Commonwealth: Security of Critical Infrastructure Act 2018 (Cth)

Security of Critical Infrastructure Act 2018 No. 29, 2018 Compilation No. 7 Compilation date: 20 December 2024 Includes amendments: Act No. 100, 2024 About this compilation This compilation This is a compilation of the Security of Critical Infrastructure Act 2018 that shows the text of the law as amended and in force on 20 December 2024 (the compilation date). The notes at the end of this compilation (the endnotes) include information about amending laws and the amendment history of provisions of the compiled law. Uncommenced amendments The effect of uncommenced amendments is not shown in the text of the compiled law. Any uncommenced amendments affecting the law are accessible on the Register (www.legislation.gov.au). The details of amendments made up to, but not commenced at, the compilation date are underlined in the endnotes. For more information on any uncommenced amendments, see the Register for the compiled law. Application, saving and transitional provisions for provisions and amendments If the operation of a provision or amendment of the compiled law is affected by an application, saving or transitional provision that is not included in this compilation, details are included in the endnotes. Editorial changes For more information about any editorial changes made in this compilation, see the endnotes. Modifications If the compiled law is modified by another law, the compiled law operates as modified but the modification does not amend the text of the law. Accordingly, this compilation does not show the text of the compiled law as modified. For more information on any modifications, see the Register for the compiled law. Self‑repealing provisions If a provision of the compiled law has been repealed in accordance with a provision of the law, details are included in the endnotes. Contents Part 1—Preliminary Division 1—Preliminary 1 Short title 2 Commencement 3 Object 4 Simplified outline of this Act Division 2—Definitions 5 Definitions 5A Meaning of protected information and relevant information 6 Meaning of interest and control information 7 Meaning of operational information 8 Meaning of direct interest holder 8A Meaning of influence or control 8B Meaning of associate 8C Meanings of subsidiary and holding entity 8D Meaning of critical infrastructure sector 8E Meaning of critical infrastructure sector asset 8F Critical infrastructure sector for a critical infrastructure asset 8G Meaning of relevant impact 9 Meaning of critical infrastructure asset 10 Meaning of critical electricity asset 11 Meaning of critical port 12 Meaning of critical gas asset 12A Meaning of critical liquid fuel asset 12B Meaning of critical freight infrastructure asset 12C Meaning of critical freight services asset 12D Meaning of critical financial market infrastructure asset 12E Meaning of critical broadcasting asset 12F Meaning of critical data storage or processing asset 12G Meaning of critical banking asset 12H Meaning of critical insurance asset 12J Meaning of critical superannuation asset 12K Meaning of critical food and grocery asset 12KA Meaning of critical domain name system 12L Meaning of responsible entity 12M Meaning of cyber security incident 12N Meaning of unauthorised access, modification or impairment 12P Examples of responding to an incident (including a cyber security incident) Division 3—Constitutional provisions and application of this Act 13 Application of this Act 14 Extraterritoriality 15 This Act binds the Crown 16 Concurrent operation of State and Territory laws 17 State constitutional powers Part 2—Register of Critical Infrastructure Assets Division 1—Introduction 18 Simplified outline of this Part 18A Application of this Part 18AA Consultation—rules Division 2—Register of Critical Infrastructure Assets 19 Secretary must keep Register 20 Secretary may add information to Register 21 Secretary may correct or update information in the Register 22 Register not to be made public Division 3—Obligation to give information and notify of events 23 Initial obligation to give information 24 Ongoing obligation to give information and notify of events 25 Information that is not able to be obtained 26 Meaning of notifiable event 27 Rules may exempt from requirement to give notice or information Division 4—Giving of notice or information by agents etc. 28 Requirement for executors and administrators to give notice or information for individuals who die 29 Requirement for corporate liquidators etc. to give notice or information 30 Agents may give notice or information Part 2A—Critical infrastructure risk management programs 30AA Simplified outline of this Part 30AB Application of this Part 30ABA Consultation—rules 30AC Responsible entity must have a critical infrastructure risk management program 30AD Compliance with critical infrastructure risk management program 30AE Review of critical infrastructure risk management program 30AF Update of critical infrastructure risk management program 30AG Responsible entity must submit annual report 30AH Critical infrastructure risk management program 30AI Direction to vary critical infrastructure risk management program 30AJ Variation of critical infrastructure risk management program 30AK Revocation of adoption of critical infrastructure risk management program 30AKA Responsible entity must have regard to certain matters in deciding whether to adopt or vary critical infrastructure risk management program etc. 30AL Consultation—rules made for the purposes of section 30AH or 30AKA 30AM Review of rules 30AN Application, adoption or incorporation of a law of a State or Territory etc. 30ANA Application, adoption or incorporation of certain documents 30ANB Consultation—rules made for the purposes of paragraph 30ANA(2)(f) 30ANC Disallowance of rules Part 2AA—Reporting obligations relating to certain assets that are not covered by a critical infrastructure risk management program 30AP Simplified outline of this Part 30AQ Reporting obligations relating to certain assets that are not covered by a critical infrastructure risk management program Part 2B—Notification of cyber security incidents 30BA Simplified outline of this Part 30BB Application of this Part 30BBA Consultation—rules 30BC Notification of critical cyber security incidents 30BD Notification of other cyber security incidents 30BE Liability 30BEA Significant impact 30BEB Consultation—rules 30BF Relevant Commonwealth body Part 2C—Enhanced cyber security obligations Division 1—Simplified outline of this Part 30CA Simplified outline of this Part Division 2—Statutory incident response planning obligations Subdivision A—Application of statutory incident response planning obligations 30CB Application of statutory incident response planning obligations—determination by the Secretary 30CC Revocation of determination Subdivision B—Statutory incident response planning obligations 30CD Responsible entity must have an incident response plan 30CE Compliance with incident response plan 30CF Review of incident response plan 30CG Update of incident response plan 30CH Copy of incident response plan must be given to the Secretary 30CJ Incident response plan 30CK Variation of incident response plan 30CL Revocation of adoption of incident response plan Division 3—Cyber security exercises 30CM Requirement to undertake cyber security exercise 30CN Cyber security exercise 30CP Compliance with requirement to undertake cyber security exercise 30CQ Internal evaluation report 30CR External evaluation report 30CS Meaning of evaluation report 30CT External auditors Division 4—Vulnerability assessments 30CU Requirement to undertake vulnerability assessment 30CV Compliance with requirement to undertake a vulnerability assessment 30CW Designated officers may undertake a vulnerability assessment 30CX Compliance with requirement to provide