For entities deemed to be responsible for certain newly defined critical infrastructure assets in Australia, a new legislative framework is about to be expanded for the management of information in relation to those critical infrastructure assets and the mandatory notification of cyber security incidents.

On 22 November 2021, the Security Legislation Amendments (Critical Infrastructure) Bill 2021 (Cth) passed both Houses of Parliament and will become law upon the Governor-General's assent, with Schedule 1, Parts 1 and 2 commencing one day after receiving Royal Assent (New Act).

This New Act will significantly expand the market sectors regulated under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act 2018) and is intended to expedite the extension of Federal Government powers to address increasing security threats to Australia's critical infrastructure assets deemed vital for maintaining Australia's sovereign security and for managing national security risks of sabotage, espionage and coercion posed by foreign involvement.

The changes substantially widen the scope of what has been considered 'critical infrastructure' and increase the Federal Government's power to impose obligations on responsible entities in relation to 'critical infrastructure' assets and sectors. These new security obligations are no longer limited to the original four industry sectors of electricity, gas, ports and water under the SOCI Act 2018 and have been expanded to include eleven new critical infrastructure sectors, broadly defined as:

  • Communications sector;
  • Data storage or processing sector;
  • Financial services and markets sector;
  • Water and sewerage sector;
  • Energy sector;
  • Health care and medical sector;
  • Higher education and research sector;
  • Food and grocery sector;
  • Transport sector;
  • Space technology sector; and
  • Defence industry sector.

Notably, many of these sectors would not traditionally be recognised as infrastructure-intensive sectors. The New Act will assume that all assets and systems of a responsible entity are critical infrastructure assets, and so are subject to the reporting obligations and government powers, unless excluded by the sector-specific rules. These sector-specific rules are yet to be released and may reduce the scope of assets regulated under the New Act and hence the regulatory burden.

The New Act defines the critical infrastructure assets relating to each new infrastructure sector under Schedule 1, Part 1. For example, for the purposes of the New Act, a critical education asset is taken to relate to the higher education and research sector, where a critical education asset means a university that is owned or operated by an entity registered in the Australian university category of the National Register of Higher Education Providers. Similarly, for the purposes of the New Act, a critical data storage or processing asset is taken to relate to the data storage or processing sector. An asset is a critical data storage or processing asset if it is owned or operated by an entity that is a data storage or processing provider and it is used wholly or primarily to provide a data storage or processing service on a commercial basis to an end-user that is the Commonwealth, a State, a Territory, or a body corporate of the Commonwealth, a State or a Territory.

Similar definitions apply to the critical infrastructure assets of each newly prescribed critical infrastructure sector and their associated responsible entities.

The new legislation also imposes new reporting and notification obligations upon responsible entities (as owners and operators of the critical infrastructure assets) for each of these new critical infrastructure sectors. Such responsible entities must notify the Australian Signals Directorate (ASD) within 12 hours of cyber security incidents which have a 'significant impact' on a critical infrastructure asset. A 'significant impact' is an incident which has materially disrupted the availability of essential goods or services provided using the asset (or as otherwise specified in the sector-specific rules). All other cyber security incidents must be reported within 72 hours.

In some instances, the New Act goes beyond assets owned by a responsible entity and captures a responsible entity's supply chain, such as cloud storage or data processing providers. Responsible entities will need to review vendor contracts to ensure they contemplate and cover compliance with the new government powers. This may include requiring vendors to assist responsible entities in responding to directions from the government and the ASD (for instance, by providing information on a cyber security incident or facilitating access to a critical asset).

Civil penalty provisions of this New Act may be enforced using civil penalty orders, injunctions or infringement notices, and enforceable undertakings may be accepted in relation to compliance with civil penalty provisions. The Regulatory Powers (Standard Provisions) Act 2014 (Cth) is applied for these purposes, with certain provisions of the New Act also subject to monitoring and investigation powers. Certain provisions of this New Act may also be enforced by imposing a criminal penalty.

It is important to understand whether the new regime applies to your assets or sector and how to comply with the new rules.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.