The Australian Government is doubling down on critical infrastructure security with new rules set to come into effect in 2027, with extended grace periods for the complex measures.
Informed by "extensive consultation" with industry and stakeholders, the Enhanced CIRMP Rules introduce targeted uplifts to existing risk management requirements for a number of specified asset classes.
These cover critical assets in the areas of energy market operators, electricity, gas, liquid fuel, water, broadcasting, domain name systems, freight services and freight infrastructure.
The Enhanced Rules intend to ensure critical infrastructure providers identify and minimise, mitigate or eliminate risks across their assets.
This includes cyber security risks such as legacy systems, use of artificial intelligence, and connection between critical and non-critical systems, as well as offshoring critical staff or data, insider threats and supply chain risks.
In terms of cyber security risks, the enhanced rules require entities to improve their cyber security by assessing the risks associated with legacy systems and novel or emerging technology, including AI; implementing phishing-resistant multi-factor authentication for critical systems; segregating critical systems from non-critical systems; and increasing their compliance with established cyber security frameworks.
These requirements work towards meeting the targets of the 2023-2030 Australian Cyber Security Strategy Horizon 2 Action Plan, including to uplift the cyber security of Australia’s critical infrastructure, strengthen logging and monitoring standards for critical infrastructure and prepare critical infrastructure to manage emerging technology risks such as AI and quantum computing.
The Enhanced Rules also address insider threat, supply chain resilience, including assessing major supplier risks associated with foreign ownership, control and influence; and enhancing their response to physical hazards through a centrally managed framework that considers risks and controls based on the location of assets.
To support implementation, the department will host a virtual town hall on Thursday, 25 June 2026 to give an overview of the Enhanced CIRMP Rules and answer stakeholder questions.
.jpg&h=142&w=230&c=1&s=1)
.jpg&w=100&c=1&s=0)
.jpg&w=100&c=1&s=0){kind=logo}
.jpg&w=100&c=1&s=0)
