Australia | Publication | December 2021
Significant changes to the law governing the security of critical infrastructure in Australia, including enhanced cybersecurity incident reporting requirements and the inclusion of further asset classes, have been passed. On 22 November 2021, the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Bill) passed both houses of the federal parliament of Australia and will come into force after receiving assent, likely before the end of 2021. The legislation amends the Security of Critical Infrastructure Act 2018 (Cth) (Act) in four significant ways.
The Bill expands the application of the Act from four asset classes (water, electricity, gas and ports) to eleven sectors covering 22 asset classes, potentially capturing a large swathe of Australian economic activity. An added dimension is that several of the new asset classes require further definition through sector-specific rules made by the Minister for Home Affairs, which will set the operational thresholds above which an asset is classified as a critical infrastructure asset. Further rules are then needed to switch on the requirement to disclose operational information, and interest and control information, to a confidential register managed by the Minister for Home Affairs.
A prelude to the content of these rules can be found on the Department of Home Affairs' Cyber and Infrastructure Security Centre website. By way of example, the draft rules set the generation threshold for a critical electricity asset at 30 MW. This contrasts with the definition of a critical aviation asset, which has no threshold and instead turns on the provision of an air service that is owned or operated by an aircraft operator.
The Bill introduces two new cybersecurity incident reporting obligations that apply where a cybersecurity incident affects, or has affected, a critical infrastructure asset (one obligation for critical incidents having a significant impact on the asset, and a second for other incidents having a relevant impact, each with its own reporting timeframe). Reports are to be made to the relevant Commonwealth body, again to be specified in the rules, or, if no body is specified, to the Australian Signals Directorate.
The Bill introduces government assistance powers under which private companies operating assets in the newly defined sectors may be directed to do, or refrain from doing, a specified act, to disclose information or to remove hardware, and under which government agencies may even take over the operation of an asset. Where a significant cybersecurity incident affects a critical infrastructure asset, these powers reach not only the asset itself but also connected operations and assets within the sector.
The powers, contained in Part 3A of the amended Act, have been hotly debated by industry. They are subject to oversight by the Parliamentary Joint Committee on Intelligence and Security, but that oversight is limited to the filing of a report. Private entities have little to no recourse to challenge a direction and little to no ability to claim compensation for harm caused by complying with one. It remains to be seen when and how the powers will be used, but companies operating in the affected sectors will need to determine how they would respond to such a direction should one be issued.
One of the lesser known impacts of the expanded definition of critical infrastructure assets is its consequential effect on the definition of "national security business" in the Foreign Acquisitions and Takeovers Regulation 2015. A national security business is defined to include responsible entities and direct interest holders as defined in the Act. By expanding the number of critical sectors and assets, the Bill consequently expands the scope of national security businesses to include new responsible entities and direct interest holders across a wide range of industries.
This will have an immediate impact on foreign investment in entities involved in operating the ten asset classes that are already defined in the Bill itself (and so do not require further rules). Investors will need to consider whether notification to the Foreign Investment Review Board (mandatory, or voluntary where the investment is potentially reviewable under the foreign investment laws) is required in order to obtain clearance for the investment. The same obligation will apply to the remaining 12 asset classes once the rules defining those critical infrastructure assets are finalised.
Once in force, many of the above changes still need to be "switched on" through the Minister's rule-making powers. Rules that set the thresholds for critical infrastructure assets do not require the Minister to consult affected entities, so it is reasonable to expect that the draft thresholds referred to above will be introduced shortly after the law comes into force. The register reporting obligations for newly included assets and the enhanced cybersecurity incident reporting obligations both require rules to be made before they take effect, and that process is likely to begin immediately after commencement.
It is important that organisations understand how the law applies to them and the benefits of making submissions. The rule-making process for these obligations requires a consultation period of at least 28 days from publication of the relevant draft rules. For the cybersecurity incident reporting rules, the Minister must also directly inform entities that may be specified in the rules and provide a written response to any submissions made by those entities. This is a critical juncture for potentially affected organisations to ensure that the registration and cybersecurity incident reporting requirements are appropriately framed and right-sized for their operations.
With only a 28 day window in which to respond, we recommend that organisations that are potentially affected begin the work now to:
Please get in contact if you require help in understanding the potential impact of the new law on your operations.
© Norton Rose Fulbright LLP 2023