This Act creates a framework for managing risks relating to critical infrastructure.

The framework consists of the following:

  (a)   the keeping of a register of information in relation to critical infrastructure assets (the register will not be made public);

  (b)   requiring the responsible entity for one or more critical infrastructure assets to have, and comply with, a critical infrastructure risk management program (unless an exemption applies);

  (c)   requiring notification of cyber security incidents;

  (d)   imposing enhanced cyber security obligations that relate to systems of national significance;

  (e)   requiring certain entities relating to a critical infrastructure asset to provide information in relation to the asset, and to notify if certain events occur in relation to the asset;

  (f)   allowing the Minister to require certain entities relating to a critical infrastructure asset to do, or refrain from doing, an act or thing if the Minister is satisfied that there is a risk of an act or omission that would be prejudicial to security;

  (g)   allowing the Secretary to require certain entities relating to a critical infrastructure asset to provide certain information or documents;

  (h)   setting up a regime for the Commonwealth to respond to serious cyber security incidents;

  (i)   allowing the Secretary to undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset.

Certain information obtained or generated under, or relating to the operation of, this Act is protected information. There are restrictions on when a person may make a record of, use or disclose protected information.

Civil penalty provisions of this Act may be enforced using civil penalty orders, injunctions or infringement notices, and enforceable undertakings may be accepted in relation to compliance with civil penalty provisions. The Regulatory Powers Act is applied for these purposes. Certain provisions of this Act are subject to monitoring and investigation under the Regulatory Powers Act. Certain provisions of this Act may be enforced by imposing a criminal penalty.

The Minister may privately declare an asset to be a critical infrastructure asset.

The Minister may privately declare a critical infrastructure asset to be a system of national significance.

The Secretary must give the Minister reports, for presentation to the Parliament, on the operation of this Act.