Security Legislation Amendment (Critical Infrastructure) Act 2021 (124 of 2021)

Schedule 1   Security of critical infrastructure

Part 1   General amendments

Security of Critical Infrastructure Act 2018

32   After section 12

Insert:

12A Meaning of critical liquid fuel asset

(1) An asset is a critical liquid fuel asset if it is any of the following:

(a) a liquid fuel refinery that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (2);

(b) a liquid fuel pipeline that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (3);

(c) a liquid fuel storage facility that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (4).

Note: The rules may prescribe that a specified critical liquid fuel asset is not a critical infrastructure asset (see section 9).

(2) For the purposes of paragraph (1)(a), the rules may prescribe:

(a) specified liquid fuel refineries that are critical to ensuring the security and reliability of a liquid fuel market; or

(b) requirements for a liquid fuel refinery to be critical to ensuring the security and reliability of a liquid fuel market.

(3) For the purposes of paragraph (1)(b), the rules may prescribe:

(a) specified liquid fuel pipelines that are critical to ensuring the security and reliability of a liquid fuel market; or

(b) requirements for a liquid fuel pipeline to be critical to ensuring the security and reliability of a liquid fuel market.

(4) For the purposes of paragraph (1)(c), the rules may prescribe:

(a) specified liquid fuel storage facilities that are critical to ensuring the security and reliability of a liquid fuel market; or

(b) requirements for a liquid fuel storage facility to be critical to ensuring the security and reliability of a liquid fuel market.

12B Meaning of critical freight infrastructure asset

(1) An asset is a critical freight infrastructure asset if it is any of the following:

(a) a road network that, in accordance with subsection (2), functions as a critical corridor for the transportation of goods between:

(i) 2 States; or

(ii) a State and a Territory; or

(iii) 2 Territories; or

(iv) 2 regional centres;

(b) a rail network that, in accordance with subsection (3), functions as a critical corridor for the transportation of goods between:

(i) 2 States; or

(ii) a State and a Territory; or

(iii) 2 Territories; or

(iv) 2 regional centres;

(c) an intermodal transfer facility that, in accordance with subsection (4), is critical to the transportation of goods between:

(i) 2 States; or

(ii) a State and a Territory; or

(iii) 2 Territories; or

(iv) 2 regional centres.

Note: The rules may prescribe that a specified critical freight infrastructure asset is not a critical infrastructure asset (see section 9).

(2) For the purposes of paragraph (1)(a), the rules may prescribe:

(a) specified road networks that function as a critical corridor for the transportation of goods between:

(i) 2 States; or

(ii) a State and a Territory; or

(iii) 2 Territories; or

(iv) 2 regional centres; or

(b) requirements for a road network to function as a critical corridor for the transportation of goods between:

(i) 2 States; or

(ii) a State and a Territory; or

(iii) 2 Territories; or

(iv) 2 regional centres.

(3) For the purposes of paragraph (1)(b), the rules may prescribe:

(a) specified rail networks that function as a critical corridor for the transportation of goods between:

(i) 2 States; or

(ii) a State and a Territory; or

(iii) 2 Territories; or

(iv) 2 regional centres; or

(b) requirements for a rail network to function as a critical corridor for the transportation of goods between:

(i) 2 States; or

(ii) a State and a Territory; or

(iii) 2 Territories; or

(iv) 2 regional centres.

(4) For the purposes of paragraph (1)(c), the rules may prescribe:

(a) specified intermodal transfer facilities that are critical to the transportation of goods between:

(i) 2 States; or

(ii) a State and a Territory; or

(iii) 2 Territories; or

(iv) 2 regional centres; or

(b) requirements for an intermodal transfer facility to be critical to the transportation of goods between:

(i) 2 States; or

(ii) a State and a Territory; or

(iii) 2 Territories; or

(iv) 2 regional centres.

(5) For the purposes of this section, road network includes a part of a road network.

(6) For the purposes of this section, rail network includes a part of a rail network.

