6 Jan 2025
Insight
Australia
In 2018, amendments to the Security of Critical Infrastructure Act 2018 (the SoCI Act) introduced some of the most significant reforms aiming at protecting Australia’s critical infrastructure sectors and assets.
This high-level summary provides a simple overview to help demystify the regime’s complexities.
Key takeaways
- The SOCI Act and associated rules are designed to manage security risks relating to Australia’s critical infrastructure including by:
- empowering the Australian Government to exercise information gathering, direction and intervention powers in respect of 11 “critical infrastructure sectors”,1
- imposing reporting and risk management obligations in respect of 22 “critical infrastructure asset” classes; and
- imposing enhanced cyber security obligations on assets designated as “systems of national significance”.
- Despite recent reform, assessing whether and how the regime applies to an organisation can still be complex. The legislation covers a broad range of assets and obligations extend to various participants in the supply chain including “responsible entities”, “reporting entities”, “direct interest holders”, “managed service providers” and “operators”.
- Many Australian corporates are now grappling with multiple regulatory regimes and regulators, in addition to the SOCI Act.
- In this high-level overview, we seek to demystify the regime’s key obligations and powers, and the impacted entities, sectors and assets. We look to simplify the regime, acknowledging that complexity exists below the surface and will invariably require a case-by-case assessment.
Latest reforms
In November 2024, the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (2024 SOCI Reform Act) introduced several changes to the SOCI Act, which intended to address gaps in the regulatory framework and enhance the government’s ability to respond to a wide range of incidents.
The changes include:
- clarifying the SOCI Act applies to data storage systems that from part of a primary critical infrastructure asset;
- broadening the government assistance powers to all types of incidents (beyond cyber);
- empowering the regulator to compel a responsible entity to vary its “risk management program”;
- expanding the ability to share “protected information”;2 and
- bringing telecommunications security obligations out of the ‘Telecommunication Sector Security Reforms’ (TSSR) regime under Part 14 of the Telecommunications Act 1997 and under the SOCI Act.
The amendments described in the 2024 SOCI Reform Act will take effect on 30 May 2025 (unless the Act is proclaimed sooner) and, in the case of the telecommunications sector reforms, no later than 30 November 2025.
The above provides a simplified visual presentation of the different “critical infrastructure assets” or “critical infrastructure sectors assets” which are or will be captured by new obligations or powers under the Act (further described below).
Hover over the different obligations or powers to reveal the assets or sectors covered. For more information about how the Act will apply to a specific asset, hover over the box for that asset.
Entities – Who is captured by the reforms?
|
Entity |
Definition |
Key obligations |
|---|---|---|
|
Responsible Entity |
Definitions is asset specific, but generally the responsible entity will be the entity that owns, or is licensed or responsible for operating, the asset. |
Reporting of operational information. Notification of cyber incidents. Risk management plans. |
|
Direct Interest Holder |
Entity that (a) together with any associates of the entity, holds a legal or equitable interest of at least 10% in a critical infrastructure asset (including if any of the interests are held jointly with one or more other entities); or (b) holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset. |
Reporting of interest information. |
|
Reporting Entity |
Responsible Entity. Direct Interest Holder. |
Reporting of interest and operational information |
|
Relevant Entity |
Responsible Entity. Direct Interest Holder. Operator (entity that operates the critical infrastructure asset or part of the asset). Managed service provider (entity that manages (part of) a critical infrastructure asset, aspect of the asset, or the operation of the asset). |
Response to Government information gathering, direction and intervention powers. |
Government information gathering, direction and intervention powers
|
Triggering Cyber Security Event |
Powers and Safeguards |
|---|---|
|
When
|
Minister may authorise the Secretary to issue to a relevant entity for the impacted asset or another specified “critical infrastructure sector asset”***:
|
* The powers will apply in respect of all security incidents (including those caused by cyber, physical, supply chain or personnel hazards) from 30 May 2025 (unless the 2024 SOCI Reform Act is proclaimed sooner).
** What constitutes a “relevant impact” varies, but in relation to a cyber security incident it includes direct or indirect impacts on the availability, integrity or reliability of the asset; or the confidentiality of information about or stored on the asset.
*** “Critical infrastructure sector assets” include “critical infrastructure asset” and any other asset that “relates to” a “critical infrastructure sector”. For example, this could capture IT systems or other equipment supplied to support or service “critical infrastructure assets”.
Positive security obligations
There are three positive security obligations set out under the SOCI Act:
- the provision of “operational” and ownership information to the Register of Critical Infrastructure Assets;
- the notification of actual or imminent cyber security incidents with an actual or likely relevant impact; and
- implementing and complying with a “risk management program”.
Importantly, these obligations only apply to a “critical infrastructure asset” if the obligation has been switched on for that asset (as illustrated in the below infographics). The Government will only switch on the obligations where it considers that sufficient existing alternative regulatory or administrative arrangements are not already in place.
Register of Critical Assets
The Cyber Infrastructure Security Centre (CISC) maintains a confidential Register of Critical Infrastructure Assets.
A “responsible entity” for, or a “direct interest holder” in an applicable “critical infrastructure asset” (each a “reporting entity”) must provide the CISC certain “operational” and “interest and control” information.
