Unprecedented powers: Australia’s new critical infrastructure laws


Corporate Australia and parts of the public sector are currently bracing for increased regulation of critical infrastructure following the passing of a Bill that will soon take effect. 

The new laws, which expand the Security of Critical Infrastructure Act 2018, follow increasing concern over rising cyber security attacks and foreign interference.  

The expanded Act gives the Government the ability to designate many more Australian organisations as ‘critical infrastructure’, subject to a short consultation process. It also gives the Commonwealth Government unprecedented powers to intervene in the security response of private organisations through the use of directions powers.  

Although the Government says it will only exercise these powers in extraordinary circumstances, there is no test or threshold for their use. There are also no legal immunity protections for directors acting in accordance with ministerial direction, raising the possibility of board exposure to shareholder litigation. 

The new legislation also introduces mandatory reporting obligations for cyber security incidents.  

In its engagement with government and regulators, Governance Institute has noted the potential for various new and existing notification schemes to overlap, including this expanded scheme, the mandatory Notifiable Data Breaches (NDB) scheme under the Privacy Act, and the recently proposed ransomware reporting scheme.

Originally the Bill was much wider in scope; however, the Government agreed to pass the measures in two stages after key stakeholders raised significant issues with the drafting and potential impacts.

Held over for further consultation in the second Bill is a more stringent regulatory framework for organisations that oversee what are deemed to be ‘systems of national significance’, which is likely to be a much smaller subset of the organisations deemed to be ‘critical infrastructure’. These measures would include enhanced cyber-security obligations and positive security obligations.

With a heavily reduced sitting calendar in 2022 and a looming federal election, it is looking unlikely that this second tranche of legislation will pass in the first half of the new year, giving organisations some breathing space to adjust to the first tranche – and prepare to be consulted on possible ministerial declarations on what is deemed to be ‘critical infrastructure’. 

Governance Institute is continuing to consider and engage with the government on related proposals concerning substantial amendments to the Privacy Act and a proposal to introduce a voluntary or mandatory cyber security governance standard for larger organisations.  

Again, there is a need for the various frameworks and regulators to interact in a cohesive way to ensure the compliance burden on organisations is manageable. 

Potentially affected organisations are encouraged to seek legal advice and to prepare to update their governance and risk management frameworks. 
