Rushed scrutiny risks mistakes
Critics said the bill was pushed through Parliament too quickly, leaving too little time to test complex provisions and increasing the risk of drafting errors or unintended consequences.
Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention)
Current status
This bill became law on Nov 29th, 2024.
Policy area
Transport & communications
What does this bill do?
Critical infrastructure rules now cover linked data storage systems that hold business-critical information, so operators must protect important back-end data as part of the asset itself.
Why was it introduced?
Recent critical infrastructure incidents exposed gaps in the SOCI ActThe main law this bill updates to set security duties for important Australian infrastructure., including weak coverage of business-critical data systems, limited response powers, and telecom security rules that sat outside the main framework. The bill expands what counts as critical infrastructure, broadens emergency directions and information-sharing, lets regulators order fixes to weak risk programs, and folds telecom security duties into the SOCI ActThe main law this bill updates to set security duties for important Australian infrastructure..
Broader context
Australia already regulated key assets under the Security of Critical Infrastructure Act 2018The main law this bill updates to set security duties for important Australian infrastructure., but the government said rising cyber threats and gaps exposed by major cyber incidents showed the law did not fully cover business-critical data systems, telecom security duties or some emergency response needs. As part of the 2023-2030 Australian Cyber Security Strategy, the 2024 bill widened the framework, expanded information-sharing and intervention powers, and after Parliament passed it those changes became law with Royal AssentThe formal step that turns the bill into an Act and makes the changes law. on 29 November 2024.
Key criticism
The main criticism was not the bill’s goal but that Parliament was asked to pass complex cybersecurity powers too quickly, raising risks of drafting mistakes, weak safeguards and unresolved details around device standards and independent review. Those concerns came mainly from Coalition and Greens speakers, who still supported the bill, so the criticism was real but limited and largely about scrutiny and implementation rather than outright opposition.
Who supported it?
Hon Tony Burke MP introduced this bill. It passed on the voices.
Introduced in House 09 Oct 2024
Passed House 20 Nov 2024
Passed Senate 25 Nov 2024
Became law 29 Nov 2024
Did it become law?
Yes
Became law 29 Nov 2024
Final passage
Passed without a counted vote
Members called out ‘aye’ or ‘no’ — no individual votes were recorded.
Passage speed
51 days
From introduction to the latest recorded parliamentary step
Meaning
What does this bill do?
-
Critical infrastructure rules now cover linked data storage systems that hold business-critical information, so operators must protect important back-end data as part of the asset itself.
-
The Australian Government can use last-resort directions more broadly during serious critical infrastructure incidents, including events affecting multiple assets and some non-cyber incidents.
-
Businesses and government can share protected critical infrastructure informationSensitive infrastructure information that the bill makes easier to share for response and operations without triggering unnecessary compliance problems. more easily for incident response and day-to-day operations, reducing unnecessary compliance burden.
-
Home Affairs or the relevant federal regulator can order a critical infrastructure operator to fix a risk management program if it has serious weaknesses.
-
Telecommunications security and notification duties move into the critical infrastructure law, with updated rules to better align telecom regulation with the wider critical infrastructure framework.
Show source excerpts
-
expand the definition of all types of critical infrastructure assets to include secondary assets which hold ‘business critical data’ and relate to the functioning of the primary asset;
Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) explanatory memorandum -
facilitate the use of a ‘last resort’ directions power for the Secretary of the Department of Home Affairs, when authorised by the Minister, for the purposes of managing both multi-asset incidents and the consequences of serious incidents which could have, are having, or have had, a ‘relevant impact’ on one or more critical infrastructure assets;
Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) explanatory memorandum -
clarify the operation of the secrecy and disclosure provisions—in particular to enable greater intra-government sharing of protected information and cross-industry collaboration, and reduce unnecessary burden of these provisions on entities in the ordinary conduct of business;
Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) explanatory memorandum -
create a directions power for the Secretary of the Department of Home Affairs or the relevant Commonwealth regulator which is exercisable where it has been identified a critical infrastructure risk management program is seriously deficient; and
Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) explanatory memorandum -
bring appropriate elements of the Telecommunications Sector Security Reforms (TSSR) administered by the Home Affairs portfolio, including security and notification obligations, from Part 14 of the Telecommunications Act 1997 into the SOCI Act, with enhancements to align the regulatory frameworks and clarify telecommunications-specific obligations.
Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) explanatory memorandum
Context
Broader context for this bill
Australia already regulated key assets under the Security of Critical Infrastructure Act 2018The main law this bill updates to set security duties for important Australian infrastructure., but the government said rising cyber threats and gaps exposed by major cyber incidents showed the law did not fully cover business-critical data systems, telecom security duties or some emergency response needs. As part of the 2023-2030 Australian Cyber Security Strategy, the 2024 bill widened the framework, expanded information-sharing and intervention powers, and after Parliament passed it those changes became law with Royal AssentThe formal step that turns the bill into an Act and makes the changes law. on 29 November 2024.
- 2018
Security of Critical Infrastructure Act creates the base regime
The 2024 bill was built on the existing Security of Critical Infrastructure Act 2018The main law this bill updates to set security duties for important Australian infrastructure., which already set security obligations for critical infrastructure assets.
Australian Parliament House ↗ - 2023
Australian Cyber Security Strategy sets Shield 4The part of the 2023-2030 Australian Cyber Security Strategy that this bill is said to implement. legislative reforms
The explanatory memorandum says the bill gives effect to reforms identified under Shield 4The part of the 2023-2030 Australian Cyber Security Strategy that this bill is said to implement. of the 2023-2030 Australian Cyber Security Strategy.
Australian Parliament House ↗ - 09 Oct 2024
Government introduces the bill to close gaps in critical infrastructure law
The minister said the bill was the third bill in a cybersecurity package and would strengthen the SOCI ActThe main law this bill updates to set security duties for important Australian infrastructure. to address gaps identified after recent major cybersecurity incidents.
Hansard ↗ - 25 Nov 2024
Parliament passes the bill
Both houses passed the bill in the same form, completing its parliamentary passage and clearing the way for the SOCI changes to take legal effect.
Parliamentary timeline ↗ - 29 Nov 2024
Royal AssentThe formal step that turns the bill into an Act and makes the changes law. makes the changes law
Royal AssentThe formal step that turns the bill into an Act and makes the changes law. turned the bill into an Act, allowing the expanded critical infrastructure rules and powers to operate under federal law.
Parliamentary timeline ↗
Legislative route
How did it move through Parliament?
House Senate
Introduced 09 Oct 2024
The bill was formally presented to the chamber and read a first time, which starts its parliamentary journey.
Introduced and read a first time
Second reading opened 09 Oct 2024
A minister or sponsoring member moved the second reading, opening the main debate on the bill's purpose and principles.
Second reading moved
Intelligence and Security review 10 Oct 2024
Referred to Committee (10/10/2024): Parliamentary Joint Committee on Intelligence and Security; Committee Report (18/11/2024)
Referred to committee
APH bill page notesSecond reading debate 18 Nov 2024
The bill reached this recorded parliamentary step.
Sent to Federation Chamber for debate 19 Nov 2024
The bill reached this recorded parliamentary step.
Referred to Federation Chamber
Federation Chamber debate 19 Nov 2024
The bill reached this recorded parliamentary step.
Second reading debate
House second reading agreed 19 Nov 2024
The chamber agreed to the bill at second reading, meaning it accepted the bill in principle and allowed it to continue.
Second reading agreed to
House agreed to amendment packages 19 Nov 2024
The chamber considered amendments before the bill moved to the next stage.
Consideration in detail debate
Returned from Federation Chamber 20 Nov 2024
The bill reached this recorded parliamentary step.
Reported from Federation Chamber
House third reading agreed 20 Nov 2024
The chamber agreed to the bill at third reading, which completed passage through that chamber.
