Blog page img

Our Blog

Learn About The Latest Issues Facing The Technology and Telecommunications Industries. Subscribe To Our Blog And Get Regular Updates Automatically!

Some of our Satisfied Clients

Startups, SMEs, Public Listed Entities, Multinational Corporations and Government

featured in

Mandatory cybersecurity reporting for critical infrastructure assets

New amendments to the Security of Critical Infrastructure Act 2018 (Cth) include a new mandatory cybersecurity reporting requirement for certain critical infrastructure assets that commenced on 8 July 2022.

A cybersecurity incident refers to one or more acts, events or circumstances involving:

  • unauthorised access to or modification of computer data or computer program, or
  • unauthorised impairment of electronic communications to or from a computer, or
  • unauthorised impairment of the availability, reliability, security or operation of computer data, a computer program or a computer.

If a cybersecurity incident occurs and has had a significant impact on a critical infrastructure asset, the owner of the asset must notify the Australian Cyber Security Centre (ACSC) of the incident. Notification must be made within 12 hours after becoming aware of the incident.

A significant impact is one where the critical infrastructure asset is used in connection with the provision of essential goods and services and the incident has materially disrupted the availability of the goods or services. For example, a critical cybersecurity incident might impact an electricity asset and the distribution of electricity.

Alternatively, the cybersecurity incident may have a relevant impact. A relevant impact is an impact on the availability, integrity, reliability, or confidentiality of the critical infrastructure asset. For example, a cybersecurity incident may impact a bank’s network and expose data but may not impact the provision of banking services. In such situations, owners of the asset must notify ACSC within 72 hours of becoming aware of the incident.

To file a report for either impact, the owner of the asset should use the ACSC’s guide on reporting cybersecurity incidents.

The introduction of the mandatory cybersecurity reporting regime is designed to strengthen the security of Australia’s key infrastructure and encourage the development of responses and protections to minimise future cybersecurity risk and harm.

We have significant expertise advising clients on cyber security obligations and services. For further information, please email

#cybersecurity #cyberlaw #regulatoryadvice

"Stellar Results Through Technology Contract Negotiations"

Are you putting your business at risk with lawyers who don’t understand Technology Contracts?

free book