14 Apr 2025

New SOCI Rules Go Live – Changes for Data Storage Systems and Telco Assets

Brooke Hall-Carney and David Colovic

Key Points
  • Three sets of rules made under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) trigger a raft of compliance changes from April 2025.
  • CIRMPs for data storage systems – Amended CIRMP Rules expressly confirm that within their CIRMP, responsible entities must identify and manage risks to data storage systems that form part of their critical infrastructure asset. An impact to the availability, integrity, reliability or confidentiality of a data storage system holding business critical data is now designated as a material risk.
  • Register and cyber incident reporting for telco sector – Under amended Application Rules, the SOCI Act obligations in Part 2 (Register of Critical Infrastructure Assets) and Part 2B (Notification of cyber security incidents) have been switched on for critical telecommunications assets that are owned or operated by a carrier or a “relevant carriage service provider asset”. For such assets that come into existence after 4 April 2025, a grace period of six months for Part 2 obligations and three months for Part 2B obligations applies.
  • Heightened telco security and risk management obligations – New TSRMP Rules apply the s 30EB asset protection obligation and s 30EC notification obligation (under new SOCI Act Part 2D) to, respectively, a “relevant critical infrastructure asset” and a critical telecommunications asset that is owned or operated by a carrier. The TSRMP Rules also impose uplifted CIRMP obligations for relevant critical infrastructure assets (with a six-month grace period).
  • A “relevant carriage service provider asset” is a critical infrastructure asset owned or operated by a carriage service provider and used in connection with (a) the supply of at least 20,000 active total carriage services (including broadband or fixed telephone services, public mobile telecommunications services or voice only services); or (b) carriage services supplied to a Commonwealth entity.
  • A “relevant critical infrastructure asset” is a critical telecommunications asset that is owned or operated by a carrier or a relevant carriage service provider asset.

In our previous article here, we examined the six key changes to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) heralded by the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) (SOCI Amendment Act). Most, but not all, of those changes took effect on 20 December 2024.

The remaining pieces have now fallen into place, with the commencement on 4 April 2025 of:

  1. the Security of Critical Infrastructure Amendment (2025 Measures No. 1) Rules 2025 (Cth) (Amending Rules);
  2. the Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 (Cth) (TSRMP Rules); and
  3. Schedule 5 of the SOCI Amendment Act.

The Amending Rules amend both the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (Cth) (CIRMP Rules) and the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (Cth) (Application Rules).

IN A NUTSHELL
  • The amendments to the CIRMP Rules are relevant to responsible entities who own or operate a data storage system in connection with their primary critical infrastructure asset (where they meet given criteria).
  • The new TSRMP Rules, custom made for the critical telecommunications sector, along with the amended Application Rules, switch on a suite of obligations for carriers and certain carriage service providers.

We canvass below the important obligations arising from these three (new or updated) sets of Rules.

Details of the Schedule 5 amendments can be found here. To recap, those amendments consolidate into the SOCI Act security requirements previously dispersed across the SOCI regime and the Telecommunications Act 1997 (Cth) (Telecommunications Act). The Schedule 5 amendments also introduce enhanced security obligations for certain critical telecommunications assets, where prescribed by the TSRMP Rules, in the form of an asset protection obligation (SOCI Act s 30EB) and a related notification obligation (SOCI Act s 30EC). Additionally, they empower the Minister for Home Affairs to direct responsible entities, for any critical telecommunications asset, to stop using or supplying a carriage service (SOCI Act s 30EF).

CIRMP RULES – DATA STORAGE SYSTEMS

The amendments to the CIRMP Rules are intended to ensure that vulnerabilities within non-operational data storage systems are appropriately managed where those repositories hold (for example) business critical research and development or operational information, such that a compromise of the repository could in turn threaten critical infrastructure.[1]

The CIRMP Rules now require that responsible entities who are otherwise caught by those rules, and who therefore maintain a critical infrastructure risk management program (CIRMP), must also identify and manage risks to their data storage systems within their CIRMP, where those data storage systems are taken to be “part of” their critical infrastructure asset.

