Protecting Australia from cyber security threats and ensuring the resilience of critical infrastructure is an increasingly important aspect of Australia’s national security.
On 29 November 2024, the Cyber Security Legislative Package received Royal Assent. This package is designed to implement seven key initiatives under the 2023–2030 Australian Cyber Security Strategy, addressing legislative gaps to align Australia with international best practices and positioning the nation as a global leader in cyber security.
The Cyber Security Legislative Package comprises:
- the Cyber Security Act 2024
- the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024
- the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024.
In this article, the Pentagram Advisory team provides a broad, practical overview of the key changes and outlines actionable next steps for critical infrastructure owners and operators.
Cyber Security Act 2024
The Cyber Security Act establishes a legislative framework for addressing ‘contemporary, whole-of-economy cyber security issues’ and aims to position the Australian Government to identify and respond to new and emerging cyber security threats.
Ransomware reporting obligations (Part 3, Cyber Security Act)
Part 3 of the Cyber Security Act establishes an obligation for a reporting business entity to submit ransomware payment reports to the Department of Home Affairs (DHA) and the Australian Signals Directorate. These reports must include specific details about the ransomware attack, such as:
- When the incident occurred or was detected.
- The impact on infrastructure and customers.
- Details of the ransom demand, payment amount, and method.
- Communications with the threat actors, including negotiation records.
This obligation is proposed to apply to responsible entities for critical infrastructure assets subject to Part 2B of the Security of Critical Infrastructure Act 2018 with an annual turnover of AUD $3 million or more in the previous financial year. This threshold was set after consultation and aligns with standards under the Privacy Act 1988.
This new requirement aims to improve the Government’s visibility into ransomware threats, ensuring a coordinated and effective response.
The Cyber Security (Ransomware Reporting) Rules 2024, released as an exposure draft with an accompanying Explanatory Statement by DHA on 16 December 2024, establish mandatory ransomware payment reporting obligations under the Cyber Security Act.
This requirement has not commenced yet. It will come into effect on 30 May 2025, six months after the Royal Assent date.
What is next?
The Cyber and Infrastructure Security Centre (CISC) invites industry feedback on the exposure draft. Submissions are due by Friday, 14 February 2025.
If your business is affected, take steps to understand your obligations, update internal policies and prepare for compliance.
Coordination of major cyber security incidents (Part 4, Cyber Security Act)
Part 4 of the Cyber Security Act establishes obligations on the National Cyber Security Coordinator (NCSC) regarding the use and disclosure of information voluntarily provided during a significant cyber security incident. The obligations apply to entities voluntarily providing information about significant cyber security incidents to the NCSC.
Key Provisions:
- Voluntary Information Sharing: Entities affected by significant cyber security incidents can voluntarily provide information to the NCSC under strict parameters.
- Use and Disclosure Limitations: Information provided to the NCSC is protected under Limited Use Obligations.
- Admissibility Protections: Information voluntarily provided to the NCSC cannot be used as evidence in civil compliance proceedings under Commonwealth law and is inadmissible against the reporting entity in legal proceedings for civil penalties.
- Non-Compellability of NCSC Officers: Officers of the NCSC are not compellable as witnesses in federal, state, or territory courts regarding information provided under Part 4 of the Act.
This obligation commenced on 30 November 2024.
Cyber Incident Review Board (Part 5, Cyber Security Act)
Part 5 establishes the Cyber Incident Review Board – an independent, advisory body tasked to conduct no-fault, post-incident reviews of significant cyber security incidents. The Board will provide concrete recommendations to aid in the prevention, detection, response, and minimisation of cyber security incidents.
CISC invites industry feedback on the exposure draft Cyber Security (Cyber Incident Review Board) Rules 2024 and accompanying Explanatory Statement. Submissions are due by Friday, 14 February 2025.
This requirement has not commenced yet. It will come into effect on 30 May 2025, six months after the Royal Assent date.
Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (ERP Act)
The ERP Act introduces a number of amendments, primarily to the Security of Critical Infrastructure Act 2018 (SOCI Act), but also to the Telecommunications Act 1997, the Telecommunications (Interception and Access) Act 1979 and the Australian Security Intelligence Organisation Act 1979.
