like to arrange a meeting with the CISC to discuss the CIRMP Obligation, please contact ​ci.reforms@homeaffairs.gov.au.

AusCheck Background Checking Scheme

For specific inquiries relating to the AusCheck background checking scheme for critical personnel, please refer to the AusCheck website.

Alternatively, please contact AusCheck directly at AusCheck.CI@homeaffairs.gov.au

Resources and useful Links

For fact sheets and further information about the CIRMP Obligation, copies of relevant legislation, and other useful links and resources, please visit our resources page.

If you need any more information please contact the Cyber and Infrastructure Security Centre on: 1300 272 524, via email to enquiries@CISC.gov.au or through our Twitter and LinkedIn pages.​

Register of Critical Infrastructure Assets

The Register of Critical Infrastructure Assets requires reporting entities, who are either direct interest holders or the responsible entity of critical infrastructure assets, to provide to Government ownership, operational, interest and control information.

All current critical infrastructure assets covered by the SOCI Act must continue to meet their legal obligation to provide information to the Australian Government’s Register of Critical Infrastructure Assets managed by the CIS​C, as required under the SOCI Act. This information includes changes to who owns, controls and has access to a particular critical infrastructure asset. For more information see ​Reporting and compliance.

Owner and operator reporting and compliance requirements may change when the legislation comes into force. Owners and operators should check if they have new reporting and compliance requirements under the SOCI Act. For more information see:

Mandatory cyber incident reporting

Responsible entities for critical infrastructure assets will be required to report critical and other cyber security incidents to the Australian Cyber Security Centre’s online cyber incident reporting portal, found at Cyber.gov.au. For more information see CISC Factsheet - Cyber Security Incident Reporting (320KB PDF).

Government Assistance Measures

Cyber incidents can risk serious prejudice to Australia’s national interests. The public expects that the Australian Government will protect the nation if a cyber incident affects Australia’s critical infrastructure. In such circumstances, it is crucial that the Government has last resort powers to respond to the incident and mitigate its impact.

If your asset experiences a serious cyberattack and you have not been able to respond effectively, the Government may provide assistance as a last resort. This will only happen if the attack seriously risks Australia’s national interests and if legal requirements are met. In a last resort situation we may require you to provide us with further information about the incident, respond to the incident in a particular way or enable us to respond to the incident.

Government Assistance Measures will allow Government to provide assistance immediately prior to, during or following a significant cyber security incident to ensure the continued provision of essential services, including to:

  • gather information to determine if another power should be exercised
  • direct an entity to do, or not do, a specified act
  • request an authorised agency provide support.

Government Assistance is the Government’s way of responding to serious cyber incidents that affect Australia’s critical infrastructure. For more information see CISC Factsheet - Cyber Incident Response Government Assistance Measures (466KB PDF).