Third reading agreed to
Introduced 25 Nov 2024
The bill was formally presented to the chamber and read a first time, which starts its parliamentary journey.
Introduced and read a first time
Second reading opened 25 Nov 2024
A minister or sponsoring member moved the second reading, opening the main debate on the bill's purpose and principles.
Second reading moved
Second reading debate 25 Nov 2024
The bill reached this recorded parliamentary step.
Senate second reading agreed 25 Nov 2024
The chamber agreed to the bill at second reading, meaning it accepted the bill in principle and allowed it to continue.
Second reading agreed to
Committee of the Whole debate 25 Nov 2024
The bill reached this recorded parliamentary step.
Senate third reading agreed 25 Nov 2024
The chamber agreed to the bill at third reading, which completed passage through that chamber.
Third reading agreed to
Passed both houses 25 Nov 2024
Both houses passed the bill in the same form, completing parliamentary passage.
Finally passed both Houses
Assent 29 Nov 2024
The Governor-General gave Royal AssentThe formal step that turns the bill into an Act and makes the changes law., turning the bill into an Act.
Key criticism
The main case against this bill
The main criticism was not the bill’s goal but that Parliament was asked to pass complex cybersecurity powers too quickly, raising risks of drafting mistakes, weak safeguards and unresolved details around device standards and independent review. Those concerns came mainly from Coalition and Greens speakers, who still supported the bill, so the criticism was real but limited and largely about scrutiny and implementation rather than outright opposition.
No party represented in the debate opposed the bill, but several speakers said the process was rushed.
Safeguards and key details left unresolved
The Greens argued the bill still needed stronger safeguards, clearer internet-connected device standards, and a more independent cyber incident review board, warning that important protections had been left unsettled.
Further sources
Votes
Recorded votes
How the bill itself passed
The bill passed both chambers on the voices, so there is no list of individual Aye and No votes for final passage.
Passed House passed the bill
House agreed to the bill's third reading on the voices, so there is no list of individual Aye and No votes for final passage in that chamber.
Passed
House passed the bill
Passed on the voices
In a voice vote, members call out Aye or No and the presiding officer judges which side has it. Individual names are only recorded if a formal division is called.
Passed Senate passed the bill
Senate agreed to the bill's third reading on the voices, so there is no list of individual Aye and No votes for final passage in that chamber.
Passed
Senate passed the bill
Passed on the voices
In a voice vote, members call out Aye or No and the presiding officer judges which side has it. Individual names are only recorded if a formal division is called.
Amendments at a glance
Amendments grouped by chamber. Where APH reports aggregate counts, the package card summarizes the matching public amendment sheets by source theme.
House
Carried Government package: 6 amendments
Government amendments tighten security assessment settings by repealing section 38A, confirming how section 38 applies to certain critical infrastructure and telecommunications assessments, and extending notification and reporting arrangements.
Carried
Government package: 6 amendments
Passed on the voices
The chamber agreed to this amendment package without a counted vote. APH records the agreed count by amendment, while the source documents are grouped into amendment sheets.
Senate
Defeated Harmonised IoTConnected devices such as smart appliances or sensors, which are mentioned because the Greens wanted clearer and more aligned security rules for them. rules note defeated
Senator Shoebridge’s second-reading amendment, which would have noted the case for harmonised Internet of ThingsConnected devices such as smart appliances or sensors, which are mentioned because the Greens wanted clearer and more aligned security rules for them. rules, was defeated on voices.
Defeated
Harmonised IoTConnected devices such as smart appliances or sensors, which are mentioned because the Greens wanted clearer and more aligned security rules for them. rules note defeated
Defeated on voices
The chamber decided this amendment without a counted division, so there is no list of individual Aye and No votes.
Defeated Board oversight amendment defeated
The Senate Journal records this Shoebridge amendment package as defeated on voices.
Defeated
Board oversight amendment defeated
Defeated on voices
The chamber decided this amendment without a counted division, so there is no list of individual Aye and No votes.
