Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth)

Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024

No. 100, 2024

An Act to amend the law relating to critical infrastructure and telecommunications, and for related purposes

Contents

1 Short title
2 Commencement
3 Schedules
Schedule 1—Data storage systems that hold business critical data
Security of Critical Infrastructure Act 2018
Schedule 2—Managing consequences of impacts of incidents on critical infrastructure assets
Security of Critical Infrastructure Act 2018
Schedule 3—Use and disclosure of protected information
Security of Critical Infrastructure Act 2018
Schedule 4—Direction to vary critical infrastructure risk management program
Security of Critical Infrastructure Act 2018
Schedule 5—Security regulation for critical telecommunications assets
Part 1—Main amendments
Security of Critical Infrastructure Act 2018
Part 2—Consequential amendments
Australian Security Intelligence Organisation Act 1979
Telecommunications Act 1997
Telecommunications (Interception and Access) Act 1979
Part 3—Contingent amendments
Division 1—Amendments contingent on the commencement of Schedule 3 to this Act
Security of Critical Infrastructure Act 2018
Division 2—Amendments if Schedule 4 to the Crimes and Other Legislation Amendment (Omnibus No. 1) Act 2024 commences before Part 2 of this Schedule
Telecommunications Act 1997
Division 3—Amendments if Schedule 4 to the Crimes and Other Legislation Amendment (Omnibus No. 1) Act 2024 does not commence before Part 2 of this Schedule
Crimes and Other Legislation Amendment (Omnibus No. 1) Act 2024
Part 4—Application and saving provisions
Schedule 6—Notification of declaration of system of national significance
Security of Critical Infrastructure Act 2018
Schedule 7—Notification of certain critical infrastructure or telecommunications security assessments
Australian Security Intelligence Organisation Act 1979
Schedule 8—Other amendments
Security of Critical Infrastructure Act 2018

Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024

No. 100, 2024

An Act to amend the law relating to critical infrastructure and telecommunications, and for related purposes

[Assented to 29 November 2024]

The Parliament of Australia enacts:

1 Short title

This Act is the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024.

2 Commencement

(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information

| Column 1: Provisions | Column 2: Commencement | Column 3: Date/Details |
| --- | --- | --- |
| 1. Sections 1 to 3 and anything in this Act not elsewhere covered by this table | The day this Act receives the Royal Assent. | 29 November 2024 |
| 2. Schedules 1 to 4 | A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 6 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period. | 20 December 2024 (F2025N00037) |
| 3. Schedule 5, Parts 1 and 2 | A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 12 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period. | |
| 4. Schedule 5, Part 3, Division 1 | The later of: (a) immediately after the commencement of the provisions covered by table item 2; and (b) immediately after the commencement of the provisions covered by table item 3. | |
| 5. Schedule 5, Part 3, Division 2 | At the same time as the provisions covered by table item 3. However, the provisions do not commence at all if Schedule 4 to the Crimes and Other Legislation Amendment (Omnibus No. 1) Act 2024 does not commence before that time. | |
| 6. Schedule 5, Part 3, Division 3 | Immediately before the commencement of Schedule 4 to the Crimes and Other Legislation Amendment (Omnibus No. 1) Act 2024. However, the provisions do not commence at all if that Schedule commences before the commencement of the provisions covered by table item 3. | Never commenced |
| 7. Schedule 5, Part 4 | At the same time as the provisions covered by table item 3. | |
| 8. Schedule 6 | At the same time as the provisions covered by table item 2. | 20 December 2024 |
| 9. Schedule 7 | The day after this Act receives the Royal Assent. | 30 November 2024 |
| 10. Schedule 8 | At the same time as the provisions covered by table item 2. | 20 December 2024 |

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

(2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3 Schedules

Legislation that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms.

