Commonwealth Act

Security of Critical Infrastructure Act 2018 (Cth)

The Security of Critical Infrastructure Act regulates critical infrastructure risk, cyber incident reporting and government powers in Australia.

In forceCommonwealth4 practical checks

Plain-English explainers, not legal advice. Check the linked official source before you rely on a specific section, and get advice for your situation.

Get legal help

Start here

Quick read

The Security of Critical Infrastructure Act is specialist, but its reach can surprise suppliers.
A small business may not own a critical asset, but it can still be pulled into customer security questionnaires, contract requirements, incident reporting flows, access controls...

Likely relevant if

Businesses operating in or supplying critical infrastructure sectors
Data, cloud, energy, communications, transport, health, food, water and finance-adjacent providers
Suppliers to regulated critical infrastructure entities

Check first

Check whether the business owns, operates or supplies a regulated critical infrastructure asset.
Review customer contracts for cyber, incident, access and audit obligations linked to the Act.
Maintain incident response, supplier-risk and access-control processes where required.

What happens if you get it wrong

Penalties & enforcement

Risks include government directions, reporting failures, regulatory action, contract breach, loss of enterprise customers and incident-response cost.

Enforced by Cyber and Infrastructure Security Centre and the Department of Home Affairs

When this shows up in real life

1
Supplying software to a regulated customer
Expect security questionnaires, audit rights, incident notice clauses and data-access controls to become part of the contract negotiation.
2
A serious cyber incident occurs
Check whether the customer or asset is covered, who must report and what contractual notices must be sent.

Plain-English glossary

Critical infrastructure asset: An asset in a regulated sector that may be subject to registration, risk management or incident reporting obligations.
Responsible entity: The entity with legal responsibility for a critical infrastructure asset under the Act.
Cyber incident reporting: Mandatory reporting of certain cyber incidents affecting regulated assets or services.

Common questions

Does this apply to every small business?

No. It is sector-specific. It matters most if the business owns, operates or supplies regulated critical infrastructure or handles systems that support those assets.

Why might suppliers care?

Regulated customers often push security, access, incident and audit obligations down into supplier contracts.

How Sprintlaw can help

Start here

Quick read

The Security of Critical Infrastructure Act is specialist, but its reach can surprise suppliers.
A small business may not own a critical asset, but it can still be pulled into customer security questionnaires, contract requirements, incident reporting flows, access controls...

Likely relevant if

Businesses operating in or supplying critical infrastructure sectors
Data, cloud, energy, communications, transport, health, food, water and finance-adjacent providers
Suppliers to regulated critical infrastructure entities

Check first

Check whether the business owns, operates or supplies a regulated critical infrastructure asset.
Review customer contracts for cyber, incident, access and audit obligations linked to the Act.
Maintain incident response, supplier-risk and access-control processes where required.

When this shows up in real life

1
Supplying software to a regulated customer
Expect security questionnaires, audit rights, incident notice clauses and data-access controls to become part of the contract negotiation.
2
A serious cyber incident occurs
Check whether the customer or asset is covered, who must report and what contractual notices must be sent.

Plain-English glossary

Critical infrastructure asset: An asset in a regulated sector that may be subject to registration, risk management or incident reporting obligations.
Responsible entity: The entity with legal responsibility for a critical infrastructure asset under the Act.
Cyber incident reporting: Mandatory reporting of certain cyber incidents affecting regulated assets or services.

Common questions

Does this apply to every small business?

No. It is sector-specific. It matters most if the business owns, operates or supplies regulated critical infrastructure or handles systems that support those assets.

Why might suppliers care?

Regulated customers often push security, access, incident and audit obligations down into supplier contracts.

Security of Critical Infrastructure Act 2018 (Cth)

Start here

What happens if you get it wrong

When this shows up in real life

Plain-English glossary

Common questions

Related topics

How Sprintlaw can help

Security of Critical Infrastructure Act 2018 (Cth)

Start here

What happens if you get it wrong

When this shows up in real life

Plain-English glossary

Common questions

Related topics

How Sprintlaw can help