Infrastructure Update: New obligations under the Security of Critical Infrastructure Act 2018 (Cth)

Alex Ottaway, Special Counsel, and Michael Graziano, Solicitor, at HWL Ebsworth share their insights on the Security of Critical Infrastructure Act 2018 (Cth).


ALERT: The grace period for Reporting Entities to report prescribed information in respect of Critical Infrastructure Assets (CIAs) expires on 8 October 2022.

New reforms brought about by the Security of Critical Infrastructure Act 2018 (Cth) (SoCI Act) and the accompanying Rules have created significant additional compliance obligations for many corporate entities and State Government bodies in all Australian States and Territories.

Is your organisation required to comply with the reporting requirements of the SoCI Act?

The SoCI Act may oblige your organisation to report certain information to the Secretary of the Department of Home Affairs, and to keep that information up-to-date (‘Reporting Requirements‘), if your organisation is a Reporting Entity (Responsible Entity or a Direct Interest Holder) in respect of a CIA.

In ascertaining whether your organisation is subject to the Reporting Requirements, the first question to ask is whether it owns, operates, controls, manages or has other significant involvement with a CIA. Under the SoCI Act, there are 22 different classes of CIA, as follows:

Each of these classes of CIA has a specific definition under the Act. A number of these classes of CIA are defined by reference to objective criteria, such as a ‘critical public transport asset’ which is defined as a public transport network or system that is managed by a single entity and is capable of handling at least five million passenger journeys per month.

As mentioned above, ‘Responsible Entities’ and ‘Direct Interest Holders’ are Reporting Entities for the purposes of the SoCI Act and are subject to the Reporting Requirements.

The SoCI Act identifies the Responsible Entity for each of the classes of CIA referred to above. The test to be applied in identifying the Responsible Entity is different for each class of CIA. In most cases, the Responsible Entity is the entity that has operational control of the asset.

A Direct Interest Holder is defined in the SoCI Act as being a party that (together with that party’s associates) holds an interest of at least 10% in the CIA or holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset. Parties that only have an interest in a CIA due to a moneylending arrangement are deemed not to be Direct Interest Holders.

If you are concerned that any assets owned, operated, managed or controlled by your organisation may be CIAs for the purposes of the SoCI Act, we recommend that you seek legal advice as soon as possible.

What does your organisation need to do, to comply with the Reporting Requirements?

Responsible Entities of CIAs must report operational information to the Secretary of the Department of Home Affairs to be entered into the Critical Infrastructure Register. They must ensure that the information is kept up-to-date, i.e. must report if information previously provided becomes inaccurate or incomplete, or if another entity becomes a reporting entity in respect of the CIA.

Direct Interest Holders of CIAs must provide interest and control information to the Secretary of the Department of Home Affairs and must also comply with the obligation to keep reported information up-to-date, referred to above.

There is a civil penalty of 50 penalty units (currently $11,100) for each non-compliance with these requirements.

Other obligations under the Security of Critical Infrastructure Act

The particular obligations that will apply to your organisation and its assets will largely depend on:

  1. whether the assets are categorised as Critical Infrastructure Sector Assets, Critical Infrastructure Assets, or Systems of National Significance (these terms are explained below); and
  2. the class that your asset falls into (e.g. whether it is a critical public transport asset, critical freight asset, etc.) and whether the regulations have ‘switched on’ particular obligations for that class of assets.

Below is an example of how the various obligations under the SoCI Act will apply to the assets in a Critical Infrastructure Sector.

The SoCI Act identifies 11 sectors of the economy as ‘Critical Infrastructure Sectors’ (CIS), which have been deemed crucial sectors of the Australian economy. The Critical Infrastructure Sectors are:

(a) communications;
(b) data storage or processing;
(c) financial services and markets;
(d) water and sewerage;
(e) energy;
(f) health care and medical;
(g) higher education and research;
(h) food and grocery;
(i) transport;
(j) space technology; and
(k) defence industry.


A ‘Critical Infrastructure Sector Asset’ (CISA) is any asset which relates to a CIS.

While many assets will be captured by this definition, it is not expected that the SoCI Act will have a significant impact on these assets. CISAs are only subject to action and information-gathering directions issued in response to cyber security incidents. Additionally, the Rules or the Minister may declare a CISA to also be a CIA, in which case the more onerous positive security obligations will apply.

Directions given by the Minister

The SoCI Act also empowers the Minister for Home Affairs to issue or approve the issuance of a direction to a Responsible Entity, Direct Interest Holder or Operator of a CIA or CISA to take (or refrain from taking) certain actions in limited prescribed circumstances. Contravention of such a direction may constitute a criminal offence with a maximum penalty of two years’ imprisonment and 120 penalty units (currently $26,640 for an individual and $133,200 for a corporation).

What’s coming next?

Currently, the Commonwealth government is developing Rules, in consultation with the relevant industries, for the implementation of Critical Infrastructure Risk Management Programs.

In general, once these obligations have been ‘switched on’, Responsible Entities for CIAs will be required to adopt, maintain, comply with, review and update a critical infrastructure risk management program in respect of the CIA. A critical infrastructure risk management program is a written document the purpose of which is:

  • to identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the CIA;
  • to minimise or eliminate any material risk of such a hazard occurring; and
  • to mitigate the relevant impact of such a hazard on the asset.

Once ‘switched on’, there will be a penalty of 200 penalty units (currently $222,000 for a corporation) for each non-compliance with these obligations.

The Responsible Entity must also produce an annual report relating to its critical infrastructure risk management program, with a penalty of 150 penalty units (currently $166,500 for a corporation) for non-compliance.

This publication is general in nature, is not intended to be legal advice and should not be relied upon as such. For legal advice in respect of your particular circumstances, please consult the authors.
The copyright in this material is and will remain the property of HWL Ebsworth Lawyers.

Alex Ottaway is a Special Counsel in the Sydney Construction and Infrastructure group. Alex has over 12 years’ experience as a qualified solicitor, specialising in the resolution of disputes involving construction and infrastructure projects. He advises and acts for participants in diverse industries such as infrastructure (roads/ports/tunnels), industrial (chemical/polymer plants), resources (LNG/oil & gas), energy, advanced manufacturing and housing. He has practised in Sydney and in London.

Michael Graziano is a Solicitor in HWL Ebsworth Lawyers’ Sydney Construction and Infrastructure team who assists a range of participants in the construction industry by preparing construction contracts and other project documentation, and delivering project advice.