Announcement date
21 February 2023
Link to announcement
https://minister.homeaffairs.gov.au/ClareONeil/Pages/world-leading-protection-australias-critical-infrastructure.aspx
Problem being addressed
Critical infrastructure is essential for Australia’s social and economic prosperity, national security and defence, and facilitating the provision of essential services across Australia. However, risks to Australia’s critical infrastructure have evolved in recent years. These risks are inherently complex and reflect factors including increased cyber connectivity and greater participation in, and reliance on, global supply chains to support the provision of essential services. The increased threat environment requires a regulatory environment that is proportionate to the potential damage caused by the disruption of one or many critical infrastructure assets.
The Impact Analysis (IA) focuses on four key problems:
- There are growing risks to critical infrastructure assets.
- Existing legislative arrangements are insufficient for the current threat environment.
- The Government has limited visibility of current risk management practices, and limited ability to ensure that risks are appropriately managed across sectors.
- A stronger partnership between Government and industry is needed to drive a wholesale uplift in security and resilience.
Proposal
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SLACI Bill) was first introduced to Parliament in December 2020 and sought to amend the Security of Critical Infrastructure Act 2018 (SOCI Act) to include more sectors with increased obligations. As part of the positive security obligations, the SLACI Bill also sought to introduce compliance with an all-hazards Risk Management Program (RMP) for particular critical infrastructure assets. The regulatory impact of the SLACI Bill’s positive security obligations (excluding the RMP obligations) were considered in a 2020 Impact Analysis.
Following a review of the SLACI Bill by the Parliamentary Joint Committee on Intelligence and Security, the SLACI Bill was split into two Bills, SLACI and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP). The SLACIP Act includes the positive security obligation requiring operators of critical infrastructure assets to develop and maintain an RMP. The 13 critical infrastructure asset classes are:
- critical electricity assets;
- critical gas assets;
- critical water assets;
- critical data processing or storage assets;
- critical broadcasting assets;
- critical financial market infrastructure assets (specifically payment systems);
- critical domain name systems;
- critical liquid fuels assets;
- critical hospital assets;
- critical energy market operator assets;
- critical freight infrastructure;
- critical freight services assets; and
- critical food and grocery assets.
The IA focuses on the potential impacts of the implementation of the RMP obligations that are set out in the SLACIP Act, and for each of the 13 identified critical infrastructure asset classes, considers the following options:
Option 1: Maintain the status quo;
Option 2: Mandatory adoption of the RMP framework.
Option 3: Voluntarily adoption of the RMP framework.
Significant consultation was undertaken with impacted stakeholders, and the break-even analysis demonstrated Option 2 (Mandatory RMP) will deliver the highest net benefit.
The Government has finalised the risk management program framework as a part of the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) (The Rules). The obligation to produce and comply with a critical infrastructure risk management program (CIRMP) for asset classes listed in the Rules commenced 17 February 2023
Assessed Impact Analysis outcome
Good practice
Assessment comments
The Office of Impact Analysis’ (OIA’s) assessment is that the quality of the impact analysis in the IA is Good Practice. The IA contains exceptionally high quality analysis for each of the seven IA questions and follows an appropriate policy development process commensurate with the significance of the problem and magnitude of the proposed intervention. An exemplary rating would have been achieved had an Early Assessment IA been undertaken and had the IA been assessed by the OIA and provided to decision makers prior to each major decision point.
Given the possible widespread impacts these measures may have on the Australian economy, a post-implementation review will need to be completed within five years following implementation.
Regulatory burden
The IA estimates a one-off aggregated cost of $1,601.0 million, across critical infrastructure assets nationally, to achieve compliance with the RMP obligations and RMP rules; and an ongoing aggregated cost of $1,076.3 million per year, across critical infrastructure assets nationally, to maintain compliance.