Security of Critical Infrastructure
Overview
The Australian Government’s Critical Infrastructure Resilience Strategy defines critical infrastructure as: “those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security”.
Background
There has been a substantial increase in foreign involvement in Australia’s critical infrastructure in a broader context of increased cyber connectivity and dependency on global supply chains. Such global interrelationships have led Australia to be especially susceptible to malicious activity, including sabotage, espionage, and coercion.
To address these risks, the Australian Government established an enhanced regulatory framework, with the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) as its foundation. This framework has been progressively expanded through several key amendments, outlined under Legal Framework below.
Legal Framework
Commonwealth Legislation
- The Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) applies to entities that operate or have interests in a critical infrastructure asset, and is intended to cover 22 asset classes across 11 sectors (as defined in s 9 through s 12N) including: communications, data storage or processing, defence, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, water and sewerage.
- The full list of critical infrastructure sectors and asset classes captured by the expanded legislation is set out in the definitions in Part 1 of the Act.
- The Act's objectives (s 3) are to improve the Commonwealth's ability to respond to national security risks that may affect Australia’s critical infrastructure by increasing the transparency of ownership and operational control of such infrastructure, and promoting cooperation between various levels of government, regulators and critical infrastructure owners.
- The core components of the Act are:
- A register of critical infrastructure assets (Part 2), to which owners, operators or direct interest holders of critical infrastructure assets must supply information about interests in, and the operation, control and ownership of, those assets (s 18A);
- Mandatory cyber incident reporting (Part 2B) for an owner/operator of a critical infrastructure asset to report cyber security incidents to the Australian Cyber Security Centre (s 30BC, s 30BD); See also Directors' Duties.
- Government assistance (Part 3A) to certain critical infrastructure entities in response to significant incidents affecting Australian systems;
- An information gathering power held by the Secretary of the Department of Home Affairs requiring an owner/operator of a critical infrastructure asset to provide particular information (see, for example, the information-gathering direction power in s 35AK); and
- A directions power held by the Minister for Home Affairs instructing an owner/operator of a critical infrastructure asset to do, or not do, something that reduces a national security risk (s 32), with non-compliance attracting a penalty.
The SOCI Act was significantly updated by the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (ERP Act). The key amendments are detailed below.
Data Storage Systems Holding Business Critical Data
The ERP Act clarifies that certain data storage systems are considered part of a primary critical infrastructure asset, ensuring they are covered by the Act's obligations.
A new subsection, s 9(7) of the SOCI Act, specifies that a data storage system is taken to be part of a critical infrastructure asset if:
- the responsible entity for the critical asset owns or operates the data storage system;
- the system is used in connection with the critical asset;
- the system stores or processes 'business critical data'; and
- a hazard that could have a relevant impact on the data storage system could also have a 'relevant impact' (for example, on the availability, integrity or reliability of the asset, or the confidentiality of its information) on the primary critical asset.
This change means these systems must now be included in the entity's Critical Infrastructure Risk Management Program (CIRMP). This reform was, in part, a response to incidents like the Optus and Medibank attacks, where affected systems fell outside the previous scope of the SOCI Act.
All-Hazards Government Assistance Powers
- The ERP Act expands the government's assistance powers under Part 3A of the SOCI Act from covering only "serious cyber security incidents" to encompass all "serious incidents" that impact critical infrastructure. This 'all-hazards' approach includes events like terrorist attacks and natural disasters.
- This empowers the Minister to authorise the Secretary of Home Affairs to issue information-gathering directions (s 35AK) and action directions (s 35AQ) in response to a wider range of threats.
- The power is a 'last resort' measure, to be used only when no other Commonwealth, State, or Territory regulatory system can provide a practical and effective response.
- However, the power for the government to intervene directly via the Australian Signals Directorate (ASD) remains limited to "cyber security incidents" only (s 35AB(10)(aa)).
Protected Information
- The ERP Act introduces a new, harms-based definition of "protected information" to clarify when information can be shared, aiming to facilitate better collaboration between industry and government.
