Commonwealth: Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth)

Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 No. 33, 2022 An Act to amend legislation relating to critical infrastructure, and for other purposes Contents 1 Short title 2 Commencement 3 Schedules Schedule 1—Amendments AusCheck Act 2007 Criminal Code Act 1995 Security of Critical Infrastructure Act 2018 Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 No. 33, 2022 An Act to amend legislation relating to critical infrastructure, and for other purposes [Assented to 1 April 2022] The Parliament of Australia enacts: 1 Short title This Act is the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022. 2 Commencement (1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms. Commencement information Column 1 Column 2 Column 3 Provisions Commencement Date/Details 1. The whole of this Act The day after this Act receives the Royal Assent. 2 April 2022 Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act. (2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act. 3 Schedules Legislation that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms. Schedule 1—Amendments AusCheck Act 2007 1 Subsection 4(1) Insert: critical infrastructure risk management program has the same meaning as in the Security of Critical Infrastructure Act 2018. 2 After paragraph 8(1)(b) Insert: (ba) a critical infrastructure risk management program permits a background check of an individual to be conducted under the AusCheck scheme; or Criminal Code Act 1995 3 Paragraph 476.6(8)(b) of the Criminal Code Omit "section 22", substitute "section 4". Security of Critical Infrastructure Act 2018 4 After paragraph 3(b) Insert: (c) requiring responsible entities for critical infrastructure assets to identify and manage risks relating to those assets; and (d) imposing enhanced cyber security obligations on relevant entities for systems of national significance in order to improve their preparedness for, and ability to respond to, cyber security incidents; and 5 Section 4 After paragraph (a) of the paragraph beginning "The framework consists of the following:", insert: (b) requiring the responsible entity for one or more critical infrastructure assets to have, and comply with, a critical infrastructure risk management program (unless an exemption applies); 6 Section 4 After paragraph (c) of the paragraph beginning "The framework consists of the following:", insert: (d) imposing enhanced cyber security obligations that relate to systems of national significance; 7 Section 4 After the paragraph beginning "The Minister may privately declare", insert: The Minister may privately declare a critical infrastructure asset to be a system of national significance. 7A Section 5 Insert: critical component of a critical infrastructure asset, means a part of the asset, where absence of, damage to, or compromise of, the part of the asset: (a) would prevent the proper function of the asset; or (b) could cause significant damage to the asset; as assessed by the responsible entity for the asset. 8 Section 5 (definition of critical education asset) Repeal the definition, substitute: critical education asset means an asset that: (a) is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers; and (b) is used in connection with undertaking a program of research that is critical to: (i) a critical infrastructure sector (other than the higher education and research sector); or (ii) the defence of Australia; or (iii) national security. Note: The rules may prescribe that a specified critical education asset is not a critical infrastructure asset (see section 9). 9 Section 5 (paragraph (c) of the definition of critical energy market operator asset) After "market", insert "or system". 10 Section 5 Insert: critical infrastructure risk management program has the meaning given by section 30AH. 11 Section 5 (definition of critical telecommunications asset) Repeal the definition, substitute: critical telecommunications asset means: (a) a telecommunications network that is: (i) owned or operated by a carrier or a carriage service provider; and (ii) used to supply a carriage service; or (b) a facility (within the meaning of the Telecommunications Act 1997) that is: (i) owned or operated by a carrier or a carriage service provider; and (ii) used to supply a carriage service. Note: The rules may prescribe that a specified critical telecommunications asset is not a critical infrastructure asset (see section 9). 11A Section 5 Insert: critical worker means an individual, where the following conditions are satisfied: (a) the individual is an employee, intern, contractor or subcontractor of the responsible entity for a critical infrastructure asset to which Part 2A applies; (b) the absence or compromise of the individual: (i) would prevent the proper function of the asset; or (ii) could cause significant damage to the asset; as assessed by the responsible entity for the asset; (c) the individual has access to, or control and management of, a critical component of the asset. 12 Section 5 Insert: custodial or depository service has the same meaning as in the Corporations Act 2001. cyber security exercise has the meaning given by section 30CN. 13 Section 5 (definition of data storage or processing service) Repeal the definition, substitute: data storage or processing service means: (a) a service that: (i) enables end‑users to store or back‑up data; and (ii) is provided on a commercial basis; or (b) a data processing service that: (i) involves the use of one or more computers; and (ii) is provided on a commercial basis; or (c) a service that is specified in the rules. However, the rules may prescribe that a specified service is not a data storage or processing service. Note: For prescription by class, see subsection 13(3) of the Legislation Act 2003. 14 Section 5 Insert: designated officer has the meaning given by section 30DQ. evaluation report has the meaning given by section 30CS. external auditor means a person authorised under section 30CT to be an external auditor for the purposes of this Act. 15 Section 5 (definition of higher education and research sector) Repeal the definition, substitute: higher education and research sector means the sector of the Australian economy that involves undertaking a program of research that is: (a) supported financially (in whole or in part) by the Commonwealth; and (b) critical to: (i) a critical infrastructure sector (other than the higher education and research sector); or (ii) national security; or (iii) the defence of Australia. 16 Section 5 Insert: incident response plan has the meaning given by section 30CJ. 17 Section 5 (at the end of the definition of notification provision) Add: ; or (r) subsection 52B(3); or (s) subsection 52D(4). 18 Section 5 (after paragraph (b) of the definition of protected information) Insert: (ba) records or is the fact that an asset is declared under section 52B to be a system of national significance; or 19 Section 5 (after paragraph (bb) of the definition of protected information) Insert: (bc) is, or is included in, a critical infrastructure risk management program that is adopted by an entity in compliance with section 30AC; or (bd) is, or is included in, a report that is given under section 30AG or 30AQ; or 20 Section 5 (after paragraph (be) of the definition of protected information) Insert: (bf) is, or is included in, an incident response plan adopted by an entity in compliance with section 30CD; or (bg) is, or is included in, an evaluation report prepared under section 30CQ or 30CR; or (bh) is, or is included in, a vulnerability assessment report prepared under section 30CZ; or 21 Section 5 (definition of registrable superannuation entity) Repeal the definition. 