Key Measures
1. Data storage systems that hold business critical data
The ERP Act amends the definition of a critical infrastructure asset in section 9 of the SOCI Act to include certain data storage systems that hold business critical data.
If a responsible entity for a critical infrastructure asset owns or operates a data storage system used in connection with that asset, and the system stores or processes business critical data related to the asset, this data storage system now forms part of a critical infrastructure asset. As a result, it must be protected to the same level as other critical infrastructure assets.
For further details, please refer to the detailed summary prepared by the Pentagram Advisory team.
2. Managing consequences of impacts of incidents on critical infrastructure assets
The application of Part 3A of the SOCI Act has been broadened. Previously limited to authorising the Minister to make certain directions in response to serious cyber security incidents, it now applies to all serious incidents, except for intervention orders, which remain restricted to cyber security incidents only.
At this stage, no immediate action is required. However, responsible entities should be prepared to collaborate with the DHA on exercises and practice arrangements to ensure readiness.
For further details and examples, please refer to the CISC factsheet.
3. A new definition of ‘protected information’
The amendment clarifies the existing disclosure and information sharing provisions to enable intra-government sharing of protected information and cross-industry collaboration.
The new definition of ‘protected information’ refers to information that is either:
- Confidential commercial information
- Information that, if disclosed, could harm the public, the security of a critical infrastructure asset, or Australia’s national security, defence, or socioeconomic stability.
For further details, please refer to the CISC factsheet.
4. Direction to vary Critical Infrastructure Risk Management Program
This amendment introduces a new power authorising the DHA, or another relevant Commonwealth regulator, to issue a formal direction requiring the variation of a responsible entity’s Critical Infrastructure Risk Management Program (CIRMP) if one or more ‘serious deficiencies’ are identified.
A serious deficiency is defined as a deficiency posing a material risk to national security, the defence of Australia, or the social or economic stability of Australia or its people. This measure addresses gaps in the powers currently available to regulators to enforce critical infrastructure risk management obligations.
Process for issuing directions:
- The regulator must first issue a written notice to the responsible entity, specifying the serious deficiencies identified and inviting the entity to provide a written submission within 14 days.
- If the entity is unwilling or unable to address the deficiencies, and the regulator has consulted with the entity and considered their response, a formal direction can be issued.
The responsible entity must comply with a direction issued under subsection 30AI(1) and include details of the direction and their response in the annual report submitted to the relevant Commonwealth regulator or Secretary under section 30AG of the SOCI Act. Directions issued under this power will be included in the annual SOCI Act report to Parliament.
For further details, please refer to the CISC factsheet.
5. Security regulation for critical telecommunications assets
This amendment integrates elements of the Telecommunications Sector Security Reform from the Telecommunications Act 1997 into the SOCI Act.
Note: This requirement has not commenced yet. On 16 December 2024, CISC released exposure drafts of the Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2024, the Security of Critical Infrastructure (Application) Amendment (Critical Telecommunications Assets) Rules 2024 and the explanatory document for consultation.
CISC is inviting industry submissions by Friday, 14 February 2025. For further details, please refer to the CISC factsheet.
6. Notification of declaration of Systems of National Significance
This amendment aligns with the deregulatory agenda by removing duplicative requirements.
It eliminates the need for the Minister for Home Affairs to notify each direct interest holder for a critical infrastructure asset declared as a System of National Significance (SoNS). Instead, only the responsible entity is required to be notified.
Additionally, the amendment removes the obligation for responsible entities of a SoNS asset to notify the Secretary of DHA of changes to direct interest holders. However, the responsible entity is still required to notify the Secretary of any changes to the responsible entity itself.
For further details, please refer to the CISC factsheet.
Conclusion
The Cyber Security Legislative Package represents a substantial shift in how Australia approaches cyber security and critical infrastructure resilience. These amendments aim to enhance transparency, improve incident management, and ensure stronger protections for critical assets.
For critical infrastructure owners and operators, these changes reinforce the need to stay proactive. Immediate steps include understanding new obligations, updating internal policies, and preparing for compliance with upcoming requirements.
At Pentagram Advisory, we are closely following the progress of consultations and regulatory developments and will keep our followers regularly updated. If you have questions or require tailored advice, please reach out to us: [email protected].