Exposure draft of the second package of amendments to the Security of Critical Infrastructure legislation has been released

Written by Cheng Lim

TLDR

Draft legislation and rules have been released for consultation. The draft legislation implements the second element of the Government’s regulatory framework for the security and resilience of critical infrastructure and systems of national significance. The draft rules will switch on the reporting obligations and cyber security notification obligations for certain classes of critical infrastructure assets.

Draft legislation and rules released for consultation

As foreshadowed in our alert here, on 15 December 2021, the Government released an exposure draft of the second tranche of legislative amendments to the Security of Critical Infrastructure Act 2018. This tranche contains all the elements of the original Security Legislation Amendment (Critical Infrastructure) Bill 2020 (risk management programs, SONs and enhanced cyber security obligations) that were omitted from the Security Legislation Amendment (Critical Infrastructure) Act 2021 in accordance with the recommendations of the Parliamentary Joint Committee on Intelligence and Security. The consultation period ends on 1 Feb 2022. We will release a more detailed alert on the exposure draft early next year.

At the same time, the Government has also released an exposure draft of the rules under the Security of Critical Infrastructure Act 2018 (see https://www.homeaffairs.gov.au/reports-and-pubs/files/critical-infrastructure-consultation-submissions/soci-app-rules-exposure-draft-explanatory-statement.pdf). The consultation period for these rules also ends on 1 Feb 2022.

These rules will ‘switch on’ the reporting requirements (to provide operational, interest and control information for inclusion in the Register of Critical Infrastructure Assets) and the cyber security notification requirements that were implemented in the Security Legislation Amendment (Critical Infrastructure) Act 2021.

Importantly, in relation to the reporting requirements:

  • not all critical infrastructure assets will be subject to the reporting requirements (for example, it will only apply to critical financial market infrastructure assets that are payment systems)
  • there will be a 6-month grace period for compliance with this reporting obligation for entities that are not currently subject to it.

In relation to the cyber security notification obligations:

  • most but not all critical infrastructure assets will be subject to the reporting obligations
  • there will be a 3-month grace period for compliance with this notification obligation.

Businesses should therefore review these rules carefully to ascertain if their critical infrastructure assets will be subject to the reporting requirements and the cyber security notification obligations.
