This instrument is the Security of Critical Infrastructure Amendment (2025 Measures No. 1) Rules 2025.

(1) Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information
Column 1	Column 2	Coulmn 3
Provisions	Commencement	Date/Details
1. Sections 1 to 4 and anything in this instrument not elsewhere covered by this table	On the day after registration.
2. Schedule 1	The later of: (a) the day after this instrument is registered; and (b) immediately after the commencement of Parts 1 and 2 of Schedule 5 to the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024.
3. Schedule 2	The later of: (a) the day after this instrument is registered; and (b) immediately after the commencement of Parts 1 and 2 of Schedule 5 to the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024.

(2) Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.

3 Authority

This instrument is made under section 61 of the Security of Critical Infrastructure Act 2018.

4 Schedules

Each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.

Schedule 1—Amendments of the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023

Data storage systems and compliance with Part 2A obligations

1 Section 3 (note)

Repeal the note, substitute:

Note A number of expressions used in this instrument are defined in the Act, including:

(a) business critical data;

(b) critical component;

(d) critical infrastructure asset;

(e) critical worker;

(f) relevant impact;

(g) responsible entity;

(h) security.

2 Section 3

Insert:

Act means the Security of Critical Infrastructure Act 2018.

3 At the end of subsection 4(1)

Add:

Note A data storage system that satisfies all of the requirements under subsection 9(7) of the Act in respect of a critical infrastructure asset specified in subsection (1) is taken to be part of the critical infrastructure asset.

4 After subsection 4(3)

Insert:

Compliance with Part 2A obligations through other instruments

(4) Part 2 of this instrument does not apply in relation to a CI asset specified in subsection 4(1) (CIRMP Rule asset) if:

(a) an entity is the responsible entity for the CIRMP Rule asset; and

(b) that entity is also the responsible entity for a CI asset specified in another instrument for the purposes of paragraph 30AB(1)(a) of the Act (other asset); and

(c) a CIRMP that applies to the entity for the CIRMP Rule asset complies with the requirements specified for paragraph 30AH(1)(c) in the other instrument relating to the other asset (as if those requirements relate to the CIRMP Rule asset); and

(d) the entity complies with the requirements specified for subsections 30AKA(1),(3) and (5) in the other instrument (as if those requirements relate to the CIRMP Rule asset).

Example: An entity is a responsible entity for 2 assets—a critical broadcasting asset and a relevant critical infrastructure asset. The relevant critical infrastructure asset is specified in another instrument. The entity applies the requirements in the other instrument to its critical broadcasting asset as if the critical broadcasting asset is a relevant critical infrastructure asset. If the entity complies with the requirements in the other instrument for both assets, it is taken to have complied with the requirements in this instrument.

5 At the end of section 6

Add:

; (f) impact to the availability, integrity, reliability or confidentiality of the data storage system holding business critical data.

Schedule 2—Amendments of the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022

1 Section 3

Insert:

Act means the Security of Critical Infrastructure Act 2018.

relevant carriage service provider asset is a critical infrastructure asset owned or operated by a carriage service provider where:

(a) the asset is used in connection with the supply of at least 20,000 active total carriage services including any of the following:

(i) broadband services;

(ii) fixed telephone services;

(iii) public mobile telecommunications services;

(iv) voice only services; or

(b) the responsible entity for the asset is aware that the asset is used in connection with carriage services supplied to a Commonwealth entity (other than a body corporate established by a law of the Commonwealth).

2 Subsection 4(1) (note)

Repeal the note.

3 At the end of subsection 4(1)

Add:

; (n) a critical telecommunications asset that is:

(i) owned or operated by a carrier; or

(ii) a relevant carriage service provider asset.

Note 1 Under section 18A(1)(c) of the Act, Part 2 of the Act continues to apply to critical infrastructure assets that were critical infrastructure assets immediately before the commencement of section 18A.

Note 2 A data storage system that meets all of the requirements under subsection 9(7) of the Act in respect of a critical infrastructure asset specified in subsection (1) is taken to be part of the critical infrastructure asset.

4 At the end of subsection 5(1)

Add:

; (u) a critical telecommunications asset that is:

(i) owned or operated by a carrier; or

(ii) a relevant carriage service provider asset.

Note A data storage system that meets all of the requirements under subsection 9(7) of the Act in respect of a critical infrastructure asset specified in subsection (1) is taken to be part of the critical infrastructure asset.