The 2022 Critical Infrastructure Act. Does it apply to you, and if so, what do you need to know?

You’ll have to forgive us if this blog is a bit daunting, but this is an important topic. First – a quick timeline to set the scene:

  • 2018: The Australian government passed the Security of Critical Infrastructure Act 2018 (also called the SOCI Act). Designed to provide a framework for managing national security risks to our critical infrastructure, the SOCI Act helps counter foreign and local cyberattacks and interference, espionage, and even sabotage.
  • 2021: In the first of two tranches of reforms to the SOCI Act, the Security Legislation Amendment (Critical Infrastructure) Act 2021 was passed and took effect on 3 December 2021.
  • 2022: The second tranche followed in the form of the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 – aka the SLACIP Act. This came into force on 1 April 2022.

For this blog, the SLACIP Act is the one to be aware of – especially the new features it includes over and above the previous versions.

Why? Because they could impact you.

First, what is critical infrastructure?

The Australian and state and territory governments officially define critical infrastructure as: “those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.”
Like it or not, you could now be part of our critical infrastructure

Like it or not, you could now be part of our critical infrastructure

The four original government-designated critical infrastructure sectors were electricity, gas, water, and ports.

The 2021 and 2022 reforms materially expand the scope of the original SOCI Act to cover eleven ‘critical infrastructure sectors’ and twenty-two categories of ‘critical infrastructure assets’.

The SOCI Act, in particular, introduced a Ministerial power to declare systems of national significance. It also grants the Government ‘last resort’ broad information gathering, direction and intervention powers (subject to various checks and balances), which it can apply to the 11 critical infrastructure sectors.

If the Government does decide to exercise its powers under the regulations, these 11 critical infrastructure sectors will be required to comply with reporting and ‘other’ positive security obligations (see below) in relation to specific critical infrastructure assets. Enhanced cyber security obligations will be applied to designated systems of national significance.

The updated critical infrastructure sectors under SLACIP:

  • Communications
  • Financial services and markets
  • Data storage or processing
  • Defence industry
  • Higher education and research
  • Energy
  • Food and grocery
  • Health care and medical
  • Space technology
  • Transport
  • Water and sewerage

While it sounds like these powers only impact the 11 critical infrastructure sectors (and you aren’t in any of them), don’t relax yet. Why not? Because these obligations also extend to those in their supply chains who are designated as responsible entities, reporting entities, direct interest holders, managed service providers and operators.

What are these ‘other’ positive security obligations?

The ‘other’ positive security obligations listed in the SOCI Act (and carried over to the SLACIP Act) are as follows:

  1. (Confidential) Register of Critical Infrastructure Assets – maintained by the Cyber Infrastructure Security Centre (CISC). Assets must provide the CISC with specific operational and interest and control information about the entity and asset, as well as contractual arrangements for operating core functionalities or maintaining business-critical data.
  2. Mandatory Cyber Security Incident Reporting/Notification of Cyber Security Events – here, assets must report actual or imminent cyber security incidents to the ASD.  If the incident directly or indirectly impacts the asset’s availability, integrity or reliability, or the confidentiality of information about or stored on the asset, it must be reported within 72 hours. If it resulted in a significant impact – 12 hours.
  3. Risk Management Program – The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules) rolled out 17 February 2023. More about this below.

Reporting requirements

If you’ve been designated a responsible entity, you’ll be subject to annual reporting obligations under the SOCI Act. This means that within 90 days after the end of the financial year, your annual report (as approved by your board, council, or other governing body) must be submitted to the Secretary for Home Affairs or a specified regulator.

The requirements of your report will vary depending on whether you’ve been required to produce a critical infrastructure risk management program or not. Either way, failing to comply with the risk management program or your annual reporting obligations under the SOCI Act may attract civil penalties.

A new (more holistic) approach to risk management

As well as providing Ministerial power to privately declare an asset as a critical infrastructure asset or a system of national significance, the SLACIP Act can require compliance with its new risk management program, including delivering additional reporting. (To note: If an asset is called out as a system of national significance, it’s done so in privacy to avoid signalling its importance to bad actors.)

So, if you are designated a responsible entity of one or more critical infrastructure assets, you can be required to ‘adopt, comply with, and maintain a critical infrastructure risk management program.’

Which is a good idea. This amendment drives a holistic ‘all-hazards’ approach to improving core security practices by requiring responsible entities of specified critical infrastructure assets to (in the words of the Government):

  • Identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset
  • Minimise or eliminate any material risk of such a hazard occurring (so far as it is reasonably practicable to do so) and
  • Mitigate the relevant impact of such a hazard on the asset (so far as it is reasonably practicable to do so).

If you have been deemed to be in a critical infrastructure sector or have been categorised as a critical infrastructure asset, you must document, regularly review and update your risk management program. As part of this, your program must also establish and maintain a process/system for complying with ISO/IEC 27001:2015, the Essential Eight Maturity Model (or an equivalent framework).

Is this you?

Before you start to worry, remember that the new risk management program only applies if the Minister decides to empower it. And if that happens, then the program will initially apply to these critical infrastructure sectors and assets:

  • Communications: Broadcasting, Domain name systems
  • Data storage and processing
  • Health and medical: Hospitals
  • Energy: Market operators, gas, electricity, and liquid fuel
  • Financial services: Specified payment systems operator asset
  • Food and grocery
  • Transport: Freight infrastructure, freight services
  • Water and sewerage

It’s worth noting that there would probably be a case-by-case assessment rather than a blanket application of this requirement.

So, what next?

While we’ve discussed all the potential impacts of the SLACIP Act, we have yet to discuss why it was introduced. Is the Australian Government being over-vigilant? (Short answer: no).

In part two of our critical infrastructure series, we’ll explain what has prompted the SLACIP Act and why the measures it introduces are so important to us all.

Get in touch for a Free, No‑Obligation Consultation

Arrange a chat with our experienced team to discuss your data protection, disaster recovery, cloud or security requirements.

  • Arrange an introductory chat about your requirements
  • Gain a proposal and quote for our services
  • View an interactive demo of our service features

Prefer to call now?
Sales and Support
1300 88 38 25

This field is for validation purposes and should be left unchanged.

By filling out this form you are consenting to our team reaching out to you. You may unsubscribe at any time. Learn more by visiting our Privacy Policy

This field is hidden when viewing the form

Source Technology LogoInformation Security Management System ISO 27001 Certified

Disaster Recovery as a Service

Your IT disaster recovery strategy. Fully tested. Run at 100% capacity during a disaster or cyber event.

Backup as a Service

Your data protection strategy. Simplify your IT operations with all-inclusive backups and recoveries.

M365 Backup as a Service

Mitigate your risk of data loss by ensuring your Microsoft365 data is backed up and recoverable.

SaaS Backup as a Service

Backup and recover Salesforce, MS Dynamics, Google Cloud.

Company


Customer Stories


Resources


Contact


Call 1300 88 38 25

[email protected]

Visit us on LinkedIn

Post: PO Box 1197, Collingwood VIC 3066

© 2026 Source Technology. All rights reserved. Privacy Policy Terms of Service