- Under the new s 5A of the SOCI Act, information is only "protected" if its disclosure could reasonably be expected to cause specific harm, such as prejudicing national security or social or economic stability, or if it contains confidential commercial information.
- The amendments explicitly authorise entities to use and disclose protected information for purposes related to the continued operation of their asset or to mitigate risk (s 42AA), and for their own business, professional, commercial, or financial affairs where the information was obtained for the purpose of complying with the SOCI Act (s 43F).
Directions to Vary a Critical Infrastructure Risk Management Program (CIRMP)
- The ERP Act introduces a new power for the Secretary of Home Affairs or a relevant Commonwealth regulator to direct a responsible entity to vary its CIRMP if it is found to have a "serious deficiency".
- A "serious deficiency" is defined as one that poses a material risk to national security, defence, or the social or economic stability of Australia (SOCI Act, s 30AI(3)).
- Before issuing a direction, the regulator must notify the entity and provide 14 days for a submission. Failure to comply with a final direction carries a civil penalty of 250 penalty units (SOCI Act, s 30AI(5)).
Enhanced Security for Telecommunications Assets
- The ERP Act integrates and enhances security obligations for the telecommunications sector by inserting a new Part 2D into the SOCI Act, largely moving these obligations from the Telecommunications Act 1997. These changes commenced on 4 April 2025.
- Responsible entities for prescribed critical telecommunications assets have a primary obligation to protect the asset from all hazards (so far as is reasonably practicable) to ensure the confidentiality, integrity, and availability of the asset (SOCI Act, s 30EB(2)). Failure to comply carries a civil penalty of 1,500 penalty units (s 30EB(2)).
- Entities must also notify the Secretary of Home Affairs of any actual or proposed changes to their service or system that are likely to have a material adverse effect on their capacity to comply with this security obligation (SOCI Act, s 30EC(2)). Failure to notify carries a civil penalty of 300 penalty units.
- These obligations are further detailed in the Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 (TSRMP Rules).
Systems of National Significance (SoNS) Notifications
- The ERP Act streamlines administrative requirements for SoNS by removing the obligation for the Minister to notify direct interest holders (only the responsible entity needs to be notified) when an asset is declared a SoNS (SOCI Act, s 52B(3) as amended).
- It also removes the requirement for direct interest holders to report when they cease their interest; this obligation now rests only with the responsible entity (SOCI Act, s 52D as amended).
Competition and Consumer Act 2010 (Cth) and the Consumer Data Right
- The Consumer Data Right (CDR) regime, established under Part IVD of the Competition and Consumer Act 2010 (Cth), provides consumers with greater control over their data. It is currently active in the banking and energy sectors, and is being expanded to the non-bank lending sector from mid-2026, with telecommunications also designated to follow.
- The CDR enables consumers to direct data holders (e.g., their bank) to share their data with 'accredited persons' (also known as Accredited Data Recipients or ADRs), with the aim of promoting competition and innovation.
- The regime has evolved beyond just data sharing. A key development is "action initiation", which enables consumers to consent to an accredited person initiating actions on their behalf, such as making a payment or switching providers.
- The Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) (CDR Rules) set out the operational details of the CDR. These rules were amended on 3 March 2025 to formalise the expansion to non-bank lenders.
- A core component of the CDR framework is the information security obligation under Schedule 2 of the CDR Rules. This requires accredited persons to have robust governance and controls in place to protect CDR data from misuse, interference, loss, and unauthorised access, modification, or disclosure. To become accredited, entities must undergo an independent audit of these controls.
Corporations Act 2001 (Cth) and Directors' Duties
See the Directors' Duties section for a related discussion of the Corporations Act 2001 (Cth). The duties of directors are particularly relevant to ensuring the entity complies with mandatory reporting obligations, including the cyber incident reporting obligations under Part 2B of the SOCI Act and the ransomware payment reporting obligations under Part 3 of the Cyber Security Act 2024 (Cth).