reasonable assistance etc. 30CY Vulnerability assessment 30CZ Vulnerability assessment report 30DA Meaning of vulnerability assessment report Division 5—Access to system information Subdivision A—System information reporting notices 30DB Secretary may require periodic reporting of system information 30DC Secretary may require event‑based reporting of system information 30DD Consultation 30DE Duration of system information periodic reporting notice or system information event‑based reporting notice 30DF Compliance with system information periodic reporting notice or system information event‑based reporting notice 30DG Self‑incrimination etc. 30DH Admissibility of report etc. Subdivision B—System information software 30DJ Secretary may require installation of system information software 30DK Consultation 30DL Duration of system information software notice 30DM Compliance with system information software notice 30DN Self‑incrimination etc. 30DP Admissibility of information etc. Division 6—Designated officers 30DQ Designated officer Part 3—Directions by the Minister Division 1—Simplified outline of this Part 31 Simplified outline of this Part Division 2—Directions by the Minister 32 Direction if risk of act or omission that would be prejudicial to security 33 Consultation before giving direction 34 Requirement to comply with direction 35 Exception—acquisition of property 35AAA Directions prevail over inconsistent critical infrastructure risk management programs 35AAB Liability Part 3A—Responding to serious incidents Division 1—Simplified outline of this Part 35AA Simplified outline of this Part Division 2—Ministerial authorisation relating to serious incidents 35AB Ministerial authorisation 35AC Kinds of acts or things that may be specified in an intervention request 35AD Consultation 35AE Form and notification of Ministerial authorisation 35AF Form of application for Ministerial authorisation 35AG Duration of Ministerial authorisation 35AH Revocation of Ministerial authorisation 35AJ Minister to exercise powers personally Division 3—Information gathering directions 35AK Information gathering direction 35AL Form of direction 35AM Compliance with an information gathering direction 35AN Self‑incrimination etc. 35AP Admissibility of information etc. Division 4—Action directions 35AQ Action direction 35AR Form of direction 35AS Revocation of direction 35AT Compliance with direction 35AU Directions prevail over inconsistent critical infrastructure risk management programs 35AV Directions prevail over inconsistent obligations 35AW Liability Division 5—Intervention requests 35AX Intervention request 35AY Form and notification of request 35AZ Compliance with request 35BA Revocation of request 35BB Relevant entity to assist the authorised agency 35BC Constable may assist the authorised agency 35BD Removal and return of computers etc. 35BE Use of force against an individual not authorised 35BF Liability 35BG Evidentiary certificates 35BH Chief executive of the authorised agency to report to the Defence Minister and the Minister 35BJ Approved staff members of the authorised agency Division 6—Reports to the Parliamentary Joint Committee on Intelligence and Security 35BK Reports to the Parliamentary Joint Committee on Intelligence and Security Part 4—Gathering and using information Division 1—Simplified outline of this Part 36 Simplified outline of this Part Division 2—Secretary's power to obtain information or documents 37 Secretary may obtain information or documents from entities 38 Copies of documents 39 Retention of documents 40 Self‑incrimination Division 3—Use and disclosure of protected information Subdivision A—Authorised use and disclosure 41 Authorised use and disclosure—performing functions etc. 42 Authorised use and disclosure—other person's functions etc. 42AA Authorised use and disclosure—availability, integrity, reliability or security of a critical infrastructure asset 42A Authorised use and disclosure—development of proposed amendments of this Act etc. 43 Authorised disclosure relating to law enforcement 43AA Authorised disclosure to Ombudsman official 43A Authorised disclosure to IGIS official 43B Authorised use and disclosure—Ombudsman official 43C Authorised use and disclosure—IGIS official 43D Authorised use and disclosure—ASD 43E Authorised disclosure of protected information by the entity to whom the information relates 43F Authorised use and disclosure—relevant entity's business, professional, commercial or financial affairs 44 Secondary use and disclosure of protected information 44A Authorised APS employees Subdivision B—Offence for unauthorised use or disclosure 45 Offence for unauthorised use or disclosure of protected information 46 Exceptions to offence for unauthorised use or disclosure 47 No requirement to provide information Part 5—Enforcement Division 1—Simplified outline of this Part 48 Simplified outline of this Part Division 2—Civil penalties, enforceable undertakings and injunctions 49 Civil penalties, enforceable undertakings and injunctions Division 3—Monitoring and investigation powers 49A Monitoring powers 49B Investigation powers Division 4—Infringement notices 49C Infringement notices Part 6—Declaration of assets by the Minister Division 1—Simplified outline of this Part 50 Simplified outline of this Part Division 2—Declaration of assets by the Minister 51 Declaration of assets by the Minister 51A Consultation—declaration 52 Notification of change to reporting entities for asset Part 6A—Declaration of systems of national significance by the Minister Division 1—Simplified outline of this Part 52A Simplified outline of this Part Division 2—Declaration of systems of national significance by the Minister 52B Declaration of systems of national significance by the Minister 52C Consultation—declaration 52D Notification if responsible entity for an asset ceases to be the responsible entity 52E Review of declaration 52F Revocation of determination Part 7—Miscellaneous Division 1—Simplified outline of this Part 53 Simplified outline of this Part Division 2—Treatment of certain entities 53A How certain entities hold interests 54 Treatment of partnerships 55 Treatment of trusts and superannuation funds that are trusts 56 Treatment of unincorporated foreign companies Division 3—Matters relating to Secretary's powers 57 Additional power of Secretary 58 Assets ceasing to be critical infrastructure assets 59 Delegation of Secretary's powers Division 4—Periodic reports, reviews and rules etc. 60 Periodic report 60AA Compensation for acquisition of property 60AB Service of notices, directions and instruments by electronic means 60A Independent review 60B Review of this Act 61 Rules Endnotes Endnote 1—About the endnotes Endnote 2—Abbreviation key Endnote 3—Legislation history Endnote 4—Amendment history An Act to create a framework for managing critical infrastructure, and for related purposes Part 1—Preliminary Division 1—Preliminary 1 Short title This Act is the Security of Critical Infrastructure Act 2018. 2 Commencement (1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms. Commencement information Column 1 Column 2 Column 3 Provisions Commencement Date/Details 1. The whole of this Act A single day to be fixed by Proclamation. 11 July 2018 However, if the provisions do not commence within the period of 3 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period. Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act. (2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act. 3 Object The object of this Act is to provide a framework for managing risks relating to critical infrastructure, including by: (a) improving the transparency of the ownership and operational control of critical infrastructure in Australia in order to better understand those risks; and (b) facilitating cooperation and collaboration between all levels of government, and regulators, owners and operators of critical infrastructure, in order to identify and manage those risks; and (c) requiring responsible entities for critical infrastructure assets to identify and manage risks relating to those assets; and (d) imposing enhanced cyber security obligations on relevant entities for systems of national significance in order to improve their preparedness for, and ability to respond to, cyber security incidents; and (e) providing a regime for the Commonwealth to respond to serious incidents relating to critical infrastructure assets. 4 Simplified outline of this Act This Act creates a framework for managing risks relating to critical infrastructure. The framework consists of the following: (a) the keeping of a register of information in relation to critical infrastructure assets (the register will not be made public); (b) requiring the responsible entity for one or more critical infrastructure assets to have, and comply with, a critical infrastructure risk management program (unless an exemption applies); (c) requiring notification of cyber security incidents; (d) imposing enhanced cyber security obligations that relate to systems of national significance; (e) requiring certain entities relating to a critical infrastructure asset to provide information in relation to the asset, and to notify if certain events occur in relation to the asset; (f) allowing the Minister to require certain entities relating to a critical infrastructure asset to do, or refrain from doing, an act or thing if the Minister is satisfied that there is a risk of an act or omission that would be prejudicial to security; (g) allowing the Secretary to require certain entities relating to a critical infrastructure asset to provide certain information or documents; (h) setting up a regime for the Commonwealth to respond to a serious incident that has had, is having, or is likely to have, one or more relevant impacts on one or more critical infrastructure assets; (i) allowing the Secretary to undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset. Certain documents or information obtained, generated or adopted under, or relating to the operation of, this Act is protected information. There are restrictions on when a person may make a record of, use or disclose protected information. Civil penalty provisions of this Act may be enforced using civil penalty orders, injunctions or infringement notices, and enforceable undertakings may be accepted in relation to compliance with civil penalty provisions. The Regulatory Powers Act is applied for these purposes. Certain provisions of this Act are subject to monitoring and investigation under the Regulatory Powers Act. Certain provisions of this Act may be enforced by imposing a criminal penalty. The Minister may privately declare an asset to be a critical infrastructure asset. The Minister may privately declare a critical infrastructure asset to be a system of national significance. The Secretary must give the Minister reports, for presentation to the Parliament, on the operation of this Act. Division 2—Definitions 5 Definitions In this Act: ABN has the same meaning as in the A New Tax System (Australian Business Number) Act 1999. access, in relation to a computer program, means the execution of the computer program. access to computer data means: (a) in a case where the computer data is held in a computer—the display of the data by the computer or any other output of the data from the computer; or (b) in a case where the computer data is held in a computer—the copying or moving of the data to: (i) any other location in the computer; or (ii) another computer; or (iii) a data storage device; or (c) in a case where the computer data is held in a data storage device—the copying or moving of the data to: (i) a computer; or (ii) another data storage device. acquisition of property has the same meaning as in paragraph 51(xxxi) of the Constitution. adverse security assessment has the same meaning as in Part IV of the Australian Security Intelligence Organisation Act 1979. aircraft operator has the same meaning as in the Aviation Transport Security Act 2004. airport has the same meaning as in the Aviation Transport Security Act 2004. airport operator has the same meaning as in the Aviation Transport Security Act 2004. air service has the same meaning as in the Aviation Transport Security Act 2004. appointed officer, for an unincorporated foreign company, means: (a) the secretary of the company; or (b) an officer of the company appointed to hold property on behalf of the company. approved form means a form approved by the Secretary. approved staff member of the authorised agency has the meaning given by section 35BJ. ASD means the Australian Signals Directorate. asset includes: (a) a system; and (b) a network; and (c) a facility; and (d) a computer; and (e) a computer device; and (f) a computer program; and (g) computer data; and (h) premises; and (i) any other thing. associate has the meaning given by section 8B. associated entity has the same meaning as in the Corporations Act 2001. associated transmission facility means: (a) an antenna; or (b) a combiner; or (c) a feeder system; or (d) an apparatus; or (e) an item of equipment; or (f) a structure; or (g) a line; or (h) an electricity cable or wire; that is associated with a radiocommunications transmitter. AusCheck scheme has the same meaning as in the AusCheck Act 2007. Australia, when used in a geographical sense, includes the external Territories. Australian CS facility licence has the same meaning as in the Corporations Act 2001. Australian derivative trade repository licence has the same meaning as in the Corporations Act 2001. Australian market licence has the same meaning as in the Corporations Act 2001. authorised agency means ASD. authorised APS employee means an APS employee in the Department in respect of whom an authorisation under section 44A is in force. authorised deposit‑taking institution has the same meaning as in the Banking Act 1959. background check has the same meaning as in the AusCheck Act 2007. banking business has the same meaning as in the Banking Act 1959. benchmark administrator licence has the same meaning as in the Corporations Act 2001. broadcasting re‑transmission asset means: (a) a radiocommunications transmitter; or (b) a broadcasting transmission tower; or (c) an associated transmission facility; that is used in connection with the transmission of a service to which, as a result of section 212 of the Broadcasting Services Act 1992, the regulatory regime established by that Act does not apply. broadcasting service has the same meaning as in the Broadcasting Services Act 1992. broadcasting transmission asset means: (a) a radiocommunications transmitter; or (b) a broadcasting transmission tower; or (c) an associated transmission facility; that is used, or is capable of being used, in connection with the transmission of: (d) a national broadcasting service; or (e) a commercial radio broadcasting service; or (f) a commercial television broadcasting service. broadcasting transmission tower has the same meaning as in Schedule 4 to the Broadcasting Services Act 1992. business critical data means: (a) personal information (within the meaning of the Privacy Act 1988) that relates to at least 20,000 individuals; or (b) information relating to any research and development in relation to a critical infrastructure asset; or (c) information relating to any systems needed to operate a critical infrastructure asset; or (d) information needed to operate a critical infrastructure asset; or (e) information relating to risk management and business continuity (however described) in relation to a critical infrastructure asset. carriage service has the same meaning as in the Telecommunications Act 1997. carriage service provider has