Security of Critical Infrastructure Act 2018 (Cth) Reforms in Force
Written By
Partner
Australia
I am a partner in our Sydney office, where I specialise in media and technology disputes and advice.
Senior Associate
Australia
I am a senior associate in our Dispute Resolution Group in Sydney, specialising in media and technology disputes, commercial litigation and privacy and cybersecurity advisory work.
Related
Practices
- Commercial
- Digital Rights & Assets
- International Dispute Resolution
- Finance & Financial Regulation
- Infrastructure
- Privacy and Data Protection
Sectors
- Defence & Security
- Automotive
- Aviation & Aerospace
- Energy & Utilities
- Financial Services
- Retail and Consumer
- Life Sciences and Healthcare
- Technology & Communications
- Media, Entertainment and Sport
Trending Topics
Countries
We recently published an article summarising the changes recently made to the Security of Critical Infrastructure Act 2018 (Cth) which were assented to on 2 December 2021 and will affect entities in the following sectors:
- data storage or processing;
- communications;
- defence;
- energy;
- financial services and markets;
- food and grocery;
- health care and medical;
- higher education and research;
- space technology;
- transport; and
- water and sewerage.
Information from the Cyber and Infrastructure Security Centre (CISC) indicates that the Minister will shortly release draft rules to ‘switch on’ cyber reporting for most of the asset classes, to which a consultation period of at least 28 days will apply. All affected entities are expected to be advised of the consultation process by email.
The CISC has also indicated that a second bill will be introduced in early 2022 which will impose further obligations on entities responsible for or owning critical infrastructure assets in the classes:
- broadcasting;
- domain name systems;
- data storage or processing;
- critical hospitals;
- freight infrastructure;
- payment systems;
- freight services;
- liquid fuel;
- energy market operator;
- electricity
- gas;
- water and sewerage; and
- defence.
Such obligations will include risk management programs, enhanced cyber security obligations and designate ‘Systems of National Significance’. An exposure draft of the second raft of reforms is set to be released in the next few weeks, with the period of consultation likely to run from mid December 2021 to the beginning of February 2022.
Contacts: Sophie Dawson, Julie Cheeseman, Joel Parsons, James Hoy, Jessica Laverty, Emma Croft
