(1) If:
(a) an entity is the responsible entity for a critical infrastructure asset; and
(b) the entity becomes aware that:
(i) a cyber security incident has occurred or is occurring; and
(ii) the incident has had, or is having, a significant impact (whether direct or indirect) on the availability of the asset;
the entity must:
(c) give the relevant Commonwealth body (see section 30BF) a report that:
(i) is about the incident; and
(ii) includes such information (if any) as is prescribed by the rules; and
(d) do so as soon as practicable, and in any event within 12 hours, after the entity becomes so aware.
Civil penalty: 50 penalty units.
Form of report etc.
(2) A report under subsection (1) may be given:
(a) orally; or
(b) in writing.
(3) If a report under subsection (1) is given orally, the entity must:
(a) do both of the following:
(i) make a written record of the report in the approved form;
(ii) give a copy of the written record of the report to the relevant Commonwealth body (see section 30BF); and
(b) do so within 84 hours after the report is given.
Civil penalty: 50 penalty units.
(4) If the report is given in writing, the entity must ensure that the report is in the approved form.
Civil penalty: 50 penalty units.
Exemption--written record
(5) The head (however described) of the relevant Commonwealth body (see section 30BF) may, by written notice given to an entity, exempt the entity from subsection (3) in relation to a report about a specified cyber security incident.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(6) A notice under subsection (5) is not a legislative instrument.
(7) The head (however described) of the relevant Commonwealth body (see section 30BF) may, by writing, delegate any or all of the head's powers under subsection (5) to a person who:
(a) is an SES employee, or acting SES employee, in the relevant Commonwealth body; or
(b) holds, or is acting in, a position in the relevant Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee.
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
(8) In exercising powers under a delegation, the delegate must comply with any directions of the head (however described) of the relevant Commonwealth body.