Commonwealth Consolidated Acts
SECURITY OF CRITICAL INFRASTRUCTURE ACT 2018
TABLE OF PROVISIONS
Long Title
PART 1--PRELIMINARY
Division 1--Preliminary
1. Short title
2. Commencement
3. Object
4. Simplified outline of this Act
Division 2--Definitions
5. Definitions
6. Meaning of interest and control information
7. Meaning of operational information
8. Meaning of direct interest holder
8A. Meaning of influence or control
8B. Meaning of associate
8C. Meanings of subsidiary and holding entity
8D. Meaning of critical infrastructure sector
8E. Meaning of critical infrastructure sector asset
8F. Critical infrastructure sector for a critical infrastructure asset
8G. Meaning of relevant impact
9. Meaning of critical infrastructure asset
10. Meaning of critical electricity asset
11. Meaning of critical port
12. Meaning of critical gas asset
12A. Meaning of critical liquid fuel asset
12B. Meaning of critical freight infrastructure asset
12C. Meaning of critical freight services asset
12D. Meaning of critical financial market infrastructure asset
12E. Meaning of critical broadcasting asset
12F. Meaning of critical data storage or processing asset
12G. Meaning of critical banking asset
12H. Meaning of critical insurance asset
12J. Meaning of critical superannuation asset
12K. Meaning of critical food and grocery asset
12KA. Meaning of critical domain name system
12L. Meaning of responsible entity
12M. Meaning of cyber security incident
12N. Meaning of unauthorised access, modification or impairment
12P. Examples of responding to a cyber security incident
Division 3--Constitutional provisions and application of this Act
13. Application of this Act
14. Extraterritoriality
15. This Act binds the Crown
16. Concurrent operation of State and Territory laws
17. State constitutional powers
PART 2--REGISTER OF CRITICAL INFRASTRUCTURE ASSETS
Division 1--Introduction
18. Simplified outline of this Part
18A. Application of this Part
18AA. Consultation--rules
Division 2--Register of Critical Infrastructure Assets
19. Secretary must keep Register
20. Secretary may add information to Register
21. Secretary may correct or update information in the Register
22. Register not to be made public
Division 3--Obligation to give information and notify of events
23. Initial obligation to give information
24. Ongoing obligation to give information and notify of events
25. Information that is not able to be obtained
26. Meaning of notifiable event
27. Rules may exempt from requirement to give notice or information
Division 4--Giving of notice or information by agents etc.
28. Requirement for executors and administrators to give notice or information for individuals who die
29. Requirement for corporate liquidators etc. to give notice or information
30. Agents may give notice or information
PART 2A--CRITICAL INFRASTRUCTURE RISK MANAGEMENT PROGRAMS
30AA. Simplified outline of this Part
30AB. Application of this Part
30ABA. Consultation--rules
30AC. Responsible entity must have a critical infrastructure risk management program
30AD. Compliance with critical infrastructure risk management program
30AE. Review of critical infrastructure risk management program
30AF. Update of critical infrastructure risk management program
30AG. Responsible entity must submit annual report
30AH. Critical infrastructure risk management program
30AJ. Variation of critical infrastructure risk management program
30AK. Revocation of adoption of critical infrastructure risk management program
30AKA. Responsible entity must have regard to certain matters in deciding whether to adopt or vary critical infrastructure risk management program etc.
30AL. Consultation--rules made for the purposes of section 30AH or 30AKA
30AM. Review of rules
30AN. Application, adoption or incorporation of a law of a State or Territory etc.
