13 July 2026
Following the release and subsequent consultation on an exposure draft of the proposed enhancements to the Critical Infrastructure Risk Management Program (CIRMP) rules, the Department of Home Affairs (the Department) has registered the final version of the Security of Critical Infrastructure Legislation Amendment (Enhanced Critical Infrastructure Risk Management Program) Rules 2026 (LIN 26/075) (enhanced CIRMP Rules).
The enhanced CIRMP Rules commenced on 10 June 2026, and responsible entities have either 12 or 24 months to implement the uplifted requirements (depending on the particular requirement).
The enhanced CIRMP Rules build upon the existing CIRMP framework. They apply to a sub-set of high-risk asset classes already required to maintain a CIRMP under Part 2A of the Security of Critical Infrastructure Act 2018 (SOCI Act). The following table summarises the CIRMP rules applicable to various asset classes for which the CIRMP rules are switched on.
| Asset class | Existing CIRMP rules | Enhanced CIRMP rules |
|---|---|---|
| Critical broadcasting asset | Yes | Yes |
| Critical domain name system | Yes | Yes |
| Critical data storage or processing asset | Yes | No |
| Critical electricity asset | Yes | Yes |
| Critical energy market operator asset | Yes | Yes |
| Critical telecommunications assets (via separate rules and telecommunications guidance) | Yes | No |
| Critical gas assets | Yes | Yes |
| Designated hospitals | Yes | No |
| Critical food and grocery assets | Yes | No |
| Critical freight infrastructure assets | Yes | Yes |
| Critical freight services assets | Yes | Yes |
| Critical liquid fuels assets | Yes | Yes |
| Critical financial market infrastructure assets used in the operation of a payment system | Yes | No |
| Critical water assets | Yes | Yes |
| Assets declared to be critical infrastructure assets under s 51 of the Act | Yes (if specified in the relevant Ministerial declaration) | No (if the relevant Ministerial declaration pre-dates the Enhanced CIRMP Rules) |
While the final rules retain the broad objectives of the exposure draft (discussed in further detail in our previous insight, Security of Critical Infrastructure: proposed changes to Critical Infrastructure Risk Management Program and enhanced Ministerial Powers), several material changes have been introduced between the consulted version and the registered instrument. In this Insight, we set out the scope of the enhanced CIRMP Rules, summarise the key changes and their practical implications, and outline the relevant compliance timelines and transitional arrangements that responsible entities should be aware of.
The original grace periods in the exposure draft have been amended, with responsible entities now having 12 months to implement requirements under s 6A, ss 8A(2) and 9A(2) (that is, on or before 10 June 2027). The table below summarises the relevant grace periods.
The remaining changes will need to be implemented within 24 months of commencement (that is, on or before 10 June 2028).
For assets that become critical infrastructure (CI) assets on or after 10 June 2026, the relevant grace period will run from the date the asset becomes a CI asset.
Under s 6A of the enhanced CIRMP Rules, entities are now required to ‘establish and maintain a process or system’ that minimises or eliminates material risks as far as reasonably practicable. This includes risks associated with Australia's social and economic stability, national security or defence, foreign ownership, control or influence (FOCI), and offshore or remote access to critical components or business-critical data.
The enhanced CIRMP Rules have increased compliance requirements since the exposure draft, adding an obligation to establish new or reform current processes to minimise or eliminate an expanded list of material risks.
The enhanced CIRMP Rules now require that all ‘critical workers’ be assessed as suitable via either an AusCheck background check or by holding a relevant security clearance. This is defined as an active security clearance at Negative Vetting 1 level or higher, issued by an Australian Government entity.
Any critical worker unable to meet these requirements can still be granted access to the relevant critical asset, provided the entity’s CIRMP outlines the associated risks and relevant actions that have been taken, or will be taken as soon as reasonably practicable, to minimise or eliminate the identified risks. The Explanatory Statement clarifies that ‘unable to meet the requirements’ refers to circumstances where an AusCheck background check or security clearance cannot be obtained (particularly, for offshore workers or due to processing delays) rather than where a worker has undergone and failed a check. The exception permits a risk-based approach in the interim, while awaiting finalisation of checks and clearances, suggesting that the provision operates as a transitional measure rather than a permanent bypass.
The proposed cyber obligations under the enhanced CIRMP Rules have been organised into four broad categories, incorporating many of the specific issues previously identified under the exposure draft.
The multi-factor authentication (MFA) obligations have been slightly amended, with entities now only being required to implement an MFA process if they have elected to comply with a security framework that does not already require phishing-resistant MFA controls.
The enhanced CIRMP Rules are subject to the same penalty regime that applies to the existing CIRMP rules. Generally, responsible entities face civil penalties of up to 200 penalty units for failing to maintain, comply with, and/or update a compliant CIRMP. As of the date of publishing, this is $330,000 for corporations.
The following tables summarise the enhanced obligations introduced by the enhanced CIRMP Rules, the areas of change and the applicable compliance periods.