22 Section 5 Insert: related company group means a group of 2 or more bodies corporate, where each member of the group is related to each other member of the group. For this purpose, the question whether a body corporate is related to another body corporate is to be determined in the same manner as that question is determined under the Corporations Act 2001. 23 Section 5 Insert: RSE licensee has the same meaning as in the Superannuation Industry (Supervision) Act 1993. 24 Section 5 (paragraph (a) of the definition of security) Omit "and 12N", substitute ", 12N, 30AG, 30AQ, 30CB, 30CM, 30CR, 30CU and 30CW". 25 Section 5 (paragraph (b) of the definition of security) Omit "and 12N", substitute ", 12N, 30AG, 30AQ, 30CB, 30CM, 30CR, 30CU and 30CW". 26 Section 5 Insert: system information event‑based reporting notice means a notice under subsection 30DC(2). system information periodic reporting notice means a notice under subsection 30DB(2). system information software notice means a notice under subsection 30DJ(2). system of national significance has the meaning given by section 52B. vulnerability assessment has the meaning given by section 30CY. vulnerability assessment report has the meaning given by section 30DA. 27 Subsection 8(2) (at the end of the heading) Add "etc.". 28 Paragraphs 8(2)(b) and (c) Repeal the paragraphs, substitute: (b) the entity is: (i) the entity (the first entity) that entered into the moneylending agreement; or (ii) a subsidiary or holding entity of the first entity; or (iii) a person who is (alone or with others) in a position to determine the investments or policy of the first entity; or (iv) a security trustee who holds or acquires the interest on behalf of the first entity; or (v) a receiver, or a receiver and manager, appointed by, or appointed on instructions from, a person or entity mentioned in any of subparagraphs (i) to (iv). 29 At the end of section 8 Add: Exemption for providers of custodial or depository services (4) Subsection (1) does not apply to an interest in an asset held by an entity if: (a) the entity is the provider of a custodial or depository service; and (b) the entity holds the interest in the asset solely in the entity's capacity as the provider of a custodial or depository service; and (c) the holding of the interest does not put the entity in a position to directly or indirectly influence or control the asset. Exemption for providers of services specified in the rules (5) Subsection (1) does not apply to an interest in an asset held by an entity if: (a) the entity is the provider of a service specified in the rules; and (b) the entity holds the interest in the asset solely in the entity's capacity as the provider of the service; and (c) the holding of the interest does not put the entity in a position to directly or indirectly influence or control the asset. 30 At the end of section 8G Add: (3) Each of the following is a relevant impact of a cyber security incident on a system of national significance: (a) the impact (whether direct or indirect) of the incident on the availability of the system; (b) the impact (whether direct or indirect) of the incident on the integrity of the system; (c) the impact (whether direct or indirect) of the incident on the reliability of the system; (d) the impact (whether direct or indirect) of the incident on the confidentiality of: (i) information about the system; or (ii) if information is stored in the system—the information; or (iii) if the system is computer data—the computer data. 31 After paragraph 12(1)(d) Insert: ; (e) a control room, or any other asset, that is required to operate a gas transmission pipeline covered by paragraph (d). 32 Paragraph 12F(1)(b) After "service that", insert "relates to business critical data and that". 33 Paragraph 12F(1)(b) Omit "on a commercial basis". 34 After paragraph 12F(1)(c) Insert: ; and (d) the asset is not a critical infrastructure asset that is covered by a paragraph of subsection 9(1) (other than paragraph 9(1)(d)). 35 Subparagraph 12F(2)(b)(i) Omit "on a commercial basis". 36 After paragraph 12F(2)(c) Insert: ; and (d) the asset is not a critical infrastructure asset that is covered by a paragraph of subsection 9(1) (other than paragraph 9(1)(d)). 37 Paragraph 12J(1)(a) Omit "a registrable superannuation entity", substitute "an RSE licensee". 38 Paragraph 12J(2)(a) Omit "registrable superannuation entities", substitute "RSE licensees". 39 Paragraph 12J(2)(b) Omit "a registrable superannuation entity", substitute "an RSE licensee". 40 Subparagraph 12K(1)(a)(i) Before "food", insert "essential". 41 Subparagraph 12K(1)(a)(ii) Before "groceries", insert "essential". 42 After paragraph 12KA(1)(b) Insert: ; and (c) is an asset that, in accordance with subsection (3), is critical to the administration of an Australian domain name system. 43 At the end of section 12KA Add: (3) For the purposes of paragraph (1)(c), the rules may prescribe: (a) specified assets that are critical to the administration of an Australian domain name system; or (b) requirements for an asset to be critical to the administration of an Australian domain name system. 44 Paragraph 12L(6)(a) Omit "registrable superannuation entity", substitute "RSE licensee". 45 At the end of section 12L Add: System of national significance (25) If a critical infrastructure asset is a system of national significance, the responsible entity for the system of national significance is the responsible entity for the asset. 46 Subparagraph 18AA(2)(a)(ii) Omit "28 days after the notice is published", substitute "the period specified in the notice". 47 Paragraph 18AA(2)(c) Omit "28‑day". 48 At the end of section 18AA Add: (3) The period specified in the notice must not be shorter than 28 days. 49 After Part 2 Insert: Part 2A—Critical infrastructure risk management programs 30AA Simplified outline of this Part • The responsible entity for one or more critical infrastructure assets must have, and comply with, a critical infrastructure risk management program (unless an exemption applies). • The purpose of a critical infrastructure risk management program is to do the following for each of those assets: (a) identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset; (b) so far as it is reasonably practicable to do so—minimise or eliminate any material risk of such a hazard occurring; (c) so far as it is reasonably practicable to do so—mitigate the relevant impact of such a hazard on the asset. • A responsible entity must give an annual report relating to its critical infrastructure risk management program. If the entity has a board, council or other governing body, the annual report must be approved by the board, council or other governing body. Note: See also section 30AB (application of this Part). 