the same meaning as in the Telecommunications Act 1997. carrier has the same meaning as in the Telecommunications Act 1997. chief executive of the authorised agency means the Director‑General of ASD. civil penalty provision has the same meaning as in the Regulatory Powers Act. clearing and settlement facility has the same meaning as in the Corporations Act 2001. commencing day means the day this Act commences. commercial radio broadcasting service has the same meaning as in the Broadcasting Services Act 1992. commercial television broadcasting service has the same meaning as in the Broadcasting Services Act 1992. communications sector means the sector of the Australian economy that involves: (a) supplying a carriage service; or (b) providing a broadcasting service; or (c) owning or operating assets that are used in connection with the supply of a carriage service; or (d) owning or operating assets that are used in connection with the transmission of a broadcasting service; or (e) administering an Australian domain name system. computer means all or part of: (a) one or more computers; or (b) one or more computer systems; or (c) one or more computer networks; or (d) any combination of the above. computer data means data held in: (a) a computer; or (b) a data storage device. computer device means a device connected to a computer. confidential commercial information means the following: (a) information relating to trade secrets; (b) other information that has a commercial value that would be, or could reasonably be expected to be, destroyed or diminished if the information were communicated. connected includes connection otherwise than by means of physical contact, for example, a connection by means of radiocommunication. constable has the same meaning as in the Crimes Act 1914. corporate entity means an entity other than an individual. credit facility has the meaning given by regulations made for the purposes of paragraph 12BAA(7)(k) of the Australian Securities and Investments Commission Act 2001. credit facility business means a business that offers, or provides services in relation to, a credit facility. critical aviation asset means: (a) an asset that: (i) is used in connection with the provision of an air service; and (ii) is owned or operated by an aircraft operator; or (b) an asset that: (i) is used in connection with the provision of an air service; and (ii) is owned or operated by a regulated air cargo agent; or (c) an asset that is used by an airport operator in connection with the operation of an airport. Note: The rules may prescribe that a specified critical aviation asset is not a critical infrastructure asset (see section 9). critical banking asset has the meaning given by section 12G. Note: The rules may prescribe that a specified critical banking asset is not a critical infrastructure asset (see section 9). critical broadcasting asset has the meaning given by section 12E. Note: The rules may prescribe that a specified critical broadcasting asset is not a critical infrastructure asset (see section 9). critical component of a critical infrastructure asset, means a part of the asset, where absence of, damage to, or compromise of, the part of the asset: (a) would prevent the proper function of the asset; or (b) could cause significant damage to the asset; as assessed by the responsible entity for the asset. critical data storage or processing asset has the meaning given by section 12F. Note: The rules may prescribe that a specified critical data storage or processing asset is not a critical infrastructure asset (see section 9). critical defence capability includes: (a) materiel; and (b) technology; and (c) a platform; and (d) a network; and (e) a system; and (f) a service; that is required in connection with: (g) the defence of Australia; or (h) national security. critical defence industry asset means an asset that: (a) is being, or will be, supplied by an entity to the Defence Department, or the Australian Defence Force, under a contract; and (b) consists of, or enables, a critical defence capability. Note: The rules may prescribe that a specified critical defence industry asset is not a critical infrastructure asset (see section 9). critical domain name system has the meaning given by section 12KA. Note: The rules may prescribe that a specified critical domain name system is not a critical infrastructure asset (see section 9). critical education asset means an asset that: (a) is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers; and (b) is used in connection with undertaking a program of research that is critical to: (i) a critical infrastructure sector (other than the higher education and research sector); or (ii) the defence of Australia; or (iii) national security. Note: The rules may prescribe that a specified critical education asset is not a critical infrastructure asset (see section 9). critical electricity asset has the meaning given by section 10. critical energy market operator asset means an asset that: (a) is owned or operated by: (i) Australian Energy Market Operator Limited (ACN 072 010 327); or (ii) Power and Water Corporation; or (iii) Regional Power Corporation; or (iv) Electricity Networks Corporation; and (b) is used in connection with the operation of an energy market or system; and (c) is critical to ensuring the security and reliability of an energy market or system; but does not include: (d) a critical electricity asset; or (e) a critical gas asset; or (f) a critical liquid fuel asset. Note: The rules may prescribe that a specified critical energy market operator asset is not a critical infrastructure asset (see section 9). critical financial market infrastructure asset has the meaning given by section 12D. Note: The rules may prescribe that a specified critical financial market infrastructure asset is not a critical infrastructure asset (see section 9). critical food and grocery asset has the meaning given by section 12K. Note: The rules may prescribe that a specified critical food and grocery asset is not a critical infrastructure asset (see section 9). critical freight infrastructure asset has the meaning given by section 12B. Note: The rules may prescribe that a specified critical freight infrastructure asset is not a critical infrastructure asset (see section 9). critical freight services asset has the meaning given by section 12C. Note: The rules may prescribe that a specified critical freight services asset is not a critical infrastructure asset (see section 9). critical gas asset has the meaning given by section 12. critical hospital means a hospital that has a general intensive care unit. Note: The rules may prescribe that a specified critical hospital is not a critical infrastructure asset (see section 9). critical infrastructure asset has the meaning given by section 9. critical infrastructure risk management program has the meaning given by section 30AH. critical infrastructure sector has the meaning given by section 8D. critical infrastructure sector asset has the meaning given by subsection 8E(1). critical insurance asset has the meaning given by section 12H. Note: The rules may prescribe that a specified critical insurance asset is not a critical infrastructure asset (see section 9). critical liquid fuel asset has the meaning given by section 12A. Note: The rules may prescribe that a specified critical liquid fuel asset is not a critical infrastructure asset (see section 9). critical port has the meaning given by section 11. critical public transport asset means a public transport network or system that: (a) is managed by a single entity; and (b) is capable of handling at least 5 million passenger journeys per month; but does not include a critical aviation asset. Note: The rules may prescribe that a specified critical public transport asset is not a critical infrastructure asset (see section 