This article applies to organisations across Australia that are responsible entities for ‘critical telecommunications assets’ (as defined below).
Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth)
Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 (Cth)
On 4 April 2025, relevant parts of the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) (the Amending Act) amended the Security of Critical Infrastructure Act 2018 (Cth) (the Act) and the Telecommunications Act 1997 (Cth) (Telecommunications Act).
To coincide with the commencement of those parts of the Amending Act, the Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 (Cth) (the new Rules) also commenced operation on 4 April 2025.
What’s changed?
By way of overview, the Amending Act has removed the key security obligations for telecommunications assets from the Telecommunications Act and has consolidated and enhanced those provisions and inserted them into the Act. In essence, the Amending Act introduces into the Act enhanced security requirements for critical telecommunications assets, so that the security regulation of critical telecommunications assets is aligned with that of other critical infrastructure assets and those assets are protected from emerging cyber risks.
Further Information
New enhanced security requirements for critical telecommunications assets
First, it is important to note that the definition of a critical telecommunications asset in the Act has now been expanded to also include:
- any other asset that is:
- owned or operated by a carrier or a carriage service provider; and
- used in connection with the supply of a carriage service.
As a result of this expanded definition, assets owned or operated by carriers and carriage service providers which are used in connection with the supply of a carriage service are now captured by the Act. The Explanatory Memorandum to the Amending Act provides examples of assets captured under the new definition. These include, but are not limited to, the following assets (to the extent they are used in connection with the supply of a carriage service):
- secondary data storage assets;
- assets owned or operated by carriage service providers;
- virtual assets; and
- assets that don’t directly make up part of a telecommunications network but support its function or are critical to carrying on a carriage supply business.
We note that newly introduced section 30EB of the Act requires a responsible entity, in short, to protect a critical telecommunications asset (so far as is reasonably practicable) so as to ensure the confidentiality of communications carried on, and information contained on, the asset, as well as the availability and integrity of the asset. It is important to note that under the new Rules, this new obligation in section 30EB applies only to a ‘relevant critical infrastructure asset’, which is defined in the new Rules as a critical telecommunications asset that is:
- owned or operated by a carrier; or
- a relevant carriage service provider asset.
We note that a relevant carriage service provider asset is defined in the new Rules as a critical infrastructure asset owned or operated by a carriage service provider where:
- the asset is used in connection with the supply of at least 20,000 active carriage services in total, including any of the following:
- broadband services;
- fixed telephone services;
- public mobile telecommunications services;
- voice only services; or
- the responsible entity for the asset is aware that the asset is used in connection with carriage services supplied to a Commonwealth entity (other than a body corporate established by a law of the Commonwealth).
Organisations that are responsible entities for a relevant critical infrastructure asset should note that failure to comply with newly introduced section 30EB incurs a sanction of 1500 penalty units (currently $495,000).
Responsible entity to notify certain changes and proposed changes to telecommunications service or system
We also note that newly introduced section 30EC of the Act now requires a responsible entity for a critical telecommunications asset that is owned or operated by a carrier to provide the Secretary of the Department of Home Affairs (Department) with written notification of a change, or a proposed change, by the entity to a telecommunications service or telecommunications system that is likely to have a material adverse effect on the entity’s capacity to comply with its protection obligation under section 30EB of the Act. Rule 17 of the new Rules sets out the information that must be provided to the Department under section 30EC. That information includes, for example, a risk assessment of the change or proposed change which considers (where relevant) material risks, supply chain hazards, physical security and natural hazards, personnel hazards, and cyber and information security hazards.
Failure to notify the Department under section 30EC incurs a penalty of 300 penalty units (currently $99,000).
New critical infrastructure risk management program requirements
Finally, rule 7 of the new Rules applies the risk management program requirements in the Act to relevant critical infrastructure assets. This means that a responsible entity for a relevant critical infrastructure asset (i.e. a critical telecommunications asset that is owned or operated by a carrier, or a relevant carriage service provider asset) must have a critical infrastructure risk management program (CIRMP) that complies with the requirements set out in the new Rules. For example, rule 9 of the new Rules requires that the CIRMP identify the operational context of the relevant critical infrastructure asset and identify its material risks, including but not limited to the material risks specified in rule 8 of the new Rules, and rule 11 of the new Rules sets out requirements in relation to cyber and information security hazards.
Importantly, the new Rules provide a ‘grace period’ for responsible entities for relevant critical infrastructure assets to comply with these new CIRMP requirements: the requirements only take effect from 4 October 2025 (or, for an asset that becomes a relevant critical infrastructure asset after commencement, 6 months after it becomes one).
What you should do
Organisations that are responsible entities for critical telecommunications assets should update their incident management and security procedures to ensure compliance with the new requirements under sections 30EB and 30EC of the Act, and with the new CIRMP requirements, discussed above.
We also encourage organisations to refer to the comprehensive Telecommunications Guidance Document prepared by the Department of Home Affairs. This document is designed to provide practical guidance for responsible entities for critical telecommunications assets in relation to the new changes discussed above.