Security of Critical Infrastructure Risk Management Program Rules Introduced

This article applies to responsible entities for critical infrastructure assets and will likely amend the NATIONAL – Security of Critical Infrastructure topic.

Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules (Cth)

Please be advised that the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules (Cth) (the Rules) commenced on 17 February 2023, under the Security of Critical Infrastructure Act 2018 (Cth) (the Act).

Critical infrastructure risk management programs

Part 2A of the Act provides that the responsible entity for one or more critical infrastructure assets, to which Part 2A applies, must have, and comply with, a critical infrastructure risk management program (CIRMP) unless an exemption applies.

A CIRMP is a written program, the purpose of which under the Act is to require a responsible entity for a critical infrastructure asset:

  • to identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset; and
  • so far as it is reasonably practicable to do so—to minimise or eliminate any material risk of such a hazard occurring; and
  • so far as it is reasonably practicable to do so—to mitigate the relevant impact of such a hazard on the asset.

The Rules effectively ‘switch on’ the CIRMP requirements by specifying the critical infrastructure assets to which Part 2A of the Act applies and the CIRMP requirements for the responsible entities for those assets.


The Rules have specified the assets that are required to have critical infrastructure risk management programs. Among the assets specified, the following are included:

  • a critical energy market operator asset;
  • a designated hospital;
  • a critical food and grocery asset;
  • a critical freight infrastructure asset;
  • a critical freight services asset;
  • a critical water asset.

Organisations that operate a hospital should view the list of designated hospitals set out in Schedule 1 of the Rules.

Organisations that are responsible entities for the above-mentioned assets will have a 6 month grace period (until 17 August 2023) to adopt a CIRMP.

If an asset becomes a critical asset, then the requirements under Part 2A of the Act do not apply until 6 months after the asset becomes a critical asset or 6 months after the commencement of the Rule, on 17 August 2023, whichever is later.

Material risks

The definition of material risk for the purpose of the Act has been expanded on under the Rules to include:

  • the stoppage or major shutdown of the organisation’s function for an unmanageable period,
  • the substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the organisation’s assets;
  • an interference with the organisation’s operational technology or information communication technology essential to the functioning of the organisation;
  • the storage, transmission or processing of sensitive operational information outside Australia, which includes:
    • layout diagrams;
    • schematics;
    • geospatial information;
    • configuration information;
    • operational constraints or tolerances information;
    • data that a reasonable person would consider to be confidential or sensitive about the organisation; and
  • remote access to operational control or operational monitoring systems of the organisation.


The Rules also clarify the hazards for which organisations must establish and maintain processes and systems in the organisation’s risk management program. These processes include, but are not limited to, identifying the operational context of the organisation’s critical asset and the material risks to that asset, minimising or eliminating material risks and mitigating the relevant impact of each hazard on the organisation’s critical assets.

The Rules also prescribe specific processes or systems that are required in an organisation’s risk management program for cyber and information security, personnel, supply chains, physical security hazards and natural hazards.

Please click here to access the full version of the Rules.

How Health Legal can help:

For further information please contact the Health Legal and Law Compliance team via our contact page here.