
SOCI Act update: Key Cyber Security and Critical Infrastructure Rules have been registered


Tell me in 2 minutes

Following a period of consultation on rules to support the Government’s Omnibus Cyber Security and Critical Infrastructure package discussed here, 4 of the 6 proposed rules have now been registered.

The Cyber Security Incident Review Board Rules and the Ransomware Payment Reporting Rules will commence on 30 May 2025, while the Security Standards for Smart Devices Rules will commence on 4 March 2026.

The Telecommunications Security and Risk Management Rules, which extend obligations to prepare a critical incident risk management program (CIRMP) under the Security of Critical Infrastructure Act 2018 (SOCI Act) to certain critical telecommunications assets will commence on 4 April 2025.

Context

The Australian Government’s Cybersecurity and Critical Infrastructure legislative package summarised here and here received assent on 27 November 2024.

With the exception of certain changes to telecommunications security obligations for critical telecommunications assets, the Cybersecurity and Critical Infrastructure legislative package came into force on 20 December 2024. The telecommunications package is set to commence on 4 April 2025.

On 16 December 2025, CISC began consulting on a suite of rules intended to support the implementation of the legislative package. The period of consultation closed on 14 February, following which CISC has finalised and registered 4 of the 6 proposed rules. Those rules are:

Security Standards for Smart Devices

These rules specify security standards for products that can directly or indirectly connect to the internet (relevant connectable products) and will be acquired in Australia by consumers in specified circumstances. Desktop computers, laptops, tablet computers, smartphones, therapeutic goods, and road vehicles are excluded from the standard.

The standards require that:

  • default passwords for relevant connectable products’ hardware and software comply with certain conditions that reduce password vulnerability;
  • product manufacturers publish how to report product security issues; and
  • product manufacturers publish when products will receive security updates.

Product manufacturers must also prepare a statement of compliance with the standard which they must retain for at least 5 years. This has changed from the initial draft rule, which required that the statement of compliance be retained for at least 10 years. The rule is otherwise registered in substantially the form provided by CISC in draft.

Although the rules were registered on 4 March 2025, they will not commence for 12 months. CISC states that this delay in commencement is intended to allow industry to become acquainted with its obligations, and to enable government to develop and publish guidance materials for industry and consumers.

Ransomware Payment Reporting Rules

These rules confirm that the turnover threshold for an entity to report ransomware payments under the Cyber Security Act 2024 (Cth) (Cyber Security Act) is AUD $3 million.

They also set out the information that a reporting business entity must include in a ransomware payment report in relation to a ransomware payment under Part 3 of the Cyber Security Act. This includes:

  • contact details;
  • the impact of the incident on the entity, including:
    • when the incident is estimated to have occurred and when the entity became aware of the incident;
    • the impact of the incident on the entity’s infrastructure and customers;
    • the variants (if any) of ransomware or other malware used, and the vulnerabilities in the entity’s system that were exploited;
    • information that could assist a Commonwealth body or State body in responding to, mitigating or resolving the incident;
  • the amount of the ransom demanded and the amount paid, as well as the methods of payment demanded or made; and
  • information about communications with the threat actor relating to the incident, demands and payment.

Although substantially the same as the draft proposed by CISC, the registered rule provides additional clarity in specifying that where a non-monetary ransomware payment is demanded, a description of that non-monetary benefit should be included in the reporting business entity’s ransomware payment report.

Cyber Security Incident Review Board

These rules outline the procedural requirements for reviews of cyber security incidents conducted by the Cyber Incident Review Board (Board) under the Cyber Security Act, including:

  • the establishment of review panels for each review, the contents of the terms of reference for reviews, and public notification of the proposed conduct of reviews;
  • appointment, resignation and termination of Board members;
  • appointment, resignation and termination of members of the Expert Panel established by the Board; and
  • the Board’s meeting procedures.

The rules have been registered with only minor changes to the drafting of language describing the Chair and the Board members.

It is intended that following commencement of the rule on 30 May 2025, the Minister for Home Affairs will be able to make appointments to the Board and the Board will establish an Expert Panel.

Telecommunications Security and Risk Management Program Rules

These rules set out security obligations for critical telecommunications assets under amendments made to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) at the end of 2024. Among other things, those amendments moved security and notification obligations from Part 14 of the Telecommunications Act 1997 (Cth) (Telecommunications Act) (and licence conditions under that Act) into a new Part 2D of the SOCI Act, with enhancements to align the regulatory frameworks and clarify telecommunications-specific obligations.

The rule has been registered with only minor changes to the drafting for clarity as against the initial rule proposed by CISC. A summary of the obligations implemented by the rule is provided here.

The obligation to have and maintain a CIRMP in respect of ‘relevant CI assets’ commences on 4 October 2025 (6 months after 4 April 2025) for relevant CI assets that exist as at 4 April 2025. For assets that become a relevant CI asset after 4 April 2025, it commences 6 months after they become a relevant CI asset.

Security of Critical Infrastructure Amendment Rules

As a result of the period of consultation on the suite of rules, the Minister for Home Affairs also intends to register further rules that clarify existing obligations for entities captured by the obligation to prepare a CIRMP under the SOCI Act.

The Security of Critical Infrastructure Amendment (2025 Measures No. 1) Rules 2025 (Amending Rules) are intended to commence on 4 April 2025. These rules are likely to consolidate the changes proposed to be implemented by the:

which were each provided as exposure drafts at the commencement of the consultation period. However, no exposure draft of the consolidated Amending Rules has been published.
