Policy Briefing — Australia SLACIP Act Receives Royal Assent

Australia’s Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 received Royal Assent, expanding critical infrastructure coverage and introducing enhanced cyber incident reporting duties.

Executive briefing: On the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) became law. It amends the Security of Critical Infrastructure Act 2018 by expanding coverage to 11 sectors, creating enhanced cyber security obligations for systems of national significance, and introducing mandatory incident reporting to the Australian Cyber Security Centre (ACSC).

Key regulatory changes

  • Broader asset classes. The SLACIP Act adds sectors such as healthcare, higher education, data storage, and communications to the critical infrastructure regime and introduces the concept of enhanced critical infrastructure.
  • Systems of national significance. Operators designated as systems of national significance must adopt risk management programmes, undertake cyber exercises, and provide incident response plans to government.
  • Incident reporting. Critical infrastructure entities must notify the ACSC of cyber security incidents within 12 hours (significant impact) or 72 hours (other incidents), with telephone notification required for serious events.

Operational preparation

  • Map Australian assets and supply chains to the expanded sector list and determine whether any systems could be declared nationally significant.
  • Update Australian-specific incident response runbooks to ensure 12-hour ACSC notification and confirm on-call contacts can provide initial telephone reports.
  • Document critical asset risk management programmes aligned to the Act’s rules, including vulnerability management, physical security, and personnel vetting controls.

Assurance considerations

  • Board oversight. Directors must evidence governance of the Risk Management Programme Rules once issued—prepare reporting dashboards covering control maturity and exercise results.
  • Supplier obligations. Contracts with managed service providers and data centre partners should include SLACIP-aligned incident notification and cooperation clauses.
  • Cross-regime mapping. Align SLACIP reporting with APRA CPS 234, ISO/IEC 27001, and NIST CSF artefacts to avoid duplicative attestation packages.

Zeph Tech is building SLACIP compliance checklists and ACSC reporting templates so Australian subsidiaries can demonstrate readiness before ministerial declarations take effect.
