Telecommunications security reforms

As part of the Australian Government's commitment to protecting the essential services that all Australians rely on, the Security of Critical Infrastructure Act 2018 (SOCI Act) was amended in December 2021. Carriers and Carriage Service Providers (CSP) now have new security obligations, including:

  • telling the Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC) if a cyber-security incident has a relevant impact on a critical infrastructure asset (from 7 July 2022)
  • giving the Department of Home Affairs’ Cyber and Infrastructure Security Centre (CISC)  certain information about critical infrastructure assets so it can be included in a register (from 7 October 2022).

To avoid regulatory duplication and provide clarity for industry, the Minister for Communications, the Hon Michelle Rowland MP, made the Telecommunications (Carrier License Conditions—Security Information) Declaration 2022 and the Telecommunications (Carriage Service Provider—Security Information) Determination 2022 instruments, which were registered on 6 July 2022 and commenced on 7 July 2022.

Where can I find the instruments?

The instruments are held on the Federal Register of Legislation.

Who do the changes apply to?

All carrier licence holders are subject to the new carrier licence conditions. Additionally, all eligible CSPs have to comply with the new service provider rule, unless they are a carrier and subject to the licence condition.

Eligible CSPs are defined as a CSP that:

  • supplies a standard telephone service, where any of the customers are residential customers or small business customers
  • supplies a public mobile telecommunications service
  • supplies a carriage service that enables end-users to access the internet
  • acts as a carriage service intermediary that arranges for the supply of one of these services.

When did the obligations commence?

Obligations to report cyber incidents to ASD commenced on 7 July 2022

Many Carriers and CSPs already provide cyber security reports to the ACSC. Those already doing this should continue to do so and monitor ongoing guidance from the ACSC and the CISC.

Obligations to supply asset information to the Secretary of Home Affairs commenced on 7 October 2022

Home Affairs administers the reporting obligations.

When do the instruments end?

The instruments end on 6 July 2025 and form part of a broader review of security obligations in the Telecommunications Act.

As the instruments were due to sunset on 8 January 2024, the department consulted with carriers and eligible carriage service providers from 13 November to 13 December 2023, with the aim of extending the instruments by 18 months.

Following the consultation period, the amendment instruments were registered on 22 December 2023, extending the sunset date of the original instruments to 6 July 2025.

The amendment instruments can be found at:

Further reforms

The instruments are phase 1 of a broader review of the security provisions in the Telecommunications Act, which we'll be undertaking with Home Affairs.

The broader reforms will bring other provisions contained in the SOCI Act, such as the all hazards risk management program, into the Telecommunications Act. It will ensure the regulation of telecommunication security through the Telecommunications Act continues to be fit for purpose.

Together with Home Affairs, we'll consult with industry and the community on these reforms in due course.

Distribution list

Keep up to date by signing up to our emailing list.

The Communications and Media Group in the department regularly  engages with its stakeholders to formulate policy and develop legislation. We also hold information sessions from time to time. To improve our outreach and engagement with all stakeholders we are re-building and updating our email distribution list. If you are an industry participant (e.g. a carrier or a carriage service provider) or an advisor to the industry, you may find it useful to subscribe to our mailing list. It focuses on policy development in the following areas:

  • New & Emerging Technologies
  • Telecommunications Resilience & Security
  • Digital Inclusion
  • Powers and Immunities Framework
  • Spectrum Policy
  • Reform of the Radiocommunications Framework
  • Broadband (including the NBN).

The department will use this distribution list to consult and inform stakeholders of changes in the telecommunications space. (Please note that this is a distinct list from those maintained by independent government agencies, such as the Australian Communications and Media Authority (ACMA) or the Telecommunication Industry Ombudsman (TIO).)

Frequently Asked Questions

Are there civil penalties attached to the instruments and under what legislative provisions are they enforced?

  • The first 12 months (from 8 July 2022) was considered a learning and familiarisation phase. Over this period the CISC focused on education, support and working with entities to understand the reporting thresholds as they relate to each sector.
  • The enforcement mechanisms under sections 68 and 101 of the Telecommunications Act that relate to non-compliance with a licence condition or a service determination apply to the new instruments.

'Essential services' are not explicitly defined in the instruments but are defined in state legislation, how is this overlap to be worked through?

  • The instruments’ Explanatory Statement indicates that the intent is to only capture those goods or services that are critical to the health, safety, or good order of the Australian community.
  • While most states have defined ‘essential services’ in legislation, some states are prescriptive in their approach while others are more general. The one consistent factor is that the goods and services prescribed all relate to services that ensure the health, safety and good order of the Australian community. As such, the Australian Government’s approach is intended to align with and be complementary to state-based legislation.

Can I comply with the new obligations at a group level or provide the registry a single entry across a class of assets?

  • A group holding company can report for all carriers and eligible CSPs in the group, though it does so on behalf of each constituent firm.
  • Where a parent company is able to influence the management and operation of a critical infrastructure asset, or otherwise control that asset, it would be a direct interest holder and/or as a responsible entity of those firms.

More information

More information about reporting cyber security incidents can be found on the ACSC website and the CISC website.

Information about registering asset information can be found on the CISC website.

Information about the consultation process we ran between February and March 2022 can be found on our consultation page.

Questions about the instruments and the broader review can be sent to the Telecommunications Security Review team:

Fact sheets

  • Register of Critical Infrastructure Assets Guidance—Telecommunications sector PDF: 298 KB