Telecommunications
Overview
The telecommunications sector is one of Australia's most critical infrastructure sectors and is subject to a comprehensive regulatory regime. Following recent reforms in 2024, the primary security obligations for telecommunications carriers and carriage service providers are now consolidated under the Security of Critical Infrastructure Act 2018 (Cth) (see the Security of Critical Infrastructure page). This change, driven by the 2023-2030 Australian Cyber Security Strategy, was designed to align the telecommunications sector with the 'all-hazards' risk management approach applied to other critical infrastructure sectors and to address legislative gaps by replacing a series of temporary measures that were due to sunset in 2025. This framework exists alongside long-standing obligations under the Telecommunications Act 1997 (Cth), which primarily govern service provision, consumer safeguards, and lawful access and interception.
Background
The Australian telecommunications sector has long been subject to specific security obligations. For many years, the core security framework was the Telecommunications Sector Security Reforms (TSSR), which were introduced into Part 14 of the Telecommunications Act 1997 (Cth) by the Telecommunications and Other Legislation Amendment Act 2017 (Cth). The TSSR imposed a duty on carriers, carriage service providers, and carriage service intermediaries to do their best to protect their networks and facilities from unauthorised access and interference. It also established a notification framework requiring providers to inform the government of planned changes to their networks and services that could impact security.
However, as part of the 2023-2030 Australian Cyber Security Strategy, the Commonwealth Government identified the need to streamline the regulation of critical infrastructure. A key action was to consolidate the telecommunications security obligations into the broader framework of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). This was achieved through the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (ERP Act), which created a more consistent 'all-hazards' regulatory approach for the sector.
Legal Framework
The legal framework governing the Australian telecommunications sector is complex, with key obligations now spread across two main pieces of Commonwealth legislation. While the Telecommunications Act 1997 (Cth) remains the foundational legislation for the industry, the Security of Critical Infrastructure Act 2018 (Cth) now contains the primary security obligations for the sector.
Following the commencement of the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (ERP Act) on 4 April 2025, the core security obligations for telecommunications providers were consolidated into the SOCI Act.
- New Security Obligations (Part 2D): The ERP Act inserted a new Part 2D into the SOCI Act, which imposes an enhanced 'all-hazards' security duty on responsible entities for critical telecommunications assets. This requires them to take all reasonably practicable steps to protect their assets from hazards that could impact their confidentiality, integrity, and availability (s 30EB). This security obligation now explicitly includes maintaining "competent supervision of and effective control over the asset", which goes beyond the previous TSSR requirements and places a greater onus on entities to manage outsourced and offshored arrangements. Failure to comply carries a significant civil penalty of 1,500 penalty units.
- Notification of Changes: Responsible entities must notify the Secretary of Home Affairs of any actual or proposed changes to their services or systems that are likely to have a material adverse effect on their capacity to comply with their security obligations (s 30EC). The Secretary can then request further information and assess if the change poses a risk to security.
- Ministerial Directions: The Minister retains the power to direct a carrier or carriage service provider not to use or supply a carriage service if the Minister considers that its use would be prejudicial to security (s 30EF).
- Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 (TSRMP Rules): These Rules set out the above obligations in further detail. The TSRMP Rules largely mirror the existing Critical Infrastructure Risk Management Program (CIRMP) Rules for other sectors, but include additional requirements to address telecommunications-specific risks, such as the compromise, theft, or manipulation of communications.
While the core security duties have moved to the SOCI Act, the Telecommunications Act 1997 continues to provide the main regulatory framework for the industry. Key ongoing provisions include:
- Industry Regulation and Consumer Safeguards: The Act sets out the licensing regime for carriers and the rules governing the provision of telecommunications services to the public. It includes consumer protection measures such as the Universal Service Obligation (USO) and the Customer Service Guarantee (CSG).
- Powers of the ACMA: It establishes the powers of the Australian Communications and Media Authority (ACMA) as the industry's primary day-to-day regulator for non-security matters.
- Preventing Illegal Use: The Act imposes a duty on carriers and carriage service providers to do their best to prevent their networks from being used to commit offences (Part 14).
Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act)
- This Act governs the interception of and access to telecommunications content and data by law enforcement and national security agencies.
- Interception Capabilities: The TIA Act requires carriers and carriage service providers to have and maintain the capability to allow law enforcement agencies to execute interception warrants on their networks.
- Data Retention: Part 5-1A of the TIA Act requires carriers to retain specific types of telecommunications data (metadata, but not content) for a period of two years to assist with law enforcement investigations.
- Telecommunications data retained under Part 5-1A is 'personal information' for the purposes of the Privacy Act 1988 (Cth).
- See Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4.
Cloud Service Providers (CSPs)
- Cloud Service Providers are a fundamental part of the telecommunications ecosystem, as they use telecommunications networks to deliver their services and often host data and services for telecommunications clients.
