
Commonwealth Act

Security of Critical Infrastructure Act 2018 (Cth)

The Security of Critical Infrastructure Act regulates critical infrastructure risk, cyber incident reporting and government powers in Australia.

Status: In force | Jurisdiction: Commonwealth | 4 practical checks

Plain-English explainers, not legal advice. Use the linked official source for section-level detail, and get advice for your situation.


Start here

Quick read

  • The Security of Critical Infrastructure Act is specialist legislation, but its reach can surprise suppliers.
  • A small business may not own a critical asset, but it can still be pulled into customer security questionnaires, contract requirements, incident reporting flows, access controls...

Likely relevant if

  • Businesses operating in or supplying critical infrastructure sectors
  • Data, cloud, energy, communications, transport, health, food, water and finance-adjacent providers
  • Suppliers to regulated critical infrastructure entities

Check first

  • Check whether the business owns, operates or supplies a regulated critical infrastructure asset.
  • Review customer contracts for cyber, incident, access and audit obligations linked to the Act.
  • Maintain incident response, supplier-risk and access-control processes where required.

What happens if you get it wrong

Penalties & enforcement

Risks include government directions, reporting failures, regulatory action, contract breach, loss of enterprise customers and incident-response cost.

Enforced by the Cyber and Infrastructure Security Centre and the Department of Home Affairs

When this shows up in real life

  1. Supplying software to a regulated customer

    Expect security questionnaires, audit rights, incident notice clauses and data-access controls to become part of the contract negotiation.

  2. A serious cyber incident occurs

    Check whether the customer or asset is covered, who must report and what contractual notices must be sent.

Plain-English glossary

Critical infrastructure asset
An asset in a regulated sector that may be subject to registration, risk management or incident reporting obligations.
Responsible entity
The entity with legal responsibility for a critical infrastructure asset under the Act.
Cyber incident reporting
Mandatory reporting of certain cyber incidents affecting regulated assets or services.

Common questions

Does this apply to every small business?

No. It is sector-specific. It matters most if the business owns, operates or supplies regulated critical infrastructure or handles systems that support those assets.

Why might suppliers care?

Regulated customers often push security, access, incident and audit obligations down into supplier contracts.
