Insights

Critical infrastructure assets - your reporting obligations

Date published 4 October 2022

Read time TBC

Organisations who own, control or access critical infrastructure must complete their reporting obligations for Security of Critical Infrastructure Act 2018.

Related services

Projects and Construction Privacy and Data Technology and Digital

On 6 April 2022, the Minister for Home Affairs enacted the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 ( Cth) (Application Rules). These Application Rules “switch on” the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) obligations to provide ownership and operational information about certain critical infrastructure assets to the Register of Critical Infrastructure Assets (the Register) following a six month grace period. Entities that own or operate the following assets must complete their reporting obligations no later than 8 October 2022 :

Other critical infrastructure assets, such as port, water, electricity, and gas assets, as well as assets privately declared by the Minister, have been subject to Register reporting obligations since the original SOCI Act was enacted in 2018, prior to the SLACI and SLACIP amendments.

Register of Critical Infrastructure Assets Refresher

The Register is designed to assist the Government in understanding who owns, controls, or has access to Australia’s critical infrastructure assets. This helps the Government to have visibility of national security risks and apply mitigations where necessary.

Our previous article, Security of Critical Infrastructure Act (SOCI) reforms - what your business needs to know , explains the requirement under the SOCI Act for “reporting entities” to provide information to the Secretary of the Department of Home Affairs to be recorded on the Register.

The “reporting entities” for an asset are those entities which meet the definition of a “responsible entity” for the asset and / or “direct interest holder” of the asset. An asset may have multiple reporting entities.

Reporting entity
Responsible entity	Direct interest holder
Responsible entities are sector specific (e.g. the responsible entity for a critical water asset is the water utility that holds the licence, approval or authorisation to provide the service). Responsible entity for an asset is required to provide operational information, including: the asset’s location; a description of the area the asset services; the name, address, domestic/foreign incorporation details of the responsible entity; the above information for each entity that operates the asset, or part of the asset, on behalf of the responsible entity and a description of the arrangements under which they operate the asset; and a description of the arrangements under which certain protected data relating to the asset is maintained (see FAQ section below). Responsible entities must complete the Registration form for the Responsible Entity of a Critical Infrastructure Asset (Responsible Entity Form). After successfully submitting the Responsible Entity Form, the responsible entity will be given the option to complete the Direct Interest Holder Form if applicable. Where a responsible entity fails to comply with the information reporting obligations, it will be liable for a civil penalty of up to $11,100 (50 penalty units) per day of contravention, or $55,500 (250 penalty units) if the entity is a corporation.	An entity is a “direct interest holder” in relation to an asset if: the entity (together with associates) holds an interest of at least 10% in the asset; or the entity holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset. Direct interest holders must provide interest and control information relating to the asset, including: the entity’s legal name, address and ABN (or other similar business number); the type and level of interest held in the asset; information about the influence or control the entity has in relation to the asset; information about each person appointed to a governing body, who has access to networks or systems necessary for the operation or control of the asset; the name of each other entity that is in a position to directly or indirectly influence or control: (i) the entity; or (ii) any other entity that is in a position to directly or indirectly influence or control the entity; and for each entity identified in paragraph (v) above, certain corporate details of the entity, information about the type and level of interest held in the asset (if applicable) and information about the influence or control an entity has in relation to the other entities in the chain. Direct interest holders must complete the New registration of a Critical Infrastructure Asset form (Direct Interest Holder Form). After successfully submitting the Direct Interest Holder Form, the direct interest holder will be given the option to complete the Responsible Entity Form if applicable. Where a direct interest holder fails to comply with the information reporting obligations, it will be liable for a civil penalty of up to $11,100 (50 penalty units) per day of contravention, or $55,500 (250 penalty units) if the entity is a corporation.

Reporting entity

Responsible entity

Direct interest holder

Responsible entities are sector specific (e.g. the responsible entity for a critical water asset is the water utility that holds the licence, approval or authorisation to provide the service). Responsible entity for an asset is required to provide operational information, including: the asset’s location; a description of the area the asset services; the name, address, domestic/foreign incorporation details of the responsible entity; the above information for each entity that operates the asset, or part of the asset, on behalf of the responsible entity and a description of the arrangements under which they operate the asset; and a description of the arrangements under which certain protected data relating to the asset is maintained (see FAQ section below). Responsible entities must complete the Registration form for the Responsible Entity of a Critical Infrastructure Asset (Responsible Entity Form). After successfully submitting the Responsible Entity Form, the responsible entity will be given the option to complete the Direct Interest Holder Form if applicable. Where a responsible entity fails to comply with the information reporting obligations, it will be liable for a civil penalty of up to $11,100 (50 penalty units) per day of contravention, or $55,500 (250 penalty units) if the entity is a corporation.

