At the end of last year, Australia's Security Legislation Amendment (Critical Infrastructure) Act 2021 became law, giving the government "last resort" powers to direct an entity when responding to cyber attacks and introducing a cyber-incident reporting regime for critical infrastructure assets.
Those laws were originally drafted to be wider in scope, with Home Affairs proposing other obligations for organisations within critical infrastructure sectors.
Provisions seeking to enshrine those obligations were eventually set aside, however, with the federal government deciding to follow a recommendation made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) to have those omitted aspects introduced under a second Bill.
That second Bill, Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, was introduced into Parliament by Home Affairs Minister Karen Andrews last week.
In this second Bill, the federal government is seeking to introduce risk management programs for critical infrastructure entities and enhanced cybersecurity obligations for those entities most important to the nation, including a requirement to provide reports of system information and risk assessments to the Australian Signals Directorate (ASD).
The risk management program obligation, if it were to become law, would apply to entities within the 11 sectors classified as critical infrastructure sectors in