
The second package of reforms to the Security of Critical Infrastructure Legislation has been passed

TL;DR

The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) has been passed by the Senate and the House of Representatives, incorporating amendments recommended by the Commonwealth's Parliamentary Joint Committee on Intelligence and Security (PJCIS) in its advisory report.

We expect that the Act will receive Royal Assent from the Governor-General in the coming days. 

Background

The SLACIP Act implements the outstanding elements of Australia’s revised critical infrastructure framework, by seeking to:

  • introduce an obligation for entities responsible for critical infrastructure assets to implement a critical infrastructure risk management program (RMP); and
  • impose enhanced cyber security obligations on entities responsible for critical infrastructure assets which are declared by the Minister of Home Affairs (Minister) to be ‘systems of national significance’ (SoNS).

The SLACIP Act comes almost six months after the PJCIS handed down its initial report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SOCI Bill) and the Security of Critical Infrastructure Act 2018 (SOCI Act) where it recommended, among other things, that the SOCI Bill be split into two Bills, with the first Bill forming what would later be passed as the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act), and the second Bill now becoming the SLACIP Act.

In this alert, we explore the key recommendations flowing from the PJCIS report and how these recommendations have been addressed in the recent amendments to the SLACIP Act.

Our previous alerts on the development of critical infrastructure reforms are available here, here and here.

What does it mean for business?

In light of the passage of the SLACIP Act, entities which own or operate critical infrastructure assets should begin considering whether their existing organisational processes will be sufficient to comply with their impending obligations, or whether new measures will need to be put into effect in order to bring themselves into conformity with the minimum requirements contemplated by the Act and the accompanying draft Risk Management Program Rules (Rules). To the extent that an entity does not have adequate risk management procedures in place, the Rules provide for a grace period of 6 months (or 18 months, for specified cyber security frameworks) following the later of commencement of the Rules and the date that an asset becomes a critical infrastructure asset, in which an entity will not need to comply with its obligations in relation to RMPs.

For entities which own or operate critical infrastructure assets that may be declared by the Minister as a SoNS, the relevant entity should take steps to review and, if necessary, strengthen their cyber security capabilities, to ensure that they will be able to meet the standard of cyber preparedness required under the SLACIP Act. Failure to do so may result in the entity incurring fines in the realm of $44,400 (200 penalty units) to $222,000 (1000 penalty units).

Overview of the amendments

The SLACIP Act incorporates the following amendments in response to the key recommendations set out in the PJCIS report:

  • (Definitions of “Critical Worker” and “Critical Component”) – definitions for “critical worker” and “critical component” have been inserted into the SLACIP Act in order to provide some clarity to responsible entities of critical infrastructure assets, particularly around which of their personnel will be subject to the background checks required under an RMP.
  • (Notification to the PJCIS) – subsection 52B(3) of the SLACIP Act has been amended to impose an obligation on the Minister to notify the PJCIS in writing of any declaration of a SoNS, together with the asset sector and entity details pertaining to the relevant critical infrastructure asset.
  • (Periodic reporting of ongoing consultation) – in line with the PJCIS’s recommendation for the Department of Home Affairs (Department) to continue its consultation with industry on the development of the SLACIP Act and the Rules, the SLACIP Act has been amended to insert a new section 60AAA, which requires the Secretary of Home Affairs (Secretary) to periodically report to the Minister every 6 months on the conduct, progress and outcomes of consultations undertaken by the Department with respect to the amendments to the SOCI Act made by the SLACIP Act and the SLACI Act. These reports must also be given to the PJCIS. 
  • (Independent review of the SOCI Act) – the SLACIP Act has been amended to include a requirement for the Minister to cause an independent review into the operation of the SOCI Act to be conducted one year after the SLACIP Act receives Royal Assent, and for the results of this review to be tabled in Parliament. To avoid any confusion that might result from having two statutory review mechanisms exist simultaneously, the SLACIP Act also repeals the existing provision requiring the PJCIS to review the operation, effectiveness and implications of the SOCI Act.

In addition to the above amendments, Parliament has published an Addendum to Explanatory Memorandum which aims to give effect to the other recommendations put forward in the PJCIS report, by clarifying the impact of the SLACIP Act on workers’ rights and the circumstances and scope of the intended operation of the enhanced cyber security obligations which will apply to SoNS.

Notably, Parliament has declined to reconsider the concept of establishing a legislative basis for merits review in relation to decisions made under the SOCI Act and the SLACIP Act, a suggestion which was originally raised in the PJCIS’s initial report into the SOCI Act and SOCI Bill, and which the PJCIS had reiterated in their latest report.

Next steps

The SLACIP Act will commence the day after it receives Royal Assent from the Governor-General, which will occur shortly. Following that, we expect the Rules to be published as part of the Minister’s mandatory consultation process, which will continue for at least 28 days before the Rules finally come into effect.