30AB Application of this Part (1) This Part applies to a critical infrastructure asset if: (a) the asset is specified in the rules; or (b) both: (i) the asset is the subject of a declaration under section 51; and (ii) the declaration determines that this Part applies to the asset. Note: For specification by class, see subsection 13(3) of the Legislation Act 2003. (2) Subsection (1) has effect subject to subsections (3), (4), (5) and (6). Exemptions (3) The rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period: (a) beginning when the asset became a critical infrastructure asset; and (b) ending at a time ascertained in accordance with the rules. (4) If: (a) an entity holds a certificate of hosting certification (strategic level) that relates to one or more services; and (b) the certificate was issued under the scheme that is: (i) administered by the Commonwealth; and (ii) known as the hosting certification framework; and (c) a critical infrastructure asset, or a part of a critical infrastructure asset, is used in connection with the provision of any of those services; and (d) the entity is the responsible entity for the asset; this Part does not apply to the asset. Note: For reporting obligations, see Part 2AA. (5) If: (a) an entity is covered by a provision of a law of the Commonwealth, a State or a Territory; and (b) the provision is specified in the rules; and (c) the entity is the responsible entity for a critical infrastructure asset; this Part does not apply to the asset. Note: For reporting obligations, see Part 2AA. (6) If: (a) a critical infrastructure asset is covered by a provision of a law of the Commonwealth, a State or a Territory; and (b) the provision is specified in the rules; this Part does not apply to the asset. Note: For reporting obligations, see Part 2AA. 30ABA Consultation—rules Scope (1) This section applies to rules made for the purposes of section 30AB. Consultation (2) Before making or amending the rules, the Minister must: (a) cause to be published on the Department's website a notice: (i) setting out the draft rules or amendments; and (ii) inviting persons to make submissions to the Minister about the draft rules or amendments within the period specified in the notice; and (b) give a copy of the notice to each First Minister; and (c) consider any submissions received within the period mentioned in paragraph (a). (3) The period specified in the notice must not be shorter than 28 days. 30AC Responsible entity must have a critical infrastructure risk management program If an entity is the responsible entity for one or more critical infrastructure assets, the entity must: (a) adopt; and (b) maintain; a critical infrastructure risk management program that applies to the entity. Civil penalty: 200 penalty units. 30AD Compliance with critical infrastructure risk management program If: (a) an entity is the responsible entity for one or more critical infrastructure assets; and (b) the entity has adopted a critical infrastructure risk management program that applies to the entity; the entity must comply with: (c) the critical infrastructure risk management program; or (d) if the program has been varied on one or more occasions—the program as varied. Civil penalty: 200 penalty units. 30AE Review of critical infrastructure risk management program If: (a) an entity is the responsible entity for one or more critical infrastructure assets; and (b) the entity has adopted a critical infrastructure risk management program that applies to the entity; the entity must review the program on a regular basis. Civil penalty: 200 penalty units. 30AF Update of critical infrastructure risk management program If: (a) an entity is the responsible entity for one or more critical infrastructure assets; and (b) the entity has adopted a critical infrastructure risk management program that applies to the entity; the entity must take all reasonable steps to ensure that the program is up to date. Civil penalty: 200 penalty units. 30AG Responsible entity must submit annual report Scope (1) This section applies if, during a period (the relevant period) that consists of the whole or a part of a financial year: (a) an entity was the responsible entity for one or more critical infrastructure assets; and (b) the entity had a critical infrastructure risk management program that applied to the entity. Annual report (2) The entity must, within 90 days after the end of the financial year, give: (a) if there is a relevant Commonwealth regulator that has functions relating to the security of those assets—the relevant Commonwealth regulator; or (b) in any other case—the Secretary; a report that: (c) if the entity had the program at the end of the financial year—includes whichever of the following statements is applicable: (i) if the program was up to date at the end of the financial year—a statement to that effect; (ii) if the program was not up to date at the end of the financial year—a statement to that effect; and (d) if a hazard had a significant relevant impact on one or more of those assets during the relevant period—includes a statement that: (i) identifies the hazard; and (ii) evaluates the effectiveness of the program in mitigating the significant relevant impact of the hazard on the assets concerned; and (iii) if the program was varied during the financial year as a result of the occurrence of the hazard—outlines the variation; and (e) is in the approved form; and (f) if the entity has a board, council or other governing body—is approved by the board, council or other governing body, as the case requires. Civil penalty: 150 penalty units. (3) A report given by an entity under subsection (2) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act. 30AH Critical infrastructure risk management program (1) A critical infrastructure risk management program is a written program: (a) that applies to a particular entity that is the responsible entity for one or more critical infrastructure assets; and (b) the purpose of which is to do the following for each of those assets: (i) identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset; (ii) so far as it is reasonably practicable to do so—minimise or eliminate any material risk of such a hazard occurring; (iii) so far as it is reasonably practicable to do so—mitigate the relevant impact of such a hazard on the asset; and (c) that complies with such requirements (if any) as are specified in the rules. (2) Requirements specified under paragraph (1)(c): (a) may be of general application; or (b) may relate to one or more specified critical infrastructure assets. Note: For specification by class, see subsection 13(3) of the Legislation Act 2003. (3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901. (4) Rules made for the purposes of paragraph (1)(c) may require that a critical infrastructure risk management program include one or more provisions that: (a) permit a background check of an individual to be conducted under the AusCheck scheme; and (b) provide that such a background check must include assessment of information relating to one or more of the matters mentioned in paragraphs 5(a), (b), (c) and (d) of the AusCheck Act 2007, as specified in the rules; and (c) provide that, if such a background check includes an assessment of information relating to the matter mentioned in paragraph 5(a) of the AusCheck Act 2007, the criteria against which that information must be assessed are the criteria specified in the rules; and (d) provide that, if such a background check includes assessment of information relating to the matter mentioned in paragraph 5(d) of the AusCheck Act 2007, the assessment must consist of whichever of the following is specified in the rules: (i) an electronic identity verification check; (ii) an in person identity verification check; (iii) both an electronic identity verification check and an in person identity verification check. (5) Subsection (4) does not limit paragraph (1)(c). (6) In specifying requirements in rules made for the purposes of paragraph (1)(c), the Minister must have regard to the following matters: (a) any existing regulatory system of the Commonwealth, a State or a Territory that imposes obligations on responsible entities; (b) the costs that are likely to be incurred by responsible entities in complying with those rules; (c) the reasonableness and proportionality of the requirements in relation to the purpose referred to in paragraph (1)(b); (d) such other matters (if any) as the Minister considers relevant. (7) For the purposes of this section, in determining whether a risk is a material risk, regard must be had to: (a) the likelihood of the hazard occurring; and (b) the relevant impact of the hazard on the asset if the hazard were to occur. (8) The rules may provide that a specified risk is taken to be a material risk for the purposes of this section. (9) The rules may provide that the taking of specified action in relation to a critical infrastructure asset is taken to be action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset. Note: For specification by class, see subsection 13(3) of the Legislation Act 2003. (10) The rules may provide that the taking of specified action in relation to a specified critical infrastructure asset is taken to be action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset. Note: For specification by class, see subsection 13(3) of the Legislation Act 2003. (11) The rules may provide that the taking of specified action in relation to a critical infrastructure asset is taken to be action that mitigates the relevant impact of a specified hazard on the asset. Note: For specification by class, see subsection 13(3) of the Legislation Act 2003. (12) The rules may provide that the taking of specified action in relation to a specified critical infrastructure asset is taken to be action that mitigates the relevant impact of a specified hazard on the asset. Note: For specification by class, see subsection 13(3) of the Legislation Act 2003. 30AJ Variation of critical infrastructure risk management program A critical infrastructure risk management program may be varied, so long as the varied program is a critical infrastructure risk management program. 30AK Revocation of adoption of critical infrastructure risk management program If an entity has adopted a critical infrastructure risk management program that applies to the entity, this Part does not prevent the entity from: (a) revoking that adoption; and (b) adopting another critical infrastructure risk management program that applies to the entity. 30AKA Responsible entity must have regard to certain matters in deciding whether to adopt or vary critical infrastructure risk management program etc. Adoption of program (1) If an entity is the responsible entity for one or more critical infrastructure assets, then, in deciding whether to adopt a critical infrastructure risk management program, the entity must have regard to such matters (if any) as are set out in the rules. Civil penalty: 200 penalty units. (2) Subsection (1) does not limit the matters to which the responsible entity may have regard. Review of program (3) If: (a) an entity is the responsible entity for one or more critical infrastructure assets; and (b) the entity has adopted a critical infrastructure risk management program that applies to the entity; then, in reviewing the program in accordance with section 30AE, the entity must have regard to such matters (if any) as are set out in the rules. Civil penalty: 200 penalty units. (4) Subsection (3) does not limit the matters to which the responsible entity may have regard. Variation of program (5) If: (a) an entity is the responsible entity for one or more critical infrastructure assets; and (b) the entity has adopted a critical infrastructure risk management program that applies to the entity; then, in deciding whether to vary the program, the entity must have regard to such matters (if any) as are set out in the rules. Civil penalty: 200 penalty units. (6) Subsection (5) does not limit the matters to which the responsible entity may have regard. Rules (7) Rules made for the purposes of subsection (1), (3) or (5): (a) may be of general application; or (b) may relate to one or more specified critical infrastructure assets. Note: For specification by class, see subsection 13(3) of the Legislation Act 2003. (8) Subsection (7) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901. 30AL Consultation—rules made for the purposes of section 30AH or 30AKA Scope (1) This section applies to rules made for the purposes of section 30AH or 30AKA. Consultation (2) Before making or amending the rules, the Minister must: (a) cause to be published on the Department's website a notice: (i) setting out the draft rules or amendments; and (ii) inviting persons to make submissions to the Minister about the draft rules or amendments within the period specified in the notice; and (b) give a copy of the notice to each First Minister; and (c) consider any submissions received within the period mentioned in paragraph (a). (3) The period specified in the notice must not be shorter than 28 days. (4) Subsection (2) does not apply if: (a) the Minister is satisfied that there is an imminent threat that a hazard will have a significant relevant impact on a critical infrastructure asset; or (b) the Minister is satisfied that a hazard has had, or is having, a significant relevant impact on a critical infrastructure asset. Note: See also section 30AM (review of rules). 30AM Review of rules Scope (1) This section applies if, because of subsection 30AL(4), subsection 30AL(2) did not apply to the making of: (a) rules; or (b) amendments. Review of rules (2) The Secretary must: (a) if paragraph (1)(a) applies—review the operation, effectiveness and implications of the rules; and (b) if paragraph (1)(b) applies—review the operation, effectiveness and implications of the amendments; and (c) without limiting paragraph (a) or (b), consider whether any amendments should be made; and (d) give the Minister: (i) a report of the review; and (ii) a statement setting out the Secretary's findings. (3) For the purposes of the review, the Secretary must: (a) cause to be published on the Department's website a notice: (i) setting out the rules or amendments concerned; and (ii) inviting persons to make submissions to the Secretary about the rules or amendments concerned within the period specified in the notice; and (b) give a copy of the notice to each First Minister; and (c) consider any submissions received within the period mentioned in paragraph (a). (4) The period specified in the notice must not be shorter than 28 days. (5) The Secretary must complete the review within 60 days after the commencement of the rules or amendments concerned. Minister to table statement of findings (6) The Minister must cause a copy of the statement of findings to be tabled in each House of the Parliament within 15 sitting days of that House after the Minister receives it. 30AN Application, adoption or incorporation of a law of a State or Territory etc. Scope (1) This section applies to rules made for the purposes of section 30AH or 30AKA. Application, adoption or incorporation of a law of a State or Territory (2) Despite subsection 14(2) of the Legislation Act 2003, the rules may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a law of a State or Territory as in force or existing from time to time. Application, adoption or incorporation of a standard (3) Despite subsection 14(2) of the Legislation Act 2003, the rules may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a standard proposed or approved by Standards Australia as in force or existing from time to time. Note: The expression Standards Australia is defined in section 2B of the Acts Interpretation Act 1901. 