An entity is a “direct interest holder” in relation to an asset if: the entity (together with associates) holds an interest of at least 10% in the asset; or the entity holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset. Direct interest holders must provide interest and control information relating to the asset, including: the entity’s legal name, address and ABN (or other similar business number); the type and level of interest held in the asset; information about the influence or control the entity has in relation to the asset; information about each person appointed to a governing body, who has access to networks or systems necessary for the operation or control of the asset; the name of each other entity that is in a position to directly or indirectly influence or control: (i) the entity; or (ii) any other entity that is in a position to directly or indirectly influence or control the entity; and for each entity identified in paragraph (v) above, certain corporate details of the entity, information about the type and level of interest held in the asset (if applicable) and information about the influence or control an entity has in relation to the other entities in the chain. Direct interest holders must complete the New registration of a Critical Infrastructure Asset form (Direct Interest Holder Form). After successfully submitting the Direct Interest Holder Form, the direct interest holder will be given the option to complete the Responsible Entity Form if applicable. Where a direct interest holder fails to comply with the information reporting obligations, it will be liable for a civil penalty of up to $11,100 (50 penalty units) per day of contravention, or $55,500 (250 penalty units) if the entity is a corporation.

Reporting entity

Responsible entities are sector specific (e.g. the responsible entity for a critical water asset is the water utility that holds the licence, approval or authorisation to provide the service).
Responsible entity for an asset is required to provide operational information, including:

the asset’s location;
a description of the area the asset services;
the name, address, domestic/foreign incorporation details of the responsible entity;
the above information for each entity that operates the asset, or part of the asset, on behalf of the responsible entity and a description of the arrangements under which they operate the asset; and
a description of the arrangements under which certain protected data relating to the asset is maintained (see FAQ section below).

Responsible entities must complete the Registration form for the Responsible Entity of a Critical Infrastructure Asset (Responsible Entity Form). After successfully submitting the Responsible Entity Form, the responsible entity will be given the option to complete the Direct Interest Holder Form if applicable.
Where a responsible entity fails to comply with the information reporting obligations, it will be liable for a civil penalty of up to $11,100 (50 penalty units) per day of contravention, or $55,500 (250 penalty units) if the entity is a corporation.

An entity is a “direct interest holder” in relation to an asset if:

the entity (together with associates) holds an interest of at least 10% in the asset; or
the entity holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.

Direct interest holders must provide interest and control information relating to the asset, including:

the entity’s legal name, address and ABN (or other similar business number);
the type and level of interest held in the asset;
information about the influence or control the entity has in relation to the asset;
information about each person appointed to a governing body, who has access to networks or systems necessary for the operation or control of the asset;
the name of each other entity that is in a position to directly or indirectly influence or control: (i) the entity; or (ii) any other entity that is in a position to directly or indirectly influence or control the entity; and
for each entity identified in paragraph (v) above, certain corporate details of the entity, information about the type and level of interest held in the asset (if applicable) and information about the influence or control an entity has in relation to the other entities in the chain.

Direct interest holders must complete the New registration of a Critical Infrastructure Asset form (Direct Interest Holder Form ). After successfully submitting the Direct Interest Holder Form, the direct interest holder will be given the option to complete the Responsible Entity Form if applicable.
Where a direct interest holder fails to comply with the information reporting obligations, it will be liable for a civil penalty of up to $11,100 (50 penalty units) per day of contravention, or $55,500 (250 penalty units) if the entity is a corporation.

SOCI Register FAQ

Authors: Lesley Sutton, Claire Harris, Sara Liu

KNOWLEDGE ARTICLES YOU MAY BE INTERESTED IN:

Security of Critical Infrastructure Act (SOCI) reforms - what your business needs to know

Foreign Direct Investment Regulation Guide: Australia

The curtain falls - Final reforms to Australia’s critical infrastructure laws

Cookies Disclaimer

Critical infrastructure assets - your reporting obligations

Register of Critical Infrastructure Assets Refresher

Reporting entity

SOCI Register FAQ

KNOWLEDGE ARTICLES YOU MAY BE INTERESTED IN:

Key contacts