Regulatory obligations
The Australian Government is committed to protecting Australia’s critical infrastructure to secure the essential services all Australians rely on.
The Security of Critical Infrastructure Act 2018 (SOCI Act) has been amended to strengthen the security and resilience of critical infrastructure and to broaden the number of sectors captured as critical infrastructure, including:
- communications
- data storage or processing
- defence industry
- energy
- financial services and markets
- food and grocery
- health care and medical
- higher education and research
- space technology
- transport
- water and sewerage.
The amendments to the SOCI Act provide for:
- additional assets reporting information to the Register of Critical Infrastructure Assets
- mandatory cyber incident reporting
- Government assistance measures.
Critical Infrastructure Risk Management Program – Commenced on 17 February 2023
The Minister for Home Affairs, the Hon Clare O’Neil MP (the Minister), has signed the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules). The obligation to produce and comply with a critical infrastructure risk management program (CIRMP) for the asset classes listed in the CIRMP Rules commenced on 17 February 2023.
The CIRMP Rules and explanatory statement are available below:
The CIRMP Rules were informed by an extensive consultation process. The Minister made changes to the Rules to reflect feedback received through this consultation process. The Cyber and Infrastructure Security Centre (CISC) would like to thank all stakeholders who took the time to prepare a submission or otherwise engage with the CISC.
The Risk Management Program Obligation
The CIRMP is the final of three preventative elements of the Security of Critical Infrastructure Act 2018 as amended in 2021 and 2022. A compliant CIRMP should assist responsible entities in managing the ‘material risks’ of ‘hazards’ which could have a ‘relevant impact’ on their critical infrastructure asset (CI asset). Once these hazards have been identified, the responsible entity must, so far as reasonably practicable to do so, minimise or eliminate the material risk of such a hazard occurring, and mitigate any relevant impact of the hazard on the asset.
Responsible entities for the following critical infrastructure assets classes are required to adopt, maintain and comply with a written CIRMP:
- Broadcasting
- Domain Name Systems
- Data Storage or processing
- Electricity
- Energy Market Operator
- Gas
- Liquid Fuels
- Payment Systems
- Food and Grocery
- Designated Hospitals (listed in Schedule 1 of the CIRMP Rules)
- Critical Freight Infrastructure (under the SOCI Act, only the intermodal facilities listed in Schedule 1 of the Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021 are Critical Freight Infrastructure assets)
- Critical Freight Services
- Water
The CISC recognises that industry is best placed to identify hazards and determine how to minimise or eliminate material risks. Responsible entities have broad discretion in how they approach the management of hazards that pose material risks to their CI asset. Where possible, the CISC is committed to working with industry to assist in complying with the CIRMP Obligation.
For further guidance in relation to the CIRMP Obligation, please view our CIRMP guidance materials and factsheets.
Period to comply
The CIRMP Rules commenced on 17 February 2023, which marks the beginning of the grace period for CI assets that are currently operational. See below for further details on the period to comply:
- There is a 6-month transition period for responsible entities to adopt a written CIRMP.
- An additional 12-month period is allowed to assist responsible entities in achieving compliance with the cyber security framework* identified in their written CIRMP.
If a responsible entity’s asset becomes a CI asset after the Rules commence, the responsible entity must meet CIRMP requirements within 6 months of the day the asset became a CI asset.
* Note: The CIRMP Rules specify the cyber security frameworks and relevant requirements. Please refer to our CIRMP guidance materials for more information.
Annual Report
A responsible entity must submit an annual report, approved by its board, council or other governing body, to the relevant regulator. The annual report provides assurance that a CIRMP is in place and that the entity is taking steps to manage the material risks that hazards pose to the CI asset.
Annual reports will help the CISC better understand the threat environment in each sector. This enables Government to provide meaningful assistance to entities subject to a hazard and to advise entities on ways to further enhance the security and resilience of CI assets.
Entities must provide an annual report within 90 days of the end of the Australian financial year. If an entity is a responsible entity for a CI asset for all or part of the Australian financial year, it will be required to submit an annual report.
The SOCI Act requires the annual report to be in an approved form and to include the following:
- A declaration that the CIRMP is up to date at the end of the Australian financial year
- Whether a hazard occurred that had a significant relevant impact on an asset during the year
- Whether any variations to the CIRMP were made during the year
- Whether the program was effective in mitigating any significant relevant impact that a hazard may have had on an asset during the year
- An attestation that the information contained within the annual report was approved by the board or governing body of the entity.
The first annual report required under the CIRMP Rules is for the 2023-2024 Australian financial year. As the report must be submitted within 90 days after the end of each financial year the entity had a CIRMP in place, the first annual report must be submitted between 30 June 2024 and 28 September 2024.
The 2022-2023 financial year
While not required, the CISC strongly encourages entities to voluntarily submit an annual report for the 2022-2023 Australian financial year, to provide a ‘pulse-check’ on how you are implementing the CIRMP. The CISC does not expect this voluntary report to be overly complex or detailed – rather, it provides an opportunity to reflect on progress in enhancing risk management procedures.