Schedule 1—Data storage systems that hold business critical data

Security of Critical Infrastructure Act 2018

1 Subsection 9(1) (note) Omit "Note", substitute "Note 1".
2 At the end of subsection 9(1) Add: Note 2: Data storage systems that store or process business critical data are part of the critical infrastructure asset: see subsection (7). 3 At the end of section 9 Add: Data storage systems (7) If, under this section, an asset is a critical infrastructure asset, then a data storage system in respect of which all of the following requirements are satisfied is taken to be part of the critical infrastructure asset: (a) the responsible entity for the critical infrastructure asset owns or operates the data storage system; (b) the data storage system is used, or is to be used, in connection with the critical infrastructure asset; (c) business critical data is stored, or is processed in or by, the data storage system (whether or not other information is also stored, or is processed in or by, the data storage system); (d) for a hazard where there is a material risk that the occurrence of the hazard could have an impact on the data storage system, there is also a material risk that the occurrence of the hazard could have a relevant impact on the critical infrastructure asset. Note: The effect of this subsection is, for example, that: (a) obligations under Part 2 in relation to a critical infrastructure asset will also need to take into account the data storage system; and (b) a critical infrastructure risk management program under Part 2A in relation to a critical infrastructure asset will also need to cover the data storage system; and (c) notification obligations under Part 2B of cyber security incidents relating to any relevant impact on a critical infrastructure asset will also need to take into account any relevant impact on the data storage system. 
4 Application provision The amendments made by this Schedule apply in relation to the following: (a) assets that are critical infrastructure assets (including systems of national significance) immediately before the commencement of this item; (b) assets that become critical infrastructure assets (including systems of national significance) on or after the day on which this item commences; whether the data storage systems came into existence before, on or after the day on which this item commences. Schedule 2—Managing consequences of impacts of incidents on critical infrastructure assets Security of Critical Infrastructure Act 2018 1 Paragraph 3(e) Omit "serious cyber security incidents", substitute "serious incidents relating to critical infrastructure assets". 2 Section 4 Omit "serious cyber security incidents", substitute "a serious incident that has had, is having, or is likely to have, one or more relevant impacts on one or more critical infrastructure assets". 3 Subsections 8G(2) and (3) Omit "a cyber security incident", substitute "an incident (including a cyber security incident)". 4 Section 12P (heading) Omit "a cyber security incident", substitute "an incident (including a cyber security incident)". 5 Section 12P Omit "a cyber security incident", substitute "an incident (including a cyber security incident)". 6 Part 3A (heading) Repeal the heading, substitute: Part 3A—Responding to serious incidents 7 Section 35AA Repeal the section, substitute: 35AA Simplified outline of this Part • This Part sets up a regime for the Commonwealth to respond to a serious incident that has had, is having, or is likely to have, one or more relevant impacts on one or more critical infrastructure assets. 
• The Minister may, in order to respond to the incident, do any or all of the following things: (a) authorise the Secretary to give information‑gathering directions to relevant entities for the assets; (b) authorise the Secretary to give action directions to relevant entities for the assets; (c) if the incident is a cyber security incident—authorise the Secretary to give intervention requests to the authorised agency. • An information‑gathering direction requires the relevant entities to give information to the Secretary. • An action direction requires the relevant entities to do, or refrain from doing, a specified act or thing. • An intervention request is a request that the authorised agency do one or more specified acts or things in relation to the assets. 8 Division 2 of Part 3A (heading) Repeal the heading, substitute: Division 2—Ministerial authorisation relating to serious incidents 9 Paragraph 35AB(1)(a) Omit "a cyber security incident", substitute "an incident". 10 Paragraph 35AB(1)(b) Omit "a relevant impact on a critical infrastructure asset (the primary asset)", substitute "one or more relevant impacts on one or more critical infrastructure assets (each of which is a primary asset)". 11 Paragraph 35AB(1A)(a) Omit "a cyber security incident", substitute "an incident". 12 Paragraph 35AB(1A)(b) Omit "a relevant impact on a critical infrastructure asset (the primary asset)", substitute "one or more relevant impacts on one or more critical infrastructure assets (each of which is a primary asset)". 13 Paragraph 35AB(2)(a) Omit "to a specified entity under section 35AK that relate to the incident and the primary asset", substitute "under section 35AK, relating to the incident and one or more primary assets, to one or more relevant entities". 
