Security of Critical Infrastructure Act: What are the covered sectors and assets?
This infographic gives a simplified visual presentation of which security obligations apply to, and which powers can be exercised in respect of, the different critical infrastructure assets or sectors under the Security of Critical Infrastructure Act.
Hold over the different heading to reveal the assets or sectors covered. For more information about how the Act will apply to a specific asset, hold over the box for that asset.
Financial Markets Infrastructure
Carriers and carriage service providers are subject to sector specific requirements under telecommunication laws, including cyber incident notification and asset information reporting obligations equivalent to those under the SoCI Act, as well as an obligation to do their best to protect networks and facilities from unauthorised access and interference.
Energy Market Operator
Water and Sewerage
Water and Sewerage
Health and Medical
Higher Education and Research
Food and Grocery
Risk Management Program
Critical data storage and processing assets include assets that are knowingly and wholly or primarily used to provide data storage or processing service on a commercial basis (i) to an end-user that is a government department or agency or a responsible entity for another regulated critical asset, and (ii) relates to “business-critical data” (being personal information that relates to at least 20,000 individuals or is sensitive information or information relating to: any research and development in relation to, systems needed to operate, risk management and business continuity in relation to, a critical assets).
Data Storage and Processing
Government Direction and Intervention
Positive Security Obligations
Designations that an asset is a system of national significance subject to enhanced cyber security obligations are private/confidential to avoid identifying and publicising their significance to malicious actors. Before making such a declaration, the Minister is required to have regard to the asset’s interdependencies with other critical infrastructure assets, and the consequences to Australia’s national interest if a hazard were to occur that had a significant impact on the asset. The Minister is also required to give the responsible entity for the asset a notice setting out the proposed declaration and inviting the entity to make submissions about the proposed declaration.
Critical infrastructure assets in scope
Critical infrastructure assets not in scope
Critical infrastructure sector