- Previously, the security obligations applicable to CSPs were primarily considered under the framework of the Telecommunications Act 1997 (Cth) and the Telecommunications Sector Security Reforms (TSSR). Whether a CSP was captured depended on whether its specific services met the definition of a "carriage service provider" or "content service provider".
- However, following the reforms in the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (ERP Act), the regulatory landscape has changed significantly. CSPs are now primarily regulated through the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) in three key ways:
  - As "Critical Data Storage or Processing Assets": A CSP is directly regulated as a responsible entity under the SOCI Act if it is declared a "critical data storage or processing asset". This typically occurs if the CSP holds data for a government agency or another critical infrastructure entity. In this case, the CSP must comply with all relevant SOCI Act obligations, including the requirement to have a Critical Infrastructure Risk Management Program (CIRMP).
  - As Part of a Telecommunications Asset: Following the ERP Act 2024 amendments, a data storage system (such as a cloud service) that holds "business-critical data" for a critical telecommunications asset is now considered part of that primary asset (SOCI Act, s 9(7)). This ensures that secondary data storage assets, virtual assets, and other assets that support (rather than form part of) a telecommunications network are captured by the SOCI Act framework.
  - As a Supply Chain Hazard: The SOCI Act's risk management program rules explicitly require responsible entities to manage "supply chain hazards". This includes identifying and mitigating risks arising from reliance on third-party suppliers like CSPs.
Regulatory & Policy Framework
The security policies and rules for the telecommunications sector are now primarily issued under the authority of the SOCI Act.
- Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 (Cth) (TSRMP Rules): These are the key subordinate laws that now govern telecommunications security. The TSRMP Rules specify the detailed requirements that responsible entities for critical telecommunications assets must comply with when establishing and maintaining their Critical Infrastructure Risk Management Program (CIRMP) under the SOCI Act. For carriers, these rules also mandate achieving a specific maturity level against a recognised framework (such as the Essential Eight) by October 2027.
- Security of Critical Infrastructure (Application) Rules 2022 (Cth): These rules define which specific assets are captured by the various obligations under the SOCI Act. The Security of Critical Infrastructure Amendment (2025 Measures No. 1) Rules 2025 amended these rules to explicitly include critical telecommunications assets owned by carriers and 'relevant CSPs' (being those with more than 20,000 active services or which supply services to Government), bringing them formally under the SOCI Act's remit.
Relevant Organisations
The regulation of the telecommunications sector is now split between two key bodies, reflecting the separation of general industry regulation from national security obligations.
- Cyber and Infrastructure Security Centre (CISC): Located within the Department of Home Affairs, the CISC is now the primary regulator for the security of all critical infrastructure, including critical telecommunications assets. It is responsible for administering the obligations under the Security of Critical Infrastructure Act 2018 (Cth).
- Australian Communications and Media Authority (ACMA): The ACMA remains the day-to-day technical and industry regulator for the telecommunications sector under the Telecommunications Act 1997 (Cth). Its role focuses on matters such as licensing, spectrum management, consumer safeguards, and technical standards. The ACMA refers matters relating to security threats to the Department of Home Affairs and the CISC.
Inquiries & Consultations
The legislative framework that consolidated telecommunications security obligations under the Security of Critical Infrastructure Act 2018 (Cth) was developed following extensive public and industry consultation.
- 2023-2030 Australian Cyber Security Strategy Consultation: The initial proposals to streamline telecommunications security regulation were canvassed in the public consultation paper for the 2023-2030 Australian Cyber Security Strategy.
- Consultation on the ERP Act and supporting Rules: Following the introduction of the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024, the Department of Home Affairs conducted further detailed consultation on the specific legislative changes and the supporting subordinate legislation. This included public consultation on the exposure drafts of the Security of Critical Infrastructure Amendment (2025 Measures No. 1) Rules 2025 and the Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 between December 2024 and February 2025. This process involved industry town halls, deep-dive sessions, and the consideration of written submissions from a wide range of stakeholders.
Industry Materials
- John Dieckmann, Margaret Gigliotti, Bianca Weiss and Marcus Iuele, 'Enhancing response and prevention powers in relation to critical infrastructure assets', Clayton Utz (Web Page, 7 April 2025).
- Claire Harris and Lesley Sutton, 'Everybody wants to rule the (telco) world: telecommunications security obligations consolidated into the SOCI Act', Gilbert + Tobin (Web Page, 28 March 2025).
- Gavin Smith, William Coote, Jia-Lee Lim and Elizabeth Brown, 'Key regulatory changes for the telecommunications sector: new SoCI rules incoming, and Telco Bill introduced into Parliament', Allens (Web Page, 17 March 2025).