14 Paragraph 35AB(2)(b) Omit "to a specified entity under section 35AK that relate to the incident and a specified critical infrastructure sector asset", substitute "under section 35AK, relating to the incident and one or more specified critical infrastructure sector assets, to one or more relevant entities". 15 Paragraph 35AB(2)(c) Omit "a specified entity a specified direction under section 35AQ that relates to the incident and the primary asset", substitute "one or more specified entities a specified direction under section 35AQ that relates to the incident and one or more specified primary assets". 16 Paragraph 35AB(2)(d) Omit "a specified entity a specified direction under section 35AQ that relates to the incident and a specified critical infrastructure sector asset", substitute "one or more specified entities a specified direction under section 35AQ that relates to the incident and one or more specified critical infrastructure sector assets". 17 Paragraph 35AB(2)(e) Omit "a specified request under section 35AX that relates to the incident and the primary asset", substitute "one or more specified requests under section 35AX that relate to the incident and one or more specified primary assets". 18 Paragraph 35AB(2)(f) Omit "a specified request under section 35AX that relates to the incident and a specified critical infrastructure sector asset", substitute "one or more specified requests under section 35AX that relate to the incident and one or more specified critical infrastructure sector assets". 19 Subsection 35AB(2) (at the end of note 3) Add "The Minister must not give an authorisation under paragraph (2)(e) or (f) unless the Minister is satisfied that the incident is a cyber security incident: see subsection (10).". 20 Paragraph 35AB(5)(a) After "the asset", insert "or assets". 21 Subsection 35AB(7) After "paragraph (2)(c) or (d)", insert "in relation to a specified entity". 
22 Subsection 35AB(7) (note) Omit "a cyber security incident", substitute "an incident (including a cyber security incident)". 23 Subparagraph 35AB(8)(a)(ii) After "the asset", insert "or assets". 24 Subsection 35AB(9) After "paragraph (2)(c) or (d)", insert "in relation to a specified entity". 25 After subsection 35AB(9) Insert: (9A) Without limiting paragraph (2)(c) or (d), a direction referred to in that paragraph may require a specified entity to disclose specified personal information (within the meaning of the Privacy Act 1988) held by the entity to another specified entity for a specified purpose. (9B) However, the Minister must not give a Ministerial authorisation under paragraph (2)(c) or (d), to the extent that it authorises the giving of a direction covered by subsection (9A), unless the Minister has obtained the agreement of the Minister administering the Privacy Act 1988. 26 Subsection 35AB(10) After "paragraph (2)(e) or (f)", insert "that relates to the incident and an asset". 27 Before paragraph 35AB(10)(a) Insert: (aa) the incident is a cyber security incident; and 28 Paragraphs 35AB(10)(b) and (c) Omit "concerned". 29 Paragraph 35AB(11)(a) Omit "concerned". 30 Section 35AC Omit "to a Ministerial authorisation of a request", substitute "to a proposed Ministerial authorisation under paragraph 35AB(2)(e) or (f) in relation to an asset". 31 Paragraphs 35AC(a) to (j) Omit "to which the Ministerial authorisation relates" (wherever occurring). 32 Subsection 35AD(1) After "paragraph 35AB(2)(c) or (d)", insert "in relation to an entity". 33 Paragraphs 35AE(2)(a), (3)(a), (4)(a), (5)(a), (6)(a), (7)(a) and (8)(a) Omit "a cyber security incident", substitute "an incident". 34 Paragraph 35AF(2)(a) Omit "a cyber security incident", substitute "an incident". 35 Paragraph 35AG(1)(a) Omit "a cyber security incident", substitute "an incident". 36 Paragraphs 35AH(1)(a), (6)(a) and (7)(a) Omit "a cyber security incident", substitute "an incident". 
