Security of Critical Infrastructure Act 2018 (Cth) Reforms in Force

• data storage or processing;
• communications;
• defence;
• energy;
• financial services and markets;
• food and grocery;
• health care and medical;
• higher education and research;
• space technology;
• transport; and
• water and sewerage.

Information from the Cyber and Infrastructure Security Centre (CISC) indicates that the Minister will shortly release draft rules to ‘switch on’ cyber reporting for most of the asset classes, to which a consultation period of at least 28 days will apply. All affected entities are expected to be advised of the consultation process by email.

The CISC has also indicated that a second bill will be introduced in early 2022 which will impose further obligations on entities responsible for or owning critical infrastructure assets in the classes:

• broadcasting;
• domain name systems;
• data storage or processing;
• critical hospitals;
• freight infrastructure;
• payment systems;
• freight services;
• liquid fuel;
• energy market operator;
• electricity
• gas;
• water and sewerage; and
• defence.

Such obligations will include risk management programs, enhanced cyber security obligations and designate ‘Systems of National Significance’. An exposure draft of the second raft of reforms is set to be released in the next few weeks, with the period of consultation likely to run from mid December 2021 to the beginning of February 2022.

Contacts: Sophie Dawson, Julie Cheeseman, Joel Parsons, James Hoy, Jessica Laverty, Emma Croft