Technology and Telecommunications

Critical infrastructure security laws to be updated: What you need to know

April 17, 2026

The Australian Government has opened consultation on reforms to laws aimed at protecting Australia's critical infrastructure.

The Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) provides a framework for managing risks relating to critical infrastructure. It includes obligations on responsible entities of critical infrastructure assets (CI Assets) to develop and maintain a Critical Infrastructure Risk Management Program (CIRMP) for those assets and gives the Australian Government powers to make ministerial directions in respect of those assets.

In response to recommendations from a recent review in January this year, the Government is now consulting on further reforms to the SOCI Act, with a focus on expanding Ministerial Directions powers and enhancing the CIRMP rules.

Through these reforms, the Government is seeking to strengthen Australia’s ability to prevent and respond to serious threats to critical infrastructure, while ensuring obligations remain proportionate and practical for industry.

Ministerial Directions Powers

The proposed amendments to the Ministerial Directions powers in Part 3 of the SOCI Act are intended to provide government with more flexible and targeted tools to address significant national security and resilience risks.

The Government is seeking feedback on the following 5 measures under consideration:

  1. Amend Directions Power: To amend the existing directions power in section 32 to replace the current mandatory Adverse Security Assessment with more flexible, entity-specific ASIO threat advice and to relax the strict precondition that regulatory alternatives be exhausted.
  2. Conditions power: To introduce a new "conditions" power to allow Government to provide tailored, ongoing governance controls on reporting entities where ownership, control, or governance arrangements create a material risk to national security that cannot be sufficiently managed.
  3. Vendor-risk product specific directions power: To introduce a new "vendor-risk product specific" directions power to restrict the use of high-risk vendors, products and services where necessary to mitigate or eliminate a material risk that is prejudicial to national security.
  4. Continuous disclosure relief: To introduce temporary time-bound relief regarding high-risk cyber incidents from continuous disclosure obligations for listed entities where such disclosure could compromise national security.
  5. Civil penalty provisions: To increase civil penalty provisions for failing to comply with a Ministerial Direction from 250 to 2,000 penalty units.

The consultation paper, Proposed amendments to the Ministerial Directions powers in Part 3 of the SOCI Act, provides details on the proposed measures and guidance on the feedback being sought.

In practice, this could allow for more tailored directions to responsible entities where incidents or vulnerabilities threaten essential services, defence capability, or broader economic and social stability. However, the proposals also raise important questions around the thresholds for issuing directions, the limits on these powers, and the appropriate level of oversight and transparency.

The Government asks stakeholders to consider whether the proposed framework strikes the right balance between enabling rapid government intervention in times of crisis and preserving operational autonomy and commercial certainty.

Enhancements to CIRMP Rules

In parallel, the Government has released an Exposure Draft of amendments to the CIRMP Rules (Exposure Draft), which support Part 2A of the SOCI Act.

The draft proposes enhancements to the CIRMP requirements for the following designated categories of CI Assets:

  • a critical broadcasting asset;
  • a critical domain name system;
  • a critical electricity asset;
  • a critical energy market operator asset;
  • a critical freight infrastructure asset;
  • a critical freight services asset;
  • a critical gas asset;
  • a critical liquid fuel asset; and
  • a critical water asset.

The proposed enhancements are more prescriptive for responsible entities of the designated categories of CI Assets and require responsible entities to:

  • Material risks: consider any impairment to a CI Asset's functions that could prejudice the social stability, economic stability, national security or defence of Australia, or any potential or possible risk of compromise or impairment of a CI Asset from foreign ownership, control or influence.
  • Cyber and information security framework: meet maturity level 2 under a recognised security framework (ISO 27001:2023, Essential Eight Maturity Model, NIST Cybersecurity Framework 2.0, Cybersecurity Capability Model v2.1, the 2023 AESCSF Framework Core or equivalent).
  • Cyber security measures: where it is reasonably practicable to do so, implement phishing-resistant MFA controls and network segmentation to meet various requirements.
  • Personnel hazards: establish and maintain a process or system to eliminate material risks associated with unauthorised or unsupervised access to critical systems or misuse of credentials and to assess the suitability of and manage and monitor onshore and offshore personnel access to critical systems.
  • Supply chain hazards: establish and maintain a system or process to map the supply chain for major suppliers and critical systems across physical and cyber supply chains, and identify and mitigate vulnerabilities and risks.
  • Physical security and natural hazards: establish and maintain a system or process to centrally manage physical security and natural hazards and, where it is reasonably practicable to do so, minimise or eliminate the risks associated with physical security consequences arising from the occurrence of physical or other hazards, including cyber and information, personnel and supply chain hazards.

A copy of the Exposure Draft is included in the consultation paper available here.

Once introduced, a range of grace periods from 6 to 24 months will apply to the new requirements.

Practical implications for industry

For owners and operators of critical infrastructure assets, these proposals will have practical implications and are likely to influence:

  • board-level oversight of risk;
  • incident response and assurance frameworks; and
  • how cyber, physical, and supply chain risk programs align with CIRMP obligations.

The consultation process provides an important opportunity for industry, peak bodies and civil society to shape the final form of these reforms. Stakeholders can highlight where the proposed powers and rules are clear and workable and where further refinement is needed.

Consultation Timeline

The Australian Government is seeking feedback on its reforms with submissions open until 1 May 2026.

Ministerial Directions Powers

The Government is hosting a public town hall to provide further information on the changes to the Ministerial Directions powers on 20 April 2026 2:00 pm – 3:00 pm AEST.

CIRMP Rules Enhancements

The Government held a public town hall for the changes to the CIRMP Rules earlier this month. The videos of that town hall will be published on the Critical Infrastructure Security Centre website once available.

You can find further details about the changes, make submissions and find links to the recordings of the public town halls here.

For more information or assistance contributing to the consultation, please contact our Technology team.

Authors

Demetrios Christou | Partner | +61 2 8248 3428 | dchristou@tglaw.com.au

Ashlee Broadbent | Associate | +61 8 8236 1185 | abroadbent@tglaw.com.au
