13 July 2022
#Corporate & Commercial Law, #Data & Privacy
Published by:
Entities in key infrastructure sectors across Australia who have been following the expansion of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) may wish to note that all of the expected legislative amendments are now law, and integrated into the SOCI Act. The consolidated version of the SOCI Act is available, as are our initial observations on its operation.
Many entities will be familiar with the suite of positive security obligations imposed by the new SOCI Act on a wide array of industry sectors. As a refresher, these obligations are to:
Whether your entity has to comply with these obligations depends on your entity’s relationship(s) to ‘critical infrastructure assets’ (a key defined term in the SOCI Act – see our previous article discussing the term’s recent expansion). Determining whether your entity has a relationship to a critical infrastructure asset that triggers these obligations is the first step towards understanding the SOCI Act’s impact on your business and ensuring compliance with the regime.
The second step is determining when your entity has to comply with these obligations.
Most of the critical time limits that entities need to know are not contained in the SOCI Act itself. Three out of the above four obligations rely on Ministerial rules to provide this detail, and some of these Ministerial rules are not yet available.
Below is where the legislation stands on major time limits for compliance, at the time of writing.
Any entity that is responsible for, or has a direct interest in, critical electricity assets, critical ports, critical water assets or critical gas assets has been subject to this obligation for some time, potentially as early as 2018, when the SOCI Act first came into force.
If you are the responsible entity for any of the following critical infrastructure assets (assets newly captured under the SOCI Act), you must comply with this obligation before 9 October 2022:
The date for compliance is yet to be determined by parliament. There are no rules yet in force that confirm which entities need to comply with this obligation and the date by which compliance must be achieved.
The Department of Home Affairs has published a set of draft rules relating to the CIRMP obligation, but these do not deal with who will be captured by the obligation and when the obligation starts.
Entities should monitor the Department’s website closely for updates. We expect the Department will post a draft set of rules dealing with the CIRMP obligation on their website for consultation with industry in the first instance. That consultation period will be a minimum of 28 days.
When enacting the rules that specify the time limit for compliance, it is open to parliament to apply a grace period (for a period determined in the rules).
Literature from the Department suggests that the following assets will be captured by this obligation in the first instance:
In a worst-case scenario for industry (which, on the evidence, is unlikely but nevertheless possible), compliance could be made mandatory within approximately one month of notice. This would require the rules to specify compliance from the date of their registration, consultation to be kept minimal and no grace period to be applied.
If your entity is responsible for any of the above assets, we recommend you prepare to comply with this obligation now.
Generally, if you are:
your time to ensure compliance with this obligation ended on 8 July 2022.
These obligations will only apply to entities that have received written notice that their asset is a SoNS. When the obligations start to apply will depend on the date specified in the notice. That date cannot be earlier than 30 days from when the notice was given.
While the above gives some broad information as to when these obligations apply, there are various exceptions and variations to these dates under the SOCI Act. Therefore, entities should seek legal advice early to establish their time limits for compliance.
We work with public and private sector entities in the development, operation and security of major projects, including critical infrastructure. If you have any queries about this article or how the new legislation may impact you, please contact us below or get in touch with our team here.
Authors: Carl Hinze, Andrew Hynd, Jeanne Vallade & Jean Lukin
Disclaimer
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.