Defeated Information-sharing consent amendment defeated
The Senate Journal records this Shoebridge amendment as defeated on voices.
Defeated
Information-sharing consent amendment defeated
Defeated on voices
The chamber decided this amendment without a counted division, so there is no list of individual Aye and No votes.
Defeated Coordinator-sharing consent amendment defeated
The Senate Journal records this Shoebridge amendment as defeated on voices.
Defeated
Coordinator-sharing consent amendment defeated
Defeated on voices
The chamber decided this amendment without a counted division, so there is no list of individual Aye and No votes.
Parliamentary debate
Who spoke, and what they said
Start here — lead voices
Sponsor speech Supports
Tony Burke
Mr Burke supports the bill, saying it will strengthen security obligations for critical infrastructure and improve government powers to respond to major incidents and cascading disruptions.
Read in Hansard ↗ Lead supporting voice Supports
James Paterson
Paterson says the coalition will support the bill, because it strengthens Australia's ability to respond to cyberthreats and extends sensible critical infrastructure protections.
Read in Hansard ↗ Lead voice Supports
Tim Ayres
Ayres supports the bill and says it will strengthen the Security of Critical Infrastructure Act to close gaps exposed by recent cyber incidents and uplift the resilience of critical infrastructure.
Read in Hansard ↗ Lead voice Supports
Michelle Landry
Michelle Landry says the coalition will support the bill without amendment because it strengthens Australia’s response to cyber threats and improves cooperation between industry and government.
Read in Hansard ↗All speeches by bloc
Labor
7 speakers · 7 support
Labor
7 speakers · 7 support
-
Tim Ayres ★ Ayres supports the bill and says it will strengthen the Security of Critical Infrastructure Act to close gaps exposed by recent cyber incidents and uplift the resilience of critical infrastructure.
“This Bill seeks to amend the Security of Critical Infrastructure Act 2018 (the SOCI Act) to strengthen existing security obligations on critical infrastructure sectors to address gaps identified following recent major cyber security incidents.”
Read the full speech in Hansard ↗ -
Andrew Charlton Andrew Charlton supports the bill and says it is a necessary package of reforms to strengthen Australia’s cybersecurity, protect critical infrastructure and improve the government’s ability to respond to incidents.
“This is a package of key reforms necessary to support the continued uplift of Australia's collective cybersecurity. I want Australian citizens and businesses to be best placed to take every opportunity in the digital economy, something that cannot occur without being safe and secure online. I commend these bills to the Chamber.”
Read the full speech in Hansard ↗ -
Tim Watts Watts supports the bill and says it is a necessary and urgent step to improve Australia's cyber defences, mandatory ransomware reporting and security standards for connected devices.
“In many respects Australia is already a leader in cybersecurity, but this bill will ensure that Australia has a world-leading, robust cybersecurity regime going forward. The time to act is now, and I commend this bill to the House.”
Read the full speech in Hansard ↗ -
Raff Ciccone Ciccone supports the bill and says it should pass quickly because it will improve the security and resilience of critical infrastructure against growing cyber and geopolitical threats.
“Meanwhile, the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 amends the Security of Critical Infrastructure Act 2018. These reforms aim to improve the security and resilience of critical infrastructure by assisting the government and industry's ability to help prevent, manage and respond to future significant incidents impacting critical infrastructure through the act. Our country is facing increased geopolitical and cyber threats, putting our critical infrastructure at heightened risk. Critical infrastructure provides essential services that we rely on every single day. It's important that we make these reforms and pass them as quickly as possible. It is worth noting, however, that data is not the only target of threat actors. Critical infrastructure organisations are also targets, as they provide essential services to support Australian life and businesses, including our electricity, water, health, transport, logistics and telecommunications networks.”
Read the full speech in Hansard ↗ -
Helen Polley Polley supports the bill and urges the Senate to pass it, saying it will strengthen cyber defences, set mandatory security standards for smart devices, and improve ransomware reporting and incident response.