12C Meaning of critical freight services asset

(1) An asset is a critical freight services asset if it is a network that is used by an entity carrying on a business that, in accordance with subsection (2), is critical to the transportation of goods by any or all of the following:

(a) road;

(b) rail;

(c) inland waters;

(d) sea.

Note: The rules may prescribe that a specified critical freight services asset is not a critical infrastructure asset (see section 9).

(2) For the purposes of subsection (1), the rules may prescribe:

(a) specified businesses that are critical to the transportation of goods by any or all of the following:

(i) road;

(ii) rail;

(iii) inland waters;

(iv) sea; or

(b) requirements for a business to be critical to the transportation of goods by any or all of the following:

(i) road;

(ii) rail;

(iii) inland waters;

(iv) sea.

12D Meaning of critical financial market infrastructure asset

(1) An asset is a critical financial market infrastructure asset if it is any of the following assets:

(a) an asset that:

(i) is owned or operated by an Australian body corporate that holds an Australian market licence; and

(ii) is used in connection with the operation of a financial market that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector;

(b) an asset that:

(i) is owned or operated by an associated entity of an Australian body corporate that holds an Australian market licence; and

(ii) is used in connection with the operation of a financial market that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector;

(c) an asset that:

(i) is owned or operated by an Australian body corporate that holds an Australian CS facility licence; and

(ii) is used in connection with the operation of a clearing and settlement facility that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector;

(d) an asset that:

(i) is owned or operated by an associated entity of an Australian body corporate that holds an Australian CS facility licence; and

(ii) is used in connection with the operation of a clearing and settlement facility that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector;

(e) an asset that:

(i) is owned or operated by an Australian body corporate that holds a benchmark administrator licence; and

(ii) is used in connection with the administration of a significant financial benchmark that, in accordance with subsection (4), is critical to the security and reliability of the financial services and markets sector;

(f) an asset that:

(i) is owned or operated by an associated entity of an Australian body corporate that holds a benchmark administrator licence; and

(ii) is used in connection with the administration of a significant financial benchmark that, in accordance with subsection (4), is critical to the security and reliability of the financial services and markets sector;

(g) an asset that:

(i) is owned or operated by an Australian body corporate that holds an Australian derivative trade repository licence; and

(ii) is used in connection with the operation of a derivative trade repository that, in accordance with subsection (5), is critical to the security and reliability of the financial services and markets sector;

(h) an asset that:

(i) is owned or operated by an associated entity of an Australian body corporate that holds an Australian derivative trade repository licence; and

(ii) is used in connection with the operation of a derivative trade repository that, in accordance with subsection (5), is critical to the security and reliability of the financial services and markets sector;

(i) an asset that is used in connection with the operation of a payment system that, in accordance with subsection (6), is critical to the security and reliability of the financial services and markets sector.

Note: The rules may prescribe that a specified critical financial market infrastructure asset is not a critical infrastructure asset (see section 9).

(2) For the purposes of paragraphs (1)(a) and (b), the rules may prescribe:

(a) specified financial markets that are critical to the security and reliability of the financial services and markets sector; or

(b) requirements for a financial market to be critical to the security and reliability of the financial services and markets sector.

(3) For the purposes of paragraphs (1)(c) and (d), the rules may prescribe:

(a) specified clearing and settlement facilities that are critical to the security and reliability of the financial services and markets sector; or

(b) requirements for a clearing and settlement facility to be critical to the security and reliability of the financial services and markets sector.

(4) For the purposes of paragraphs (1)(e) and (f), the rules may prescribe:

(a) specified significant financial benchmarks that are critical to the security and reliability of the financial services and markets sector; or

(b) requirements for a significant financial benchmark to be critical to the security and reliability of the financial services and markets sector.

(5) For the purposes of paragraphs (1)(g) and (h), the rules may prescribe:

(a) specified derivative trade repositories that are critical to the security and reliability of the financial services and markets sector; or

(b) requirements for a derivative trade repository to be critical to the security and reliability of the financial services and markets sector.

(6) For the purposes of paragraph (1)(i), the rules may prescribe:

(a) specified payment systems that are critical to the security and reliability of the financial services and markets sector; or

(b) requirements for a payment system to be critical to the security and reliability of the financial services and markets sector.