30ANA. Application, adoption or incorporation of certain documents
30ANB. Consultation--rules made for the purposes of paragraph 30ANA(2)(f)
30ANC. Disallowance of rules
PART 2AA--REPORTING OBLIGATIONS RELATING TO CERTAIN ASSETS THAT ARE NOT COVERED BY A CRITICAL INFRASTRUCTURE RISK MANAGEMENT PROGRAM
30AP. Simplified outline of this Part
30AQ. Reporting obligations relating to certain assets that are not covered by a critical infrastructure risk management program
PART 2B--NOTIFICATION OF CYBER SECURITY INCIDENTS
30BA. Simplified outline of this Part
30BB. Application of this Part
30BBA. Consultation--rules
30BC. Notification of critical cyber security incidents
30BD. Notification of other cyber security incidents
30BE. Liability
30BEA. Significant impact
30BEB. Consultation--rules
30BF. Relevant Commonwealth body
PART 2C--ENHANCED CYBER SECURITY OBLIGATIONS
Division 1--Simplified outline of this Part
30CA. Simplified outline of this Part
Division 2--Statutory incident response planning obligations
Subdivision A--Application of statutory incident response planning obligations
30CB. Application of statutory incident response planning obligations--determination by the Secretary
30CC. Revocation of determination
Subdivision B--Statutory incident response planning obligations
30CD. Responsible entity must have an incident response plan
30CE. Compliance with incident response plan
30CF. Review of incident response plan
30CG. Update of incident response plan
30CH. Copy of incident response plan must be given to the Secretary
30CJ. Incident response plan
30CK. Variation of incident response plan
30CL. Revocation of adoption of incident response plan
Division 3--Cyber security exercises
30CM. Requirement to undertake cyber security exercise
30CN. Cyber security exercise
30CP. Compliance with requirement to undertake cyber security exercise
30CQ. Internal evaluation report
30CR. External evaluation report
30CS. Meaning of evaluation report
30CT. External auditors
Division 4--Vulnerability assessments
30CU. Requirement to undertake vulnerability assessment
30CV. Compliance with requirement to undertake a vulnerability assessment
30CW. Designated officers may undertake a vulnerability assessment
30CX. Compliance with requirement to provide reasonable assistance etc.
30CY. Vulnerability assessment
30CZ. Vulnerability assessment report
30DA. Meaning of vulnerability assessment report
Division 5--Access to system information
Subdivision A--System information reporting notices
30DB. Secretary may require periodic reporting of system information
30DC. Secretary may require event-based reporting of system information
30DD. Consultation
30DE. Duration of system information periodic reporting notice or system information event-based reporting notice
30DF. Compliance with system information periodic reporting notice or system information event-based reporting notice
30DG. Self-incrimination etc.
30DH. Admissibility of report etc.
Subdivision B--System information software
30DJ. Secretary may require installation of system information software
30DK. Consultation
30DL. Duration of system information software notice
30DM. Compliance with system information software notice
30DN. Self-incrimination etc.
30DP. Admissibility of information etc.
Division 6--Designated officers
30DQ. Designated officer
PART 3--DIRECTIONS BY THE MINISTER
Division 1--Simplified outline of this Part
31. Simplified outline of this Part
Division 2--Directions by the Minister
32. Direction if risk of act or omission that would be prejudicial to security
33. Consultation before giving direction
34. Requirement to comply with direction
35. Exception--acquisition of property
35AAA. Directions prevail over inconsistent critical infrastructure risk management programs
35AAB. Liability
PART 3A--RESPONDING TO SERIOUS CYBER SECURITY INCIDENTS
Division 1--Simplified outline of this Part
35AA. Simplified outline of this Part
Division 2--Ministerial authorisation relating to cyber security incident
35AB. Ministerial authorisation
35AC. Kinds of acts or things that may be specified in an intervention request
35AD. Consultation
35AE. Form and notification of Ministerial authorisation
35AF. Form of application for Ministerial authorisation
35AG. Duration of Ministerial authorisation
35AH. Revocation of Ministerial authorisation
35AJ. Minister to exercise powers personally
Division 3--Information gathering directions
35AK. Information gathering direction
35AL. Form of direction
35AM. Compliance with an information gathering direction
35AN. Self-incrimination etc.
35AP. Admissibility of information etc.