9). critical superannuation asset has the meaning given by section 12J. Note: The rules may prescribe that a specified critical superannuation asset is not a critical infrastructure asset (see section 9). critical telecommunications asset means: (a) a telecommunications network that is: (i) owned or operated by a carrier or a carriage service provider; and (ii) used to supply a carriage service; or (b) a facility (within the meaning of the Telecommunications Act 1997) that is: (i) owned or operated by a carrier or a carriage service provider; and (ii) used to supply a carriage service. Note: The rules may prescribe that a specified critical telecommunications asset is not a critical infrastructure asset (see section 9). critical water asset means one or more water or sewerage systems or networks that: (a) are managed by a single water utility; and (b) ultimately deliver services to at least 100,000 water connections or 100,000 sewerage connections. Note: The rules may prescribe that a specified critical water asset is not a critical infrastructure asset (see section 9). critical worker means an individual, where the following conditions are satisfied: (a) the individual is an employee, intern, contractor or subcontractor of the responsible entity for a critical infrastructure asset to which Part 2A applies; (b) the absence or compromise of the individual: (i) would prevent the proper function of the asset; or (ii) could cause significant damage to the asset; as assessed by the responsible entity for the asset; (c) the individual has access to, or control and management of, a critical component of the asset. custodial or depository service has the same meaning as in the Corporations Act 2001. cyber security exercise has the meaning given by section 30CN. cyber security incident has the meaning given by section 12M. data includes information in any form. data storage means data storage that involves information technology, and includes data back‑up. data storage device means a thing (for example, a disk or file server) containing (whether temporarily or permanently), or designed to contain (whether temporarily or permanently), data for use by a computer. data storage or processing provider means an entity that provides a data storage or processing service. data storage or processing sector means the sector of the Australian economy that involves providing data storage or processing services. data storage or processing service means: (a) a service that: (i) enables end‑users to store or back‑up data; and (ii) is provided on a commercial basis; or (b) a data processing service that: (i) involves the use of one or more computers; and (ii) is provided on a commercial basis; or (c) a service that is specified in the rules. However, the rules may prescribe that a specified service is not a data storage or processing service. Note: For prescription by class, see subsection 13(3) of the Legislation Act 2003. Defence Department means the Department of State that deals with defence and that is administered by the Defence Minister. defence industry sector means the sector of the Australian economy that involves the provision of critical defence capabilities. Defence Minister means the Minister administering section 1 of the Defence Act 1903. derivative trade repository has the same meaning as in the Corporations Act 2001. designated officer has the meaning given by section 30DQ. direct interest holder, in relation to an asset, has the meaning given by section 8. Electricity Networks Corporation means the Electricity Networks Corporation established by section 4 of the Electricity Corporations Act 2005 (WA). electronic communication means a communication of information in any form by means of guided or unguided electromagnetic energy. energy sector means the sector of the Australian economy that involves: (a) the production, transmission, distribution or supply of electricity; or (b) the production, processing, transmission, distribution or supply of gas; or (c) the production, processing, transmission, distribution or supply of liquid fuel. engage in conduct means: (a) do an act or thing; or (b) omit to perform an act or thing. entity means any of the following: (a) an individual, whether or not resident in Australia or an Australian citizen; (b) a body corporate, whether or not formed, or carrying on business, in Australia; (c) a body politic, whether or not an Australian body politic; (d) a partnership, whether or not formed in Australia; (e) a trust, whether or not created in Australia; (f) a superannuation fund, whether or not created in Australia; (g) an unincorporated foreign company. Note: See Division 2 of Part 7 for how this Act applies to partnerships, trusts, superannuation funds and unincorporated foreign companies. evaluation report has the meaning given by section 30CS. external auditor means a person authorised under section 30CT to be an external auditor for the purposes of this Act. financial benchmark has the same meaning as in the Corporations Act 2001. financial market has the same meaning as in Chapter 7 of the Corporations Act 2001. financial services and markets sector means the sector of the Australian economy that involves: (a) carrying on banking business; or (b) operating a superannuation fund; or (c) carrying on insurance business; or (d) carrying on life insurance business; or (e) carrying on health insurance business; or (f) operating a financial market; or (g) operating a clearing and settlement facility; (h) operating a derivative trade repository; or (i) administering a financial benchmark; or (j) operating a payment system; or (k) carrying on business of providing financial services (within the meaning of the Corporations Act 2001); or (l) carrying on credit facility business. First Minister means the Premier of a State, or the Chief Minister of the Australian Capital Territory or the Northern Territory. food means food for human consumption. food and grocery sector means the sector of the Australian economy that involves: (a) manufacturing; or (b) processing; or (c) packaging; or (d) distributing; or (e) supplying; food or groceries on a commercial basis. gas means a substance that: (a) is in a gaseous state at standard temperature and pressure; and (b) consists of naturally occurring hydrocarbons, or a naturally occurring mixture of hydrocarbons and non‑hydrocarbons, the principal constituent of which is methane; and (c) is suitable for consumption. general intensive care unit means an area within a hospital that: (a) is equipped and staffed so that it is capable of providing to a patient: (i) mechanical ventilation for a period of several days; and (ii) invasive cardiovascular monitoring; and (b) is supported by: (i) during normal working hours—at least one specialist, or consultant physician, in the specialty of intensive care, who is immediately available, and exclusively rostered, to that area; and (ii) at all times—at least one medical practitioner who is present in the hospital and immediately available to that area; and (iii) at least 18 hours each day—at least one nurse; and (c) has admission and discharge policies in operation. government business enterprise has the same meaning as in the Public Governance, Performance and Accountability Act 2013. grace period, for an asset, means: (a) for an asset that is, or will be, a critical infrastructure asset at the end of the period of 6 months starting on the commencing day—that 6 month period; or (b) for an asset that becomes a critical infrastructure asset after the end of the period mentioned in paragraph (a)—the period of 6 months starting on the day the asset becomes a critical infrastructure asset. health care includes: (a) services provided by individuals who practise in any of the following professions or occupations: (i) dental (including the profession of a