On 4 April 2025, the next suite of amendments under the Cyber Security Legislative Package will take effect. These amendments will enhance and clarify security obligations for critical telecommunications assets.

Background

In November last year, the Federal Parliament passed the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) (SOCI Amendment). The SOCI Amendment formed part of a broader legislative suite designed to enhance Australia's cyber security regime (see previous articles on the Cyber Security Legislative Package and uplift of the SOCI Act).

Most of the SOCI Amendment commenced on 20 December 2024. However, some key amendments applying to critical telecommunications assets were delayed and will now start on 4 April 2025.

In addition to the SOCI Amendment, the following rules have been registered to dictate the application of the positive security obligations imposed by the SOCI Act:

  1. Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 (Cth) (TSRMP Rules).

  2. Security of Critical Infrastructure Amendment (2025 Measures No. 1) Rules 2025 (Cth) (Amending Rules).

Telecommunications assets and the SOCI Act

The Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) framework includes ‘critical telecommunications assets’ as one of the listed categories of critical infrastructure assets the SOCI Act regulates. However, when the SOCI Act was reformed in 2022, SOCI-equivalent provisions were implemented as a licence condition (Licence Condition) for carriers and a separate determination (Determination) applying to eligible carriage service providers under the Telecommunications Act 1997 (Cth) (the Telecommunications Act) instead of under the SOCI Act framework.

The SOCI Amendment brings these obligations back into the SOCI Act framework, with other key security obligations from the Telecommunications Act, the Australian Security Intelligence Organisation Act 1979 (Cth) and the Telecommunications (Interception and Access) Act 1979 (Cth). By consolidating these telecommunications security-related obligations into the SOCI Act, the government aims to “reduce regulatory complexity” and “enhance the security of [our] telecommunications assets”.

Top five key changes from the SOCI Amendment and related Rules

1. Broader definition of critical telecommunications asset

Previously, the definition of ‘critical telecommunications asset’ was limited to telecommunications networks and facilities that are used to supply a carriage service. Now, the definition has been extended to capture any other asset used in connection with the supply of a carriage service.

The Explanatory Memorandum states this update will “ensure that all assets that are used in conjunction with or in the supply of telecommunication services are captured within the [SOCI Act]”. As a result, secondary data storage assets, virtual assets and other assets that support (rather than form part of) a telecommunications network may be regulated as critical telecommunications assets under the SOCI Act, to the extent they are used in connection with the supply of a carriage service.

2. Uplifted general “security obligation” and “notification obligation” from the Telecommunications Act for certain critical telecommunications assets

The SOCI Amendment introduces a broad “security obligation” to protect certain critical telecommunications assets (drawn from s313 of the Telecommunications Act) and a “notification obligation” to notify changes to a telecommunications service/system that could affect a responsible entity’s ability to comply with the “security obligation” (drawn from s314A of the Telecommunications Act). These new obligations have been uplifted to a higher standard than the provisions they were drawn from in the Telecommunications Act.

The security obligation requires responsible entities to protect (so far as it is reasonably practicable) the confidentiality of communications/information and the availability and integrity of certain critical telecommunications assets. As part of the responsible entity’s compliance with this general obligation, it is required to “maintain competent supervision of and effective control over the asset”, which goes beyond what is required by the existing security obligation under the Telecommunications Act. The Explanatory Memorandum clarifies that this section does not outright prohibit outsourcing or offshoring of critical telecommunications assets, but requires responsible entities to build security considerations into their arrangements with suppliers and to take a “risk-based approach” to determining which parts of their operations should be offshored.

The notification obligation requires responsible entities to notify the Secretary of the Department of Home Affairs about certain changes and proposed changes to their telecommunications services or systems that are likely to have a material adverse effect on their ability to comply with the “security obligation”. The notification obligation arises when the responsible entity becomes aware of the implementation of a change or proposed change.

The TSRMP Rules define the application of the security obligation (and consequently the notification obligation). It applies to critical telecommunications assets that are any of the following:

  • Owned or operated by a carrier.

  • Owned or operated by a carriage service provider where the asset supplies 20,000+ active total carriage services (including broadband, fixed line, public mobile and voice only).

  • Owned or operated by a carriage service provider where the responsible entity is aware the asset is used in connection with carriage services supplied to a Commonwealth entity (the Nominated Telco Assets).

3. “Switches on” the obligation to adopt and maintain a critical infrastructure risk management program (CIRMP) for Nominated Telco Assets

A CIRMP is a written program that:

  • Identifies hazards that may be a material risk to the relevant critical infrastructure asset.

  • Addresses the minimisation and elimination of any material risk to the relevant critical infrastructure asset (as far as is reasonably practicable).

  • Addresses how to mitigate the impact of any hazards on the relevant critical infrastructure asset (as far as is reasonably practicable).

Under the SOCI Act, a responsible entity that adopts a CIRMP must take all reasonable steps to ensure it stays up to date.

The TSRMP Rules require responsible entities to adopt and maintain a CIRMP for all Nominated Telco Assets (as defined above). They also specify certain material risks to be considered in drafting a CIRMP for a Nominated Telco Asset, which are tailored to telecommunications assets. The CIRMP obligation commences on 4 October 2025 for existing Nominated Telco Assets, and the Rules set out a 6-month compliance grace period for any Nominated Telco Assets that come into existence after 4 April 2025.

As noted in our previous article, the SOCI Amendment empowers the Secretary to give directions to vary a CIRMP which the Secretary considers to have a serious deficiency (that is, one that poses a risk to socioeconomic stability, national security or defence of Australia). The SOCI Amendment and the TSRMP Rules mean that many carriers and carriage service providers are now caught by the CIRMP regime and their CIRMP may be subject to regulatory scrutiny.

4. “Switches on” the SOCI mandatory cyber incident reporting for Nominated Telco Assets

Responsible entities for the Nominated Telco Assets must report critical cyber security incidents that occur to the asset within 12 hours of becoming aware of the incident, if the incident is having a significant impact on the availability of the asset. Responsible entities also have obligations to report other cyber security incidents that occur to the asset within 72 hours after becoming aware of the incident, if the incident has had, or is likely to have, an impact on the availability, integrity, reliability or confidentiality of the asset.

In practice, carriers and carriage service providers were already subject to almost identical obligations to report cyber security incidents under the Licence Condition and Determination. The SOCI Amendment and related Rules have just consolidated these obligations into the SOCI framework. However, carriers and carriage service providers should be aware the new SOCI Amendment obligations apply to a different scope of assets.

5. “Switches on” the SOCI obligation to report information to the Register of Critical Infrastructure Assets for Nominated Telco Assets

The Amending Rules switch on the SOCI Act’s obligations to report on ownership, operational, interest and control information for inclusion on the Register of Critical Infrastructure Assets, for the Nominated Telco Assets.

Again, in practice carriers and carriage service providers were already subject to obligations under the Licence Condition and Determination to report a similar scope of information to the Secretary of Home Affairs. As above, carriers and carriage service providers will need to review the scope of assets that these obligations apply to.