“I recommend the bill to be passed in the Senate today.”
Read the full speech in Hansard ↗ -
Tony Burke ★ Mr Burke supports the bill, saying it will strengthen security obligations for critical infrastructure and improve government powers to respond to major incidents and cascading disruptions.
“Together with the other bills in this package, this bill will help to strengthen our responses to the dynamic, cascading consequences of serious incidents that impact our critical infrastructure, and more broadly, the Australian community.”
Read the full speech in Hansard ↗ -
Murray Watt Murray Watt supports the bill as part of the wider cybersecurity package and says it should be passed.
“That committee has now handed down its report and recommended that, subject to implementation of the recommendations in its report, the package be passed by the parliament. The government agrees or agrees in principle to all 13 recommendations in the committee's report and, in line with recommendation 1, proposes the package be passed by the parliament.”
Read the full speech in Hansard ↗
Coalition
4 speakers · 4 support
Coalition
4 speakers · 4 support
-
James Paterson ★ Paterson says the coalition will support the bill, because it strengthens Australia's ability to respond to cyberthreats and extends sensible critical infrastructure protections.
“As I said, the coalition supports the policy intent of this legislative package. In the face of a complex and evolving threat environment, the government needs robust levers to protect Australians from cyberthreats. We will always support sensible changes which ensure our legislation is fit for purpose to tackle the ever-evolving cyberthreats facing Australia, which is why we will be supporting the passage of these bills and the accompanying government amendments.”
Read the full speech in Hansard ↗ -
Michelle Landry ★ Michelle Landry says the coalition will support the bill without amendment because it strengthens Australia’s response to cyber threats and improves cooperation between industry and government.
“The coalition supports the policy intent of the legislative package. In the face of a complex and evolving threat environment, the Commonwealth government needs robust leaders to protect Australians from cyberthreats. Industry should also be able to engage quickly and confidently with government in responding to cyber challenges, and we welcome the limited use provisions which will go some way to facilitating this culture of cooperation. The coalition will be supporting these bills without amendment.”
Read the full speech in Hansard ↗ -
Michael McCormack McCormack says the coalition supports the bill because cybercrime is a serious and growing threat and the new security standards, reporting rules and limited-use protections will help businesses and Australians stay safer.
“It's clear Australia must entrench its place on the world stage as a nation which is proactive and a world leader in cybersafety when it comes to digital technology, and I would like to think that, whichever party or parties occupy the government benches in Australia, the same priority and the same importance is placed on cybersecurity. I know that the government come to this place and space with good intent, and I encourage them and acknowledge them for that. It's very clear that Australia is targeted all too often by people and nations that want to do us harm. But this bill and other measures will ensure business has the confidence to continue to invest and grow.”
Read the full speech in Hansard ↗ -
Andrew Wallace Andrew Wallace supports the bill and the wider cybersecurity package, saying the reforms are very important for national security and should be passed.
“This legislation is so very important. The three bills we're debating are designed to mandate minimum cybersecurity standards for smart devices; to introduce mandatory ransomware reporting for certain businesses to report ransom payments; to introduce limited-use obligations for the National Cyber Security Coordinator and the Australian Signals Directorate, or ASD; to establish a cyber incident review board and clarify, simplify, streamline, and align existing obligations, regulations and government assistance measures.”
Read the full speech in Hansard ↗
Greens
1 speaker · 1 support
Greens
1 speaker · 1 support
-
David Shoebridge Shoebridge says the Greens will support the bill, but argues it has been rushed and needs stronger safeguards, clearer IoTConnected devices such as smart appliances or sensors, which are mentioned because the Greens wanted clearer and more aligned security rules for them. standards and a more independent cyber incident review board.
