The Australian Government has released updated guidance to help telecommunications providers manage security risks associated with 5G networks. This document expands on the 2018 5G Security Guidance while maintaining the government’s existing policy position. It aims to assist critical telecommunications assets—previously known as carriers and nominated service providers—in meeting their regulatory obligations under the Security of Critical Infrastructure Act 2018.
5G networks present unique security challenges due to their decentralised architecture, where sensitive functions traditionally handled in the core network are increasingly distributed to the edge. This shift makes older security measures less effective, increasing risks such as unauthorised access, data breaches, and potential network sabotage. To address these threats, the government recommends that providers conduct thorough vendor risk assessments, evaluating whether suppliers could be subject to extrajudicial direction that conflicts with Australian law. These assessments should also examine supply chain risks, including third-party technology providers and outsourced services.
Even when outsourcing network management, telecommunications providers retain responsibility for security and must maintain control over third-party access, including audit logs and the ability to revoke permissions if needed. The guidance also requires providers to notify the Department of Home Affairs of any network changes that could significantly impact security compliance.
The government emphasises a vendor and country-agnostic approach, applying security measures uniformly rather than targeting specific companies or nations. While no technical solution can completely eliminate 5G risks, providers are expected to implement strong safeguards to mitigate threats as much as possible. Given 5G’s role in enabling smart cities, the Internet of Things, and critical services like remote healthcare and autonomous vehicles, securing these networks is essential for national security and economic stability.
Telecommunications providers are encouraged to maintain open communication with the Cyber and Infrastructure Security Centre and submit change notifications if uncertain about compliance.