As addressed in our previous article, data storage systems are taken to be “part of” a critical infrastructure asset if they satisfy the following requirements under s 9(7) of the SOCI Act:[2]

  • the data storage system is owned or operated by the responsible entity for the critical infrastructure asset;
  • the data storage system is used (or is to be used) in connection with the critical infrastructure asset;
  • the data storage system stores or processes “business critical data” (as defined in s 5 of the SOCI Act) (whether exclusively or otherwise); and
  • where there is a material risk that a hazard could have an impact on the data storage system, there is also a material risk that the hazard could have a “relevant impact” (as defined in s 8G of the SOCI Act) on the primary critical infrastructure asset in question.

The amended CIRMP Rules also explicitly designate, as a material risk for the purposes of an entity’s CIRMP, an impact to the availability, integrity, reliability or confidentiality of the data storage system holding business critical data.[3]

To avoid duplication, where an entity is responsible for multiple critical infrastructure assets, the CIRMP Rules allow for streamlined compliance with risk management program obligations where those obligations are spread across multiple sets of SOCI rules.[4] For example:

  1. An entity might be a responsible entity for a critical broadcasting asset (as specified in the CIRMP Rules) and a relevant critical infrastructure asset (as specified in the TSRMP Rules).
  2. Rather than requiring the assets to have CIRMPs adhering to different requirements under the two sets of rules, the requirements of the CIRMP Rules will not apply to the critical broadcasting asset if:
    • it is subject to a CIRMP that is instead compliant with the TSRMP Rules; and
    • the requirements in that CIRMP apply to the critical broadcasting asset as if it were a relevant critical infrastructure asset.[5]

Timeline: These amendments are in effect from 4 April 2025.

APPLICATION RULES – CRITICAL TELECOMMUNICATIONS ASSETS

The amendments to the Application Rules bring telco carriers and certain other telco providers into alignment with a range of other critical infrastructure entities under the SOCI regime, reflective of the 2023-2030 Australian Cyber Security Strategy.[6]

The Application Rules now switch on, for a critical telecommunications asset that is either (a) owned or operated by a carrier or (b) a relevant carriage service provider asset:

  1. the reporting obligations for the Register of Critical Infrastructure Assets (as contained in the SOCI Act, Part 2); and
  2. the cyber security incidents notification obligations (as contained in the SOCI Act, Part 2B).

A “critical telecommunications asset” is defined as:[7]

  • a telecommunications network that is owned or operated by a carrier or a carriage service provider and used to supply a carriage service; or
  • any other asset that is owned or operated by a carrier or a carriage service provider and used in connection with the supply of a carriage service.

A “relevant carriage service provider asset” is defined as a critical infrastructure asset owned or operated by a carriage service provider, where:[8]

  • the asset is used in connection with the supply of at least 20,000 active total carriage services (including broadband or fixed telephone services, public mobile telecommunications services or voice only services); or
  • the responsible entity is aware that the asset is used in connection with carriage services supplied to a Commonwealth entity.

Timeline: These amendments are in effect from 4 April 2025. The relevant assets are already subject to equivalent cyber incident and register reporting obligations pursuant to instruments under the Telecommunications Act, which will remain in effect until 7 July 2025.[9] Grace periods apply to critical telecommunications assets caught by the Application Rules that come into existence after 4 April 2025 – six months from when the asset became a critical telecommunications asset caught by the Rules for Part 2 compliance and three months for Part 2B compliance.[10]

TSRMP RULES – HEIGHTENED TELCO SECURITY & RISK MANAGEMENT

The TSRMP Rules switch on heightened security obligations, as contained in the new Part 2D of the SOCI Act, for a subset of critical telecommunications assets. These enhanced obligations are bespoke for the sector, intended to address telecommunications-specific risks.

In summary, the TSRMP Rules:

  1. apply the new s 30EB protection obligation to relevant critical infrastructure assets;
  2. apply the new s 30EC notification obligation to any critical telecommunications assets that are owned or operated by a carrier; and
  3. apply CIRMP obligations to relevant critical infrastructure assets (with a six-month grace period).