Privacy Act 1988 (Cth)
- Under the Privacy Act 1988 (Cth) (Privacy Act), personal information must be kept secure from misuse, interference, loss, and from unauthorised access, modification, or disclosure (Australian Privacy Principle 11). The Privacy and Other Legislation Amendment Act 2024 (the "Amendment Act") clarified that the "reasonable steps" required to protect information explicitly include "technical and organisational measures" (Privacy Act 1988, Schedule 1, cl 11.3).
- Additionally, the Privacy Act mandates public reporting of serious data breaches under the Notifiable Data Breaches (NDB) scheme (Part IIIC). The Amendment Act also introduced a new framework allowing the Minister to make an "eligible data breach declaration" to authorise information sharing between entities to prevent or reduce a risk of harm following a breach (Privacy Act 1988, Part IIIC, Division 5).
- The Privacy Act regulator, the Office of the Australian Information Commissioner (OAIC), has significantly enhanced enforcement powers following the 2024 reforms. The OAIC can now issue infringement notices and compliance notices for certain breaches, and a new tiered civil penalty regime allows the Federal Court to impose penalties for both "serious" and non-serious interferences with privacy. The Court also has expanded powers to make other orders, including awarding compensation to affected individuals (Privacy Act 1988, Part VIB).
- Australian companies processing or controlling the data of individuals in the European Union (EU) are also subject to a ‘security of processing’ obligation and data breach notification requirements under the General Data Protection Regulation (GDPR). Recent reforms to Australia's cross-border data flow rules (APP 8) are a step towards greater alignment with international frameworks like the GDPR.
- State and territory government agencies are excluded from the Privacy Act but tend to be subject to separate Acts. For example, NSW public sector agencies, statutory bodies, universities, and local councils are subject to the Privacy and Personal Information Protection Act 1998 (NSW).
- For a broader discussion of this Act, see Privacy Law.
Foreign Acquisitions and Takeovers Act 1975 (Cth)
- The Foreign Acquisitions and Takeovers Act 1975 (Cth) (FATA) has been amended so that the definitions associated with critical infrastructure in the SOCI Act are now incorporated into the FATA. This change may have implications for cloud service providers, including Software as a Service (SaaS) providers, that have foreign ownership or are subject to an acquisition or takeover by a foreign entity. Foreign investment in a responsible entity, or the acquisition of a direct interest in a critical infrastructure asset, is now notifiable to the Foreign Investment Review Board (FIRB). FIRB can undertake ‘own motion’ review of transactions if it has national security concerns. Changes in ownership and control, including changes in personnel, may also affect a cloud service provider’s authority to operate in an assessment and authorisation context.
State Government Legislation
The examples below are intended to be illustrative, not exhaustive, demonstrating the complexity of this regime.
It is important to note the interaction between state-based laws and the Commonwealth SOCI Act. The Commonwealth Government's assistance powers in Part 3A of the SOCI Act (as amended by the ERP Act 2024) are designed as a 'last resort' measure. Before exercising these powers to respond to a serious incident, the Commonwealth Minister must be satisfied that no other existing regulatory system, including state or territory laws, can provide a practical and effective response. The state-based legislation listed below, therefore, represents the types of existing frameworks that are considered the primary response mechanisms.
NSW Government
NSW Sector Specific - Energy
Qld Sector Specific - Water
Water Supply (Safety and Reliability) Act 2008 (Qld) (WASR): This Act, administered by the Department of Resources, includes cyber security reporting requirements for drinking water providers.
Sector Specific Legislation and Frameworks
Financial services and markets
Energy
Transport
Water
Telecommunications
Cross-Sector Laws
- A cross-sector law is one that applies to businesses across multiple sectors of the economy rather than to a specific sector or sub-sector. In addition to the Security of Critical Infrastructure Act 2018 (Cth), additional obligations may arise under privacy law, the law of directors’ duties, the Australian Consumer Law, telecommunications legislation, the Crimes Act 1914 (Cth) and, in some cases, the Public Governance, Performance and Accountability Act 2013 (Cth).
- The Telecommunications Sector Security Reforms imposed a set of security obligations on telecommunications service providers that may be applicable to certain cloud service providers. Obligations may also arise under the Telecommunications (Interception and Access) Act 1979 (Cth). For further details, see Telecommunications.
