The legal obligations you have if you own, operate, or have direct interests in critical infrastructure assets are outlined in the Security of Critical Infrastructure Act 2018 (SOCI Act). The SOCI Act also outlines how the government can support you if an incident occurs that impacts your critical infrastructure asset.
In the higher education and research sector, responsible entities for all asset classes must:
- notify their third-party data storage or processing provider that the provider is storing or processing business critical data for a critical infrastructure asset
- comply with the mandatory cyber incident reporting obligation.
Critical education assets do not currently need to comply with the other positive security obligations.
If you own or operate a System of National Significance, you may be subject to Enhanced Cyber Security Obligations (ECSO).
The SOCI Act also includes Government Assistance measures. These measures outline how the Government can help industry respond to cyber security incidents. These measures only apply to incidents that will cause serious harm to Australia’s prosperity, national security, or defence.
Higher education and research critical infrastructure assets
A critical education asset is a university that:
- is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers; and
- is used in connection with undertaking a program of research that is critical to:
  - a critical infrastructure sector (other than the higher education and research sector); or
  - the defence of Australia; or
  - national security.
Note: The rules may prescribe that a specified critical education asset is not a critical infrastructure asset (see section 9).
This includes the Australian National University, as outlined in the Security of Critical Infrastructure (Australian National University) Rules (LIN 22/041) 2022.