Australia’s critical infrastructure safety regime is again the subject of parliamentary consideration with the second tranche of proposed amendments to the Security of Critical Infrastructure Act 2018 (Act) introduced earlier this month.
As canvassed in our previous articles, Australia has been subject to several cyber attacks targeting the federal parliamentary network and key supply chain businesses since the Act’s introduction. In addition, the COVID-19 pandemic broke during this time, causing widespread disruption to major industries such as health, transport and manufacturing.
These disruptions led to the introduction of the Security Legislation Amendment (Critical Infrastructure Protection) Bill in 2020. Following consultation, this bill was split in two so that its critical aspects could be progressed while its other aspects could be the subject of further workshopping between government and industry.
The 2021 Bill, which widened the scope of application of the Act, introduced further reporting requirements and provided additional powers to the Commonwealth, was passed and became law on 2 December 2021.
On 10 February 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (2022 Bill) was introduced to Federal Parliament.
The 2022 Bill proposes to:
The proposed legislation gives the Home Affairs Minister a ‘switch’ mechanism to catch entities within (and release them from) the requirement to prepare a critical infrastructure risk management program (CIRMP) as the regime settles into place.
It can be expected that entities operating critical electricity assets, critical energy market operator assets, critical gas assets, critical liquid fuels assets, certain critical financial market infrastructure assets, critical data storage or processing assets, critical hospital assets, critical domain name system assets and critical broadcasting assets will be the entities made subject to this obligation shortly after the 2022 Bill becomes law.
The requirement is then expected to apply to critical freight services assets, critical freight infrastructure assets and critical food and grocery assets from or sometime after 1 January 2023.
The CIRMP obligations will require entities to:
The identification of hazards that are a “material risk” will include all hazards – from natural disasters to cyber threats.
The enhanced cyber security obligations in the 2022 Bill will apply to “systems of national significance” (SNSs). Entities may be informed that their system is an SNS by written notice from the Secretary of the Home Affairs Department. If an entity receives this notice, four additional obligations will apply to that entity:
The 2022 Bill has progressed through the House of Representatives and is with the Senate for consideration.
Following successful passage of the 2022 Bill, we can expect to see rules proposed under section 30AB of the Act which will determine which entities will be required to comply with the critical infrastructure risk management program obligations.
We also expect that a further set of rules under the Act will establish when certain requirements introduced by the 2021 amendments will apply and to whom.
If your entity is, as a consequence of the 2021 amendments to the Act, newly caught by the application of the relevant provisions of the Act, you will have until 2 June 2022 to make your first report to the Department.
Authors: Jean Lukin