37 Paragraph 35AK(1)(a) Omit "a cyber security incident", substitute "an incident". 38 Subsection 35AQ(2) (note) Omit "a cyber security incident", substitute "an incident that has had, is having, or is likely to have, a relevant impact on one or more critical infrastructure assets". 39 Subsection 35AS(3) Omit "cyber security incident", substitute "incident". 40 Subsection 35AX(2) (note) Omit "section 35AB", substitute "subsection 35AB(10)". 41 At the end of subsection 35BA(1) Add "and an asset". 42 Subsection 35BK(1) Omit "a cyber security incident", substitute "an incident". 43 Application and saving provisions (1) The amendments of Part 3A of the Security of Critical Infrastructure Act 2018 made by this Schedule apply in relation to the giving of an authorisation under subsection 35AB(2) of that Act on or after the day on which this item commences in relation to an application by the Secretary under that subsection on or after that day. (2) The Security of Critical Infrastructure Act 2018, as in force immediately before the commencement of this item, continues to apply on and after that commencement in relation to the following: (a) an authorisation given under subsection 35AB(2) of that Act before the day on which this item commences; (b) an application by the Secretary under that subsection before that day. Schedule 3—Use and disclosure of protected information Security of Critical Infrastructure Act 2018 1 Section 4 Omit "Certain information obtained or generated under, or relating to the operation of, this Act is protected information", substitute "Certain documents or information obtained, generated or adopted under, or relating to the operation of, this Act is protected information". 2 Section 5 Insert: authorised APS employee means an APS employee in the Department in respect of whom an authorisation under section 44A is in force. 
confidential commercial information means the following: (a) information relating to trade secrets; (b) other information that has a commercial value that would be, or could reasonably be expected to be, destroyed or diminished if the information were communicated. 3 Section 5 (definition of protected information) Repeal the definition, substitute: protected information has the meaning given by section 5A. 4 Section 5 Insert: relevant information has the meaning given by section 5A. 5 Section 5 (paragraph (a) of the definition of security) Repeal the paragraph, substitute: (a) subject to paragraph (b)—has the same meaning as in the Australian Security Intelligence Organisation Act 1979; and 6 Section 5 (paragraph (b) of the definition of security) Omit "definition of critical energy market operator asset", substitute "definitions of critical energy market operator asset and protected information". 7 Section 5 (paragraph (b) of the definition of security) Omit "and 30CW", substitute ", 30CW and 42AA". 8 After section 5 Insert: 5A Meaning of protected information and relevant information Protected information (1) Protected information is relevant information: (a) the disclosure of which would or could reasonably be expected to prejudice national security or the defence of Australia; or (b) the disclosure of which would or could reasonably be expected to prejudice the social or economic stability of Australia or its people; or (c) that contains, or is, confidential commercial information; or (d) the disclosure of which would or could reasonably be expected to prejudice the availability, integrity, reliability or security of a critical infrastructure asset. (2) A document or information is protected information if it: (a) was a document or information to which subsection (1) applied; and (b) is obtained by a person by way of an authorised disclosure under Division 3 of Part 4 or in accordance with section 46. 
Relevant information (3) Relevant information is: (a) a document or information that is obtained or generated by a person in the course of exercising powers, or performing duties or functions, under this Act; or (b) a document or information that is obtained, generated or adopted by an entity for the purposes of complying with this Act; including, but not limited to, a document or information that: (c) records or is the fact that an asset is declared under section 51 to be a critical infrastructure asset; or (d) records or is the fact that an asset is declared under section 52B to be a system of national significance; or (e) records or is the fact that the Minister has: (i) given a Ministerial authorisation; or (ii) revoked a Ministerial authorisation; or (f) is, or is included in, a critical infrastructure risk management program that is adopted by an entity in compliance with section 30AC; or (g) is, or is included in, a report that is given under section 30AG or 30AQ; or (h) is, or is included in, a report under section 30BC or 30BD; or (i) is, or is included in, an incident response plan adopted by an entity in compliance with section 30CD; or (j) is, or is included in, an evaluation report prepared under section 30CQ or 30CR; or (k) is, or is included in, a vulnerability assessment report prepared under section 30CZ; or (l) is, or is included in, a report prepared in compliance with: (i) a system information periodic reporting notice; or (ii) a system information event‑based reporting notice; or (m) records or is the fact that the Minister has: (i) given a direction under subsection 32(2); or (ii) revoked such a direction; or (n) records or is the fact that the Secretary has: (i) given a direction under section 35AK; or (ii) revoked such a direction; or (o) records or is the fact that the Secretary has: (i) given a direction under section 35AQ; or (ii) revoked such a direction; or (p) records or is the fact that the Secretary has: (i) given a request under 
