New security rules for investors in critical infrastructure in Australia

Current site :    AU   |   EN
China Hong Kong SAR
United Kingdom
United States

This article was written by Louis Chiam, Malcolm Brennan, Intan Eow and Liqing Mao.

Investors and operators of critical infrastructure in Australia will soon need to comply with new security rules.  The new rules, introduced as part of the Australian Government's new Critical Infrastructure Centre, will apply to most infrastructure in telecommunication, ports, water, electricity and natural gas.

The Security of Critical Infrastructure Act 2018 (the Act) has just been passed and will soon commence on 11 July 2018.

The rules impose new obligations in 2 broad areas: a new register of owners and operators and potential new security requirements.

Register of owners and operators

The rules require owners and operators of critical infrastructure to file their details on a register with the Critical Infrastructure Centre.  There are complex rules that may require disclosure of some upstream investors (including ultimately offshore investors) and some operator and management agreements. 

As this relates to a high profile Government policy on security, it is likely the Australian Government will take a very strict approach to compliance.  It is important, both for legal compliance and reputational reasons, that all international investors ensure they comply fully with these requirements.

The Act applies to the following reporting entities:

  • a responsible entity must provide the operational information in relation to the assets.  Such information includes the arrangements under which each operator operates the asset and arrangements under which data is maintained; and
  • a direct interest holder must provide the interest and control information in relation to the entity and the asset.  Such information includes:
    • the direct interest holder's influence or control in relation to the assets;
    • the ability of its nominee to access networks or systems necessary for the operation or control of the assets; and
    • information on its direct and indirect controlling entities, and their influence or control in relation to the direct interest holder or an intermediate entity.

The Act has a six-month grace period for reporting entities to report information about critical infrastructure assets to be included in the Register of Critical Infrastructure Assets.  This grace period ends on 11 January 2019.

Potential new security requirements

Further, the Minister has a wide power of direction (the "last resort" power) to require a reporting entity to do or refrain from doing an act if the Minister is satisfied that there is a risk that such an act or omission would be prejudicial to security.

There is no detail publicly available on what these additional requirements may be, but they could extend to matters such as use of non-Australian information technology suppliers, data storage and offshore access to data.

Critical Infrastructure Centre

The Act follows the Australian government's recent launch of the Critical Infrastructure Centre, now housed in the newly established Department of Home Affairs. The Centre is intended to bring together expertise and capability from across the Australian government to manage national security risks from foreign involvement in Australia's critical infrastructure.  It focuses on the risks of sabotage, espionage and coercion in the five priority sectors of telecommunications, electricity, gas, water and ports. 

Despite the Centre's focus on foreign involvement, the Foreign Investment Review Board (FIRB) continues to be responsible for Australia's foreign investment review process.  But FIRB will work cooperatively with the Critical Infrastructure Centre in assessing foreign acquisitions of critical infrastructure.

For more details, you may refer to our previous KWM Insight Critical infrastructure security – what lies ahead for electricity, ports and water and Espionage, sabotage and infrastructure: what you need to know about the Security of Critical Infrastructure Bill.

On 2 August 2022, the Aged Care and Other Legislation Amendment (Royal Commission Response) Bill 2022 was passed (Aged Care Bill), introducing important regulatory changes to Australia’s aged care sector. The Bill makes numerous legislative amendments, including to the Aged Care Act 1997 (Cth) (Aged Care Act) and the Aged Care (Transitional Provisions) Act 1997 (Cth) (Transitional Provisions Act), and responds to various recommendations made by the Royal Commission into Aged Care Quality and Safety (Royal Commission) Final Report (Report). The Report identified the provision of substandard aged care services and perceived systemic failures in the aged care sector.[1]

08 August 2022

The Federal Court has refused an application to stay proceedings to quantify compensation for patent infringement (quantum proceedings) pending the outcome of separate parallel proceedings challenging the validity of the infringed patent on new grounds. The case is significant as intellectual property cases are regularly bifurcated with liability determined separately damages or an account of profits. A patentee may also bring consecutive infringement cases and therefore have two separate cases considering invalidity issues for the same patent running in parallel.

03 August 2022

Since the introduction of a nationwide Marketing Authorization Holder (MAH) system in 2019, licenses have linked directly to therapeutic products rather than manufacturers.

03 August 2022