
Out-Law Analysis

Australia’s latest Security of Critical Infrastructure Act amendments explained


The most recent changes to legislation passed by Australia’s parliament, which have now received Royal Assent, will affect how owners and operators of critical infrastructure (CI) assets in the country address cyber risk and ensure operational resilience.

The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Act) forms part of Australia’s 2024 cybersecurity law package and amends the Security of Critical Infrastructure Act 2018 (SOCI Act). The Act aims to address gaps identified in the expanded regulatory framework and enhance the government’s ability to respond to a wide range of incidents.

Key amendments to the SOCI Act

The Act will make six key amendments to enhance the security and resilience of Australia’s CI sectors.

First, it clarifies that the SOCI Act applies to data storage systems that form part of a primary CI asset. 

Second, it broadens the government assistance framework so that it can be used in response to all types of incidents, not only cyber-related incidents, reflecting the SOCI Act’s ‘all hazards’ approach to risk.

Third, it amends the definition of ‘protected information’ and the operation of disclosure provisions, to allow greater cross-industry collaboration and intra-government sharing, especially in response to major incidents. 

Fourth, it empowers regulators to compel a responsible entity for a CI asset to remedy a seriously deficient risk management program in circumstances where there is a risk to national security, or the defence or social and economic stability of Australia. 

Fifth, it incorporates elements of the telecommunications sector security reforms (TSSR), including security and notification obligations, from Part 14 of the Telecommunications Act 1997 (Cth) into the SOCI Act. These enhancements aim to align regulatory frameworks and clarify telecommunications-specific obligations. 

Sixth, it removes some notification and reporting obligations in connection with direct interest holders, reducing administrative burden without compromising security. 

Clarification of data storage systems 

The amendments aim to strengthen and standardise obligations across CI assets by explicitly clarifying the circumstances in which certain data storage systems form part of the primary CI asset and, therefore, are the responsibility of the responsible entity for that primary asset.

The Act creates a new section 9(7), which specifies that a data storage system will form part of the primary CI asset if it meets all of the following criteria:

  • the responsible entity for the CI asset owns or operates the data storage system;
  • the data storage system is used, or intended to be used, in connection with the CI asset;
  • the system stores or processes ‘business critical data’, as defined in the SOCI Act, even if it also processes other types of information; and
  • there is a material risk that a hazard affecting the data storage system could also have a ‘relevant impact’ on the CI asset.

According to the explanatory memorandum for the Act, explicitly outlining that these data storage systems form part of the primary CI asset ensures they are considered holistically as part of a responsible entity’s SOCI Act obligations. The intent is not to capture all non-operational systems holding business critical data, but only those where vulnerabilities could significantly impact CI assets. Examples provided include systems holding operational data such as network blueprints, encryption keys, algorithms, operational system code, and tactics, techniques, and procedures. 

These changes will come into force within six months now that the Act has received Royal Assent – by the end of May 2025. The Act also includes a mechanism to enable the obligations to come into force sooner. 

To prepare for these changes, organisations that are responsible entities for CI assets should: 

  • review their vendor assessment processes: data storage and processing systems may now form part of a CI asset, which may affect a responsible entity’s reporting and asset register obligations under the SOCI Act and its critical infrastructure risk management program (CIRMP). Organisations that are the responsible entity for a CI asset should assess whether any data storage system used by the CI asset falls within the new section 9(7);
  • validate section 12F(3) notifications: the amendments do not impact the existing provisions in section 12F of the SOCI Act regarding the definition of critical data storage or processing assets, or the obligation on responsible entities in section 12F(3) to provide notice to data storage or processing assets. Therefore, responsible entities should review and validate that all relevant data storage and processing providers who process their business critical data have been given a section 12F(3) notice, and consider if any of these data storage systems now form part of the overall CI assets as a result of the new section 9(7). 

Suppliers of services that support CI assets should check whether they are data storage and processing providers: if they have received a section 12F notice directly or through their service contract, they should assess whether they are operating a data storage or processing asset – and are therefore the responsible entity for that data storage or processing asset – or whether the service is instead a data storage system that is captured by section 9(7) and forms part of the primary CI asset.

The outcome of the assessment will inform how responsible entities and their service providers address SOCI Act obligations including CIRMP requirements.

Extended government assistance powers – beyond cyber incidents

With the aim of improving the national response to significant incidents impacting CI, the current regime sets up a framework for the government to respond to serious incidents that have had, are having, or are likely to have, one or more relevant impacts on CI assets. 

The Act extends existing government assistance powers, which are currently mechanisms to assist with an immediate response to serious cybersecurity incidents, to include non-cyber incidents. This extension enables the use of the framework in response to incidents affecting the availability, integrity, and reliability of CI assets, including events like terrorist attacks and natural disasters such as floods or bushfires. 