dentist, dental therapist, dental hygienist, dental prosthetist and oral health therapist); (ii) medical; (iii) medical radiation practice; (iv) nursing; (v) midwifery; (vi) occupational therapy; (vii) optometry; (viii) pharmacy; (ix) physiotherapy; (x) podiatry; (xi) psychology; (xii) a profession or occupation specified in the rules; and (b) treatment and maintenance as a patient at a hospital. health care and medical sector means the sector of the Australian economy that involves: (a) the provision of health care; or (b) the production, distribution or supply of medical supplies. health insurance business has the same meaning as in the Private Health Insurance Act 2007. higher education and research sector means the sector of the Australian economy that involves undertaking a program of research that is: (a) supported financially (in whole or in part) by the Commonwealth; and (b) critical to: (i) a critical infrastructure sector (other than the higher education and research sector); or (ii) national security; or (iii) the defence of Australia. higher education provider has the same meaning as in the Tertiary Education Quality and Standards Agency Act 2011. holding entity has the meaning given by subsection 8C(2). hospital has the same meaning as in the Private Health Insurance Act 2007. IGIS official means: (a) the Inspector‑General of Intelligence and Security; or (b) any other person covered by subsection 32(1) of the Inspector‑General of Intelligence and Security Act 1986. impairment of electronic communication to or from a computer includes: (a) the prevention of any such communication; and (b) the impairment of any such communication on an electronic link or network used by the computer; but does not include a mere interception of any such communication. incident response plan has the meaning given by section 30CJ. influence or control has a meaning affected by section 8A. inland waters means waters within Australia other than waters of the sea. insurance business has the same meaning as in the Insurance Act 1973. interest in an asset means a legal or equitable interest in the asset. interest and control information, in relation to an entity and an asset, has the meaning given by section 6. international relations means political, military and economic relations with foreign governments and international organisations. internet carriage service means a listed carriage service that enables end‑users to access the internet. life insurance business has the same meaning as in the Life Insurance Act 1995. liquid fuel has the same meaning as in the Liquid Fuel Emergency Act 1984. listed carriage service has the same meaning as in the Telecommunications Act 1997. local hospital network has the same meaning as in the National Health Reform Act 2011. managed service provider, in relation to an asset, means an entity that: (a) manages: (i) the asset; or (ii) a part of the asset; or (b) manages an aspect of: (i) the asset; or (ii) a part of the asset; or (c) manages an aspect of the operation of: (i) the asset; or (ii) a part of the asset. medical supplies includes: (a) goods for therapeutic use; and (b) things specified in the rules. Ministerial authorisation means an authorisation under section 35AB. modification: (a) in respect of computer data—means: (i) the alteration or removal of the data; or (ii) an addition to the data; or (b) in respect of a computer program—means: (i) the alteration or removal of the program; or (ii) an addition to the program. moneylending agreement has the meaning given by subsection 8(3). national broadcasting service has the same meaning as in the Broadcasting Services Act 1992. National Register of Higher Education Providers means the register established and maintained under section 198 of the Tertiary Education Quality and Standards Agency Act 2011. national security means Australia's defence, security or international relations. notifiable event has the meaning given by section 26. notification provision means: (a) subsection 35AE(3); or (b) subsection 35AE(4); or (c) subsection 35AE(5); or (d) subsection 35AE(6); or (e) subsection 35AE(7); or (f) subsection 35AE(8); or (g) subsection 35AH(5); or (h) subsection 35AH(6); or (i) subsection 35AH(7); or (j) subsection 35AY(3); or (k) subsection 35AY(4); or (l) subsection 35AY(5); or (m) subsection 35AY(6); or (n) subsection 35AY(7); or (o) subsection 35AY(8); or (p) subsection 51(3); or (q) subsection 52(4); or (r) subsection 52B(3). Ombudsman official means: (a) the Ombudsman; or (b) a Deputy Commonwealth Ombudsman; or (c) a person who is a member of the staff referred to in subsection 31(1) of the Ombudsman Act 1976. operational information, in relation to an asset, has the meaning given by section 7. operator, of an asset, means: (a) for a critical port—a port facility operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003) of a port facility within the port; or (b) for a critical infrastructure asset other than a critical port—an entity that operates the asset or part of the asset. Note: For some assets, an operator of the asset is also the responsible entity for the asset. payment system has the same meaning as in the Payment Systems (Regulation) Act 1998. port facility has the same meaning as in the Maritime Transport and Offshore Facilities Security Act 2003. Power and Water Corporation means the Power and Water Corporation established by section 4 of the Power and Water Corporation Act 1987 (NT). protected information has the meaning given by section 5A. radiocommunications transmitter has the same meaning as in the Radiocommunications Act 1992. regional centre means a city, or a town that has a population of 10,000 or more people. Regional Power Corporation means the Regional Power Corporation established by section 4 of the Electricity Corporations Act 2005 (WA). Register means the Register of Critical Infrastructure Assets kept by the Secretary under section 19. regulated air cargo agent has the same meaning as in the Aviation Transport Security Act 2004. Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014. related body corporate has the same meaning as in the Corporations Act 2001. related company group means a group of 2 or more bodies corporate, where each member of the group is related to each other member of the group. For this purpose, the question whether a body corporate is related to another body corporate is to be determined in the same manner as that question is determined under the Corporations Act 2001. relevant Commonwealth regulator means: (a) a Department that is specified in the rules; or (b) a body that is: (i) established by a law of the Commonwealth; and (ii) specified in the rules. relevant entity, in relation to an asset, means an entity that: (a) is the responsible entity for the asset; or (b) is a direct interest holder in relation to the asset; or (c) is an operator of the asset; or (d) is a managed service provider for the asset. relevant impact has the meaning given by section 8G. relevant information has the meaning given by section 5A. relevant official has the meaning given by section 30AI. reporting entity, for an asset, means either of the following: (a) the responsible entity for the asset; (b) a direct interest holder in relation to the asset. Note: An entity may be both the responsible entity for an asset and a direct interest holder in relation to the asset. responsible entity, for an asset, has the meaning given by section 12L. RSE licensee has the same meaning as in the Superannuation Industry (Supervision) Act 1993. rules means the rules made by the Minister under section 61. Secretary means the Secretary of the Department. security (other than in references to national security): (a) subject to paragraph (b)—has the same meaning as in the Australian Security Intelligence Organisation Act 1979; and (b) in the