
Policy Briefing — Australia SLACIP Act Receives Royal Assent

Australia’s Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, which received Royal Assent on April 1, 2022, significantly expands critical infrastructure obligations—demanding immediate governance, cyber uplift, and supplier risk management across newly covered sectors.


Executive briefing: The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) received Royal Assent on April 1, 2022, further amending Australia’s Security of Critical Infrastructure Act 2018 (SOCI). Together with the 2021 amendments, the SLACIP Act expands the number of critical infrastructure sectors from four to eleven, introduces positive security obligations (PSOs) covering risk management programs, mandatory cyber incident reporting, and enhanced cyber security obligations for systems of national significance (SoNS). Organizations operating in sectors such as communications, financial services, healthcare, education, data storage, space, water, and food and grocery must rapidly adapt governance, technology, and supplier practices to comply.

Understand the expanded regulatory scope

The SLACIP Act’s sector list now includes communications, financial market infrastructure, data storage or processing, defence, higher education and research, energy, food and grocery, healthcare, space, transport, and water. Entities that own or operate critical infrastructure assets within these sectors must register with the Australian Cyber and Infrastructure Security Centre (CISC) and provide asset information to the government. The Act introduces the concept of critical infrastructure risk management programs (CIRMPs), requiring responsible entities to systematically identify and mitigate material risks across cyber and information security, personnel, supply chain, and physical security.

Mandatory cyber incident reporting requires notification to the Australian Signals Directorate (ASD) within 12 hours for incidents with a significant impact (critical cyber security incidents) and within 72 hours for other reportable incidents. The legislation empowers the government to declare certain assets systems of national significance, subjecting them to enhanced cyber obligations, including mandatory cyber exercises, vulnerability assessments, and access to system information. Government assistance measures give the ASD authority to provide directions, request information, or intervene during serious cyber incidents, underscoring the importance of collaborative response planning.

Operational priorities for compliance

Conduct an asset and obligation assessment. Inventory infrastructure assets, supply chain dependencies, and digital systems to determine whether they fall within the expanded definitions. Map ownership structures, operational control, and outsourcing arrangements. Submit required information to the CISC register, ensuring accuracy and ongoing maintenance.

Develop or enhance the critical infrastructure risk management program. CIRMPs must address four risk classes: cyber and information security, personnel, supply chain, and physical. Establish cross-functional teams involving security, operations, HR, procurement, and legal. Use frameworks such as ISO 31000, NIST CSF, and AS ISO 27001 to evaluate risk, determine controls, and document mitigation plans. The program must be approved by the board or governing body and reviewed annually. Maintain evidence of risk assessments, control testing, and continuous improvement.

Upgrade cyber incident response capabilities to meet reporting deadlines. Review incident response plans, define thresholds for reportable incidents, and ensure on-call structures can escalate to the ASD within required timeframes. Implement logging, detection, and orchestration tools capable of identifying major impacts promptly. Conduct tabletop exercises simulating ransomware, supply chain compromise, or OT disruption to validate readiness. Document communication protocols covering regulators, government partners, customers, and suppliers.

Entities designated as systems of national significance should prepare for enhanced obligations even before formal notification. Build relationships with the Australian Cyber Security Centre (ACSC), develop interfaces for sharing system information, and plan for government-directed vulnerability assessments or exercises. Ensure OT environments support secure remote access, segmentation, and monitoring to facilitate coordinated incident response.

Governance and board-level responsibilities

The SLACIP Act expects boards and accountable officers to oversee compliance. Update board charters and risk committee agendas to include critical infrastructure security. Provide directors with briefings on legislative obligations, government assistance powers, and potential penalties. Establish regular reporting on CIRMP status, incident metrics, supply chain risk, and government engagement. Include critical infrastructure risk in enterprise risk frameworks, with defined appetites and escalation thresholds.

Legal teams should review contracts, insurance policies, and governance documents to ensure alignment. Update terms with suppliers and service providers to include compliance with the SOCI/SLACIP regime, incident notification obligations, and cooperation during government-led responses. Verify that directors and officers (D&O) insurance covers regulatory investigations and enforcement.

Human resources and security leaders must enhance personnel security programs, including background checks, insider threat monitoring, and access reviews. Document workforce vetting processes, training, and disciplinary procedures as part of the CIRMP. Ensure privacy considerations are addressed, balancing personnel monitoring with employee rights under Australian law.

Supply chain and sourcing considerations

The risk management program requires explicit attention to supply chain security. Identify critical suppliers, assess their security posture, and evaluate contract clauses related to incident response, data handling, and access controls. Implement due diligence questionnaires referencing ASD Essential Eight maturity, ISO 27001 certification, or other relevant standards. Monitor supplier performance through audits, attestations, and threat intelligence.

For technology sourcing, prioritize solutions that support visibility across OT and IT environments, including network detection for industrial control systems, asset discovery, and secure remote access. Evaluate managed security service providers (MSSPs) for their ability to meet reporting obligations, share telemetry with government agencies, and integrate with existing SOC workflows. Ensure cloud providers and data center operators understand SLACIP requirements and support compliance evidence collection.

Establish contingency plans for supplier disruption, considering the Act’s emphasis on resilience. Diversify suppliers where feasible, maintain inventory buffers for critical components, and plan for rapid onboarding of alternative vendors. Document business continuity strategies and test them through exercises.

Implementation roadmap and stakeholder engagement

Create a detailed implementation plan with phases: regulatory interpretation, asset inventory, CIRMP development, control enhancement, training, and continuous monitoring. Assign executive sponsors and project managers, allocate budgets, and define success metrics. Track progress through program management offices (PMOs) and provide status updates to executive leadership and boards.

Engage proactively with government partners. Participate in ACSC programs, share threat intelligence, and leverage guidance from the Department of Home Affairs. Join industry information sharing groups (e.g., Joint Cyber Security Centres) to align on best practices. Collaborate with peers within sectors to develop baseline controls and share lessons learned.

Invest in workforce training covering SLACIP obligations, incident reporting, and secure operations for OT environments. Tailor training for executives, engineers, field technicians, and suppliers. Incorporate scenario-based exercises and post-incident reviews to reinforce learning.

By treating the SLACIP Act as a catalyst for holistic resilience—spanning governance, technology, and supply chain management—critical infrastructure operators can strengthen defences against escalating cyber threats and demonstrate stewardship of essential services. Early action reduces regulatory risk, builds trust with government partners, and protects the continuity of operations Australians depend on.
