Commonwealth Act
Security of Critical Infrastructure Act 2018 (Cth)
The Security of Critical Infrastructure Act regulates critical infrastructure risk, cyber incident reporting and government powers in Australia.
Plain-English explainers, not legal advice. Use the linked official source for section-level detail, and get advice for your situation.
Quick read
- The Security of Critical Infrastructure Act is specialist, but its reach can surprise suppliers.
- A small business may not own a critical asset, but it can still be pulled into customer security questionnaires, contract requirements, incident reporting flows, access controls...
Likely relevant if
- Businesses operating in or supplying critical infrastructure sectors
- Providers in or adjacent to the data, cloud, energy, communications, transport, health, food, water and finance sectors
- Suppliers to regulated critical infrastructure entities
Check first
- Check whether the business owns, operates or supplies a regulated critical infrastructure asset.
- Review customer contracts for cyber, incident, access and audit obligations linked to the Act.
- Maintain incident response, supplier-risk and access-control processes where required.
What happens if you get it wrong
Penalties & enforcement
Risks include government directions, penalties for reporting failures, regulatory action, contract breach, loss of enterprise customers and incident-response cost.
Enforced by the Cyber and Infrastructure Security Centre and the Department of Home Affairs
When this shows up in real life
Supplying software to a regulated customer
Expect security questionnaires, audit rights, incident notice clauses and data-access controls to become part of the contract negotiation.
A serious cyber incident occurs
Check whether the customer or the affected asset is covered, who must report and within what timeframe (the Act's reporting deadlines are measured in hours), and what contractual notices must be sent.
Plain-English glossary
- Critical infrastructure asset
- An asset in a regulated sector that may be subject to registration, risk management or incident reporting obligations.
- Responsible entity
- The entity with legal responsibility for a critical infrastructure asset under the Act.
- Cyber incident reporting
- Mandatory reporting of certain cyber incidents affecting regulated assets or services.
Common questions
Does this apply to every small business?
No. It is sector-specific. It matters most if the business owns, operates or supplies regulated critical infrastructure or handles systems that support those assets.
Why might suppliers care?
Regulated customers often push security, access, incident and audit obligations down into supplier contracts.