(7) For the purposes of this section, Australian body corporate means a body corporate that is incorporated in Australia.

12E Meaning of critical broadcasting asset

(1) One or more broadcasting transmission assets are a critical broadcasting asset if:

(a) the broadcasting transmission assets are:

(i) owned or operated by the same entity; and

(ii) located on a site that, in accordance with subsection (2), is a critical transmission site; or

(b) the broadcasting transmission assets are:

(i) owned or operated by the same entity; and

(ii) located on at least 50 different sites; and

(iii) not broadcasting re-transmission assets; or

(c) the broadcasting transmission assets are owned or operated by an entity that, in accordance with subsection (3), is critical to the transmission of a broadcasting service.

Note: The rules may prescribe that a specified critical broadcasting asset is not a critical infrastructure asset (see section 9).

(2) For the purposes of paragraph (1)(a), the rules may prescribe:

(a) specified sites that are critical transmission sites; or

(b) requirements for sites to be critical transmission sites.

(3) For the purposes of paragraph (1)(c), the rules may prescribe:

(a) specified entities that are critical to the transmission of a broadcasting service; or

(b) requirements for an entity to be critical to the transmission of a broadcasting service.

12F Meaning of critical data storage or processing asset

(1) An asset is a critical data storage or processing asset if:

(a) it is owned or operated by an entity that is a data storage or processing provider; and

(b) it is used wholly or primarily to provide a data storage or processing service that is provided by the entity on a commercial basis to an end-user that is:

(i) the Commonwealth; or

(ii) a body corporate established by a law of the Commonwealth; or

(iii) a State; or

(iv) a body corporate established by a law of a State; or

(v) a Territory; or

(vi) a body corporate established by a law of a Territory; and

(c) the entity knows that the asset is used as described in paragraph (b).

Note: The rules may prescribe that a specified critical data storage or processing asset is not a critical infrastructure asset (see section 9).

(2) An asset is a critical data storage or processing asset if:

(a) it is owned or operated by an entity that is a data storage or processing provider; and

(b) it is used wholly or primarily to provide a data storage or processing service that:

(i) is provided by the entity on a commercial basis to an end-user that is the responsible entity for a critical infrastructure asset; and

(ii) relates to business critical data; and

(c) the entity knows that the asset is used as described in paragraph (b).

Note: The rules may prescribe that a specified critical data storage or processing asset is not a critical infrastructure asset (see section 9).

(3) If:

(a) an entity (the first entity ) is the responsible entity for a critical infrastructure asset; and

(b) the first entity becomes aware that a data storage or processing service:

(i) is provided by another entity on a commercial basis to the first entity; and

(ii) relates to business critical data;

the first entity must:

(c) take reasonable steps to inform that other entity that the first entity has become aware that the data storage or processing service:

(i) is provided by the other entity on a commercial basis to the first entity; and

(ii) relates to business critical data; and

(d) do so as soon as practicable after becoming so aware.

Civil penalty for contravention of this subsection: 50 penalty units.

12G Meaning of critical banking asset

(1) An asset is a critical banking asset if it is any of the following assets:

(a) an asset where the following conditions are satisfied:

(i) the asset is owned or operated by an authorised deposit-taking institution;

(ii) the authorised deposit-taking institution is an authorised deposit-taking institution that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector;

(iii) the asset is used in connection with the carrying on of banking business;

(b) an asset where the following conditions are satisfied:

(i) the asset is owned or operated by a body corporate that is a related body corporate of an authorised deposit-taking institution;

(ii) the body corporate is a body corporate that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector;

(iii) the asset is used in connection with the carrying on of banking business.

Note: The rules may prescribe that a specified critical banking asset is not a critical infrastructure asset (see section 9).

(2) For the purposes of subparagraph (1)(a)(ii), the rules may prescribe:

(a) specified authorised deposit-taking institutions that are critical to the security and reliability of the financial services and markets sector; or

(b) requirements for an authorised deposit-taking institution to be critical to the security and reliability of the financial services and markets sector.