- The Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019 added new offences to the Criminal Code. See Computer-Based Crime.
Impact of Foreign Laws
Australian entities that operate globally or form part of an international supply chain must navigate a complex and evolving landscape of foreign laws concerning the security of critical infrastructure. For example, the European Union's NIS2 Directive expands the scope of regulated sectors and imposes stricter risk management and reporting obligations, which can have an extra-territorial effect on Australian entities providing services in the EU. Similarly, the United Kingdom maintains and updates its own Network and Information Systems (NIS) Regulations. In the United States, state-level rules such as the New York State Department of Financial Services' Cybersecurity Regulation (23 NYCRR 500) mandate specific security programs for financial institutions. China, a major trading partner, imposes stringent obligations on operators of ‘critical information infrastructure’ under its national Cybersecurity Law.
Regulatory and Policy Framework
Engagement with cyber security and critical infrastructure happens across multiple agencies and regulators at the federal, state and territory levels, including sector-specific regulators. The network of regulators and agencies with responsibility for operationalising cyber security and critical infrastructure policy is complex and contains multiple interdependencies. Regulators and agencies have their own cyber security requirements and obligations that they must meet. They collaborate and cooperate through a range of mechanisms, including inter-governmental committees, industry advisory committees, formal processes outlined in legislation, and memoranda of understanding between agencies.
Core Framework
Of the numerous documents that constitute the regulatory and policy framework, the following should be particularly noted due to their overall importance, frequency of citation and/or presence of mandatory requirements. The importance of adhering to these frameworks is reinforced by new powers in the SOCI Act, which allow a regulator to direct an entity to vary its Critical Infrastructure Risk Management Program (CIRMP) if it has a "serious deficiency" (SOCI Act, s 30AI).
- APRA Prudential Standards
- Prudential Standard CPS 230 – Operational Risk Management: This is a significant new cross-industry standard from APRA effective as of 1 July 2025. It is designed to strengthen the management of operational risks, ensure entities can maintain critical operations through severe disruptions, and manage risks arising from service providers. It explicitly includes technology and data-related risks within its scope.
- Prudential Standard CPS 234 – Information Security: This standard remains in effect and works alongside CPS 230. It sets out mandatory requirements for all APRA-regulated entities to maintain information security capability commensurate with the threats faced and to notify APRA of material information security incidents. CPG 234 provides the associated practice guide.
- Australian Government Information Security Manual (ISM)
- Produced by the Australian Cyber Security Centre (ACSC), the ISM is a cyber security framework that organisations can apply to protect their systems and data. It is updated periodically, with the most recent version being March 2025. Compliance is generally mandatory for businesses contracting with the Australian Government.
- Essential 8 Strategies to Mitigate Cyber Security Incidents ("Essential Eight")
- This is a prioritised, best-practice guideline from the ACSC. It outlines a framework and maturity model that organisations can use to assess and improve their cyber security posture. The maturity model was most recently updated in November 2023 to address the current threat landscape.
- Protective Security Policy Framework (PSPF)
- Managed by the Attorney-General’s Department, the PSPF provides security guidelines for Australian government entities covering governance, information, personnel, and physical security. The framework was updated in October 2024 to introduce a stronger focus on establishing holistic Insider Risk Management programs. Non-corporate Commonwealth entities must apply the PSPF.
Framework of Relevant Entities
Core Organisations
The following organisations should be particularly noted due to their critical role in cyber security relating to critical infrastructure.
Australian Cyber Security Centre (ACSC)
- The cyber security and critical infrastructure reforms of the last five years have elevated the role of the Australian Signals Directorate, which operates and supports the ACSC. The ACSC is Australia’s lead cyber security agency, issuing guidance, threat reports, policy and information to individuals, families, and businesses. It does not have a formal regulatory role for critical infrastructure. The ACSC also provides high-level guidance on how to approach the issue of supply chain management in a cyber security context.
- The ACSC is the Chair of the National Cyber Security Committee, which coordinates the inter-jurisdictional technical response of Australian governments to cyber incidents.
