Security Legislation Amendment (Critical Infrastructure) Act 2021 (124 of 2021)
Schedule 1 Security of critical infrastructure
Part 1 General amendments
Security of Critical Infrastructure Act 2018
39 After Part 2
Insert:
Part 2B - Notification of cyber security incidents
30BA Simplified outline of this Part
If a cyber security incident has a relevant impact on a critical infrastructure asset, the responsible entity for the asset may be required to give a relevant Commonwealth body a report about the incident.
Note: See also section 30BB (application of this Part).
30BB Application of this Part
(1) This Part applies to a critical infrastructure asset if:
(a) the asset is specified in the rules; or
(b) both:
(i) the asset is the subject of a declaration under section 51; and
(ii) the declaration determines that this Part applies to the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(2) Subsection (1) has effect subject to subsection (3).
(3) The rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period:
(a) beginning when the asset became a critical infrastructure asset; and
(b) ending at a time ascertained in accordance with the rules.
30BBA Consultation - rules
Scope
(1) This section applies to rules made for the purposes of section 30BB.
Consultation
(2) Before making or amending the rules, the Minister must:
(a) cause to be published on the Department's website a notice:
(i) setting out the draft rules or amendments; and
(ii) inviting persons to make submissions to the Minister about the draft rules or amendments within 28 days after the notice is published; and
(b) give a copy of the notice to each First Minister; and
(c) consider any submissions received within the 28-day period mentioned in paragraph (a); and
(d) if the Minister is aware that an entity is the responsible entity for an asset that is, or is proposed to be, specified in the rules:
(i) give the entity a copy of the draft rules or amendments; and
(ii) if a submission is received from the entity within the 28-day period mentioned in paragraph (a) - give the entity a written statement that sets out the Minister's response to the submission.
30BC Notification of critical cyber security incidents
(1) If:
(a) an entity is the responsible entity for a critical infrastructure asset; and
(b) the entity becomes aware that:
(i) a cyber security incident has occurred or is occurring; and
(ii) the incident has had, or is having, a significant impact (whether direct or indirect) on the availability of the asset;
the entity must:
(c) give the relevant Commonwealth body (see section 30BF) a report that:
(i) is about the incident; and
(ii) includes such information (if any) as is prescribed by the rules; and
(d) do so as soon as practicable, and in any event within 12 hours, after the entity becomes so aware.
Civil penalty: 50 penalty units.
Form of report etc.
(2) A report under subsection (1) may be given:
(a) orally; or
(b) in writing.
(3) If a report under subsection (1) is given orally, the entity must:
(a) do both of the following:
(i) make a written record of the report in the approved form;
(ii) give a copy of the written record of the report to the relevant Commonwealth body (see section 30BF); and
(b) do so within 84 hours after the report is given.
Civil penalty: 50 penalty units.
(4) If the report is given in writing, the entity must ensure that the report is in the approved form.
Civil penalty: 50 penalty units.
Exemption - written record
(5) The head (however described) of the relevant Commonwealth body (see section 30BF) may, by written notice given to an entity, exempt the entity from subsection (3) in relation to a report about a specified cyber security incident.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(6) A notice under subsection (5) is not a legislative instrument.
(7) The head (however described) of the relevant Commonwealth body (see section 30BF) may, by writing, delegate any or all of the head's powers under subsection (5) to a person who:
(a) is an SES employee, or acting SES employee, in the relevant Commonwealth body; or
(b) holds, or is acting in, a position in the relevant Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee.
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
(8) In exercising powers under a delegation, the delegate must comply with any directions of the head (however described) of the relevant Commonwealth body.
30BD Notification of other cyber security incidents
(1) If:
(a) an entity is the responsible entity for a critical infrastructure asset; and
(b) the entity becomes aware that:
(i) a cyber security incident has occurred, is occurring or is imminent; and
(ii) the incident has had, is having, or is likely to have, a relevant impact on the asset;
the entity must:
(c) give the relevant Commonwealth body (see section 30BF) a report that:
(i) is about the incident; and
(ii) includes such information (if any) as is prescribed by the rules; and
(d) do so as soon as practicable, and in any event within 72 hours, after the entity becomes so aware.
Civil penalty: 50 penalty units.
Form of report etc.
(2) A report under subsection (1) may be given:
(a) orally; or
(b) in writing.
(3) If a report under subsection (1) is given orally, the entity must:
(a) do both of the following:
(i) make a written record of the report in the approved form;
(ii) give a copy of the written record of the report to the relevant Commonwealth body (see section 30BF); and
(b) do so within 48 hours after the report is given.
Civil penalty: 50 penalty units.
(4) If the report is given in writing, the entity must ensure that the report is in the approved form.
Civil penalty: 50 penalty units.
Exemption - written record
(5) The head (however described) of the relevant Commonwealth body (see section 30BF) may, by written notice given to an entity, exempt the entity from subsection (3) in relation to a report about a specified cyber security incident.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(6) A notice under subsection (5) is not a legislative instrument.
(7) The head (however described) of the relevant Commonwealth body (see section 30BF) may, by writing, delegate any or all of the head's powers under subsection (5) to a person who:
(a) is an SES employee, or acting SES employee, in the relevant Commonwealth body; or
(b) holds, or is acting in, a position in the relevant Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee.
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
(8) In exercising powers under a delegation, the delegate must comply with any directions of the head (however described) of the relevant Commonwealth body.
30BE Liability
(1) An entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with section 30BC or section 30BD.
(2) An officer, employee or agent of an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1).
30BEA Significant impact
For the purposes of this Part, a cyber security incident has a significant impact (whether direct or indirect) on the availability of an asset if, and only if:
(a) both:
(i) the asset is used in connection with the provision of essential goods or services; and
(ii) the incident has materially disrupted the availability of those essential goods or services; or
(b) any of the circumstances specified in the rules exist in relation to the incident.
30BEB C onsultation - rules
Scope
(1) This section applies to rules made for the purposes of paragraph 30BEA(b).
Consultation
(2) If the Minister is aware that an entity is the responsible entity for a critical infrastructure asset, then, before making or amending the rules, the Minister must:
(a) give the entity a copy of the draft rules or amendments; and
(b) give the entity a written notice inviting the entity to make a submission to the Minister about the draft rules or amendments within 28 days after the notice is given; and
(c) consider any submission received within the 28-day period mentioned in paragraph (b); and
(d) if a submission is received from the entity within the 28-day period mentioned in paragraph (b) - give the entity a written statement that sets out the Minister's response to the submission.
30BF Relevant Commonwealth body
For the purposes of this Part, relevant Commonwealth body means:
(a) a Department that is specified in the rules; or
(b) a body that is:
(i) established by a law of the Commonwealth; and
(ii) specified in the rules; or
(c) if:
(i) no rules are in force for the purposes of paragraph (a); and
(ii) no rules are in force for the purposes of paragraph (b);
ASD.
Copyright notice
© Australian Taxation Office for the Commonwealth of Australia
You are free to copy, adapt, modify, transmit and distribute material on this website as you wish (but not in any way that suggests the ATO or the Commonwealth endorses you or any of your services or products).