(3) For the purposes of subparagraph (1)(b)(ii), the rules may prescribe:

(a) specified bodies corporate that are critical to the security and reliability of the financial services and markets sector; or

(b) requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector.

12H Meaning of critical insurance asset

(1) An asset is a critical insurance asset if it is any of the following assets:

(a) an asset where the following conditions are satisfied:

(i) the asset is owned or operated by an entity that carries on insurance business;

(ii) the entity is an entity that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector;

(iii) the asset is used in connection with the carrying on of insurance business;

(b) an asset where the following conditions are satisfied:

(i) the asset is owned or operated by a body corporate that is a related body corporate of an entity that carries on insurance business;

(ii) the body corporate is a body corporate that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector;

(iii) the asset is used in connection with the carrying on of insurance business;

(c) an asset where the following conditions are satisfied:

(i) the asset is owned or operated by an entity that carries on life insurance business;

(ii) the entity is an entity that, in accordance with subsection (4), is critical to the security and reliability of the financial services and markets sector;

(iii) the asset is used in connection with the carrying on of life insurance business;

(d) an asset where the following conditions are satisfied:

(i) the asset is owned or operated by a body corporate that is a related body corporate of an entity that carries on life insurance business;

(ii) the body corporate is a body corporate that, in accordance with subsection (5), is critical to the security and reliability of the financial services and markets sector;

(iii) the asset is used in connection with the carrying on of life insurance business;

(e) an asset where the following conditions are satisfied:

(i) the asset is owned or operated by an entity that carries on health insurance business;

(ii) the entity is an entity that, in accordance with subsection (6), is critical to the security and reliability of the financial services and markets sector;

(iii) the asset is used in connection with the carrying on of health insurance business;

(f) an asset where the following conditions are satisfied:

(i) the asset is owned or operated by a body corporate that is a related body corporate of an entity that carries on health insurance business;

(ii) the body corporate is a body corporate that, in accordance with subsection (7), is critical to the security and reliability of the financial services and markets sector;

(iii) the asset is used in connection with the carrying on of health insurance business.

Note: The rules may prescribe that a specified critical insurance asset is not a critical infrastructure asset (see section 9).

(2) For the purposes of subparagraph (1)(a)(ii), the rules may prescribe:

(a) specified entities that are critical to the security and reliability of the financial services and markets sector; or

(b) requirements for an entity to be critical to the security and reliability of the financial services and markets sector.

(3) For the purposes of subparagraph (1)(b)(ii), the rules may prescribe:

(a) specified bodies corporate that are critical to the security and reliability of the financial services and markets sector; or

(b) requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector.

(4) For the purposes of subparagraph (1)(c)(ii), the rules may prescribe:

(a) specified entities that are critical to the security and reliability of the financial services and markets sector; or

(b) requirements for an entity to be critical to the security and reliability of the financial services and markets sector.

(5) For the purposes of subparagraph (1)(d)(ii), the rules may prescribe:

(a) specified bodies corporate that are critical to the security and reliability of the financial services and markets sector; or

(b) requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector.

(6) For the purposes of subparagraph (1)(e)(ii), the rules may prescribe:

(a) specified entities that are critical to the security and reliability of the financial services and markets sector; or

(b) requirements for an entity to be critical to the security and reliability of the financial services and markets sector.

(7) For the purposes of subparagraph (1)(f)(ii), the rules may prescribe:

(a) specified bodies corporate that are critical to the security and reliability of the financial services and markets sector; or

(b) requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector.

12J Meaning of critical superannuation asset

(1) An asset is a critical superannuation asset if:

(a) it is owned or operated by a registrable superannuation entity that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector; and

(b) it is used in connection with the operation of a superannuation fund.

Note: The rules may prescribe that a specified critical superannuation asset is not a critical infrastructure asset (see section 9).

(2) For the purposes of paragraph (1)(a), the rules may prescribe:

(a) specified registrable superannuation entities that are critical to the security and reliability of the financial services and markets sector; or

(b) requirements for a registrable superannuation entity to be critical to the security and reliability of the financial services and markets sector.