30ANA Application, adoption or incorporation of certain documents Application, adoption or incorporation of a relevant document (1) Despite subsection 14(2) of the Legislation Act 2003, rules made for the purposes of section 30AH or 30AKA of this Act may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a relevant document as in force or existing from time to time. Relevant document (2) For the purposes of this section, relevant document means: (a) the document titled Essential Eight Maturity Model and published by the Australian Signals Directorate; or (b) the document titled Framework for Improving Critical Infrastructure Cybersecurity and published by the National Institute of Standards and Technology of the United States of America; or (c) the document titled Cybersecurity Capability Maturity Model and published by the Department of Energy of the United States of America; or (d) the document titled The 2020‑21 AESCSF Framework Core and published by Australian Energy Market Operator Limited (ACN 072 010 327); or (e) the document titled Cyber Supply Chain Risk Management and published by the Australian Signals Directorate; or (f) a document specified in the rules. (3) Subsection 13(3) of the Legislation Act 2003 does not apply to paragraph (2)(f) of this section. 30ANB Consultation—rules made for the purposes of paragraph 30ANA(2)(f) Scope (1) This section applies to rules made for the purposes of paragraph 30ANA(2)(f). Consultation (2) Before making or amending the rules, the Minister must: (a) cause to be published on the Department's website a notice: (i) setting out the draft rules or amendments; and (ii) inviting persons to make submissions to the Minister about the draft rules or amendments within the period specified in the notice; and (b) give a copy of the notice to each First Minister; and (c) consider any submissions received within the period mentioned in paragraph (a). (3) The period specified in the notice must not be shorter than 28 days. 30ANC Disallowance of rules Scope (1) This section applies to rules made for the purposes of paragraph 30ANA(2)(f). Disallowance (2) Either House of the Parliament may, following a motion upon notice, pass a resolution disallowing the rules. For the resolution to be effective: (a) the notice must be given in that House within 15 sitting days of that House after the copy of the rules was tabled in that House under section 38 of the Legislation Act 2003; and (b) the resolution must be passed, in pursuance of the motion, within 15 sitting days of that House after the giving of that notice. (3) If neither House passes such a resolution, the rules take effect on the day immediately after the last day upon which such a resolution could have been passed if it were assumed that notice of a motion to disallow the rules was given in each House on the last day of the 15 sitting day period of that House mentioned in paragraph (2)(a). (4) If: (a) notice of a motion to disallow the rules is given in a House of the Parliament within 15 sitting days of that House after the copy of the rules was tabled in that House under section 38 of the Legislation Act 2003; and (b) at the end of 15 sitting days of that House after the giving of that notice of motion: (i) the notice has not been withdrawn and the motion has not been called on; or (ii) the motion has been called on, moved and (where relevant) seconded and has not been withdrawn or otherwise disposed of; the rules are then taken to have been disallowed, and subsection (3) does not apply to the rules. (5) Section 42 (disallowance) of the Legislation Act 2003 does not apply to the rules. Note 1: The 15 sitting day notice period mentioned in paragraph (2)(a) of this section is the same as the 15 sitting day notice period mentioned in paragraph 42(1)(a) of the Legislation Act 2003. Note 2: The 15 sitting day disallowance period mentioned in paragraph (2)(b) of this section is the same as the 15 sitting day disallowance period mentioned in paragraph 42(1)(b) of the Legislation Act 2003. Part 2AA—Reporting obligations relating to certain assets that are not covered by a critical infrastructure risk management program 30AP Simplified outline of this Part • A responsible entity must give an annual report relating to certain assets that are not covered by a critical infrastructure risk management program. If the entity has a board, council or other governing body, the annual report must be approved by the board, council or other governing body. 30AQ Reporting obligations relating to certain assets that are not covered by a critical infrastructure risk management program Scope (1) This section applies if, during a period (the relevant period) that consists of the whole or a part of a financial year, an entity was the responsible entity for one or more critical infrastructure assets that are covered by subsection 30AB(4), (5) or (6). Annual report (2) The entity must, within 90 days after the end of the financial year, give: (a) if there is a relevant Commonwealth regulator that has functions relating to the security of those assets—the relevant Commonwealth regulator; or (b) in any other case—the Secretary; a report that: (c) sets out the reason why those assets are covered by subsection 30AB(4), (5) or (6); and (d) if a hazard had a significant relevant impact on one or more of those assets during the relevant period—includes a statement that: (i) identifies the hazard; and (ii) evaluates the effectiveness of the action (if any) taken by the entity for the purposes of mitigating the significant relevant impact of the hazard on the assets concerned; and (e) is in the approved form; and (f) if the entity has a board, council or other governing body—is approved by the board, council or other governing body, as the case requires. Civil penalty: 150 penalty units. (3) A report given by an entity under subsection (2) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act. 50 Subparagraph 30BBA(2)(a)(ii) Omit "28 days after the notice is published", substitute "the period specified in the notice". 51 Paragraph 30BBA(2)(c) Omit "28‑day". 52 Subparagraph 30BBA(2)(d)(ii) Omit "28‑day". 53 At the end of section 30BBA Add: (3) The period specified in the notice must not be shorter than 28 days. 54 At the end of subsection 30BE Add: (3) If: (a) an entity is or was subject to a requirement under section 30BC or 30BD; and (b) the entity is or was a member of a related company group; then: (c) another member of the related company group is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the requirement; and (d) an officer, employee or agent of another member of the related company group is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the requirement. (4) If: (a) an entity (the first entity) is or was subject to a requirement under section 30BC or 30BD; and (b) another entity (the contracted service provider) is or was: (i) a party to a contract with the first entity; and (ii) responsible under the contract for the provision of services to the first entity; then: (c) the contracted service provider is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the requirement; and (d) an officer, employee or agent of the contracted service provider is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the requirement. 