As we highlighted in a previous article, recent changes to the Security of Critical Infrastructure Act 2018 (Cth) (SoCI Act) expanded the scope of infrastructure assets caught by the legislation, and introduced a number of associated new obligations.
One new set of obligations introduces a reporting requirement, to allow the Commonwealth Government to establish and maintain a register of critical infrastructure assets.
For many categories of critical infrastructure asset, the deadline to submit initial information to the Cyber and Infrastructure Security Centre (CISC) is 8 October 2022.
There are two categories of information that are required to be provided in relation to each critical infrastructure asset:
- entities responsible for a critical infrastructure asset must submit prescribed ‘operational information’ in relation to the asset; and
- all relevant direct interest holders must also declare their interest in the critical infrastructure asset. An entity is a direct interest holder of a critical infrastructure if the entity:
- together with any associates of the entity, holds an interest of at least 10% in the asset; or
- holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.
Once this information is submitted, these responsible entities and interest holders must continue to provide ongoing updates to the CISC as circumstances change.
These reporting obligations initially apply to critical infrastructure assets in the following categories:
- critical broadcasting assets;
- critical domain name systems;
- critical data storage or processing assets;
- critical payment systems;
- critical food and grocery assets;
- critical hospitals;
- critical freight infrastructure assets and critical freight services assets;
- critical public transport assets;
- critical liquid fuel assets;
- critical energy market operator assets; and
- critical electricity assets and critical gas assets (to the extent they were not already captured by the previous version of the SoCI Act).
If you have any questions or require assistance, contact our Privacy, Data Protection and Cyber Security team today.
This article was written by Daniel Kiley, Partner and Paul Sigar, Solicitor.