Written by Cheng Lim
Draft legislation and rules have been released for consultation. The draft legislation implements the second element of the Government’s regulatory framework for the security and resilience of critical infrastructure and systems of national significance. The draft rules will switch on the reporting obligations and cyber security notification obligations for certain classes of critical infrastructure assets.
Draft legislation and rules released for consultation
As foreshadowed in our alert here, on 15 December 2021, the Government released an exposure draft of the second tranche of legislative amendments to the Security of Critical Infrastructure Act 2018. This tranche contains all the elements of the original Security Legislation Amendment (Critical Infrastructure) Bill 2020 (risk management programs, SONs and enhanced cyber security obligations) that were omitted from the Security Legislation Amendment (Critical Infrastructure) Act 2021 in accordance with the recommendations of the Parliamentary Joint Committee on Intelligence and Security. The consultation period ends on 1 Feb 2022. We will release a more detailed alert on the exposure draft early next year.
At the same time, the Government has also released an exposure draft of the rules under the Security of Critical Infrastructure Act 2018 (see https://www.homeaffairs.gov.au/reports-and-pubs/files/critical-infrastructure-consultation-submissions/soci-app-rules-exposure-draft-explanatory-statement.pdf). The consultation period for these rules also ends on 1 Feb 2022.
These rules will ‘switch on’ the reporting requirements (to provide operational, interest and control information for inclusion in the Register of Critical Infrastructure Assets) and the cyber security notification requirements that were implemented in the Security Legislation Amendment (Critical Infrastructure) Act 2021.
Importantly, in relation to the reporting requirements:
- not all critical infrastructure assets will be subject to the reporting requirements (for example, it will only apply to critical financial market infrastructure assets that are payment systems)
- there will be a 6 month grace period for compliance with this reporting obligation for entities that are not currently subject to it.
In relation to the cyber security notification obligations:
- most but not all critical infrastructure assets will be subject to the reporting obligations
- there will be a 3 month grace period for compliance with this notification obligation.
Businesses should therefore review these rules carefully to ascertain if their critical infrastructure assets will be subject to the reporting requirements and the cyber security notification obligations.