definitions of critical energy market operator asset and protected information and sections 10, 12, 12A, 12D, 12G, 12H, 12J, 12M, 12N, 30AG, 30AQ, 30CB, 30CM, 30CR, 30CU, 30CW and 42AA—has its ordinary meaning. security regulated port has the same meaning as in the Maritime Transport and Offshore Facilities Security Act 2003. Note: Security regulated ports are declared under section 13 of the Maritime Transport and Offshore Facilities Security Act 2003. senior officer of a corporate entity means: (a) for a body corporate—a director of the body corporate; or (b) for a unit trust: (i) the trustee of which is an individual—the trustee; and (ii) the trustee of which is a body corporate—a director of the trustee; and (iii) in any case—any other individual involved in the central management and control of the trust; or (c) an individual who is, or an individual in a group of individuals who are, in a position to determine the investments or policy of the entity or a trustee of the entity; or (d) an individual who makes, or participates in making, decisions that affect the whole, or a substantial part of, the business of the entity; or (e) an individual who has the capacity to affect significantly the financial standing of the entity. serious deficiency has the meaning given by section 30AI. significant financial benchmark has the same meaning as in the Corporations Act 2001. space technology sector means the sector of the Australian economy that involves the commercial provision of space‑related services. Note: The following are examples of space‑related services: (a) position, navigation and timing services in relation to space objects; (b) space situational awareness services; (c) space weather monitoring and forecasting; (d) communications, tracking, telemetry and control in relation to space objects; (e) remote sensing earth observations from space; (f) facilitating access to space. staff member, in relation to the authorised agency, means a staff member of ASD (within the meaning of the Intelligence Services Act 2001). subsidiary has the meaning given by subsection 8C(1). superannuation fund has the meaning given by section 10 of the Superannuation Industry (Supervision) Act 1993. system information event‑based reporting notice means a notice under subsection 30DC(2). system information periodic reporting notice means a notice under subsection 30DB(2). system information software notice means a notice under subsection 30DJ(2). system of national significance has the meaning given by section 52B. technical assistance notice has the same meaning as in Part 15 of the Telecommunications Act 1997. technical assistance request has the same meaning as in Part 15 of the Telecommunications Act 1997. technical capability notice has the same meaning as in Part 15 of the Telecommunications Act 1997. telecommunications network has the same meaning as in the Telecommunications Act 1997. therapeutic use has the same meaning as in the Therapeutic Goods Act 1989. this Act includes the rules. transport sector means the sector of the Australian economy that involves: (a) owning or operating assets that are used in connection with the transport of goods or passengers on a commercial basis; or (b) the transport of goods or passengers on a commercial basis. unauthorised access, modification or impairment has the meaning given by section 12N. unincorporated foreign company means a body covered by paragraph (b) of the definition of foreign company in section 9 of the Corporations Act 2001. vulnerability assessment has the meaning given by section 30CY. vulnerability assessment report has the meaning given by section 30DA. water and sewerage sector means the sector of the Australian economy that involves: (a) operating water or sewerage systems or networks; or (b) manufacturing or supplying goods, or providing services, for use in connection with the operation of water or sewerage systems or networks. water utility means an entity that holds a licence, approval or authorisation (however described), under a law of the Commonwealth, a State or a Territory, to provide water services or sewerage services, or both. 5A Meaning of protected information and relevant information Protected information (1) Protected information is relevant information: (a) the disclosure of which would or could reasonably be expected to prejudice national security or the defence of Australia; or (b) the disclosure of which would or could reasonably be expected to prejudice the social or economic stability of Australia or its people; or (c) that contains, or is, confidential commercial information; or (d) the disclosure of which would or could reasonably be expected to prejudice the availability, integrity, reliability or security of a critical infrastructure asset. (2) A document or information is protected information if it: (a) was a document or information to which subsection (1) applied; and (b) is obtained by a person by way of an authorised disclosure under Division 3 of Part 4 or in accordance with section 46. Relevant information (3) Relevant information is: (a) a document or information that is obtained or generated by a person in the course of exercising powers, or performing duties or functions, under this Act; or (b) a document or information that is obtained, generated or adopted by an entity for the purposes of complying with this Act; including, but not limited to, a document or information that: (c) records or is the fact that an asset is declared under section 51 to be a critical infrastructure asset; or (d) records or is the fact that an asset is declared under section 52B to be a system of national significance; or (e) records or is the fact that the Minister has: (i) given a Ministerial authorisation; or (ii) revoked a Ministerial authorisation; or (f) is, or is included in, a critical infrastructure risk management program that is adopted by an entity in compliance with section 30AC; or (g) is, or is included in, a report that is given under section 30AG or 30AQ; or (h) is, or is included in, a report under section 30BC or 30BD; or (i) is, or is included in, an incident response plan adopted by an entity in compliance with section 30CD; or (j) is, or is included in, an evaluation report prepared under section 30CQ or 30CR; or (k) is, or is included in, a vulnerability assessment report prepared under section 30CZ; or (l) is, or is included in, a report prepared in compliance with: (i) a system information periodic reporting notice; or (ii) a system information event‑based reporting notice; or (m) records or is the fact that the Minister has: (i) given a direction under subsection 32(2); or (ii) revoked such a direction; or (n) records or is the fact that the Secretary has: (i) given a direction under section 35AK; or (ii) revoked such a direction; or (o) records or is the fact that the Secretary has: (i) given a direction under section 35AQ; or (ii) revoked such a direction; or (p) records or is the fact that the Secretary has: (i) given a request under section 35AX; or (ii) revoked such a request. 