Industry Research and Development (Cyber Security Small Business Program) Instrument 2017

The Industry Research and Development (Cyber Security Small Business Program) Instrument 2017 is a Commonwealth legislative instrument made under section 33 of the Industry Research and Development Act 1986. Its role is narrow but important. It legally prescribes the Cyber Security Small Business Program for the purposes of that Act.

The instrument says the program has two connected purposes. First, it provides financial assistance to assist CREST Australia New Zealand Ltd, known as CREST ANZ, to grow the pool of CREST ANZ approved members and expand its range of cyber security services. Second, it provides financial assistance to co-fund small businesses to have their cyber security tested by CREST ANZ approved service providers.

That means the instrument is not a full operating manual for the program. It does not read like a grant guideline. Instead, it identifies the program, states what it is for, defines who counts as a small business for this program, and sets the constitutional limit within which the program is prescribed.

The instrument contains a specific definition of small business. For this program, a small business is an entity that:

1. has an ABN, 2. is registered for GST within the meaning of the GST legislation, and 3. employs fewer than 20 people.

All three elements matter. If a business does not have an ABN, is not registered for GST, or employs 20 or more people, it does not meet the definition used in this instrument.

The instrument refers to an entity, which is a term defined in the parent Act. The practical point for business owners is that the legal structure is less important than meeting the stated criteria. The key checks are your ABN status, GST registration status and employee count.

Based on the text of the instrument, businesses are usually outside this program if they do not satisfy the definition of small business or if they assume the program covers services beyond what the instrument describes.

That commonly includes businesses with 20 or more employees, businesses without an ABN, and businesses that are not registered for GST. It also includes businesses wanting to rely on the instrument for broader cyber support arrangements that are not described in the program itself.

The instrument also limits the prescribed program to the extent it is with respect to a specified Commonwealth legislative power. So a business should not assume the instrument supports every possible cyber security activity in every context. The legal footing is narrower than a general statement that the Commonwealth can fund any cyber initiative for any business.

A business would usually look at this instrument when it is trying to work out whether a government-backed cyber testing program exists in law and whether the business is the kind of business the program is aimed at.

Common trigger points include planning a cyber security review, looking for subsidised testing, checking whether a provider must hold a particular approval, or confirming whether your business falls within the program's small business definition before spending time on an application.

The instrument is also relevant if your business wants to understand the legal boundary of the program. It makes clear that the program is prescribed only to the extent it relates to the Commonwealth legislative power over postal, telegraphic, telephonic and other like services. For many modern businesses, that will point to communications-related digital systems and services, but the instrument itself does not provide worked examples or a broader operational explanation.

This instrument does not impose a long list of operational compliance steps on businesses. Its practical obligations are mostly threshold conditions and program limits that a business should verify before relying on it.

First, check eligibility against the definition of small business in the instrument. Second, if you are seeking co-funding for testing, confirm that the testing is by a CREST ANZ approved service provider, because that is how the program is described. Third, do not assume the instrument itself contains the application pathway, grant amount, payment mechanics, acquittal rules or reporting obligations. Those details are not set out in the text here.

For that reason, businesses should keep their legal and factual checks separate. The legal check is whether the instrument covers the program and whether your business is in scope. The administrative check is whether the current program materials, if available, set additional requirements for applying, proving eligibility, receiving funds or completing the funded activity.

Although the instrument does not prescribe a detailed document list, a prudent business should be ready to support the threshold matters it relies on. In practice, that means keeping records that show your ABN, GST registration and employee numbers, and confirming the provider's CREST ANZ approval status.

You should also keep a copy of the current program information you relied on when deciding to apply or proceed, because the instrument itself does not contain the operational detail many businesses expect. If there are separate program guidelines, application forms or funding terms, those documents may be critical to understanding what you must do in addition to meeting the legal definition in the instrument.

Businesses should avoid overstating what this instrument gives them. It does not itself promise a grant, approve a provider engagement, or set out a right to payment. It establishes the program and its legal scope. The rest depends on the current administration of the program.

One of the most important parts of this instrument is easy to miss. Section 6 specifies the legislative power of the Parliament for the purposes of subsection 33(3) of the Act. The specified power is the power to make laws with respect to postal, telegraphic, telephonic, and other like services.

The instrument also says the program is prescribed only to the extent that it is with respect to that specified legislative power. For business readers, the practical message is that this is not an unlimited statement of Commonwealth power. The program is tied to a particular constitutional footing.

If your business is considering relying on the program in a way that is unusual, borderline or not obviously connected with communications services, it is sensible to check the current program materials carefully and get advice if needed. The instrument itself does not explain how that constitutional limit is applied in day-to-day administration.

The instrument was made on 14 June 2017 and registered on 16 June 2017. It commenced on the day after registration, which was 17 June 2017. The Federal Register of Legislation records it as in force.

Before relying on this page, businesses should still check the current Federal Register entry and any current program administration material. An instrument can remain in force while the practical operation of a program changes, pauses or ends. The legal text here does not tell you whether applications are currently open or what funding settings apply now.

If you are considering this program, do not stop at the instrument itself. Use it as the legal foundation, then verify the current administrative position.

At a minimum, check whether the program is currently open, whether there are separate guidelines or terms, whether your proposed testing falls within the current program offering, and whether your chosen provider is currently approved by CREST ANZ. Also confirm that your business still satisfies the ABN, GST and employee-count requirements at the relevant time.

This approach helps avoid a common mistake: assuming that because a legislative instrument exists, the operational details are fixed inside it. In this case, they are not.