55 Paragraph 30BEB(2)(b) Omit "28 days after the notice is given", substitute "the period specified in the notice". 56 Paragraphs 30BEB(2)(c) and (d) Omit "28‑day". 57 At the end of section 30BEB Add: (3) The period specified in the notice must not be shorter than 28 days. 58 After Part 2B Insert: Part 2C—Enhanced cyber security obligations Division 1—Simplified outline of this Part 30CA Simplified outline of this Part • This Part sets out enhanced cyber security obligations that relate to systems of national significance. • The responsible entity for a system of national significance may be subject to statutory incident response planning obligations. • The responsible entity for a system of national significance may be required to undertake a cyber security exercise. • The responsible entity for a system of national significance may be required to undertake a vulnerability assessment. • If a computer is a system of national significance, or is needed to operate a system of national significance, a relevant entity for the system may be required to: (a) give ASD periodic reports of system information; or (b) give ASD event‑based reports of system information; or (c) install software that transmits system information to ASD. Note: For a declaration of a system of national significance, see section 52B. Division 2—Statutory incident response planning obligations Subdivision A—Application of statutory incident response planning obligations 30CB Application of statutory incident response planning obligations—determination by the Secretary (1) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, determine that the statutory incident response planning obligations apply to the entity in relation to: (a) the system; and (b) cyber security incidents. (2) A determination under this section takes effect at the time specified in the determination. (3) The specified time must not be earlier than the end of the 30‑day period that began when the notice was given. (4) In deciding whether to give a notice to an entity under this section in relation to a system of national significance, the Secretary must have regard to: (a) the costs that are likely to be incurred by the entity in complying with Subdivision B; and (b) the reasonableness and proportionality of applying the statutory incident response planning obligations to the entity in relation to: (i) the system; and (ii) cyber security incidents; and (c) such other matters (if any) as the Secretary considers relevant. (5) Before giving a notice to an entity under this section in relation to a system of national significance, the Secretary must consult: (a) the entity; and (b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system—the relevant Commonwealth regulator. (6) A determination under this section is not a legislative instrument. 30CC Revocation of determination Scope (1) This section applies if: (a) a determination is in force under section 30CB; and (b) notice of the determination was given to a particular entity. Power to revoke determination (2) The Secretary may, by written notice given to the entity, revoke the determination. Application of the Acts Interpretation Act 1901 (3) This section does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act 1901 to an instrument made under a provision of this Act (other than this Division). Subdivision B—Statutory incident response planning obligations 30CD Responsible entity must have an incident response plan If: (a) an entity is the responsible entity for a system of national significance; and (b) the statutory incident response planning obligations apply to the entity in relation to: (i) the system; and (ii) cyber security incidents; the entity must: (c) adopt; and (d) maintain; an incident response plan that applies to the entity in relation to: (e) the system; and (f) cyber security incidents. Civil penalty: 200 penalty units. 30CE Compliance with incident response plan If: (a) an entity is the responsible entity for a system of national significance; and (b) the entity has adopted an incident response plan that applies to the entity; the entity must comply with: (c) the incident response plan; or (d) if the plan has been varied on one or more occasions—the plan as varied. Civil penalty: 200 penalty units. 30CF Review of incident response plan If: (a) an entity is the responsible entity for a system of national significance; and (b) the entity has adopted an incident response plan that applies to the entity; the entity must review the plan on a regular basis. Civil penalty: 200 penalty units. 30CG Update of incident response plan If: (a) an entity is the responsible entity for a system of national significance; and (b) the entity has adopted an incident response plan that applies to the entity; the entity must take all reasonable steps to ensure that the plan is up to date. Civil penalty: 200 penalty units. 30CH Copy of incident response plan must be given to the Secretary (1) If: (a) an entity is the responsible entity for a system of national significance; and (b) the entity adopts an incident response plan that applies to the entity; the entity must: (c) provide a copy of the incident response plan to the Secretary; and (d) do so as soon as practicable after the adoption. Civil penalty: 200 penalty units. (2) If: (a) an entity is the responsible entity for a system of national significance; and (b) the entity varies an incident response plan that applies to the entity; the entity must: (c) provide a copy of the varied incident response plan to the Secretary; and (d) do so as soon as practicable after the variation. Civil penalty: 200 penalty units. 30CJ Incident response plan (1) An incident response plan is a written plan: (a) that applies to an entity that is the responsible entity for a system of national significance; and (b) that relates to the system; and (c) that relates to cyber security incidents; and (d) the purpose of which is to plan for responding to cyber security incidents that could have a relevant impact on the system; and (e) that complies with such requirements (if any) as are specified in the rules. (2) Requirements specified under paragraph (1)(e): (a) may be of general application; or (b) may relate to one or more specified systems of national significance; or (c) may relate to one or more specified types of cyber security incidents. Note: For specification by class, see subsection 13(3) of the Legislation Act 2003. (3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901. 