If you are a responsible entity for, or direct interest holder in, a ‘critical infrastructure asset’ you have until 11 January 2019 to comply with your initial reporting obligations under the Security of Critical Infrastructure Act 2018. If you have not already done so, now is the time to start considering and collecting the information that you will need to report. This article will assist you in understanding the new reporting framework and your reporting obligations.
The Security of Critical Infrastructure Act 2018 (Act) and the Security of Critical Infrastructure Rules 2018 (Rules) came into operation on 11 July 2018. The stated aim of the legislation is to provide a framework for the Federal Government to manage risks to national security relating to the ownership and control of Australia’s critical infrastructure. The Act provides for:
- the creation of a register of information in relation to critical infrastructure assets (which will not be made public);
- owners and operators of critical infrastructure assets to provide prescribed information about the critical infrastructure asset, and to notify the Government if that information becomes incorrect or incomplete; and
- ministerial power to issue directions to owners and operators of critical infrastructure assets to eliminate or reduce a risk to Australia’s security (for example, directing an owner not to outsource operations of its core network to certain providers).
The Act is directed at managing the risk of espionage, sabotage and coercion resulting from foreign involvement in Australia’s critical infrastructure and, for now, is limited to the electricity, gas, water and port sectors on the basis that these sectors have been identified as the highest risk sectors capable of significantly impacting Australia’s economic interests, government operations, defence capabilities and the general public.
Overview of reporting requirements
The Act imposes reporting obligations on the responsible entity for, and the direct interest holders in, critical infrastructure assets.
Responsible entities are required to report on operational information in relation to an asset, whilst direct interest holders are required to report on interest and control information. An entity may be both the responsible entity for a critical infrastructure asset and a direct interest holder in relation to the asset.
What is a critical infrastructure asset?
A critical electricity asset is a distribution or transmission network or an interconnector servicing at least 100,000 customers, a generator contracted to provide ‘system restart services’ or a synchronous generator with an installed capacity of at least an amount set out in subsection 6 of the Rules.
A critical gas asset includes:
- a gas processing facility that has a capacity of at least 300 terajoules per day;
- a gas storage facility that has a maximum daily quantity of at least 75 terajoules per day;
- a gas distribution network ultimately servicing at least 100,000 customers; or
- a gas transmission pipeline with a prescribed nameplate rating as set out in subsection 8 of the Rules.
A critical water asset is a water or sewerage system or network managed by a single water utility that ultimately services at least 100,000 water connections or 100,000 sewerage connections.
The Act specifies a list of 20 major ports as critical infrastructure assets.
An asset declared by the Minister for Home Affairs (Minister) to be a critical infrastructure asset pursuant to the Act.
Reporting requirements for responsible entities
A responsible entity for a critical infrastructure asset is:
- for critical electricity, gas and water assets – the holder of the licence, approval or authorisation to operate the asset or provide the service from the asset;
- for critical water assets – the water utility that holds the licence, approval or authorisation to provide the service delivered by the asset;
- for a port – the port operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003);
- an entity declared by the Minister as the responsible entity for a critical infrastructure asset, or an entity specified by the Rules in relation to an asset prescribed to be a critical infrastructure asset.
A responsible entity must report operational information in relation to an asset, which includes:
- the location of the asset;
- the responsible entity for, or operator of, the asset (including name, ABN, country of incorporation/formation), noting that the operator may also be the responsible entity;
- the chief executive officer of the responsible entity and the countries of which the CEO is a citizen; and
- a description of:
  - the area the asset services;
  - the arrangements under which each operator operates the asset (or part of the asset); and
  - the arrangements under which data prescribed by the rules relating to the asset is maintained.
Reporting requirements for direct interest holders
A direct interest holder in a critical infrastructure asset is an entity that:
- together with any associates of the entity, holds an interest of at least 10% in the asset (including if any of the interests are held jointly with one or more other entities); or
- holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.
If an entity is a direct interest holder in relation to a critical infrastructure asset, it is required to report on interest and control information in relation to the entity and the asset, being:
- details of the entity including name, ABN, address of head office, country of incorporation;
- the type and level of interest held in the asset;
- information about the influence or control that may be exercised by the entity in relation to the asset;
- details of the ability of a person, appointed by the entity to the body that governs the asset, to directly access networks or systems that are necessary for the operation or control of the asset; and
- details of any entities that are in a position to directly or indirectly influence or control the reporting entity.
When do you have to report?
Reporting entities have until 11 January 2019 in which to provide the requisite control and ownership and notifiable event information to the Secretary.
Thereafter, reporting entities must report the operational information or interest and control information (as applicable) in respect of critical infrastructure assets by the later of:
- six months from when an asset becomes a critical infrastructure asset; and
- 30 days after the day it becomes a reporting entity for the asset.
Further, reporting entities are under an ongoing obligation to give information to the Secretary where a ‘notifiable event’ occurs in relation to the asset and will have 30 days from the notifiable event occurring to do so.
A notifiable event is an event:
- that has the effect that the operational information or interest and control information previously obtained by the Secretary becomes incorrect or incomplete;
- that is an entity becoming a reporting entity for the asset; or
- that is a reporting entity for the asset becoming an entity to which the Act applies (e.g. where an entity that does not fall within the definition of entity under clause 5 of the Act changes its structure, for example by becoming an incorporated body).
The Act acknowledges that reporting entities won’t always have ready access to the information they are required to provide to the Department of Home Affairs, and so they will not be taken to have breached their initial or ongoing obligations mentioned above if, after using their best endeavours, they were unable to obtain the required information.
Where a reporting entity fails to comply with the obligations to provide information for the register, it will be liable to a civil penalty of up to 50 civil penalty units. This penalty equates to $10,500 per day of contravention.
The Government may also seek a performance injunction to compel the entity to register its information, or propose an enforceable undertaking with the entity.
Should you have any questions regarding the Security of Critical Infrastructure Act 2018 or require assistance leading up to the January reporting deadline, please contact us.