- (Note: This Committee should be distinguished from the statutory role of the National Cyber Security Coordinator established under the Cyber Security Act 2024).
- CERT Australia is the national computer emergency response team, sitting within the ACSC, and provides advice and support on cyber threats and vulnerabilities to the owners and operators of Australia's critical infrastructure and other systems of national interest.
- The ACSC also operates Joint Cyber Security Centres (JCSC) in Sydney, Melbourne, Brisbane, Perth and Adelaide. These coordinate the complex dependencies between the Australian, state and territory levels of government on cyber security, from incident response to cross-jurisdictional coordination in the event of a national cyber incident.
Cyber and Infrastructure Security Centre (CISC)
All Organisations
Engagement with cyber security and critical infrastructure happens across multiple agencies and regulators at the federal and state levels. The following are key organisations involved and the core regulatory and policy frameworks they produce and oversee.
- Attorney-General's Department (AGD)
- Sub-agencies and Related Schemes:
- Australian Competition and Consumer Commission (ACCC)
- The competition regulator for critical infrastructure markets and a cyber security partner with the ACSC.
- Runs Scamwatch.
- Australian Criminal Intelligence Commission (ACIC)
- Australian Cyber Security Growth Network (AustCyber)
- Australia's Cyber Security Sector Competitiveness Plan (2022)
- Australian Prudential Regulation Authority (APRA)
- Sets mandatory information security requirements that all APRA-regulated entities must comply with.
- Australian Renewable Energy Agency (ARENA)
- ARENA has Memoranda of Understanding with other energy market bodies and is a key member of the Distributed Energy Integration Program (DEIP).
- Australian Securities and Investments Commission (ASIC)
- Australian Transaction Reports and Analysis Centre (AUSTRAC)
- Council of Financial Regulators (CFR)
- Department of Defence (DoD)
- Australian Signals Directorate (ASD):
- Australia's foreign signals intelligence, cyber warfare, and cyber security agency.
- Australian Cyber Security Centre (ACSC): The operational arm of the ASD and Australia's lead cyber security agency. It provides guidance, threat reports, and policy information but does not have a formal regulatory role for critical infrastructure. Key frameworks include the Australian Government Information Security Manual (ISM) and the Essential 8 Strategies to Mitigate Cyber Security Incidents.
- CERT Australia: The national computer emergency response team, sitting within the ACSC.
- Joint Cyber Security Centres (JCSC): Located in major cities to coordinate between government, industry, and academia.
- Infosec Registered Assessors Program (IRAP).
- Department of Home Affairs (DHA).
- The central policy department for cyber and critical infrastructure security.
- Oversees national security and emergency management policy.
- 2023-2030 Australian Cyber Security Strategy
- Protective Security Policy Framework (PSPF) (2018): Managed by the Attorney-General's Department; consists of policies providing security guidelines for Australian government entities and contracted service providers.
- Critical Infrastructure Program for Modelling and Analysis (CIPMA): Utilises data models to work with government and industry to help prevent, prepare for, respond to, and recover from disruptions.
- Australian Security Intelligence Organisation (ASIO)
- Cyber and Infrastructure Security Centre (CISC): The primary regulator for the SOCI Act.
- Department of Infrastructure, Transport, Regional Development, Communications, Sport and the Arts (DITRDCSA)
- Digital Transformation Agency (DTA)
- Provides strategy for government digital services, including the Hosting Certification Framework, Secure Cloud Strategy, and Whole of Government Hosting Strategy.
- NSW Government
- Cyber Security NSW:
- Cyber Security Policy (2021); Cyber Security Strategy (2021).
- Other Frameworks and Bodies: Infrastructure Data Management Framework; Information Management Framework; Information and Privacy Commission (NSW) (IPC).
- Queensland Government
- Treasury
- Foreign Investment Review Board (FIRB): Reviews foreign investment proposals involving critical infrastructure for national security implications and publishes specific Guidance for Critical Infrastructure.
Inquiries and Consultations
Industry Materials