Division 4--Action directions
35AQ. Action direction
35AR. Form of direction
35AS. Revocation of direction
35AT. Compliance with direction
35AU. Directions prevail over inconsistent critical infrastructure risk management programs
35AV. Directions prevail over inconsistent obligations
35AW. Liability
Division 5--Intervention requests
35AX. Intervention request
35AY. Form and notification of request
35AZ. Compliance with request
35BA. Revocation of request
35BB. Relevant entity to assist the authorised agency
35BC. Constable may assist the authorised agency
35BD. Removal and return of computers etc.
35BE. Use of force against an individual not authorised
35BF. Liability
35BG. Evidentiary certificates
35BH. Chief executive of the authorised agency to report to the Defence Minister and the Minister
35BJ. Approved staff members of the authorised agency
Division 6--Reports to the Parliamentary Joint Committee on Intelligence and Security
35BK. Reports to the Parliamentary Joint Committee on Intelligence and Security
PART 4--GATHERING AND USING INFORMATION
Division 1--Simplified outline of this Part
36. Simplified outline of this Part
Division 2--Secretary's power to obtain information or documents
37. Secretary may obtain information or documents from entities
38. Copies of documents
39. Retention of documents
40. Self-incrimination
Division 3--Use and disclosure of protected information
Subdivision A--Authorised use and disclosure
41. Authorised use and disclosure--performing functions etc.
42. Authorised use and disclosure--other person's functions etc.
42A. Authorised use and disclosure--development of proposed amendments of this Act etc.
43. Authorised disclosure relating to law enforcement
43AA. Authorised disclosure to Ombudsman official
43A. Authorised disclosure to IGIS official
43B. Authorised use and disclosure--Ombudsman official
43C. Authorised use and disclosure--IGIS official
43D. Authorised use and disclosure--ASD
43E. Authorised disclosure of protected information by the entity to whom the information relates
44. Secondary use and disclosure of protected information
Subdivision B--Offence for unauthorised use or disclosure
45. Offence for unauthorised use or disclosure of protected information
46. Exceptions to offence for unauthorised use or disclosure
47. No requirement to provide information
PART 5--ENFORCEMENT
Division 1--Simplified outline of this Part
48. Simplified outline of this Part
Division 2--Civil penalties, enforceable undertakings and injunctions
49. Civil penalties, enforceable undertakings and injunctions
Division 3--Monitoring and investigation powers
49A. Monitoring powers
49B. Investigation powers
Division 4--Infringement notices
49C. Infringement notices
PART 6--DECLARATION OF ASSETS BY THE MINISTER
Division 1--Simplified outline of this Part
50. Simplified outline of this Part
Division 2--Declaration of assets by the Minister
51. Declaration of assets by the Minister
51A. Consultation--declaration
52. Notification of change to reporting entities for asset
PART 6A--DECLARATION OF SYSTEMS OF NATIONAL SIGNIFICANCE BY THE MINISTER
Division 1--Simplified outline of this Part
52A. Simplified outline of this Part
Division 2--Declaration of systems of national significance by the Minister
52B. Declaration of systems of national significance by the Minister
52C. Consultation--declaration
52D. Notification of change to reporting entities for asset
52E. Review of declaration
52F. Revocation of determination
PART 7--MISCELLANEOUS
Division 1--Simplified outline of this Part
53. Simplified outline of this Part
Division 2--Treatment of certain entities
53A. How certain entities hold interests
54. Treatment of partnerships
55. Treatment of trusts and superannuation funds that are trusts
56. Treatment of unincorporated foreign companies
Division 3--Matters relating to Secretary's powers
57. Additional power of Secretary
58. Assets ceasing to be critical infrastructure assets
59. Delegation of Secretary's powers
Division 4--Periodic reports, reviews and rules etc.
60. Periodic report
60AAA. Regular reports about consultation
60AA. Compensation for acquisition of property
60AB. Service of notices, directions and instruments by electronic means
60A. Independent review
60B. Review of this Act
61. Rules