Tell me in 2 minutes
The Cyber and Infrastructure Security Centre (CISC) is consulting on proposed new rules to support the implementation of the Government’s recently assented Omnibus Cyber Security and Critical Infrastructure Package. Consultation closes on 14 February 2025.
Context
The Australian Government’s Cybersecurity and Critical Infrastructure legislative package summarised here and here received assent on 27 November 2024.
The Cyber and Infrastructure Security Centre (CISC) is now consulting on subordinate legislation that the Government proposes to make to assist with implementation of its legislative package. Submissions to the consultation must be lodged here by 14 February 2025.
What are the proposed rules?
The CISC is seeking feedback on 6 proposed rules:
- Cyber Security (Security Standards for Smart Devices) Rules 2024 (Cth)
- Cyber Security (Ransomware Reporting) Rules 2024 (Cth)
- Cyber Security (Cyber Incident Review Board) Rules 2024 (Cth)
- Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2024 (Cth)
- Security of Critical Infrastructure (Application) Amendment (Critical Telecommunications Assets) Rules 2024 (Cth)
- Security of Critical Infrastructure (Critical infrastructure risk management program) Amendment (Data Storage Systems) Rules 2024 (Cth).
Cyber Security (Security Standards for Smart Devices) Rules 2024 (Cth)
These rules specify security standards for products that can directly or indirectly connect to the internet (relevant connectable products) and will be acquired in Australia by consumers. Desktop computers, laptops, tablet computers, smartphones, therapeutic goods, and road vehicles are excluded from the standard.
The standards require that:
- default passwords for relevant connectable products’ hardware and software comply with conditions that reduce the risk of credential compromise (for example, not being shared across all units of a product and not being easily guessable);
- product manufacturers publish how to report product security issues; and
- product manufacturers publish when products will receive security updates.
Product manufacturers must also prepare a statement of compliance with the standard which they must retain for at least 10 years.
Cyber Security (Ransomware Reporting) Rules 2024 (Cth)
These rules confirm that the annual turnover threshold above which an entity must report ransomware payments under the Cyber Security Act 2024 (Cth) (Cyber Security Act) is AUD 3 million.
They also set out the information that a reporting business entity must include in a ransomware payment report under Part 3 of the Cyber Security Act. This includes:
- contact details;
- details of the incident and its impact on the entity, including:
  - when the incident is estimated to have occurred and when the entity became aware of the incident;
  - the impact of the incident on the entity’s infrastructure and customers;
  - the variants (if any) of ransomware or other malware used, and the vulnerabilities in the entity’s systems that were exploited;
  - information that could assist a Commonwealth body or State body to respond to, mitigate or resolve the incident;
- the amount of the ransom demanded and the amount paid, as well as the methods of payment demanded or made; and
- information about communications with the threat actor relating to the incident, the demands and the payment.
Cyber Security (Cyber Incident Review Board) Rules 2024 (Cth)
These rules outline the procedural requirements for reviews of cyber security incidents conducted by the Cyber Incident Review Board (Board) under the Cyber Security Act, including:
- the establishment of a review panel for each review, the contents of the terms of reference for a review, and public notification of a proposed review;
- appointment, resignation and termination of standing members of the Board;
- appointment, resignation and termination of members of the Expert Panel established by the Board; and
- the Board’s meeting procedures.
Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2024 (Cth)
These rules set out security obligations for critical telecommunications assets under amendments made to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) at the end of 2024. Among other things, those amendments moved security and notification obligations from Part 14 of the Telecommunications Act 1997 (Cth) (Telecommunications Act) (and licence conditions under that Act) into a new Part 2D of the SOCI Act, with enhancements to align the regulatory frameworks and clarify telecommunications-specific obligations.
In particular, they:
- apply the current obligation to have and maintain a critical infrastructure risk management program (CIRMP) under Part 2A (Critical Infrastructure Risk Management Programs) of the SOCI Act to ‘relevant CI assets’, being critical telecommunications assets owned or operated by a carrier, or by a carriage service provider that provides broadband, fixed telephone, public mobile telecommunications or voice services to 20,000 customers or to a Commonwealth entity. This obligation commences 6 months after the rules commence, or 6 months after an asset becomes a relevant CI asset.
- identify a set of specific material risks that must be addressed in a CIRMP for a relevant CI asset. These risks include:
  - a stoppage or major slowdown of the relevant CI asset’s function for an unmanageable period;
  - substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the relevant CI asset;
  - the storage, transmission or processing of information relevant to the operation of the relevant CI asset outside of Australia;
  - remote access to operational control or operational monitoring systems; or
  - unauthorised use which compromises the security and function of a relevant CI asset, including by a major supplier, critical worker or managed service provider.
- set out other requirements for a CIRMP for a relevant CI asset (which are generally consistent with those applicable to other critical infrastructure assets under the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023). However:
  - responsible entities for relevant CI assets must establish and maintain a process in their CIRMP to comply with one of a number of specified cyber security frameworks or an equivalent (eg ISO 27001, NIST, Essential Eight maturity level 1) within 12 months after the CIRMP obligation comes into force (that is, 18 months after the rules commence); and
  - carriers that are responsible entities for relevant CI assets must additionally reach a higher level of maturity under the applicable framework within 24 months.
Finally, these rules specify the kinds of information that must be provided by carriers when notifying CISC of changes and proposed changes to telecommunications services or systems under section 30EC of the SOCI Act (which was previously contained in the Telecommunications Act).
Security of Critical Infrastructure (Application) Amendment (Critical Telecommunications Assets) Rules 2024 (Cth)
These rules amend the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (Cth). They extend the definition of critical infrastructure assets subject to Part 2 (Register of critical infrastructure assets) and Part 2B (Notification of cyber security incidents) of the SOCI Act to include applicable critical telecommunications assets (relevant CI assets as defined above).
Security of Critical Infrastructure (Critical infrastructure risk management program) Amendment (Data Storage Systems) Rules 2024 (Cth)
These rules clarify that an entity’s CIRMP must address risks arising out of data storage systems that, by virtue of the recent amendments to the SOCI Act, are considered to form part of a critical infrastructure asset.
They also clarify that, if a single entity is responsible for two different kinds of critical infrastructure asset specified in two separate instruments, the entity can apply the same CIRMP to both assets.
More Information and Town Halls
The CISC conducted a town hall on 16 December 2024 that provided an overview of the 6 proposed rules. A recording of this town hall is available here.
Additionally, the CISC is currently conducting a series of public deep dive sessions regarding the 6 rules, including the following upcoming sessions:
- 28 January 2025, 1:30pm – 2:30pm – Cyber Incident Review Board (registration link)
- 30 January 2025, 1pm – 2pm – Telecommunications Security and Risk Management Program (registration link)
- 3 February 2025, 1pm – 2pm – Security Standards for smart devices (registration link)
- 5 February 2025, 1pm – 2pm – Ransomware reporting (registration link)
- 7 February 2025, 1pm – 2pm – Cyber Incident Review Board (registration link)
- 11 February 2025, 1pm – 2pm – Telecommunications Security and Risk Management Program (registration link).