We’re seeking feedback on draft legislative instruments requiring carriers and eligible carriage service providers to share information about their assets and cyber security incidents.
Why we want your inputCarriers and eligible carriage service providers (CSPs) will be required to report on asset and cyber security incidents, to align to the obligations other sectors have under the Security of Critical Infrastructure Act 2018. These changes will provide clarity for the sector and reduce regulatory duplication.
How you can voice your opinionRead the consultation paper and draft legislative instruments and provide your submission using the form below, email or post.
What will be the outcome of this consultation?Your submission will help inform the design of new security obligations for carriers and eligible CSPs.
What we are seeking feedback on
We’re seeking feedback on the:
- scope and content of the draft legislative instruments
- estimated cost of complying with the obligations in the draft instruments
Why a new carrier licence condition and service provider rule are needed
The Australian Government is committed to protecting the essential services Australians rely on by improving the security and resilience of critical infrastructure, including in the telecommunications sector.
The Security of Critical Infrastructure Act 2018 (SOCI Act) was amended in December 2021, introducing new positive security obligations for many sectors, including:
- giving the Secretary of the Department of Home Affairs certain information about critical infrastructure assets to be included in a register; and
- telling the Australian Signals Directorate if a cyber-security incident has a relevant impact on a critical infrastructure asset.
In order to avoid regulatory duplication and provide clarity for the telecommunications industry, these obligations will be introduced through mechanisms under the Telecommunications Act 1997 (Tel Act). The Tel Act contains a well-established regulatory framework that is familiar to industry and is embedded in how the telecommunications sector operates.
Specifically, the Government is proposing to make a new carrier licence condition and a new service provider rule. The new condition and rule align carriers and eligible CSPs with current obligations other sectors will have under the SOCI Act.
What the new condition and rule will do
The proposed carrier licence condition and service provider rule would require carriers and eligible CSPs to:
- give the Secretary of the Department of Home Affairs operational information in relation to their assets and, where an entity other than the carrier or eligible CSP holds a direct interest in an asset owned or operated by the carrier or eligible CSP, the interest and control information of direct interest holders in the asset;
- give the Australian Signals Directorate (ASD) a notice of a critical cyber security incident no later than 12 hours after the carrier or eligible CSP becomes aware of the incident; and
- give the ASD a notice of other cyber security incidents no later than 72 hours after the carrier or eligible CSP becomes aware of the incident.
Who the new condition and rule will affect
All holders of a carrier licence will be subject to the new carrier licence condition. All eligible CSPs would have to comply with the new service provider rule, unless they are a carrier. Eligible CSPs are defined in section 127 of the Telecommunications (Consumer Protection and Service Standards) Act 1999 as a CSP who supplies a:
- standard telephone service, where any of the customers are residential customers or small business customers;
- public mobile telecommunications service; or
- carriage service that enables end‑users to access the internet; or
- carriage service intermediary who arranges for the supply of one of these services.
Eligible CSPs must be members of the Telecommunications Industry Ombudsman scheme.
Other powers under Part 3A of the Security of Critical Infrastructure Act 2018
The SOCI Act also gives the Government powers to assist industry in certain situations if a serious cyber-security incident has had, is having or will have a relevant impact on a critical infrastructure asset. These assistance powers will be available for the Government to use in relation to the telecommunications sector under the SOCI Act; they will not be mirrored in the Tel Act.
The draft carrier licence condition and service provider rule consultation process ran from 25 February 2022 to 29 March 2022.
After carefully considering the submissions received, Minister for Communications, the Hon Michelle Rowland MP, made the Telecommunications (Carrier License Conditions – Security Information) Declaration 2022 and the Telecommunications (Carriage Service Provider – Security Information) Determination 2022 instruments, which were registered on 6 July 2022 and commenced on 7 July 2022.
Obligations to report cyber incidents to the Australian Signals Directorate (ASD) commenced on 7 July 2022.
Many Carriers and Carriage Service Providers (CSPs) already provide cybersecurity reports through ASD’s Australian Cyber Security Centre. Those already doing this should continue their current practices, and monitor the ongoing guidance from ASD and the Cyber and Infrastructure Security Centre (CISC).
Obligations to supply asset information to the Secretary of Home Affairs will commence on 7 October 2022.
Further information on supplying asset information can be found on the CISC’s website .
The Department of Home Affairs will be administering these reporting obligations. They have advised that for the initial 12 months their focus will be on education and assisting Carriers and CSPs to report.
These instruments will be in force for 18 months during which time it’s anticipated these reporting obligations will be incorporated into other security measures being considered for a future amendment bill.