Exposure draft of the second package of amendments to the Security of Critical Infrastructure legislation has been released

Written by Cheng Lim

TLDR

Draft legislation and rules have been released for consultation. The draft legislation implements the second element of the Government’s regulatory framework for the security and resilience of critical infrastructure and systems of national significance. The draft rules will switch on the reporting obligations and cyber security notification obligations for certain classes of critical infrastructure assets.

Draft legislation and rules released for consultation

As foreshadowed in our alert here, on 15 December 2021, the Government released an exposure draft of the second tranche of legislative amendments to the Security of Critical Infrastructure Act 2018. This tranche contains all the elements of the original Security Legislation Amendment (Critical Infrastructure) Bill 2020 (risk management programs, SONs and enhanced cyber security obligations) that were omitted from the Security Legislation Amendment (Critical Infrastructure) Act 2021 in accordance with the recommendations of the Parliamentary Joint Committee on Intelligence and Security. The consultation period ends on 1 Feb 2022. We will release a more detailed alert on the exposure draft early next year.

At the same time, the Government has also released an exposure draft of the rules under the Security of Critical Infrastructure Act 2018 (see https://www.homeaffairs.gov.au/reports-and-pubs/files/critical-infrastructure-consultation-submissions/soci-app-rules-exposure-draft-explanatory-statement.pdf). The consultation period for these rules also ends on 1 Feb 2022.

These rules will ‘switch on’ the reporting requirements (to provide operational, interest and control information for inclusion in the Register of Critical Infrastructure Assets) and the cyber security notification requirements that were implemented in the Security Legislation Amendment (Critical Infrastructure) Act 2021.

Importantly, in relation to the reporting requirements:

  • not all critical infrastructure assets will be subject to the reporting requirements (for example, it will only apply to critical financial market infrastructure assets that are payment systems)
  • there will be a 6-month grace period for compliance with this reporting obligation for entities that are not currently subject to it.

In relation to the cyber security notification obligations:

  • most but not all critical infrastructure assets will be subject to the reporting obligations
  • there will be a 3-month grace period for compliance with this notification obligation.

Businesses should therefore review these rules carefully to ascertain if their critical infrastructure assets will be subject to the reporting requirements and the cyber security notification obligations.