Telco protection / notification obligations

Under the newly introduced Part 2D of the SOCI Act, section 30EB obliges a responsible entity to protect a critical telecommunications asset so far as reasonably practicable to ensure the confidentiality of communications carried on and information contained on the asset, as well as the asset’s availability and integrity. Pursuant to the TSRMP Rules, this protection obligation applies only to a “relevant critical infrastructure asset”,[11] namely, a critical telecommunications asset that is:[12]

  • owned or operated by a carrier; or
  • a “relevant carriage service provider asset” (see definition above).[13]

This definition is intended to reflect a proportionate, threshold-based approach as it subjects only a discrete class of critical telecommunications assets to security / protection obligations.[14] The SOCI Act’s government assistance, information gathering and direction powers remain applicable to all critical telecommunications assets.

Also under Part 2D, s 30EC obliges a responsible entity to provide the Secretary of the Department of Home Affairs with written notification of the implementation of a change, or proposed change, by the entity to a telecommunications service or telecommunications system that is likely to have a material adverse effect on the entity’s capacity to comply with its protection obligation. The TSRMP Rules apply this s 30EC notification obligation only to critical telecommunications assets owned or operated by a carrier.[15]

As part of the notification, s 17 of the TSRMP Rules requires the responsible entity to provide all information that is reasonably necessary to assess the change or proposed change. A non-exhaustive list of information that should be provided is also included (for example, a risk assessment or a timeline of the planning, development and implementation of the proposed changes).

Timeline: These obligations are in effect from 4 April 2025.

Uplifted risk management obligations

Finally, the TSRMP Rules apply the risk management program obligations contained in Part 2A of the SOCI Act to “relevant critical infrastructure assets” (see definition above).[16] This means that the responsible entity for a critical telecommunications asset that is:

  • owned or operated by a carrier; or
  • a “relevant carriage service provider asset”,

must have, and comply with, a CIRMP.

The TSRMP Rules replicate and uplift the requirements set out in the CIRMP Rules. Under s 9 of the TSRMP Rules, a CIRMP must comply with the following requirements:

  1. Identify the operational context of the relevant critical infrastructure asset.
  2. Identify the material risks, including but not limited to the specific risks that are to be taken as material risks in s 8 of the TSRMP Rules. For example, s 8 specifies, amongst others, that a stoppage of the asset’s function for an unmanageable period, an interference with a billing and charging system that is essential to the function of the asset, or remote access to operational control or operational monitoring systems of the asset, are all material risks.
  3. As far as it is reasonably practicable to do so, minimise or eliminate material risks and mitigate the relevant impact of each hazard on the asset.
  4. Include a mechanism for regular review of the CIRMP.
  5. Include a mechanism for maintaining currency of the CIRMP.

Further requirements are prescribed by the TSRMP Rules in respect of cyber and information security hazards (s 11), personnel hazards (s 12), supply chain hazards (s 14) and physical security hazards and natural hazards (s 15). Carriers in particular are required to comply with more stringent cybersecurity frameworks (s 11(4)).

Timeline: The TSRMP Rules have inbuilt grace periods for compliance with CIRMP obligations.[17] For any existing relevant critical infrastructure assets, the obligation does not take effect until 4 October 2025. For any assets that become a relevant critical infrastructure asset after 4 April 2025, the obligation does not take effect until six months after the asset became a relevant critical infrastructure asset.

NEXT STEPS

All organisations responsible for critical infrastructure assets should be implementing changes to risk and compliance frameworks, processes and documentation with respect to CIRMPs (alongside other SOCI obligations) to address any data storage systems that are now caught as ‘part of’ their primary critical infrastructure assets.

Telco sector entities will require careful risk management, compliance, reporting, incident management and security review, and uplift as required, to reflect the transfer of obligations from telecommunications legislation and instruments to the SOCI Act and its associated rules.