Guidance Material
For additional information on the CIRMP Obligation, you may also wish to review the guidance documents below:
Our compliance approach
The CISC will regulate the CIRMP Obligation for all asset classes, with one exception: payment systems, which will be regulated by the Reserve Bank of Australia. For further information on requirements for this CI asset class, please visit the Reserve Bank of Australia website.
The CISC is committed to working in partnership with all levels of government and industry to support the wider security uplift of Australian critical infrastructure. For some critical infrastructure entities, we recognise that implementation of a CIRMP will be an extensive task. Wherever your business is in terms of maturity, the CISC will assist whenever possible.
For further information on the CISC’s approach to regulation, please view the Cyber and Infrastructure Centre Compliance and Enforcement Strategy (2022).
Further engagement
If you would like to arrange a meeting with the CISC to discuss the CIRMP Obligation, please contact ci.reforms@homeaffairs.gov.au.
AusCheck Background Checking Scheme
For specific inquiries relating to the AusCheck background checking scheme for critical personnel, please refer to the AusCheck website. Alternatively, please contact AusCheck directly at AusCheck.CI@homeaffairs.gov.au.
Resources and useful Links
For fact sheets and further information about the CIRMP Obligation, copies of relevant legislation, and other useful links and resources, please visit our resources page.
If you need any more information, please contact the Cyber and Infrastructure Security Centre on 1300 272 524, via email to enquiries@CISC.gov.au, or through our Twitter and LinkedIn pages.
Register of Critical Infrastructure Assets
The Register of Critical Infrastructure Assets requires reporting entities, which are either direct interest holders in or the responsible entity for critical infrastructure assets, to provide ownership, operational, interest and control information to Government.
All current critical infrastructure assets covered by the SOCI Act must continue to meet their legal obligation to provide information to the Australian Government’s Register of Critical Infrastructure Assets managed by the CISC, as required under the SOCI Act. This information includes changes to who owns, controls and has access to a particular critical infrastructure asset. For more information see Reporting and compliance.
Owner and operator reporting and compliance requirements may change when the legislation comes into force. Owners and operators should check if they have new reporting and compliance requirements under the SOCI Act. For more information see:
Mandatory cyber incident reporting
Responsible entities for critical infrastructure assets will be required to report critical and other cyber security incidents through the Australian Cyber Security Centre’s online cyber incident reporting portal, found at Cyber.gov.au. For more information see CISC Factsheet - Cyber Security Incident Reporting (320KB PDF).
Government Assistance Measures
Cyber incidents can risk serious prejudice to Australia’s national interests. The public expects that the Australian Government will protect the nation if a cyber incident affects Australia’s critical infrastructure. In such circumstances, it is crucial that the Government has last resort powers to respond to the incident and mitigate its impact.
If your asset experiences a serious cyberattack and you have not been able to respond effectively, the Government may provide assistance as a last resort. This will only happen if the attack seriously risks Australia’s national interests and if legal requirements are met. In a last resort situation we may require you to provide us with further information about the incident, respond to the incident in a particular way or enable us to respond to the incident.
Government Assistance Measures will allow Government to provide assistance immediately prior to, during or following a significant cyber security incident to ensure the continued provision of essential services, including to:
- gather information to determine if another power should be exercised
- direct an entity to do, or not do, a specified act
- request an authorised agency provide support.
Government Assistance is the Government’s way of responding to serious cyber incidents that affect Australia’s critical infrastructure. For more information see CISC Factsheet - Cyber Incident Response Government Assistance Measures (466KB PDF).
Future regulatory options
Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022
On 10 February the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the SLACIP Bill) was introduced into Parliament. For further information, see the SLACIP Bill.
The SLACIP Bill proposes further amendments to the SOCI Act to enact a framework for risk management programs, declarations of systems of national significance and enhanced cyber security obligations.
Transport Security Amendment (Critical Infrastructure) Bill 2020
The Transport Security Amendment (Critical Infrastructure) Bill 2020 (TSACI Bill) was introduced to Parliament on 17 February 2022. For further information, see the TSACI Bill.
The TSACI Bill proposes a number of legislative reforms to the Aviation Transport Security Act 2004 (ATSA) and the Maritime Transport and Offshore Facilities Security Act 2003 (MTOFSA). The proposed reforms will implement an enhanced critical infrastructure security regulatory regime for the aviation and maritime transport sectors and mirror the positive security obligations in the SOCI Act.
The TSACI Bill seeks to transition the regulatory framework for the aviation and maritime transport sectors from a focus on unlawful interference (terrorism) to encompass an enhanced ‘all hazards’ regulatory framework. The enhanced framework will encompass any threat that could impact on the confidentiality, integrity, availability, or reliability of an industry participant’s operations.
For more information on the aviation and maritime critical infrastructure reforms, see the Cyber and Infrastructure Security Centre home page.