Banking
Security of Critical Infrastructure Act: What are the covered sectors and assets?
This infographic gives a simplified visual presentation of which security obligations apply to, and which powers can be exercised in respect of, the different critical infrastructure assets or sectors under the Security of Critical Infrastructure Act.
Hold over the different heading to reveal the assets or sectors covered. For more information about how the Act will apply to a specific asset, hold over the box for that asset.
Financial
Services
Superannuation
Financial Markets Infrastructure
Insurance
Transport
Aviation
Public Transport
Freight Services
Freight Infrastructure
Port
Communications
Domain Name
Systems
Broadcasting
Carriers and carriage service providers are subject to sector specific requirements under telecommunication laws, including cyber incident notification and asset information reporting obligations equivalent to those under the SoCI Act, as well as an obligation to do their best to protect networks and facilities from unauthorised access and interference.
Defence
Industry
Defence
Energy
Liquid fuel
Energy Market Operator
Gas
Electricity
Food and
Grocery
Water and Sewerage
Water and Sewerage
Health and Medical
Hospital
Data Storage
and Processing
Data Storage
and Processing
Higher Education and Research
Education
Notification of
Cyber Incidents
Food and Grocery
Register of
Critical Assets
Risk Management Program
Telecommunications
Telecommunications
Critical data storage and processing assets include assets that are knowingly and wholly or primarily used to provide data storage or processing service on a commercial basis (i) to an end-user that is a government department or agency or a responsible entity for another regulated critical asset, and (ii) relates to “business-critical data” (being personal information that relates to at least 20,000 individuals or is sensitive information or information relating to: any research and development in relation to, systems needed to operate, risk management and business continuity in relation to, a critical assets).
Data Storage and Processing
Payment Services
Enhanced
Cyber Security
Government Direction and Intervention
Positive Security Obligations
Designations that an asset is a system of national significance subject to enhanced cyber security obligations are private/confidential to avoid identifying and publicising their significance to malicious actors. Before making such a declaration, the Minister is required to have regard to the asset’s interdependencies with other critical infrastructure assets, and the consequences to Australia’s national interest if a hazard were to occur that had a significant impact on the asset. The Minister is also required to give the responsible entity for the asset a notice setting out the proposed declaration and inviting the entity to make submissions about the proposed declaration.
Critical infrastructure assets in scope
Critical infrastructure assets not in scope
Critical infrastructure sector
Space Technology