12K Meaning of critical food and grocery asset

(1) An asset is a critical food and grocery asset if it is a network that:

(a) is used for the distribution or supply of:

(i) food; or

(ii) groceries; and

(b) is owned or operated by an entity that is:

(i) a critical supermarket retailer, in accordance with subsection (2); or

(ii) a critical food wholesaler, in accordance with subsection (3); or

(iii) a critical grocery wholesaler, in accordance with subsection (4).

Note: The rules may prescribe that a specified critical food and grocery asset is not a critical infrastructure asset (see section 9).

(2) For the purposes of subparagraph (1)(b)(i), the rules may prescribe:

(a) specified entities that are critical supermarket retailers; or

(b) requirements for an entity to be a critical supermarket retailer.

(3) For the purposes of subparagraph (1)(b)(ii), the rules may prescribe:

(a) specified entities that are critical food wholesalers; or

(b) requirements for an entity to be a critical food wholesaler.

(4) For the purposes of subparagraph (1)(b)(iii), the rules may prescribe:

(a) specified entities that are critical grocery wholesalers; or

(b) requirements for an entity to be a critical grocery wholesaler.

12KA Meaning of critical domain name system

(1) An asset is a critical domain name system if it:

(a) is managed by an entity that, in accordance with subsection (2), is critical to the administration of an Australian domain name system; and

(b) is used in connection with the administration of an Australian domain name system.

Note: The rules may prescribe that a specified critical domain name system is not a critical infrastructure asset (see section 9).

(2) For the purposes of paragraph (1)(a), the rules may prescribe:

(a) specified entities that are critical to the administration of an Australian domain name system; or

(b) requirements for an entity to be critical to the administration of an Australian domain name system.

12L Meaning of responsible entity

Critical telecommunications asset

(1) The responsible entity for a critical telecommunications asset is:

(a) whichever of the following is applicable:

(i) if the critical telecommunications asset is owned or operated by a carrier - the carrier;

(ii) if the critical telecommunications asset is owned or operated by a carriage service provider - the carriage service provider; or

(b) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical broadcasting asset

(2) The responsible entity for a critical broadcasting asset is:

(a) the entity referred to in whichever of the following provisions is applicable:

(i) subparagraph 12E(1)(a)(i);

(ii) subparagraph 12E(1)(b)(i);

(iii) paragraph 12E(1)(c); or

(b) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical domain name system

(3) The responsible entity for a critical domain name system is:

(a) the entity referred to in paragraph 12KA(1)(a); or

(b) if another entity is prescribed by the rules in relation to the system - that other entity.

Critical data storage or processing asset

(4) The responsible entity for a critical data storage or processing asset is:

(a) if the asset is covered by subsection 12F(1) - the entity referred to in paragraph 12F(1)(a); or

(b) if the asset is covered by subsection 12F(2) - the entity referred to in paragraph 12F(2)(a); or

(c) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical banking asset

(5) The responsible entity for a critical banking asset is:

(a) if the asset is covered by paragraph 12G(1)(a) - the authorised deposit-taking institution referred to insubparagraph 12G(1)(a)(i); or

(b) if the asset is covered by paragraph 12G(1)(b) - the body corporate referred to in subparagraph 12G(1)(b)(i); or

(c) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical superannuation asset

(6) The responsible entity for a critical superannuation asset is:

(a) the registrable superannuation entity referred to in subsection 12J(1); or

(b) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical insurance asset

(7) The responsible entity for a critical insurance asset is:

(a) if the asset is covered by paragraph 12H(1)(a) - the entity referred to insubparagraph 12H(1)(a)(i); or

(b) if the asset is covered by paragraph 12H(1)(b) - the body corporate referred to in subparagraph 12H(1)(b)(i); or

(c) if the asset is covered by paragraph 12H(1)(c) - the entity referred to insubparagraph 12H(1)(c)(i); or

(d) if the asset is covered by paragraph 12H(1)(d) - the body corporate referred to insubparagraph 12H(1)(d)(i); or

(e) if the asset is covered by paragraph 12H(1)(e) - the entity referred to insubparagraph 12H(1)(e)(i); or

