The recent amendments to the Security of Critical Infrastructure Act 2018 ("the Act'") constitute some of the most significant cybersecurity reforms in Australia's history.

In many respects, this reform agenda now leads the world. The Act is part of an increasingly complex cybersecurity regulatory ecosystem. This high-level summary provides a simple overview to help demystify the complexities of the new regime.


  1. The full Security of Critical Infrastructure Act reforms (split in two, in December 2021 and in March 2022) are now in force.
  2. While Government intervention and direction obligations have been in place since last December, positive security obligations and enhanced security obligations are now in effect.
  3. Despite the apparent simplicity of the regime, applicability remains complex and uncertain. The legislation covers a broad range of companies, arguably more than intended.
  4. Given this, many Australian corporates are now grappling with multiple legislative and regulatory regimes, in addition to the critical infrastructure reforms.
  5. Despite this complexity, these reforms are arguably the most ambitious and significant security reforms in Australian legislative history.
  6. This summary provides a high-level overview. We look to simplify a complex regime, acknowledging that complexity exists just below the surface and will invariably require a case-by-case assessment.


The Act introduces broad Government direction and intervention powers in respect of assets that relate to ten critical infrastructure sectors ("critical infrastructure sector assets"). The Act also imposes positive security obligations on entities ("responsible entities") that own or operate assets in those sectors that meet certain criticality thresholds ("critical infrastructure assets").1 and enhanced obligations apply to designated "systems of national significance". We clarify below what each obligation and power entails, and the sectors or assets in respect of which they apply.


This infographic provides a simplified visual presentation of the different "critical infrastructure assets" or "critical infrastructure sectors assets" which are or will be captured by new obligations or powers under the Act.

Hover over the different obligations or powers to reveal the assets or sectors covered. For more information about how the Act will apply to a specific asset, hover over the box for that asset.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.