Home Insights Security of Critical Infrastructure: enhanced CIRMP rules now in force
Share

Security of Critical Infrastructure: enhanced CIRMP rules now in force

Following the release and subsequent consultation on an exposure draft of the proposed enhancements to the Critical Infrastructure Risk Management Program (CIRMP) rules, the Department of Home Affairs (the Department) has registered the final version of the Security of Critical Infrastructure Legislation Amendment (Enhanced Critical Infrastructure Risk Management Program) Rules 2026 (LIN 26/075) (enhanced CIRMP Rules). 

The enhanced CIRMP Rules commenced on 10 June 2026, and responsible entities have either 12 or 24 months to implement the uplifted requirements (depending on the particular requirement).

The enhanced CIRMP Rules build upon the existing CIRMP framework. They apply to a sub-set of high-risk asset classes already required to maintain a CIRMP under Part 2A of the Security of Critical Infrastructure Act 2018 (SOCI Act). The following table summarises the CIRMP rules applicable to various asset classes for which the CIRMP rules are switched on.

Asset classExisting CIRMP rulesEnhanced CIRMP rules
Critical broadcasting assetYesYes
Critical domain name systemYesYes
Critical data storage or processing assetYesNo
Critical electricity assetYesYes
Critical energy market operator assetYesYes
Critical telecommunications assets (via separate rules and telecommunications guidance) YesNo 
Critical gas assetsYesYes
Designated hospitalsYesNo
Critical food and grocery assetsYesNo
Critical freight infrastructure assetsYesYes
Critical freight services assetsYesYes
Critical liquid fuels assetsYesYes
Critical financial market infrastructure assets used in the operation of a payment systemYesNo
Critical water assetsYesYes
Assets declared to be critical infrastructure assets under s 51 of the ActYes (if specified in the relevant Ministerial declaration)No (if the relevant Ministerial declaration pre-dates the Enhanced CIRMP Rules)

While the final rules retain the broad objectives of the exposure draft (discussed in further detail in our previous insight, Security of Critical Infrastructure: proposed changes to Critical Infrastructure Risk Management Program and enhanced Ministerial Powers), several material changes have been introduced between the consulted version and the registered instrument. In this Insight, we set out the scope of the enhanced CIRMP Rules, summarise the key changes and their practical implications, and outline the relevant compliance timelines and transitional arrangements that responsible entities should be aware of.

Summary of the enhanced CIRMP Rules 

Extended grace periods

The original grace periods in the exposure draft have been amended, with responsible entities now having 12 months to implement requirements under s 6A, ss 8A(2) and 9A(2) (that is, on or before 10 June 2027). The table below summarises the relevant grace periods.

The remaining changes will need to be implemented within 24 months of commencement (that is, on or before 10 June 2028).

For assets that become critical infrastructure (CI) assets on or after 10 June 2026, the relevant grace period will run from the date the asset becomes a CI asset.  

Strengthened material risk obligations

Under s 6A of the enhanced CIRMP Rules, entities are now required to ‘establish and maintain a process or system’ that minimises or eliminates material risks as far as reasonably practicable. This includes risks associated with Australia's social and economic stability, national security or defence, foreign ownership, control or influence (FOCI), and offshore or remote access to critical components or business-critical data.   

The enhanced CIRMP Rules have increased compliance requirements since the exposure draft, adding an obligation to establish new or reform current processes to minimise or eliminate an expanded list of material risks. 

‘Critical workers’ requirements

The enhanced CIRMP Rules now require that all ‘critical workers’ be assessed as suitable via either an AusCheck background check or by holding a relevant security clearance. This is defined as an active security clearance at Negative Vetting 1 level or higher, issued by an Australian Government entity. 

Any critical worker unable to meet these requirements can still be granted access to the relevant critical asset, provided the entity’s CIRMP outlines the associated risks and relevant actions that have been taken, or will be taken as soon as reasonably practicable, to minimise or eliminate the identified risks. The Explanatory Statement clarifies that ‘unable to meet the requirements’ refers to circumstances where an AusCheck background check or security clearance cannot be obtained (particularly, for offshore workers or due to processing delays) rather than where a worker has undergone and failed a check. The exception permits a risk-based approach in the interim, while awaiting finalisation of checks and clearances, suggesting that the provision operates as a transitional measure rather than a permanent bypass.

Restructured cyber obligations

The proposed cyber obligations under the enhanced CIRMP Rules have been organised into four broad categories, incorporating many of the specific issues previously identified under the exposure draft. 

The multi-factor authentication (MFA) obligations have been slightly amended, with entities now only being required to implement an MFA process if they have elected to comply with a security framework that does not already require phishing-resistant MFA controls.

