•   The responsible entity for one or more critical infrastructure assets must have, and comply with, a critical infrastructure risk management program (unless an exemption applies).

•   The purpose of a critical infrastructure risk management program is to do the following for each of those assets:

  (a)   identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;

  (b)   so far as it is reasonably practicable to do so--minimise or eliminate any material risk of such a hazard occurring;

  (c)   so far as it is reasonably practicable to do so--mitigate the relevant impact of such a hazard on the asset.

•   A responsible entity must give an annual report relating to its critical infrastructure risk management program. If the entity has a board, council or other governing body, the annual report must be approved by the board, council or other governing body.