The legal obligations you have if you own, operate, or have direct interests in critical infrastructure assets are outlined by the Security of Critical Infrastructure Act 2018 (SOCI Act). The SOCI Act also outlines how the government can support you if an incident occurs that impacts your critical infrastructure asset.
In the transport sector, the following obligations apply to most asset classes:
- Notify third-party data storage or processing providers that the provider is storing or processing business critical data for a critical infrastructure asset.
- Provide operational and ownership information to the Register of Critical Infrastructure Assets.
- Report cyber security incidents.
Responsible entities for critical freight infrastructure and critical freight services assets must also comply with the Critical Infrastructure Risk Management Program obligation. The Register of Critical Infrastructure Assets obligation is not extended to critical aviation assets.
The kind of asset you are responsible for will determine which obligations you must comply with. To find specific information for your asset, read the current version of the SOCI Act.
If your asset is a System of National Significance, you may also need to meet Enhanced Cyber Security Obligations. These are decided individually for each asset. We will discuss these with you directly.
You can read more about these obligations on our regulatory obligations page.
The SOCI Act also includes Government Assistance measures. These measures outline how the government can help industry respond to cyber security incidents. These measures apply only to incidents that will cause serious harm to Australia’s prosperity, national security, or defence.
Critical transport infrastructure assets
The transport sector includes owners or operators who transport goods or passengers on a commercial basis, including critical port, freight infrastructure, freight services, public transport or aviation assets.