Penalties

The enhanced CIRMP Rules are subject to the same penalty regime that applies to the existing CIRMP rules. Generally, responsible entities face civil penalties of up to 200 penalty units for failing to maintain, comply with, and/or update a compliant CIRMP. As of the date of publishing, this is $330,000 for corporations.

Summary of enhanced obligations

The following tables summarise the enhanced obligations introduced by the enhanced CIRMP Rules, the areas of change and the applicable compliance periods. 

Additional material risks (s 6A)

Enhanced obligationObligation commencement 

Responsible entities must establish and maintain a process or system in their CIRMP to, so far as is reasonably practicable, minimise or eliminate specified material risks. These include: 

  • any impairment of the CI asset’s functions that could prejudice Australia’s social stability, economic stability, national security or defence;
     
  • compromise or impairment of the functions of the CI asset as a result of, or in connection with, FOCI;
     
  • offshore or remote access to critical components; and
     
  • offshore or remote access to business critical data. 
10 June 2027 (12-month grace period)

Cyber material risks – access management (s 8A(2))

Enhanced obligationObligation commencement 

Entities must establish and maintain a process in their CIRMP to, so far as is reasonably practicable, minimise or eliminate each of the following material risks: 

  • failure to patch or update operating or security systems in a timely manner;
     
  • failure to replace legacy systems, or adequately mitigate risks associated with components or technology that are redundant, unsupported, obsolete or discontinued;
     
  • deployment or hosting of advanced, novel or emerging technology in a manner that could prejudice the availability, integrity, reliability or confidentiality of the asset; and  
     
  • use of advanced, novel or emerging technology against the asset in a manner that could prejudice the availability, integrity, reliability or confidentiality of the CI asset.
10 June 2027 (12-month grace period)

Cyber security framework compliance (s 8A(3)–(4))

Enhanced obligationObligation commencement 

Under section 8A(3), responsible entities must establish and maintain a process or system in their CIRMP that complies with one of the frameworks identified (AS ISO/IEC 27001, Essential Eight, NIST CSF 2.0, C2M2, AESCSF). 

Equivalence can only be demonstrated against items 2, 4 or 5 of the framework table (Essential Eight, C2M2, AESCSF), excluding AS ISO/IEC27001 and NIST CSF 2.0 as equivalence benchmarks from the exposure draft. 

However, the Australian Signals Directorate (ASD) has announced it intends to phase out the Essential Eight framework within the next two years, replacing it with the new ‘Essentials’ series, which will be adapted to modern technology environments. The ASD has indicated the Essential Eight will remain a live document during a transition period before being deprecated and ultimately retired.

10 June 2028 (24-month grace period)

Credential compromise hazards (s 8B)

Enhanced obligationObligation commencement 

Where the chosen framework does not mandate phishing-resistant MFA, entities must establish and maintain a process or system in their CIRMP. This must outline the systems or networks where phishing-resistant MFA is required to authenticate access to internet connected computers and critical systems, privileged and unprivileged access to critical components, and remote access to computer applications, systems or services.

Responsible entities will also be required to minimise, eliminate or mitigate the relevant credential compromise hazards identified as far as reasonably practicable. 

Where responsible entities implement phishing-resistant MFA controls in accordance with ss 8B(4)–(5), they are deemed to satisfy the obligation to minimise or eliminate the relevant credential compromise hazard.

10 June 2028 (24-month grace period)

Lateral movement hazards (s 8C)

Enhanced obligationObligation commencement 

Entities must establish and maintain a process or system in their CIRMP to:

  • identify and maintain an inventory of critical systems and how they connect to other critical systems and computers;
     
  • recover and restore critical systems following an incident having a relevant impact;
     
  • ensure continued availability of the asset while rebuilding or restoring critical systems; and
     
  • so far as reasonably practicable, minimise or eliminate lateral movement hazards and mitigate their impact.

Network segregation compliant with s 8C(4) is deemed to satisfy the obligation to minimise or eliminate lateral movement hazards under s 8C(2)(d). 

10 June 2028 (24-month grace period)

Personnel access management (s 9A(2))

Enhanced obligationObligation commencement 

Entities must establish and maintain a process or system in their CIRMP to minimise or eliminate the material risk associated with: 

  • unauthorised or unsupervised access to critical components;
     
  • the compromise or misuse of credentials and privileged access used by individuals to access the CI asset;
     
  • access to the CI asset by persons other than critical workers; and
     
  • incoming and outgoing critical workers (i.e. onboarding and offboarding). 
10 June 2027 (12-month grace period)

Personnel suitability – background checking (s 9A(3)–(7))

Enhanced obligationObligation commencement 

Critical workers may only be permitted access to critical components where assessed as suitable via: 

  • an AusCheck background check (conducted at minimum every five years for ongoing access), followed by an entity-level suitability assessment considering the matters in s 9(5); or
     
  • holding a relevant security clearance (active at Negative Vetting 1 level or higher). 

