Cybersecurity 2025

AUSTRALIA Law and Practice Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis

enforcement operations involving cybercrime financing; and
• ASIO investigates cyber-activity involving espionage, sabotage and terrorism-related activities – ASIO also contributes to the investigation of computer network operations directed against Australia’s systems.

State and territory-based police and prosecution agencies investigate, enforce and prosecute state and territory cybercrimes.

2. Critical Infrastructure Cybersecurity

2.1 Scope of Critical Infrastructure Cybersecurity Regulation

Australia’s critical infrastructure and assets are regulated through Commonwealth, state and territory legislation, with a particular emphasis on the SOCI Act. That said, there is broader legislation, such as the Privacy Act and Cyber Security Act, and more sector-specific legislation, such as the Telecommunications Act, that cannot be ignored.

SOCI Act (and TSSR)

The SOCI Act currently regulates certain assets across eleven sectors: communications, data storage and processing, financial services, energy, food and grocery, health and medical, higher education and research, space technology, transport, water and sewerage, and the defence industry. And from November 2025, telecommunications security obligations (which are currently under the Telecommunication Sector Security Reforms (TSSR)) will be moved into the SOCI, a change implemented by the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) (the “2024 SOCI Amendment Act”).

Notwithstanding recent reforms which clarified the SOCI Act, the exact parameters of the legislation are broad and complex, and extend to various participants in a supply chain including “responsible entities”, “reporting entities”, “direct interest holders”, “managed service providers” and “operators”. Some of these definitions are asset-specific, but for our purposes, it is important to note that a “responsible entity” is generally the entity that owns, is licensed or otherwise responsible for operating the asset.

Further, despite the imminent shift of the TSSR and its obligations to the SOCI Act, these obligations still remain in force and apply to the relevant infrastructure as is. The TSSR are applicable to carriers, carriage service providers and carriage service intermediaries.

Cyber Security Act

Additionally, there are cybersecurity obligations imposed on critical infrastructure under the Cyber Security Act where they constitute “a reporting business entity”. A “reporting business entity” is an entity that:
• is carrying on a business in Australia with an annual turnover for the previous financial year that exceeds the “turnover threshold for that year” (to be determined) but is not a Commonwealth body, State body, or responsible entity for a critical infrastructure asset; or
• a responsible entity for a critical infrastructure asset “to which Part 2B of the Security of Critical Infrastructure Act 2018 applies”, which is defined in the rules or declaration – at the time of writing, these were prescribed in Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (the “SOCI Application Rules”) and includes most infrastructure assets.
