07 May 2021

Critical Infrastructure reforms – New asset definitions released

This article was written by Kirsten Bowe, Johnathon Hall, Oceane Pearse.

The Department of Home Affairs has released an initial draft of the Critical Infrastructure Asset Definition Rules (the draft Rules) for public consultation.  The draft Rules provide further insight into the proposed assessment process for determining whether an asset is to be considered a “critical asset” under the to-be-amended Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act), including rules tailored to capture specific assets.

The draft Rules are in addition to the “critical asset” definitions to be introduced by the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (the Critical Infrastructure Bill), which is anticipated to be introduced to Parliament in mid-2021.

Our previous alerts on the purpose of the reforms and the content of the Critical Infrastructure Bill are available here and here.

The Department of Home Affairs is accepting public submissions on the draft Critical Infrastructure Asset Definition Rules until 4.00 AEST on Friday, 14 May 2021.

Sector assessment – additional rules for “critical asset” classifications

The draft Rules provide further clarity on the definition of “critical asset” for 12 of the 22 asset classes identified in the Critical Infrastructure Bill.  These rules are proposed to complement the sector-specific definitions in the Critical Infrastructure Bill by specifying assets that will be “critical assets” (including in some cases assets that would not otherwise be captured by the definition in the Critical Infrastructure Bill) or prescribing the requirements to be met by an asset to make it a “critical asset”.  

The remaining 10 classes are proposed to require no further rules.  This means that whether assets within those sectors are “critical assets” for the purposes of the amended SOCI Act is to be determined by reference to the asset definitions to be introduced by the Critical Infrastructure Bill.  These classes are outlined below for completeness.

Classes with proposed rules

Specific asset rules

Many of the qualifiers proposed in the draft Rules are asset-specific and are proposed with the intention of ensuring a particular asset is considered a “critical asset”.  These assets are addressed by name in commentary contained in the draft Rules and fall within the following classes:

  • Critical broadcasting assets – assets owned by TXAustralia.
  • Critical domain name systems – the .au country code Top Level Domain (ccTLD) as a whole (distinguishable from an individual .au site).
  • Critical liquid fuel assets – the Geelong and Lytton refineries, and a collection of liquid fuel pipelines across Australia (see Page 11 of the draft Rules for the full list).
  • Critical financial market infrastructure assets – the Mastercard, Visa and EFTPOS systems, and the New Payments Platform.
  • Critical food and grocery assets – the Woolworths Group, Coles Group, Aldi, Costco and Metcash Group.
  • Critical education assets – the Australian National University.
  • Critical freight infrastructure – 49 intermodal terminals (see Appendix B of the draft Rules for the full list).

Broader asset rules

The remaining qualifiers proposed in the draft Rules are broader qualifiers intended to expand the scope of assets considered “critical assets” by introducing additional criteria.  The effect of these rules is that assets that are not “critical assets” under the definitions in the Critical Infrastructure Bill will be considered “critical assets” for the purposes of any obligations in the amended SOCI Act.

Asset class | Additional qualifier

Critical electricity assets

Electricity generators with a nameplate generation capacity greater than or equal to 30 megawatts which are connected to a wholesale electricity market are proposed to be considered a “critical electricity asset”.  The reference in the current rules to ‘synchronous’ will also be removed to capture renewable generators.

Critical banking assets

Any authorised deposit institution and its related bodies corporate with total assets above $50 billion.

Critical financial market infrastructure assets

Financial markets operated by a domestic Tier 1 market licensee which, for at least two consecutive quarters, have a turnover metric threshold test of at least one of:

  • 35% market share of Cash Market Products;
  • $4 billion average daily value of Cash Market Products;
  • $15 billion average daily notional value of Futures Markets Contracts transactions; or
  • $30 billion average daily notional value of transactions that are neither Cash Market Products nor Futures Markets Contracts.

All clearing and settlement facilities that are operated under a clearing and settlement facility licence granted under the Corporations Act 2001 (Cth) by holders incorporated in Australia and subject to financial stability standards determined by the RBA.

Critical insurance assets

For insurance assets, assets in the following classes have defined thresholds for being considered “critical assets”:

  • Life insurance – entities with total assets over $5 billion.
  • Health insurance – entities with total assets over $0.5 billion.
  • Insurance (if not one of the above) – entities with total assets over $2 billion.

Critical superannuation assets

Any registrable superannuation entity licensees with total assets over $20 billion.

Critical freight service assets

Any national logistics providers with an annual revenue of over $150 million. This is intended to capture the Toll Group, Aurizon, DHL Global Forwarding and Linfox, but is not limited to those entities.

Additional defined terms

The draft Rules also propose to introduce a limited set of definitions for terms undefined in the Critical Infrastructure Bill to provide further clarity to the proposed “critical asset” definitions.  In the current draft Rules, this is limited to defining “derivative trade repositories” as assets which:

  • hold an Australian derivative trade repository licence; and
  • where the derivative trade repository has at least $20 trillion average daily notional value of outstanding transactions for all asset classes for at least two consecutive quarters.

Classes with no further rules

The draft Rules consider that the 10 remaining critical infrastructure asset classes are fully defined in the Critical Infrastructure Bill and therefore require no further rules.  These classes include:

  • critical telecommunications assets;
  • critical data storage and processing assets;
  • critical water assets;
  • critical energy market operator assets;
  • critical hospital assets;
  • critical education assets;
  • critical port assets;
  • critical public transport assets;
  • critical aviation assets; and
  • critical defence industry assets.

Next Steps

The submissions received by the Department will inform the final draft Rules submitted to the Minister for Home Affairs, who holds the final discretion for determining the application of the critical infrastructure obligations across the impacted sectors.  Changes to the draft Rules could result in changes in draft thresholds, the inclusion of other specific assets that are not captured under the draft Rules or Critical Infrastructure Bill and the inclusion of additional rules for any of the 22 classes of assets.

The Department of Home Affairs is accepting public submissions on the draft Critical Infrastructure Asset Definition Rules until 4.00 AEST on Friday, 14 May 2021. Further information about the consultation process for Critical Infrastructure Asset Definition Rules is available here.


In our annual Directions Report released 6 May, the majority of respondents were not sure how proposed changes to the Security of Critical Infrastructure Act will impact organisations – will the new asset definitions help provide clarity? You can check out our Directions Report here.