30CK Variation of incident response plan An incident response plan may be varied, so long as the varied plan is an incident response plan. 30CL Revocation of adoption of incident response plan If an entity has adopted an incident response plan that applies to the entity, this Division does not prevent the entity from: (a) revoking that adoption; and (b) adopting another incident response plan that applies to the entity. Division 3—Cyber security exercises 30CM Requirement to undertake cyber security exercise (1) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to: (a) undertake a cyber security exercise in relation to: (i) the system; and (ii) all types of cyber security incidents; and (b) do so within the period specified in the notice. (2) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to: (a) undertake a cyber security exercise in relation to: (i) the system; and (ii) one or more specified types of cyber security incidents; and (b) do so within the period specified in the notice. (3) The period specified in a notice under subsection (1) or (2) must not be earlier than the end of the 30‑day period that began when the notice was given. (4) A notice under subsection (1) or (2) may also require the entity to do any or all of the following things: (a) allow one or more specified designated officers to observe the cyber security exercise; (b) provide those designated officers with access to premises for the purposes of observing the cyber security exercise; (c) provide those designated officers with reasonable assistance and facilities that are reasonably necessary to allow those designated officers to observe the cyber security exercise; (d) allow those designated officers to make such records as are reasonably necessary for the purposes of monitoring compliance with the notice; (e) give those designated officers reasonable notice of the time when the cyber security exercise will begin. (5) In deciding whether to give a notice to an entity under subsection (1) or (2), the Secretary must have regard to: (a) the costs that are likely to be incurred by the entity in complying with the notice; and (b) the reasonableness and proportionality of the requirement in the notice; and (c) such other matters (if any) as the Secretary considers relevant. (6) Before giving a notice to an entity under subsection (1) or (2) in relation to a system of national significance, the Secretary must consult: (a) the entity; and (b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system—the relevant Commonwealth regulator. 30CN Cyber security exercise (1) A cyber security exercise is an exercise: (a) that is undertaken by the responsible entity for a system of national significance; and (b) that relates to the system; and (c) that either: (i) relates to all types of cyber security incidents; or (ii) relates to one or more specified types of cyber security incidents; and (d) if the exercise relates to all types of cyber security incidents—the purpose of which is to: (i) test the entity's ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and (ii) test the entity's preparedness to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and (iii) test the entity's ability to mitigate the relevant impacts that all types of cyber security incidents could have on the system; and (e) if the exercise relates to one or more specified types of cyber security incidents—the purpose of which is to: (i) test the entity's ability to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and (ii) test the entity's preparedness to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and (iii) test the entity's ability to mitigate the relevant impacts that those types of cyber security incidents could have on the system; and (f) that complies with such requirements (if any) as are specified in the rules. (2) Requirements specified under paragraph (1)(f): (a) may be of general application; or (b) may relate to one or more specified systems of national significance; or (c) may relate to one or more specified types of cyber security incidents. Note: For specification by class, see subsection 13(3) of the Legislation Act 2003. (3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901. 30CP Compliance with requirement to undertake cyber security exercise An entity must comply with a notice given to the entity under section 30CM. Civil penalty: 200 penalty units. 30CQ Internal evaluation report (1) If an entity undertakes a cyber security exercise under section 30CM, the entity must: (a) do both of the following: (i) prepare an evaluation report relating to the cyber security exercise; (ii) give a copy of the report to the Secretary; and (b) do so: (i) within 30 days after the completion of the exercise; or (ii) if the Secretary allows a longer period—within that longer period. Civil penalty: 200 penalty units. (2) An evaluation report prepared by an entity under subsection (1) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act (other than subsection (1) of this section or subsection 30CR(6)). 30CR External evaluation report Scope (1) This section applies if an entity has undertaken a cyber security exercise under section 30CM, and: (a) all of the following conditions are satisfied: (i) the entity has prepared, or purported to prepare, an evaluation report under section 30CQ relating to the exercise; (ii) the entity has given a copy of the report to the Secretary; (iii) the Secretary has reasonable grounds to believe that the report was not prepared appropriately; or (b) the entity has contravened section 30CQ. Requirement (2) The Secretary may, by written notice given to the entity, require the entity to: (a) appoint an external auditor; and (b) arrange for the external auditor to prepare an evaluation report (the new evaluation report) relating to the exercise; and (c) arrange for the external auditor to give the new evaluation report to the entity; and (d) give the Secretary a copy of the new evaluation report within: (i) the period specified in the notice; or (ii) if the Secretary allows a longer period—that longer period. (3) The notice must specify: (a) the matters to be covered by the new evaluation report; and (b) the form of the new evaluation report and the kinds of details it is to contain. Consultation (4) Before giving a notice to an entity under this section in connection with a cyber security exercise that relates to a system of national significance, the Secretary must consult: (a) the entity; and (b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system—the relevant Commonwealth regulator. Eligibility for appointment as an external auditor (5) An individual is not eligible to be appointed as an external auditor by the entity if the individual is an officer, employee or agent of the entity. Compliance (6) An entity must comply with a requirement under subsection (2). Civil penalty: 200 penalty units. Immunity (7) The new evaluation report is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act (other than subsection (6)). 30CS Meaning of evaluation report An evaluation report, in relation to a cyber security exercise that was undertaken in relation to a system of national significance, is a written report: (a) if the exercise relates to all types of cyber security incidents—the purpose of which is to: (i) evaluate the entity's ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and (ii) evaluate the entity's preparedness to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and (iii) evaluate the entity's ability to mitigate the relevant impacts that all types of cyber security incidents could have on the system; and (b) if the exercise relates to one or more specified types of cyber security incidents—the purpose of which is to: (i) evaluate the entity's ability to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and (ii) evaluate the entity's preparedness to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and (iii) evaluate the entity's ability to mitigate the relevant impacts that those types of cyber security incidents could have on the system; and (c) that complies with such requirements (if any) as are specified in the rules. 