The Security of Critical Infrastructure Act 2018 (Cth) (the Act) came into force on 11 July 2018 to strengthen the Government’s ability to protect Australia’s “critical infrastructure assets” (being, certain ports, water assets, and gas and electricity assets) from the risk of espionage, sabotage and coercion.

Given that most critical infrastructure in Australia is privately owned or operated, the Act introduces measures to cover gaps in the Government’s understanding of the ownership and control of critical infrastructure, and the lack of mechanisms to identify, manage and respond to national security risks.

The two key mechanisms under the Act to achieve its objectives are the establishment of a register of the interest, control and operational information regarding critical infrastructure assets and providing the Minister of Home Affairs with the power to issue directions to an owner or operator of a critical infrastructure asset to mitigate national security risks (for example, directing a critical infrastructure asset owner to not outsource operations of its core network to certain providers).

The Act places obligations on “direct interest holders” (owners or controllers of critical infrastructure assets) and “responsible entities” (entities that hold a licence or authorisation to operate a critical infrastructure asset, but may not own the asset, i.e. a port operator), both considered “reporting entities”, to report certain information to the Secretary of the Attorney-General’s Department.

What does this mean for you?

Reporting entities should already be considering what information needs to be disclosed. Reporting entities have six months after the commencement of the Act to provide this information to the Attorney-General’s Department.

Reporting Entities should also be considering whether any additional measures are required under their contracting arrangements to ensure compliance with the Act.

Finally, reporting entities and investors should also be aware of the continuous obligation to provide updated information within 30 days if the information on the register becomes incorrect or incomplete or if a new entity becomes a reporting entity in relation to an asset.