Announcement date
11 March 2025
Link to announcement
Problem being addressed
Critical infrastructure is essential for Australia’s social and economic prosperity, national security and defence, and facilitating the provision of essential services across Australia. However, risks to Australia’s critical infrastructure have evolved in recent years. These risks are inherently complex and reflect factors including increased cyber connectivity and greater participation in, and reliance on, global supply chains to support the provision of essential services.
The Security of Critical Infrastructure Act 2018 (SOCI Act) was designed to manage risks to critical infrastructure assets. The SOCI Act was amended in 2022 to more appropriately capture assets critical to Australia’s defence, national security, economic and social stability and in response to increasing threats from cyber attacks. At that time, critical telecommunications assets remained separately regulated (in part) under the Telecommunications Act 1997 (the Telecommunications Act).
The increasing frequency of serious incidents affecting telecommunications assets and some complexity caused by regulation under different legislative frameworks has contributed to increased risks for owners and operators of critical telecommunications assets.
Proposal
This Impact Analysis Equivalent (IAE) considers the impacts of making subordinate legislation under the SOCI Act to introduce a bespoke critical infrastructure risk management program (CIRMP) for critical telecommunications assets (Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025).
Assessed Impact Analysis outcome
Impact Analysis Equivalent
Assessment Comments
The Office of Impact Analysis (OIA) does not assess the quality of reviews and documents used in lieu of an Impact Analysis (IA). IAEs are assessed by the OIA for relevance to the recommended options and for the coverage of the seven Impact Analysis questions.
For this IAE, the Department of Home Affairs has drawn on the 2022 Regulation Impact Statement: a risk management program framework for critical infrastructure assets along with additional supplementary analysis for critical telecommunications assets prepared by the Department. The OIA assessed that the options analysed in the IAE materials are sufficiently relevant to the proposal.
Regulatory burden
The Certification letter from the Department of Home Affairs outlines that robust estimates of regulatory burden were unable to be produced due to the absence of quantitative submissions from industry.