(f) if the asset is covered by paragraph 12H(1)(f) - the body corporate referred to insubparagraph 12H(1)(f)(i); or

(g) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical financial market infrastructure asset

(8) The responsible entity for a critical financial market infrastructure asset is:

(a) if the asset is covered by paragraph 12D(1)(a) - the body corporate referred to in subparagraph 12D(1)(a)(i); or

(b) if the asset is covered by paragraph 12D(1)(b) - the associated entity referred to in subparagraph 12D(1)(b)(i); or

(c) if the asset is covered by paragraph 12D(1)(c) - the body corporate referred to in subparagraph 12D(1)(c)(i); or

(d) if the asset is covered by paragraph 12D(1)(d) - the associated entity referred to in subparagraph 12D(1)(d)(i); or

(e) if the asset is covered by paragraph 12D(1)(e) - the body corporate referred to in subparagraph 12D(1)(e)(i); or

(f) if the asset is covered by paragraph 12D(1)(f) - the associated entity referred to in subparagraph 12D(1)(f)(i); or

(g) if the asset is covered by paragraph 12D(1)(g) - the body corporate referred to in subparagraph 12D(1)(g)(i); or

(h) if the asset is covered by paragraph 12D(1)(h) - the associated entity referred to in subparagraph 12D(1)(h)(i); or

(i) if the asset is covered by paragraph 12D(1)(i) - the entity prescribed by the rules; or

(j) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical water asset

(9) The responsible entity for a critical water asset is:

(a) the water utility that holds the licence, approval or authorisation (however described), under a law of the Commonwealth, a State or a Territory, to provide the service to be delivered by the asset; or

(b) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical electricity asset

(10) The responsible entity for a critical electricity asset is:

(a) the entity that holds the licence, approval or authorisation (however described) to operate the asset to provide the service to be delivered by the asset; or

(b) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical gas asset

(11) The responsible entity for a critical gas asset is:

(a) the entity that holds the licence, approval or authorisation (however described) to operate the asset to provide the service to be delivered by the asset; or

(b) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical energy market operator asset

(12) The responsible entity for a critical energy market operator asset is:

(a) if the asset is used by Australian Energy Market Operator Limited (ACN 072 010 327) - that company; or

(b) if the asset is used by Power and Water Corporation - that corporation; or

(c) if the asset is used by Regional Power Corporation - that corporation; or

(d) if the asset is used by Electricity Networks Corporation - that corporation; or

(e) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical liquid fuel asset

(13) The responsible entity for a critical liquid fuel asset is:

(a) if the asset is a liquid fuel refinery - the entity that operates the liquid fuel refinery; or

(b) if the asset is a liquid fuel pipeline - the entity that operates the liquid fuel pipeline; or

(c) if the asset is a liquid fuel storage facility - the entity that operates the liquid fuel storage facility; or

(d) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical hospital

(14) The responsible entity for a critical hospital is:

(a) if the critical hospital is a public hospital - the local hospital network that operates the hospital; or

(b) if the critical hospital is a private hospital - the entity that holds the licence, approval or authorisation (however described), under a law of a State or a Territory to operate the hospital; or

(c) if another entity is prescribed by the rules in relation to the hospital - that other entity.

Critical education asset

(15) The responsible entity for a critical education asset is:

(a) the entity referred to in the definition of critical education asset in section 5; or

(b) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical food and grocery asset

(16) The responsible entity for a critical food and grocery asset is:

(a) the entity referred to in paragraph 12K(1)(b); or

(b) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical port

(17) The responsible entity for a critical port is:

(a) the port operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003) of the port; or

(b) if another entity is prescribed by the rules in relation to the port - that other entity.