section 35AX; or (ii) revoked such a request. 9 Section 36 (note) Omit "section 5", substitute "section 5A". 10 Subsections 42(1) and (2) After "Secretary", insert ", or an authorised APS employee,". 11 After subparagraph 42(2)(a)(vii) Insert: (viia) emergency management; 12 Paragraph 42(2)(b) Repeal the paragraph, substitute: (b) a Minister of a State, the Australian Capital Territory, or the Northern Territory, who has responsibility for: (i) law enforcement; or (ii) emergency management; or (iii) the regulation or oversight of the relevant critical infrastructure sector to which the protected information relates; 13 At the end of section 42 Add: (3) An authorised APS employee may disclose protected information under this section, and make a record of or use protected information for the purpose of that disclosure, only if doing so is in accordance with an authorisation under section 44A. 14 After section 42 Insert: 42AA Authorised use and disclosure—availability, integrity, reliability or security of a critical infrastructure asset A relevant entity (other than the Commonwealth) for a critical infrastructure asset may make a record of, use or disclose protected information if the entity makes the record, or uses or discloses the information: (a) for a purpose relating to the continued operation of the critical infrastructure asset; or (b) to mitigate a risk to the availability, integrity, reliability or security of the critical infrastructure asset. Note: This section is an authorisation for the purposes of other laws, including the Australian Privacy Principles. 15 Section 42A Before "The", insert "(1)". 16 Section 42A After "Secretary", insert ", or an authorised APS employee,". 17 At the end of section 42A Add: (2) An authorised APS employee may disclose protected information under this section, and make a record of or use protected information for the purpose of that disclosure, only if doing so is in accordance with an authorisation under section 44A. 
18 Section 43 Before "The", insert "(1)". 19 Section 43 After "Secretary", insert ", or an authorised APS employee,". 20 At the end of section 43 Add: (2) An authorised APS employee may disclose protected information under this section only if doing so is in accordance with an authorisation under section 44A. 21 Section 43AA Before "The", insert "(1)". 22 Section 43AA After "Secretary", insert ", or an authorised APS employee,". 23 At the end of section 43AA Add: (2) An authorised APS employee may disclose protected information under this section, and make a record of or use protected information for the purpose of that disclosure, only if doing so is in accordance with an authorisation under section 44A. 24 Section 43A Before "The", insert "(1)". 25 Section 43A After "Secretary", insert ", an authorised APS employee or any other entity". 26 At the end of section 43A Add: (2) An authorised APS employee may disclose protected information under this section, and make a record of or use protected information for the purpose of that disclosure, only if doing so is in accordance with an authorisation under section 44A. 27 Subparagraphs 43E(1)(b)(i) and (ii) After "responsibility for", insert "emergency management or for". 28 Subsections 43E(2) and (3) Repeal the subsections, substitute: (2) An entity may disclose protected information if: (a) the entity is the entity to whom the protected information relates; and (b) the Secretary has consented, in writing, to the disclosure; and (c) if the Secretary's consent is subject to one or more conditions—those conditions are satisfied. Note: This subsection is an authorisation for the purposes of other laws, including the Australian Privacy Principles. 
29 After section 43E Insert: 43F Authorised use and disclosure—relevant entity's business, professional, commercial or financial affairs A relevant entity for a critical infrastructure asset may make a record of, use or disclose protected information if: (a) the protected information was obtained, generated or adopted by the entity for the purposes of complying with this Act; and (b) the entity makes the record, or uses or discloses the information, for the entity's business, professional, commercial or financial affairs. Note: This section is an authorisation for the purposes of other laws, including the Australian Privacy Principles. 30 At the end of Subdivision A of Division 3 of Part 4 Add: 44A Authorised APS employees (1) The Secretary may, in writing, authorise an APS employee in the Department, or each APS employee in the Department included in a specified class of APS employees in the Department, to be an authorised APS employee for the purposes of this Subdivision. (2) The Secretary must, in any authorisation under subsection (1), specify the kind of protected information that the APS employee, or each APS employee in that class, is authorised: (a) to disclose under section 42, 42A, 43, 43AA or 43A; and (b) to make a record of or use for the purpose of a disclosure under section 42, 42A, 43AA or 43A. 31 Paragraph 45(1)(a) Repeal the paragraph, substitute: (a) the entity obtains, generates or adopts a document or information; and 32 Paragraph 45(1)(b) After "the", insert "document or". 33 Paragraph 45(1)(c) After "uses the", insert "document or". 34 Subsection 45(1) (note 2) Repeal the note, substitute: Note 2: A document or information that records or is the fact that an asset is declared under section 51 to be a critical infrastructure asset may be protected information: see section 5A. 
