Understanding the proposed changes to the Security of Critical Infrastructure Act 2018
Published By
Adam McCarthy
April 13, 2021

As part of an overarching strategy to strengthen the security of Australia’s critical infrastructure assets, the government is proposing a series of new regulations that are expected to be ratified and come into force in the coming months.  
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced by the Department of Home Affairs in December last year following a period of consultation which attracted 194 public submissions.  


The proposed amendments are designed to give the Department of Home Affairs more teeth and to let it direct organisations that fall into certain categories to engage and collaborate with the relevant government security agencies in a more active fashion.  
In the Draft Bill, the sectors identified to be essential are:  

  • Communications
  • Data storage and processing
  • Defence
  • Financial services and markets
  • Food and grocery
  • Higher education and research
  • Healthcare 
  • Transport
  • Energy
  • Space technology
  • Water and sewerage.

There’s quite a significant geopolitical overlay to some of this legislation insofar as it’s been driven by a series of events that have been occurring against Australia and our allies, perpetrated in the main by foreign nationals and nation states.

When framed into the context of organisations and businesses that are critical to Australia’s security, the government having a direct role in making sure that we have stronger security within those critical sectors takes on much greater importance.  

The proposed changes will give the government the ability to actively respond via stepping into a commercial organisation that meets the criteria of an essential service, provided that the government have a bona fide and legitimate reason to do so, such as in the event of a breach.  

But the majority of the legislative changes are about making sure that the critical infrastructures that help run the nation (such as energy, water, financial markets, etc.) are more resilient to cyber-attacks, and that each of those is better placed in the event that it comes under attack.


ParaFlare is part of an overall tapestry of security controls and resiliency mechanisms within an organisation. We’re focused on providing detection and response to threats in a timely manner.  

Where the new legislation says that you’ve got 12 hours or 72 hours to report incidents, depending on their severity, that’s a key part of what our cyber operations team already does.  

We detect an issue, we investigate it, and we make sure it’s an incident that we have recorded and communicated effectively. That’s where we can help organisations meet the legislative requirements around the reporting of incidents, as well as tabletop activities, undertaking incident response activities, testing, and so on.  

This provides reassurance to our clients who are categorised in the critical infrastructure space that they are already equipped to meet the requirements of this new legislation once it becomes enshrined in law.  

You can learn more when the white paper covering this in detail is published to our registered readers. If you want to become one, please go to Contact Us on our website.