6 Meaning of interest and control information (1) The following information is interest and control information in relation to an entity (the first entity) and an asset (subject to subsection (3)): (a) the name of the first entity; (b) if applicable, the ABN of the first entity, or other similar business number (however described) if the first entity was incorporated, formed or created (however described) outside Australia; (c) for an entity other than an individual: (i) the address of the first entity's head office or principal place of business; and (ii) the country in which the first entity was incorporated, formed or created (however described); (d) for an entity that is an individual: (i) the residential address of the first entity; and (ii) the country in which the first entity usually resides; and (iii) the country or countries of which the first entity is a citizen; (e) the type and level of the interest the first entity holds in the asset; (f) information about the influence or control the first entity is in a position to directly or indirectly exercise in relation to the asset; (g) information about the ability of a person, who has been appointed by the first entity to the body that governs the asset, to directly access networks or systems that are necessary for the operation or control of the asset; (h) the name of each other entity that is in a position to directly or indirectly influence or control: (i) the first entity; or (ii) any entity covered by a previous application of this paragraph; (ha) in relation to each entity (the higher entity) covered by paragraph (h): (i) the information in paragraphs (b) to (d), and (e) if appropriate, as if a reference in those paragraphs to the first entity were a reference to the higher entity; and (ii) information about the influence or control the higher entity is in a position to directly or indirectly exercise in relation to the first entity or any entity covered by paragraph (h); (i) information prescribed by the rules for the purposes of this paragraph. Note 1: For example, if Holding Entity 1 holds a 10% interest in the first entity, and Holding Entity 2 holds a 10% interest in Holding Entity 1, the information mentioned in paragraphs (1)(h) and (ha) relating to those holding entities, would be given to the Secretary. Note 2: For the definition of influence or control, see section 8A. Note 3: For interests held by trusts, partnerships, superannuation funds and unincorporated foreign companies, see section 53A. (2) Information under subsection (1) may include personal information (within the meaning of the Privacy Act 1988). Interest and control information provided by States and Territories (3) If the first entity is a Governor, First Minister, Administrator or Minister of a State or Territory who is a direct interest holder in relation to an asset because of paragraph 8(1)(b), the first entity is not required to provide any interest and control information. (4) However, subsection (3) does not affect the obligation of the State or Territory to provide interest and control information in relation to the asset if the State or Territory is also a direct interest holder in relation to the asset because of paragraph 8(1)(a) or (b). Interest and control information provided by the Commonwealth (5) If the first entity: (a) is the Governor‑General, the Prime Minister or a Minister; and (b) is a direct interest holder in relation to an asset because of paragraph 8(1)(b); the first entity is not required to provide any interest and control information. Note: The expression Minister is defined in section 2B of the Acts Interpretation Act 1901. (6) However, subsection (5) does not affect the obligation of the Commonwealth to provide interest and control information in relation to the asset if the Commonwealth is also a direct interest holder in relation to the asset because of paragraph 8(1)(a) or (b). 7 Meaning of operational information (1) The following information is operational information in relation to an asset: (a) the location of the asset; (b) a description of the area the asset services; (c) the following information about each entity that is the responsible entity for, or an operator of, the asset: (i) the name of the entity; (ii) if applicable, the ABN of the entity, or other similar business number (however described) if the entity was incorporated, formed or created (however described) outside Australia; (iii) the address of the entity's head office or principal place of business; (iv) the country in which the entity was incorporated, formed or created (however described); (d) the following information about the chief executive officer (however described) of the responsible entity for the asset: (i) the full name of the officer; (ii) the country or countries of which the officer is a citizen; (e) a description of the arrangements under which each operator operates the asset or a part of the asset; (f) a description of the arrangements under which data prescribed by the rules relating to the asset is maintained; (g) information prescribed by the rules for the purposes of this paragraph. Note: For paragraph (e), this would include if the control system of the asset is managed by a separate body. (2) Information under subsection (1) may include personal information (within the meaning of the Privacy Act 1988). 8 Meaning of direct interest holder (1) An entity is a direct interest holder in relation to an asset if the entity: (a) together with any associates of the entity, holds an interest of at least 10% in the asset (including if any of the interests are held jointly with one or more other entities); or (b) holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset. Note: For interests held by trusts, partnerships, superannuation funds and unincorporated foreign companies, see section 53A. Exemption for moneylenders etc. (2) Subsection (1) does not apply to an interest in an asset held by an entity if: (a) the entity holds the interest in the asset: (i) solely by way of security for the purposes of a moneylending agreement; or (ii) solely as a result of enforcing a security for the purposes of a moneylending agreement; and (b) the entity is: (i) the entity (the first entity) that entered into the moneylending agreement; or (ii) a subsidiary or holding entity of the first entity; or (iii) a person who is (alone or with others) in a position to determine the investments or policy of the first entity; or (iv) a security trustee who holds or acquires the interest on behalf of the first entity; or (v) a receiver, or a receiver and manager, appointed by, or appointed on instructions from, a person or entity mentioned in any of subparagraphs (i) to (iv). (3) A moneylending agreement is: (a) an agreement entered into in good faith, on ordinary commercial terms and in the ordinary course of carrying on a business (a moneylending business) of lending money or otherwise providing financial accommodation, except an agreement dealing with any matter unrelated to the carrying on of that business; or (b) if the entity: (i) is carrying on a moneylending business; or (ii) is a subsidiary or holding entity of a corporate entity that is carrying on a moneylending business; an agreement to acquire an interest arising from a moneylending agreement (within the meaning of paragraph (a)). Exemption for providers of custodial or depository services (4) Subsection (1) does not apply to an interest in an asset held by an entity if: (a) the entity is the provider of a custodial or depository service; and (b) the entity holds the interest in the asset solely in the entity's capacity as the provider of a custodial or depository service; and (c) the holding of the interest does not put the entity in a position to directly or indirectly influence or control the asset. Exemption for providers of services specified in the rules (5) Subsection (1) does not apply to an interest in an asset held by an entity if: (a) the entity is the provider of a service specified in the rules; and (b) the entity holds the interest in the asset solely in the entity's capacity as the provider of the service; and (c) the holding of the interest does not put the entity in a position to directly or indirectly influence or control the asset. 8A Meaning of influence or control (1) An entity is in a position to directly or indirectly influence or control an asset if: (a) the entity is in a position to exercise voting or veto rights in relation to the body that governs the asset; or (b) the entity is in a position to make decisions that materially impact on the running of, or strategic direction in relation to, the asset;