We’re seeking feedback on draft legislative instruments requiring carriers and eligible carriage service providers to share information about their assets and cyber security incidents.
Why we want your input
Carriers and eligible carriage service providers (CSPs) will be required to report on asset and cyber security incidents, to align to the obligations other sectors have under the Security of Critical Infrastructure Act 2018. These changes will provide clarity for the sector and reduce regulatory duplication.
How you can voice your opinion
Read the consultation paper and draft legislative instruments and provide your submission using the form below, email or post.
What will be the outcome of this consultation?
Your submission will help inform the design of new security obligations for carriers and eligible CSPs.
The Issue
What we are seeking feedback on
We’re seeking feedback on the:
- scope and content of the draft legislative instruments
- estimated cost of complying with the obligations in the draft instruments
Why a new carrier licence condition and service provider rule are needed
The Australian Government is committed to protecting the essential services Australians rely on by improving the security and resilience of critical infrastructure, including in the telecommunications sector.
The Security of Critical Infrastructure Act 2018 (SOCI Act) was amended in December 2021, introducing new positive security obligations for many sectors, including:
- giving the Secretary of the Department of Home Affairs certain information about critical infrastructure assets to be included in a register; and
- telling the Australian Signals Directorate if a cyber-security incident has a relevant impact on a critical infrastructure asset.
In order to avoid regulatory duplication and provide clarity for the telecommunications industry, these obligations will be introduced through mechanisms under the Telecommunications Act 1997 (Tel Act). The Tel Act contains a well-established regulatory framework that is familiar to industry and is embedded in how the telecommunications sector operates.
Specifically, the Government is proposing to make a new carrier licence condition and a new service provider rule. The new condition and rule align carriers and eligible CSPs with current obligations other sectors will have under the SOCI Act.
What the new condition and rule will do
The proposed carrier licence condition and service provider rule would require carriers and eligible CSPs to:
- give the Secretary of the Department of Home Affairs operational information in relation to their assets and, where an entity other than the carrier or eligible CSP holds a direct interest in an asset owned or operated by the carrier or eligible CSP, the interest and control information of direct interest holders in the asset;
- give the Australian Signals Directorate (ASD) a notice of a critical cyber security incident no later than 12 hours after the carrier or eligible CSP becomes aware of the incident; and
- give the ASD a notice of other cyber security incidents no later than 72 hours after the carrier or eligible CSP becomes aware of the incident.
Who the new condition and rule will affect
All holders of a carrier licence will be subject to the new carrier licence condition. All eligible CSPs would have to comply with the new service provider rule, unless they are a carrier. Eligible CSPs are defined in section 127 of the Telecommunications (Consumer Protection and Service Standards) Act 1999 as a CSP who supplies a:
- standard telephone service, where any of the customers are residential customers or small business customers;
- public mobile telecommunications service; or
- carriage service that enables end‑users to access the internet; or
- carriage service intermediary who arranges for the supply of one of these services.
Eligible CSPs must be members of the Telecommunications Industry Ombudsman scheme.
Other powers under Part 3A of the Security of Critical Infrastructure Act 2018
The SOCI Act also gives the Government powers to assist industry in certain situations if a serious cyber-security incident has had, is having or will have a relevant impact on a critical infrastructure asset. These assistance powers will be available for the Government to use in relation to the telecommunications sector under the SOCI Act; they will not be mirrored in the Tel Act.
Outcome
The draft carrier licence condition and service provider rule consultation process ran from 25 February 2022 to 29 March 2022.
After carefully considering the submissions received, the Minister for Communications, the Hon Michelle Rowland MP, made the Telecommunications (Carrier Licence Conditions – Security Information) Declaration 2022 and the Telecommunications (Carriage Service Provider – Security Information) Determination 2022 instruments, which were registered on 6 July 2022 and commenced on 7 July 2022.
A copy of the Carrier Licence Conditions and the Carriage Service Provider instruments, along with the Explanatory Statement, is available on the legislation.gov.au website.
Obligations to report cyber incidents to the Australian Signals Directorate (ASD) commenced on 7 July 2022.
Many Carriers and Carriage Service Providers (CSPs) already provide cybersecurity reports through ASD’s Australian Cyber Security Centre. Those already doing this should continue their current practices, and monitor the ongoing guidance from ASD and the Cyber and Infrastructure Security Centre (CISC).
Further information on reporting cyber security incidents can be found on the cyber.gov.au website and on the CISC’s website.
Obligations to supply asset information to the Secretary of Home Affairs will commence on 7 October 2022.
Further information on supplying asset information can be found on the CISC’s website.
The Department of Home Affairs will be administering these reporting obligations. They have advised that for the initial 12 months their focus will be on education and assisting Carriers and CSPs to report.
These instruments will be in force for 18 months, during which time it’s anticipated that these reporting obligations will be incorporated into other security measures being considered for a future amendment bill.