Legal Insights
Annual reporting requirements for your Critical Infrastructure Risk Management Program under the Security of Critical Infrastructure Act 2018 (Cth)
Responsible entities for specified critical infrastructure assets that are required to hold and maintain a critical infrastructure risk management program (CIRMP) or that are exempt from such requirement, must comply with annual reporting requirements under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) for the first time this year.
The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules), made under the SOCI Act, commenced on 17 February 2023. The CIRMP Rules activated additional obligations for responsible entities for specified critical infrastructure assets under the SOCI Act, including the obligation to submit an annual report to the relevant regulator relating to its CIRMP and/or to certain assets that are not covered by a CIRMP.
Due to a grace period, responsible entities were not obligated to submit an annual report for the 2022-2023 financial year.
However, the inaugural annual report for the 2023-2024 financial year must be submitted between 30 June 2024 and 28 September 2024.
What is CIRMP?
In accordance with the SOCI Act, responsible entities for specified critical infrastructure assets must adopt, maintain, comply, regularly review and update their CIRMPs, unless an exemption applies.
CIRMPs are written programs for specified assets that have the purpose of:
- identifying each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;
- minimising or eliminating any material risk of such hazard occurring (so far as it is reasonably practicable to do so);
- mitigating the relevant impact of such hazard on the asset (so far as it is reasonably practicable to do so); and
- complying with any requirements as are specified in the CIRMP Rules from time to time.
Hazards could include cyber and information security hazards, personnel hazards, physical security and natural hazards and supply chain hazards.
Responsible entities must also submit an annual report to the relevant government regulator every financial year, relating to their CIRMP and/or to certain assets that are not covered by a CIRMP (Annual Report).
What does the Annual Report need to contain?
The Annual Report must be submitted in the approved form and the responsible entity must confirm details in the report, including whether:
- the CIRMP is (or is not) up to date at the end of the relevant financial year;
- any hazards have had a ‘significant relevant impact’ on one or more of their critical infrastructure assets during the relevant financial year. Note:
- the term ‘significant’ is not defined within the SOCI Act and the regulator notes it is the responsibility of the responsible entity to determine where a relevant impact may be considered significant; and
- the term ‘relevant impact’ relates to a direct or indirect impact on the availability, integrity, reliability or confidentiality of the critical infrastructure asset; and
- if any hazards have had a significant relevant impact on one or more of those assets during the relevant period — a self-assessment that:
- identifies the hazard and the nature of the impact, including how it occurred and the extent of the consequences;
- evaluates the effectiveness of the CIRMP in mitigating the significant relevant impact of the hazard on the assets concerned (or if the CIRMP could be improved); and
- if the CIRMP was varied during the financial year as a result of the occurrence of the hazard—outlines the relevant variation.
In addition to the above, responsible entities that are exempt from the requirement to hold and maintain a CIRMP in relation to an asset(s) must submit an Annual Report that sets out the reason why that asset(s) is exempt and the action (if any) taken by the entity for the purposes of mitigating the significant relevant impact of the hazard on the asset(s) concerned.
The Annual Report does not need to contain the CIRMP.
Before the Annual Report is submitted, it must be approved by the board, council or other governing body of the responsible entity (if it has one).
When is the Annual Report due?
Given a 6-month grace period from when the CIRMP Rules commenced to meet the CIRMP obligations under Part 2A of the SOCI Act (which, ended 17 August 2023), the obligation to submit an Annual Report in relation to a responsible entity’s CIRMP for the 2022-2023 financial year was not enforced (but voluntary submissions were encouraged).
The inaugural Annual Report will therefore be for the 2023-2024 financial year, and must be submitted between 30 June 2024 and 28 September 2024.
For future years, each Annual Report must be submitted within 90 days after the end of the relevant financial year.
Note, if a responsible entity’s asset does not become a ‘critical infrastructure asset’ until after the CIRMP Rules commenced, the responsible entity is only required to meet CIRMP requirements within 6 months from when the asset becomes a critical infrastructure asset.
What will the information in the Annual Report be used for?
In accordance with the regulator’s guidance:
“Annual reports will be used by Government to better understand the threat environment in each sector. This enables Government to provide meaningful assistance if subject to a hazard and advise entities on ways to further enhance the security and resilience of CI assets.”[1]
Key takeaways
If you currently hold and maintain a CIRMP (or are exempt from such requirement), then you are likely to be required to submit an Annual Report in relation to your CIRMP and/or certain assets that are not covered by a CIRMP for the financial year ending 2024.
For any responsible entity that is subject to the SOCI Act and the CIRMP Rules, now is the time to consider whether you need to comply with the Annual Reporting requirements in relation to your CIRMP and/or certain assets that are not covered by a CIRMP, and if so, the steps required to prepare and submit that Annual Report.
To ensure you are complying with the Annual Reporting requirements or other requirements relating to the SOCI Act and/or the CIRMP Rules, please get in touch with one of our key contacts to discuss the support we can provide.
Key contacts
Sign up for our latest updates
Keep up to date with our legal insights and events
Sign upRecent articles
Legal Insights
Amendments to the ACT's Building and Construction Industry (Security of Payment) Act 2009
By Pria O'Sullivan, and Susan Guo
Recent updates to the Australian Capital Territory’s Building and Construction Industry (Security of Payment) Act 2009.
Legal Insights
Reform to Australia’s merger clearance regime
By Ron Smooker, Shaun Temby, Jacqueline Picone, and Oliver Wahlstrom
A new mandatory, suspensory merger review system conducted by the ACCC comes into effect in Australia on 1 January 2026.
Legal Insights
What all Victorian Government personnel need to know about OVIC’s recent statement on ChatGPT
By Robert Gregory, Georgia Hunt, and Jack Curran
Generative AI, including ChatGPT is becoming common in all facets of personal, professional and public life.
Legal Insights
Important changes to the Workplace Injury Rehabilitation and Compensation Act 2013 concerning workers’ compensation in Victoria
By Catherine Dunlop, Jessica Mourney
From 31 March 2024, amendments to the Victorian workers’ compensation scheme took effect
Partner
Sydney