This includes information about contractual arrangements for operating the asset’s core functionalities or maintaining (i) personal information that is about more than 20,000 individuals or is sensitive information; (ii) information relating to any research and development in relation to, systems needed to operate, risk management and business continuity in relation to, a critical asset.
“Reporting entities” must comply with these obligations from 6 months after the asset becomes a “critical infrastructure asset”.
Notification of cyber security incidents
A “responsible entity” for an applicable “critical infrastructure asset” must report actual or imminent cyber security incidents to the ASD.
If the incident has a “relevant impact” (i.e. directly or indirectly impacts the asset’s availability, integrity or reliability, or the confidentiality of information about or stored on the asset) reporting must occur within 72 hours of the entity becoming aware. This timeframe is reduced to 12 hours if the incident has had, or is having, a “significant impact” on the availability of the asset (i.e. is materially disrupts the provision or availability of essential goods or services). Cyber security incidents can be reported over the phone if a written report is also provided.
“Responsible entities” must comply with these obligations from 3 months after the asset becomes a “critical infrastructure asset”.
"Risk management programs"
A “responsible entity” for an applicable “critical infrastructure asset” must adopt, maintain and comply with a “risk management program” (CIRMP).
A CIRMP is a written program, adopting an “all-hazards” approach to the asset, that:
- identifies each hazard where there as a material risk of a “relevant impact”; and
- minimises, mitigates or eliminates any material risk from the hazard (to the extent reasonably practicable).
The “all-hazards” approach requires consideration of both natural and man-made hazards, including cyber and information security, personnel, supply chain, physical security and natural hazards.
The CIRMP rules specify requirements applicable in respect of CIRMPs, based on the above principles-based outcomes. These include obligations to comply with an information security framework and establish and maintain process to identify and manage risk in respect of “critical workers”.
Responsible entities must, before 28 September annually (starting in 2024), submit an annual report on their program that has been signed by their board, council or other governing body, to the RBA in the case of entities responsible for critical payment systems, the Secretary of the Department of Home Affairs for other critical infrastructure asset in scope. The report must state whether the program was up to date, any variations to the program, and details of how the program was effective in mitigating any relevant impacts that hazards may have had on that asset during that year.
Within a 6-month period starting 29 November 2024 (at the latest from 29 May 2025), the Department of Home Affairs or the RBA will be able to give the responsible entity a written direction to vary the entity’s CIRMP to address a serious deficiency posing a material risk to Australia’s national security, defence or socio- economic stability.
Data storage or processing providers that hold a certificate of hosting certification (at a strategic level) do not need to have a CIRMP however, they must, within 90 days after the end of each financial year, report on their assets and any hazards that had a significant relevant impact on one or more of those assets during the relevant period.
“Telecommunication sector assets”
Telecommunication carriers and carriage service providers are currently subject to sector specific security requirements:
- they must do their best to protect their networks and notify the Secretary of the Department of Home Affairs of changes that may impact their ability to do so under Part 14 of the Telecommunications Act introduced by the Telecommunications Sector Security Reforms (TSSR requirements);
- they are subject to cyber incident notification and asset registration obligations under a carrier licence declaration and service provider determination that mirror the SOCI requirements set out above.
Following reforms in November 2024, the TSSR requirements will be consolidated into the SOCI Act with effect from 30 November 2025 (unless proclaimed sooner). Further, in December 2024, the CISC for consultation draft CIRMP rules for the telecommunication sector, signalling it intends to switch on the CIRMP obligations for that sector.
"Enhanced cyber security obligations"
After following a notification and consultation process, the government may declare a particular asset to be a “system of national significance” (SONS).
A “responsible entity” for a SONS may be required to comply with one or more “enhanced cyber security obligations”, including:
- incident response planning – adopting, maintaining and complying with an incident response plan for its assets;
- cyber security exercises – conducting cyber security exercises testing the entity’s ability and preparedness to respond to and mitigate cyber incidents, including reporting relating to the exercise (and in some circumstances, external audits);
- vulnerability assessments – undertaking a vulnerability assessment in respect of the relevant asset; and/or
- system information – providing the ASD with periodic or event-based reports and / or installing software to transmit system information directly to the ASD.
These obligations apply from the date set by the declaration and may apply to any “critical infrastructure asset”.
Footnotes
- Terms in quote in this briefing are defined term under the SOCI Act.
- It is an offence under s 45 of the SOCI Act for an entity to record, use or disclose ‘protected information’ unless an exception applies. A list of ‘protected information’ is set out in s 5 of the SOCI Act. They include document or information obtained by an entity in the course of performing its duties or functions under the SOCI Act. An entity may only use or disclose protected information in limited circumstances including to comply with their obligations under the SOCI Act. The 2024 reforms introduce a revised definition of ‘protected information’ that employs a harms-based assessment by clarifying that a document or information is considered "protected information" if its disclosure could cause harm or pose a risk to the security of the asset, commercial interests or socioeconomic stability, national security or defence of Australia. Relevant entities will also be able to make a record of, use or disclose protected information for a purpose relating to the continued operation of the critical infrastructure asset; or to mitigate a risk to the availability, integrity, reliability or security of the critical infrastructure asset.
This article was originally published on 29 March 2023 and updated on 6 January 2025
Cyber in Australia
Key contacts
Legal Notice
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2025
Stay in the know
We’ll send you the latest insights and briefings tailored to your needs