Additional material risks (s 6A)
| Enhanced obligation | Obligation commencement |
|---|---|
Responsible entities must establish and maintain a process or system in their CIRMP to, so far as is reasonably practicable, minimise or eliminate specified material risks. These include:
| 10 June 2027 (12-month grace period) |
Cyber material risks – access management (s 8A(2))
| Enhanced obligation | Obligation commencement |
|---|---|
Entities must establish and maintain a process in their CIRMP to, so far as is reasonably practicable, minimise or eliminate each of the following material risks:
| 10 June 2027 (12-month grace period) |
Cyber security framework compliance (s 8A(3)–(4))
| Enhanced obligation | Obligation commencement |
|---|---|
Under section 8A(3), responsible entities must establish and maintain a process or system in their CIRMP that complies with one of the frameworks identified (AS ISO/IEC 27001, Essential Eight, NIST CSF 2.0, C2M2, AESCSF). Equivalence can only be demonstrated against items 2, 4 or 5 of the framework table (Essential Eight, C2M2, AESCSF), excluding AS ISO/IEC27001 and NIST CSF 2.0 as equivalence benchmarks from the exposure draft. However, the Australian Signals Directorate (ASD) has announced it intends to phase out the Essential Eight framework within the next two years, replacing it with the new ‘Essentials’ series, which will be adapted to modern technology environments. The ASD has indicated the Essential Eight will remain a live document during a transition period before being deprecated and ultimately retired. | 10 June 2028 (24-month grace period) |
Credential compromise hazards (s 8B)
| Enhanced obligation | Obligation commencement |
|---|---|
Where the chosen framework does not mandate phishing-resistant MFA, entities must establish and maintain a process or system in their CIRMP. This must outline the systems or networks where phishing-resistant MFA is required to authenticate access to internet connected computers and critical systems, privileged and unprivileged access to critical components, and remote access to computer applications, systems or services. Responsible entities will also be required to minimise, eliminate or mitigate the relevant credential compromise hazards identified as far as reasonably practicable. Where responsible entities implement phishing-resistant MFA controls in accordance with ss 8B(4)–(5), they are deemed to satisfy the obligation to minimise or eliminate the relevant credential compromise hazard. | 10 June 2028 (24-month grace period) |
Lateral movement hazards (s 8C)
| Enhanced obligation | Obligation commencement |
|---|---|
Entities must establish and maintain a process or system in their CIRMP to:
Network segregation compliant with s 8C(4) is deemed to satisfy the obligation to minimise or eliminate lateral movement hazards under s 8C(2)(d). | 10 June 2028 (24-month grace period) |
Personnel access management (s 9A(2))
| Enhanced obligation | Obligation commencement |
|---|---|
Entities must establish and maintain a process or system in their CIRMP to minimise or eliminate the material risk associated with:
| 10 June 2027 (12-month grace period) |
Personnel suitability – background checking (s 9A(3)–(7))
| Enhanced obligation | Obligation commencement |
|---|---|
Critical workers may only be permitted access to critical components where assessed as suitable via:
If an employee is unable to meet the s 9A(4) requirements (for example, where a check cannot be obtained due to processing times), access may be granted, provided the CIRMP outlines the associated risks and actions taken (or to be taken) to minimise or eliminate those risks. | 10 June 2028 (24-month grace period) |
Supply chain hazards (s 10A)
| Enhanced obligation | Obligation commencement |
|---|---|
Supply chain mapping (s 10A(2)–(3)): Entities will be required to establish and maintain a process or system to map their supply chains for major suppliers and critical components. Additionally, the process or system will be required to assess new and ongoing supply chain risks affecting the availability, integrity, reliability or confidentiality of critical components or business critical data. These risks will need to be mitigated or minimised in the CIRMP. Additionally, responsible entities will need to identify the maximum acceptable outage, and include measures to address the risks or impacts of an outage which exceeds the specified period. Vendor assessment (s 10A(4)–(5)): Entities must establish and maintain a process or system in their CIRMP to assess the risks of each existing or proposed major supplier, identifying:
| 10 June 2028 (24-month grace period) |
Physical security and natural hazards (s 11A)
| Enhanced obligation | Obligation commencement |
|---|---|
Entities must establish and maintain a process or system in their CIRMP to centrally manage physical security and natural hazards (s 11A(1)(a)). So far as reasonably practicable, it needs to outline and consider the physical security consequences arising from the occurrence of all hazards, including cyber and information security hazards, credential compromise hazards, lateral movement hazards, other physical and natural hazards, personnel hazards, and supply chain hazards (s 11A(1)(b)). Specifically, entities must outline:
| 10 June 2028 (24-month grace period) |
The enhanced CIRMP Rules represent a significant uplift in risk management expectations for a group of critical infrastructure assets considered particularly important to Australia’s stability and security.
As we identified in our Insight article on the Department’s exposure draft, the Department will soon propose further amendments in line with the remaining recommendations contained in Dr Jill Slay’s independent review of the SOCI Act (the Review). These amendments are likely to include an expansion of the federal government’s powers under Part 3 of the SOCI Act, including new powers to allow the Minister to:
The Review also recommended a shift to a penalty-based risk management process, a broadened definition of critical infrastructure to encompass other sectors (including space assets and healthcare/food supply) and the introduction of a new definition of the higher education and research sector. In addition to these changes, the Department has also indicated that further consultation on extending the enhanced CIRMP framework to additional asset classes or sectors beyond those currently covered in the enhanced CIRMP Rules is likely.
Responsible entities for affected asset classes should promptly undertake a detailed review of their existing CIRMPs and consider what changes are required to meet the enhanced obligations within the applicable grace periods. In particular, relevant entities should commence work on required uplifts to ensure they are ready for the 12 and 24 month compliance deadlines. Additionally, other entities not currently subject to the enhanced CIRMP Rules should consider the enhanced obligations with a view to uplifting their processes should more sectors be included under the enhanced CIRMP obligations.
Authors
Head of Technology, Media and Telecommunications
Partner
Special Counsel
Senior Associate
Lawyer
Law Graduate
Tags
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.