If an employee is unable to meet the s 9A(4) requirements (for example, where a check cannot be obtained due to processing times), access may be granted, provided the CIRMP outlines the associated risks and actions taken (or to be taken) to minimise or eliminate those risks.

10 June 2028 (24-month grace period)

Supply chain hazards (s 10A)

Enhanced obligationObligation commencement 

Supply chain mapping (s 10A(2)–(3)): 

Entities will be required to establish and maintain a process or system to map their supply chains for major suppliers and critical components. Additionally, the process or system will be required to assess new and ongoing supply chain risks affecting the availability, integrity, reliability or confidentiality of critical components or business critical data. These risks will need to be mitigated or minimised in the CIRMP.  Additionally, responsible entities will need to identify the maximum acceptable outage, and include measures to address the risks or impacts of an outage which exceeds the specified period.

Vendor assessment (s 10A(4)–(5)): 

Entities must establish and maintain a process or system in their CIRMP to assess the risks of each existing or proposed major supplier, identifying: 

  • FOCI-related legislative or legal requirements;
     
  • restrictions, sanctions or impediments in the supplier’s jurisdiction;
     
  • the supplier’s access, influence and control over the asset;
     
  • the combined materiality of those factors (including whether they could exceed a maximum acceptable outage); and
     
  • steps to minimise or eliminate material risks. 
10 June 2028 (24-month grace period)

Physical security and natural hazards (s 11A)

Enhanced obligationObligation commencement 

Entities must establish and maintain a process or system in their CIRMP to centrally manage physical security and natural hazards (s 11A(1)(a)). So far as reasonably practicable, it needs to outline and consider the physical security consequences arising from the occurrence of all hazards, including cyber and information security hazards, credential compromise hazards, lateral movement hazards, other physical and natural hazards, personnel hazards, and supply chain hazards (s 11A(1)(b)). 

Specifically, entities must outline: 

  • the location, ownership and nature of the site;
     
  • the critical components of the CI asset; and
     
  • areas holding business-critical data or containing critical components. 
10 June 2028 (24-month grace period)

Implications for responsible entities and further regulatory change

The enhanced CIRMP Rules represent a significant uplift in risk management expectations for a group of critical infrastructure assets considered particularly important to Australia’s stability and security.

As we identified in our Insight article on the Department’s exposure draft, the Department will soon propose further amendments in line with the remaining recommendations contained in Dr Jill Slay’s independent review of the SOCI Act (the Review). These amendments are likely to include an expansion of the federal government’s powers under Part 3 of the SOCI Act, including new powers to allow the Minister to: 

  • issue directions to responsible entities for critical infrastructure assets where a specific vendor, product, service or technology presents a material security risk (including directions to cease using a specified vendor, product or service); and
     
  • impose conditions on reporting entities where the ownership, control or governance arrangements for a critical infrastructure asset create a material risk to national security. 

The Review also recommended a shift to a penalty-based risk management process, a broadened definition of critical infrastructure to encompass other sectors (including space assets and healthcare/food supply) and the introduction of a new definition of the higher education and research sector. In addition to these changes, the Department has also indicated that further consultation on extending the enhanced CIRMP framework to additional asset classes or sectors beyond those currently covered in the enhanced CIRMP Rules is likely. 

Responsible entities for affected asset classes should promptly undertake a detailed review of their existing CIRMPs and consider what changes are required to meet the enhanced obligations within the applicable grace periods. In particular, relevant entities should commence work on required uplifts to ensure they are ready for the 12 and 24 month compliance deadlines. Additionally, other entities not currently subject to the enhanced CIRMP Rules should consider the enhanced obligations with a view to uplifting their processes should more sectors be included under the enhanced CIRMP obligations.


Authors

James North

Head of Technology, Media and Telecommunications

Justin Gay

Special Counsel

Jack Matthews

Senior Associate

Rachael Rozengurt

Law Graduate


Tags

Technology, Media and Telecommunications Regulatory Cyber Security

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.

Share
  • Print article

Key Contacts

NORTH-james-highres_SMALL

James North

Head of Technology, Media and Telecommunications

Other Contacts

GAY Justin highres SMALL

Justin Gay

Special Counsel

MATTHEWS Jack SMALL

Jack Matthews

Senior Associate

Related Capabilities