
Telecommunications security reforms

As part of the Australian Government’s commitment to protecting the essential services that all Australians rely on, the Security of Critical Infrastructure Act 2018 (SOCI Act) was amended in December 2021. Carriers and Carriage Service Providers (CSPs) now have new security obligations, including:

  • telling the Australian Cyber Security Centre of the Australian Signals Directorate (ASD) if a cyber-security incident has a relevant impact on a critical infrastructure asset (from 7 July 2022)
  • giving the Cyber and Infrastructure Security Centre of the Department of Home Affairs (Home Affairs) certain information about critical infrastructure assets so it can be included in a register (from 7 October 2022).

To avoid regulatory duplication and provide clarity for industry, the Minister for Communications, the Hon Michelle Rowland MP, made the Telecommunications (Carrier Licence Conditions – Security Information) Declaration 2022 and the Telecommunications (Carriage Service Provider – Security Information) Determination 2022 instruments, which were registered on 6 July 2022 and commenced on 7 July 2022.

Where can I find the instruments?

The instruments are held on the Federal Register of Legislation.

Who do the changes apply to?

All carrier licence holders will be subject to the new carrier licence condition. All eligible CSPs will have to comply with the new service provider rule, unless they are a carrier and subject to the licence condition.

An eligible CSP is defined as a CSP who supplies any of the following:

  • standard telephone service, where any of the customers are residential customers or small business customers
  • public mobile telecommunications service
  • carriage service that enables end-users to access the internet
  • carriage service intermediary who arranges for the supply of one of these services.

When do the obligations commence?

Obligations to report cyber incidents to ASD commenced on 7 July 2022

Many Carriers and CSPs already provide cyber security reports to the ACSC. Those already doing this should continue to do so, and monitor the ongoing guidance from ACSC and the CISC. 

Obligations to supply asset information to the Secretary of Home Affairs will commence on 7 October 2022

Home Affairs administers the reporting obligations. For the first 12 months their focus will be on educating and assisting Carriers and CSPs to report. 

When do the instruments end?

The instruments end on 8 January 2024 and form part of a broader review of security obligations in the Telecommunications Act.

Further reforms

The instruments are phase 1 of a broader review of the security provisions in the Telecommunications Act, which we’ll be undertaking with Home Affairs.

The broader reforms will bring other provisions contained in the SOCI Act, such as the all hazards risk management program, into the Telecommunications Act. They will ensure the regulation of telecommunication security through the Act continues to be fit for purpose.

Together with Home Affairs, we’ll consult with industry and the community on these reforms in due course.

Frequently Asked Questions

Are there civil penalties attached to the instruments and under what legislative provisions are they enforced?

  • The first 12 months (from 8 July 2022) is considered a learning and familiarisation phase. The CISC will focus on education, support and working with entities to understand the reporting thresholds as they relate to each sector.
  • During this time, enforcement action may occur only for egregious non-compliance, such as failure to report critical incidents, rather than the timeliness of reporting or whether a report contains a sufficient level of detail.
  • The enforcement mechanisms under sections 68 and 101 of the Telecommunications Act that relate to non-compliance with a licence condition or a service determination apply to the new instruments.

'Essential services' are not explicitly defined in the instruments but are defined in state legislation. How is this overlap to be worked through?

  • The instruments’ Explanatory Statement indicates that the intent is to only capture those goods or services that are critical to the health, safety, or the good order of the Australian community.
  • While most states have defined ‘essential services’ in legislation, some states are prescriptive in their approach while others are more general. The one consistent factor is that the goods and services prescribed all relate to services that ensure the health, safety and good order of the Australian community. As such the Australian Government’s approach is intended to align with and be complementary to state-based legislation.

Can I comply with the new obligations at a group level or provide the registry a single entry across a class of assets?

  • A group holding company can report for all carriers and eligible CSPs in the group, though it does so on behalf of each constituent firm.
  • Where a parent company is able to influence the management and operation of a critical infrastructure asset, or otherwise control that asset, it would be a direct interest holder and/or a responsible entity of those firms.

More information

More information about reporting cyber security incidents can be found on the ACSC website and on the CISC website.

Information about registering asset information can be found on the CISC website.

Information about the consultation process we ran between February and March 2022 can be found on our consultation page.

Questions about the instruments and the broader review can be made to the Telecommunications Security Review team:

Factsheets

  • Register of Critical Infrastructure Assets Guidance – Telecommunications sector PDF: 298 KB