Critical Infrastructure Reforms – phase one enacted

By Jeff Goodall, Ooma Khurana & Hemant Vijaykumar

• 24 November 2021 • 4 min read

A progress update on the security of critical infrastructure reforms.

On Monday, Parliament passed the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth) (the Bill), formerly cited as the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (the Former Bill).

The Bill amends the Security of Critical Infrastructure Act 2018 (the Act) to enact urgent elements of the Former Bill, which seek to manage and address complex and evolving risks threatening Australia's critical infrastructure and national security.

Following the Parliamentary Joint Committee on Intelligence and Security’s (the PJCIS) recommendation to split the Former Bill into two parts, non-urgent elements of the Former Bill, including positive-security obligations on the adoption, compliance and maintenance of a critical infrastructure risk management program, have been deferred for further industry and government consultation, as discussed in our recent report on the reforms.

Which aspects of the reforms have been fast-tracked?

The Bill enacts key elements of the reforms identified by the PJCIS as requiring urgent implementation, including:

  • Expanding the critical framework coverage of the Act from 4 sectors (electricity, gas, water and ports) to 11, encompassing communications, data storage and processing, financial services and markets, water and sewerage, energy, health care and medical, higher education and research, food and grocery, transport, space technology and defence sectors.
  • Implementing mandatory notification of certain cyber security incidents including providing written notification of critical cyber security incidents within 84 hours (rather than 48 hours, as previously proposed). The Bill also defines 'significant impact' in the context of a cyber security incident.
  • Establishing last-resort emergency government assistance powers to respond to serious cyber security incidents. This includes a power to authorise the Secretary of the Department of Home Affairs to issue an information-gathering direction, an action direction or to authorise the Australian Signals Directorate to intervene when a cyber security incident has occurred, is occurring or is likely to occur. This last measure generated significant concern during consultation, and the Bill incorporates additional safeguards and oversight through mandatory reporting as recommended by the PJCIS in response to those concerns.
  • Enabling the PJCIS to conduct a review of the operation, effectiveness and implications of the Bill not less than three years from when the Bill receives royal assent.

When does the Bill commence?

A core of the Bill’s proposed amendments will commence the day after the Bill receives royal assent (which may take 7 - 10 working days).

Bill Two

As recommended by the PJCIS, the remaining elements of the Former Bill will be amended in consultation with the industry and reintroduced in a subsequent bill (Bill Two).

Bill Two is expected to implement measures including obligations to implement and maintain risk management programs concerning critical infrastructure, and the ability to declare Systems of National Significance (with accompanying enhanced cyber security obligations).

It has been anticipated by the PJCIS that Bill Two should proceed at a ‘more manageable pace’ for government and industry.

Associated with this recommendation, the PJCIS also recommended that Bill Two be referred back to the PJCIS when it is introduced for further review, alongside analysis of the impacts of the Bill and statutory review of the Act.

This is intended to ensure that legislative reforms concerning Australia’s critical infrastructure …are not just a ‘set and forget’ response to a current threat.

Summary

The urgent reforms proposed in the Former Bill have now been passed, and will soon come into force. The reforms have the potential to impose a significant regulatory burden in some cases, and non-compliance will give rise to financial penalties, so it is important to be aware of the proposed changes.

We also recommend that our clients in key industry sectors continue to monitor the ongoing progress of Bill Two, and participate in any further opportunities to frame these reforms through consultation.

Meanwhile, please reach out to us if you require support in further unpacking the implications of the latest regulatory reforms in this area.