30CT External auditors (1) The Secretary may, by writing, authorise a specified individual to be an external auditor for the purposes of this Act. Note: For specification by class, see subsection 33(3AB) of the Acts Interpretation Act 1901. (2) An authorisation under subsection (1) is not a legislative instrument. Division 4—Vulnerability assessments 30CU Requirement to undertake vulnerability assessment (1) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to: (a) undertake, or cause to be undertaken, a vulnerability assessment in relation to: (i) the system; and (ii) all types of cyber security incidents; and (b) do so within the period specified in the notice. (2) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to: (a) undertake, or cause to be undertaken, a vulnerability assessment in relation to: (i) the system; and (ii) one or more specified types of cyber security incidents; and (b) do so within the period specified in the notice. (3) In deciding whether to give a notice to an entity under subsection (1) or (2), the Secretary must have regard to: (a) the costs that are likely to be incurred by the entity in complying with the notice; and (b) the reasonableness and proportionality of the requirement in the notice; and (c) such other matters (if any) as the Secretary considers relevant. (4) Before giving a notice to an entity under subsection (1) or (2) in relation to the system of national significance, the Secretary must consult: (a) the entity; and (b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system—the relevant Commonwealth regulator. 30CV Compliance with requirement to undertake a vulnerability assessment An entity must comply with a notice given to the entity under section 30CU. Civil penalty: 200 penalty units. 30CW Designated officers may undertake a vulnerability assessment Scope (1) This section applies if: (a) an entity is the responsible entity for a system of national significance; and (b) either: (i) the Secretary has reasonable grounds to believe that if the entity were to be given a notice under subsection 30CU(1) or (2), the entity would not be capable of complying with the notice; or (ii) the entity has not complied with a notice given to the entity under subsection 30CU(1) or (2). Request (2) The Secretary may give a designated officer a written request to: (a) undertake a vulnerability assessment in relation to: (i) the system; and (ii) all types of cyber security incidents; and (b) do so within the period specified in the request. (3) The Secretary may give a designated officer a written request to: (a) undertake a vulnerability assessment in relation to: (i) the system; and (ii) one or more specified types of cyber security incidents; and (b) do so within the period specified in the request. (4) Before giving a request under subsection (2) or (3) in relation to the system of national significance, the Secretary must consult: (a) the entity; and (b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system—the relevant Commonwealth regulator. Requirement (5) If a request under subsection (2) or (3) is given to a designated officer, the Secretary may, by written notice given to the entity, require the entity to do any or all of the following things: (a) provide the designated officer with access to premises for the purposes of undertaking the vulnerability assessment; (b) provide the designated officer with access to computers for the purposes of undertaking the vulnerability assessment; (c) provide the designated officer with reasonable assistance and facilities that are reasonably necessary to allow the designated officer to undertake the vulnerability assessment. Notification of request (6) If a request under subsection (2) or (3) is given to a designated officer, the Secretary must give a copy of the request to the entity. 30CX Compliance with requirement to provide reasonable assistance etc. An entity must comply with a notice given to the entity under subsection 30CW(5). Civil penalty: 200 penalty units. 30CY Vulnerability assessment (1) A vulnerability assessment is an assessment: (a) that relates to a system of national significance; and (b) that either: (i) relates to all types of cyber security incidents; or (ii) relates to one or more specified types of cyber security incidents; and (c) if the assessment relates to all types of cyber security incidents—the purpose of which is to test the vulnerability of the system to all types of cyber security incidents; and (d) if the assessment relates to one or more specified types of cyber security incidents—the purpose of which is to test the vulnerability of the system to those types of cyber security incidents; and (e) that complies with such requirements (if any) as are specified in the rules. (2) Requirements specified under paragraph (1)(e): (a) may be of general application; or (b) may relate to one or more specified systems of national significance; or (c) may relate to one or more specified types of cyber security incidents. Note: For specification by class, see subsection 13(3) of the Legislation Act 2003. (3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901. 30CZ Vulnerability assessment report (1) If an entity undertakes, or causes to be undertaken, a vulnerability assessment under section 30CU, the entity must: (a) do both of the following: (i) prepare, or cause to be prepared, a vulnerability assessment report relating to the assessment; (ii) give a copy of the report to the Secretary; and (b) do so: (i) within 30 days after the completion of the assessment; or (ii) if the Secretary allows a longer period—within that longer period. Civil penalty: 200 penalty units. (2) If a designated officer undertakes a vulnerability assessment in accordance with a request given to the designated officer under section 30CW, the designated officer must: (a) do both of the following: (i) prepare a vulnerability assessment report relating to the assessment; (ii) give a copy of the report to the Secretary; and (b) do so: (i) within 30 days after the completion of the assessment; or (ii) if the Secretary allows a longer period—within that longer period. (3) If an entity prepares, or causes to be prepared, a report under subsection (1), the report is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act (other than subsection (1)). 30DA Meaning of vulnerability assessment report A vulnerability assessment report, in relation to a vulnerability assessment that was undertaken in relation to a system of national significance, is a written report: (a) if the assessment relates to all types of cyber security incidents—the purpose of which is to assess the vulnerability of the system to all types of cyber security incidents; and (b) if the assessment relates to one or more specified types of cyber security incidents—the purpose of which is to assess the vulnerability of the system to those types of cyber security incidents; and (c) that complies with such requirements (if any) as are specified in the rules. Division 5—Access to system information Subdivision A—System information reporting notices 30DB Secretary may require periodic reporting of system information Scope (1) This section applies if: (a) a computer: (i) is needed to operate a system of national significance; or (ii) is a system of national significance; and (b) the Secretary believes on reasonable grounds that a relevant entity for the system of national significance is technically capable of preparing periodic reports consisting of information that: (i) relates to the operation of the computer; and (ii) may assist with determining whether a power under this Act should be exercised in relation to the system of nati