First Security of Critical Infrastructure Bill is now live

2 minute read + PDF download 21.12.2021 Thomas Crowe, Amanda Khoo, Susan Kantor, Leah Mooney, Paul Kallenbach

On 2 December 2021 the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth) received royal assent and became law in Australia. We explore what it means going forward.

Key takeouts

Recent amendments to the Security of Critical Infrastructure laws extend their operation to a much broader range of sectors.

The amendments also afford the government additional powers to respond to suspected or actual cyber security incidents where they impact on a critical infrastructure asset.

When 'switched on' by the Government, relevant entities will be required to comply with new obligations relating to mandatory reporting of cyber security incidents and maintain a register of critical infrastructure assets.

The security of critical infrastructure (SOCI) laws are a key measure under the Australian Cyber Security Strategy 2020. They are in response to evidence that well-resourced and persistent state-sponsored actors are maliciously targeting critical infrastructure and stealing intellectual property developed in Australia. While Australia has not suffered a catastrophic attack on critical infrastructure, there have been several high profile cyber attacks in the public and private sectors that have had a significant impact.

You can read more about the history of the SOCI laws in our previous article, Changes to critical infrastructure laws in 2021: is your sector impacted? as well as specifically how these changes are affecting Foreign Investment Review Board processes.

During SOCI laws’ passage through Commonwealth Parliament, the Bill was amended, and then separated into two parts. Only the first part of the Bill is now law.

The Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth) (First Bill) amends the scope of the Security of Critical Infrastructure Act 2018 (Cth) (Act), which underpins a framework for managing cyber risks relating to critical infrastructure. The First Bill extends the obligations in the Act to a broader range of sectors – now eleven in total as compared with the previous four. The sectors that are defined as 'critical infrastructure sectors' are now as follows:

communications;
data and storage or processing;
financial services and markets;
water and sewerage;
energy;
healthcare and medical;
higher education and research;
food and grocery;
transport;
space technology;
defence industry;

It also introduces new obligations, empowering the Government to issue information gathering and other directions, as well as request specified agencies to provide support, in certain circumstances, in respect of a cyber security incident (the Government Assistance Measures). In addition, if 'switched on' for a particular sector, the new obligations:

mandate cyber security incident reporting (the Mandatory Reporting Obligation); and
require certain entities to maintain a register of critical infrastructure assets containing specified information (the Asset Register Obligation).

Under the First Bill, the Government Assistance Measures apply to all sectors from the date of royal assent (2 December 2021).

An exposure draft for a second Security Legislation Amendment (Critical Infrastructure) Bill is expected to be released in the coming weeks for consultation with impacted sectors. The Department has been engaging with several sectors in relation to the Second Bill, which will introduce comprehensive risk management program obligations, as well as enhanced cyber security obligations.