The provision for government assistance in the event of incidents is a crucial aspect of the Act. These changes will also come into force within six months of Royal Assent, and the Act includes a mechanism to enable the obligations to come into force sooner.

To prepare for the changes, organisations should:

  • understand the scope of government assistance: they should familiarise themselves with the types of support available from the government during an incident. This includes understanding the resources, expertise, and technical assistance that the government can provide. Organisations should also be aware of the conditions under which this assistance can be requested and the process for doing so and have appropriate internal policies and procedures to accommodate these requests; 
  • develop collaboration plans: they should establish plans for working with government agencies during an incident to ensure a coordinated response. This involves setting up communication channels with relevant government bodies, defining roles and responsibilities, and conducting joint exercises to test and refine these plans. Effective collaboration can significantly enhance the efficiency and effectiveness of the incident response. 

Updates to protected information and disclosure framework 

The updates to the current protected information and disclosure provisions in the SOCI Act, which carry significant penalties, including imprisonment, aim to clarify when protected information can be shared or used for purposes that the SOCI Act does not currently explicitly authorise, thereby enhancing the effectiveness and timeliness of information-sharing under the SOCI Act.

The amendments aim to address concerns from government and industry that the current SOCI Act provisions sometimes unnecessarily limit the ability of entities to use or disclose information effectively, which could lead to serious penalties.

The key amendments of the Act provide more guidance on when and how protected information can be shared, especially for maintaining and protecting CI, adopting a harms assessment approach. Specifically, the Act:

  • creates a new concept of ‘relevant information’, which essentially mirrors the current definition of ‘protected information’; and 
  • amends the definition of ‘protected information’ to limit the circumstances in which relevant information can be shared, based on potential harm, including risks to public safety, asset security, commercial interests, and national security. 

The Act clarifies government information sharing powers and provides an assurance to owners and operators of CI assets that government agencies will treat commercially sensitive information in the same manner as security sensitive information – it does this by including a reference to commercially confidential information in the definition of protected information.

In preparing for these changes, organisations should:

  • understand the impact of the new protected information and disclosure provisions: they should review the amendments to understand their implications, including what information will be considered protected and how it can be used and disclosed; 
  • understand the scope of government sharing: they should familiarise themselves with the types of intergovernmental information sharing that will be permitted and understand how commercially sensitive information will be handled; 
  • review and update policies and processes: they should ensure information protection and disclosure policies align with the new harms-based definition of and approach to protected information. 

Direction to vary risk management programs

This measure introduces a new power for government bodies and regulators to direct an entity to address serious deficiencies in an existing CIRMP. The change aims to address gaps in the powers available to regulators to enforce CI risk management obligations and applies to CIRMPs identified as having a ‘serious’ deficiency, meaning a deficiency that poses a material risk to Australia’s national security, defence, or socio-economic stability. The amendments will create a requirement for responsible entities to include the receipt of a direction and the remedy of the identified deficiency in their annual report. 

The introduction of these new powers also provides for consultation requirements, attempting to enshrine a collaborative approach where regulators work with responsible entities to address risks. The directions power should only be used where consultation has not yielded the required outcome. The changes also include periods for response and compliance, and new civil penalties for non-compliance with a direction. 

To prepare for these changes, organisations should:

  • enhance their CIRMPs: they should review their CIRMPs and consider whether the regulator has previously raised any concerns, and whether those concerns have been addressed. Any potential deficiencies should be addressed; 
  • establish a response plan: they should develop a clear plan for how to respond if a regulator raises concerns about their CIRMP. This should include steps for engaging in the consultation process, addressing identified deficiencies, and documenting actions taken; 
  • document compliance: to enable prompt responses and effective engagement with the regulator, they should ensure that steps taken to comply, along with any potential gaps in or impediments to compliance, are thoroughly understood and documented.

Other changes

The Act also contains a series of other notable changes to existing legislation and practices in Australia.

For example, it introduces stronger security regulation for critical telecommunication assets, uplifting and aligning existing security obligations in the Telecommunications Act with those in the SOCI Act. By transferring these obligations, the government aims to maintain its ability to oversee and intervene to ensure national security outcomes while clarifying security obligations within a single regulatory framework. 

The Act also addresses two administrative requirements concerning ‘systems of national significance’, or SoNS. They aim to protect the identity of SoNS and avoid the risk of incorrect or inappropriate information disclosures to, or about, entities other than the responsible entity, which is restricted under the SOCI Act.

Those changes remove the requirement for the minister to notify direct interest holders when a CI asset is designated as a SoNS, requiring notification to the responsible entity only. They also remove the requirement for direct interest holders to notify the secretary of state for the Department of Home Affairs when they cease to be a direct interest holder for a CI asset, requiring only the responsible entity to notify the minister. 
