Entities in key infrastructure sectors across Australia who have been following the expansion of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) may wish to note that all of the expected legislative amendments are now law, and integrated into the SOCI Act. The consolidated version of the SOCI Act is available, as are our initial observations on its operation.

Many entities will be familiar with the suite of positive security obligations imposed by the new SOCI Act on a wide array of industry sectors. As a refresher, these obligations are to:

  • report to the Commonwealth's register of critical infrastructure assets (Register)
  • implement a Critical Infrastructure Risk Management Program (CIRMP)
  • provide cyber security incident reporting to the Australian Signals Directorate
  • if your entity is responsible for a System of National Significance (SoNS), comply with additional reporting or other obligations.

Whether your entity has to comply with these obligations depends on your entity's relationship(s) to 'critical infrastructure assets' (a key defined term in the SOCI Act - see our previous article discussing the term's recent expansion). Determining whether your entity has a relationship to a critical infrastructure asset that triggers these obligations is the first step towards understanding the SOCI Act's impact on your business and ensuring compliance with the regime.

The second step is determining when your entity has to comply with these obligations.

Most of the critical time limits that entities need to know are not contained in the SOCI Act itself. Three out of the above four obligations rely on Ministerial rules to provide this detail, and some of these Ministerial rules are not yet available.

Below is where the legislation stands on major time limits for compliance, at the time of writing.

Reporting to the Register

Any entity that is responsible for, or has a direct interest in, critical electricity assets, critical ports, critical water assets or critical gas assets has been subject to this obligation for some time, potentially since 2018, when the SOCI Act first came into force.

If you are the responsible entity for any of the following critical infrastructure assets (assets newly captured under the SOCI Act), you must comply with this obligation before 9 October 2022:

  • a critical broadcasting asset;
  • a critical domain name system;
  • a critical data storage or processing asset;
  • a critical financial market infrastructure asset that is a payment system;
  • a critical food and grocery asset;
  • a critical hospital;
  • a critical freight infrastructure asset;
  • a critical freight services asset;
  • a critical public transport asset;
  • a critical liquid fuel asset;
  • a critical energy market operator asset;
  • a critical electricity asset that is newly captured by the SOCI Act; or
  • a critical gas asset that is newly captured by the SOCI Act.

Implementing a Critical Infrastructure Risk Management Program (CIRMP)

The date for compliance is yet to be determined by the Minister. There are no rules yet in force that confirm which entities need to comply with this obligation or the date by which compliance must be achieved.

The Department of Home Affairs has published a set of draft rules relating to the CIRMP obligation, but these do not deal with who will be captured by the obligation and when the obligation starts.

Entities should monitor the Department's website closely for updates. We expect the Department will first post a draft set of rules dealing with those questions (who is captured, and from when) on its website for consultation with industry. That consultation period will be a minimum of 28 days.

When making the rules that specify the time limit for compliance, it is open to the Minister to apply a grace period (for a period determined in the rules).

Material published by the Department suggests that the following assets will be captured by this obligation in the first instance:

  • critical broadcasting assets
  • critical domain name system
  • critical data storage or processing assets
  • critical hospitals
  • critical energy market operator assets
  • critical water assets
  • critical electricity assets
  • critical gas assets
  • critical liquid fuel assets
  • critical financial market infrastructure assets that are specified payment systems operator assets
  • specified critical defence industry assets.

In a worst-case scenario for industry (which, on the evidence, is unlikely but nevertheless possible), compliance could be made mandatory within approximately one month of notice. This would require the consultation period to be kept to the 28-day minimum, the rules to specify compliance from the date of their registration, and no grace period to be applied.

If your entity is responsible for any of the above assets, we recommend you prepare to comply with this obligation now.

Cyber security incident reporting

Generally, if you are the responsible entity for:

  • a critical broadcasting asset;
  • a critical domain name system;
  • a critical data storage or processing asset;
  • a critical banking asset;
  • a critical superannuation asset;
  • a critical insurance asset;
  • a critical financial market infrastructure asset;
  • a critical food and grocery asset;
  • a critical hospital;
  • a critical education asset;
  • a critical freight infrastructure asset;
  • a critical freight services asset;
  • a critical public transport asset;
  • a critical liquid fuel asset;
  • a critical energy market operator asset;
  • a critical aviation asset of a kind specified in the rules;
  • a critical port;
  • a critical electricity asset;
  • a critical gas asset; or
  • a critical water asset,

the deadline for compliance with this obligation was 8 July 2022, and the obligation has applied since that date.

SoNS obligations

These obligations apply only to entities that have received written notice that their asset is a SoNS. When they apply depends on the date specified in the notice, which cannot be earlier than 30 days after the notice was given.

Exceptions and variations to deadlines

While the above gives some broad information as to when these obligations apply, there are various exceptions and variations to these dates under the SOCI Act. Therefore, entities should seek legal advice early to establish their time limits for compliance.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.