“I'll finish with this. This is rushed legislation that's important, and the rush is part of the problem. I move:”
Read the full speech in Hansard ↗
Record
Full record
- Act title
- Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024
- Act number
- Act No. 100, 2024
- Became law
- 29 Nov 2024
- Takes effect
-
- Sections 1 to 3 and anything in this Act not elsewhere covered by this table 29 Nov 2024
- Schedules 1 to 4 A single day to be fixed by Proclamation
- Schedule 5, Parts 1 and 2 A single day to be fixed by Proclamation
- Schedule 5, Part 3, Division 1 The later of:
- Schedule 5, Part 3, Division 2 At the same time as the provisions covered by table item 3
- Schedule 5, Part 3, Division 3 Immediately before the commencement of Schedule 4 to the Crimes and Other Legislation Amendment (Omnibus No. 1) Act 2024
- Schedule 5, Part 4 At the same time as the provisions covered by table item 3
- Schedule 6 At the same time as the provisions covered by table item 2
- Schedule 7 30 Nov 2024
- Schedule 8 At the same time as the provisions covered by table item 2
- Registered
- 04 Dec 2024
- Administered by
- Department of Home Affairs
- Final law metadata was collected from the APH progress table; commencement rows were parsed from the bill text.
- Status
- Act -- Collected from the APH bill page.
- Originating house
- House of Representatives
- 09 Oct 2024
House · Introduced and read a first time
Introduced
The bill was formally presented to the chamber and read a first time, which starts its parliamentary journey.
- 09 Oct 2024
House · Second reading moved
Second reading opened
A minister or sponsoring member moved the second reading, opening the main debate on the bill's purpose and principles.
- 18 Nov 2024
House · Second reading debate
Second reading debate
The bill reached this recorded parliamentary step.
- 19 Nov 2024
House · Referred to Federation Chamber
Referred to Federation Chamber
The bill reached this recorded parliamentary step.
- 19 Nov 2024
House · Second reading debate
Second reading debate
The bill reached this recorded parliamentary step.
- 19 Nov 2024
House · Second reading agreed to
Second reading agreed
The chamber agreed to the bill at second reading, meaning it accepted the bill in principle and allowed it to continue.
- 19 Nov 2024
House · Consideration in detail: amendments considered
Amendment packages agreed
The chamber considered amendments before the bill moved to the next stage.
- 20 Nov 2024
House · Reported from Federation Chamber
Reported from Federation Chamber
The bill reached this recorded parliamentary step.
- 20 Nov 2024
House · Third reading agreed to
Third reading agreed
The chamber agreed to the bill at third reading, which completed passage through that chamber.
- 25 Nov 2024
Senate · Introduced and read a first time
Introduced
The bill was formally presented to the chamber and read a first time, which starts its parliamentary journey.
- 25 Nov 2024
Senate · Second reading moved
Second reading opened
A minister or sponsoring member moved the second reading, opening the main debate on the bill's purpose and principles.
- 25 Nov 2024
Senate · Second reading debate
Second reading debate
The bill reached this recorded parliamentary step.
- 25 Nov 2024
Senate · Second reading agreed to
Second reading agreed
The chamber agreed to the bill at second reading, meaning it accepted the bill in principle and allowed it to continue.
- 25 Nov 2024
Senate · Committee of the Whole debate
Committee of the Whole debate
The bill reached this recorded parliamentary step.
- 25 Nov 2024
Senate · Third reading agreed to
Third reading agreed
The chamber agreed to the bill at third reading, which completed passage through that chamber.
- 25 Nov 2024
Parliament · Finally passed both Houses
Passed both houses
Both houses passed the bill in the same form, completing parliamentary passage.
- 29 Nov 2024
Assent · Assent
Assent
The Governor-General gave Royal AssentThe formal step that turns the bill into an Act and makes the changes law., turning the bill into an Act.
Parliamentary Joint Committee on Intelligence and Security; Committee Report (18/11/2024)
Referred to committee
Referred to Committee (10 Oct 2024): Parliamentary Joint Committee on Intelligence and Security; Committee Report (18 Nov 2024)
APH bill page notes