35 Application provision The amendments of the Security of Critical Infrastructure Act 2018 made by this Schedule apply in relation to the making of a record, use or disclosure of a document or information on or after the day on which this item commences, whether the document or information is obtained, generated or adopted before, on or after that day. Schedule 4—Direction to vary critical infrastructure risk management program Security of Critical Infrastructure Act 2018 1 Section 5 Insert: relevant official has the meaning given by section 30AI. serious deficiency has the meaning given by section 30AI. 2 Before paragraph 30AG(2)(e) Insert: (db) if the entity was given a direction under section 30AI during the relevant period—includes a statement that: (i) sets out the content of the direction; and (ii) sets out how the program was varied in response to the direction; and 3 After section 30AH Insert: 30AI Direction to vary critical infrastructure risk management program (1) A relevant official may give the responsible entity for one or more critical infrastructure assets a written direction to vary the entity's critical infrastructure risk management program if the relevant official is satisfied that there are one or more serious deficiencies with the program. (2) A relevant official is: (a) the Secretary, unless paragraph (b) applies; or (b) if there is a relevant Commonwealth regulator that has functions relating to the security of those assets: (i) the chief executive officer (however described) of that regulator; or (ii) an SES employee, or an acting SES employee, in that regulator; or (iii) a person who holds, or is acting in, a position in that regulator that is equivalent to, or higher than, a position occupied by an SES employee in the Department. (3) A serious deficiency is a deficiency that poses a material risk to: (a) national security; or (b) the defence of Australia; or (c) the social or economic stability of Australia or its people. 
Contents of direction (4) A direction under subsection (1) must: (a) specify the serious deficiencies; and (b) require the responsible entity to vary the entity's critical infrastructure risk management program to address those deficiencies; and (c) specify the period within which the responsible entity must vary that program, which must be a period of at least 14 days starting on the day on which the direction is given. Compliance with direction (5) The responsible entity must comply with a direction under subsection (1). Note: If the entity is not a legal person, see Division 2 of Part 7. Civil penalty: 250 penalty units. Consultation before giving direction (6) A relevant official must, before giving a direction under subsection (1), give the responsible entity a written notice: (a) stating that the relevant official is considering giving the responsible entity a direction under subsection (1); and (b) specifying the serious deficiencies covered by subsection (1); and (c) invite the responsible entity to give the relevant official, within 14 days after the day the notice is given to the responsible entity, a written submission in relation to the notice. (7) A relevant official must, in deciding whether to give a direction under subsection (1), have regard to: (a) any written submission received from the responsible entity within that 14‑day period; and (b) any action that is taken, or proposed to be taken, by the responsible entity in response to the notice and that is notified to the relevant official within that 14‑day period. (8) Subsection (7) does not limit the matters to which the relevant official may have regard. Certain persons to give copy of direction to Secretary (9) A relevant official covered by paragraph (2)(b) must give the Secretary a copy of any direction the relevant official gives under subsection (1). Direction not a legislative instrument (10) A direction under subsection (1) is not a legislative instrument. 
4 After paragraph 60(2)(g) Insert: (gaa) the number of directions given to entities under section 30AI during the financial year; and 5 Application provisions (1) The amendments of sections 30AG and 60 of the Security of Critical Infrastructure Act 2018 made by this Schedule apply in relation to a financial year that ends after