Critical freight infrastructure asset

(18) The responsible entity for a critical freight infrastructure asset is:

(a) if the Commonwealth is responsible for the management of the asset - the Commonwealth; or

(b) if a State is responsible for the management of the asset - the State; or

(c) if a Territory is responsible for the management of the asset - the Territory; or

(d) if a body is:

(i) established by a law of the Commonwealth, a State or a Territory; and

(ii) responsible for the management of the asset;

that body; or

(e) if none of paragraphs (a), (b), (c), (d) and (e) apply - the entity prescribed by the rules in relation to the asset; or

(f) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical freight services asset

(19) The responsible entity for a critical freight services asset is:

(a) the entity referred to in subsection 12C(1); or

(b) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical public transport asset

(20) The responsible entity for a critical public transport asset is:

(a) the entity referred to in paragraph (a) of the definition of critical public transport asset in section 5; or

(b) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical aviation asset

(21) The responsible entity for a critical aviation asset is:

(a) if the asset is:

(i) used in connection with the provision of an air service; and

(ii) owned or operated by an aircraft operator;

the aircraft operator; or

(b) if the asset is:

(i) used in connection with the provision of an air service; and

(ii) owned or operated by a regulated air cargo agent;

the regulated air cargo agent; or

(c) if the asset is used by an airport operator in connection with the operation of an airport - the airport operator; or

(d) if another entity is prescribed by the rules in relation to the asset - that other entity.

Critical defence industry asset

(22) The responsible entity for a critical defence industry asset is:

(a) the entity referred to in paragraph (a) of the definition of critical defence industry asset ; or

(b) if another entity is prescribed by the rules in relation to the asset - that other entity.

Assets prescribed by the rules

(23) The responsible entity for an asset prescribed by the rules in relation to the asset for the purposes of paragraph 9(1)(f) is the entity specified in the rules.

Assets declared to be a critical infrastructure asset

(24) The responsible entity for an asset declared under section 51 to be a critical infrastructure asset is the entity specified in the declaration as the responsible entity for the asset (see subsection 51(2)).

12M Meaning of cyber security incident

A cyber security incident is one or more acts, events or circumstances involving any of the following:

(a) unauthorised access to:

(i) computer data; or

(ii) a computer program;

(b) unauthorised modification of:

(i) computer data; or

(ii) a computer program;

(c) unauthorised impairment of electronic communication to or from a computer;

(d) unauthorised impairment of the availability, reliability, security or operation of:

(i) a computer; or

(ii) computer data; or

(iii) a computer program.

12N Meaning of unauthorised access, modification or impairment

(1) For the purposes of this Act:

(a) access to:

(i) computer data; or

(ii) a computer program; or

(b) modification of:

(i) computer data; or

(ii) a computer program; or

(c) the impairment of electronic communication to or from a computer; or

(d) the impairment of the availability, reliability, security or operation of:

(i) a computer; or

(ii) computer data; or

(iii) a computer program;

by a person is unauthorised if the person is not entitled to cause that access, modification or impairment.

(1A) The following is an example of a situation where a person is not entitled to cause access, modification or impairment of a kind mentioned in subsection (1): a person who is an employee or agent of the responsible entity for an asset would exceed the person's authority as such an employee or agent in causing such access, modification or impairment in relation to the asset.

(2) For the purposes of subsection (1), it is immaterial whether the person can be identified.

(3) For the purposes of subsection (1), if:

(a) a person causes any access, modification or impairment of a kind mentioned in that subsection; and

(b) the person does so:

(i) under a warrant issued under a law of the Commonwealth, a State or a Territory; or

(ii) under an emergency authorisation given to the person under Part 3 of the Surveillance Devices Act 2004 or under a law of a State or Territory that makes provision to similar effect; or

(iii) under a tracking device authorisation given to the person under section 39 of the Surveillance Devices Act 2004; or

(iv) in accordance with a technical assistance request; or

(v) in compliance with a technical assistance notice; or

(vi) in compliance with a technical capability notice;

the person is entitled to cause that access, modification or impairment.

12P Examples of responding to a cyber security incident

The following are examples of responding to a cyber security incident:

(a) if the incident is imminent - preventing the incident;

(b) mitigating a relevant impact of the incident on:

(i) a critical infrastructure asset; or

(ii) a critical infrastructure sector asset;

(c) if a critical infrastructure asset or a critical infrastructure sector asset has been, or is being, affected by the incident - restoring the functionality of the asset.