A Guide to Critical Infrastructure Assets in Australia

What are Critical Infrastructure Assets?

Critical infrastructure assets are assets that are essential to the functioning of the Australian economy, society and/or national security.  All of the relevant assets are:

  • of national strategic and socio-economic importance; and
  • subject to increasingly intense national interest approval requirements, investor scrutiny and stringent regulation and reporting obligations.

The new critical infrastructure assets enviroment

In recent years, Australia’s Federal Government has engaged in a continuous program of intensifying the regulation of critical infrastructure assets and the assessment and approval regime for deals involving them. 

Transactions relating to assets considered critical to the Australian national interest - from energy and water assets to healthcare and financial infrastructure - are now subject to extensive scrutiny from Australia’s foreign investment regulator, while the businesses operating those assets themselves now have enhanced cyber and reporting obligations.

At the same time, investors are looking for opportunities to deploy enormous pools of capital into secure assets with multi-decade horizons and infrastructure-like qualities. Traditional investment opportunities involving the passive, steady-yielding infrastructure assets that have been attractive to infrastructure and superannuation funds are increasingly rare, so those investors are moving up the risk curve to find acceptable returns while private equity funds are deploying secure asset or core-plus type strategies and meeting them in the middle. This middle ground is squarely in the zone of these critical infrastructure assets - sectors that are growing in importance and which matter profoundly to the lives of consumers.

This all means that these transactions are at the centre of a brewing regulatory storm. 

Successfully executing transactions involving critical infrastructure assets has always required a deep knowledge of traditional M&A, financing and infrastructure concepts, but it now also demands an understanding of the increasingly complex regulatory environment around cyber security, national interest and ESG considerations. 

What are the critical asset classes?

The first wave of legislation relating to these assets focused on traditional heavy infrastructure – electricity, gas, water and ports - and in those sectors the regulatory regime is now well understood. However, recent reforms have substantially expanded the sectors deemed to be critical, to include the following 11 sectors:

For investors in an increasing number of sectors, therefore, there are substantial and complex legal issues in both the investment and ownership phase.  These assets face significant government oversight and potentially intervention, and their social importance means that ESG and stakeholder style considerations are becoming increasingly critical risks and opportunities.

How are critical asset deals assessed and regulated?

The regulation of these assets now needs to be considered front and centre when conducting diligence for and entering into these deals.  Designing and implementing transactions in these spaces will increasingly require wholistic advice that understands both the national interest and the ESG perspective given the profound impact these businesses have on the Australian economy and lives of Australian people.    

National security

Australia’s geo-political situation has changed dramatically, and this is evident in the critical infrastructure, foreign interference and FIRB legislation passed over the past 2 years. At the same time, Australia has identified a need for much greater critical asset self-sufficiency through the COVID period. This is leading to stronger intervention by government and regulators in deals and capital flows.

New critical infrastructure legislation requires owners to provide “interest and control information” (i.e. basic details of any entity which has an ownership interest or the ability to control a relevant asset, along with the extent of that entity’s ownership or control over the asset) and “operational information” (e.g. the asset’s location, a description of the area the asset services, basic information about entities responsible for the operation of the asset and the arrangements in place with each operator) in relation to relevant critical infrastructure assets. 

Similarly, the recent Australian payments system review recommended that the federal Treasurer be given new powers to intervene in the payments system – based on national interest considerations such as cyber security or consumer protection.

Cyber Security

The Security Legislation Amendment (Critical Infrastructure) Act 2021, passed in December 2021, and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, passed in March 2022, substantially expanded the scope of the existing critical infrastructure regime under the Security of Critical Infrastructure Act 2018, by focusing on cyber security threats to a far broader range of critical infrastructure assets.

In addition to building on the obligations already present under the existing critical infrastructure regime, which required entities owning and operating critical infrastructure assets to provide information to the Government’s Register of Critical Infrastructure Assets and to respond to Ministerial directions, the legislation passed in December 2021 introduced three main obligations on such entities:

  • a requirement to notify cyber incidents impacting the critical infrastructure assets to the Australian Signals Directorate (in some cases, within 12 hours);
  • a requirement to notify their data storage and processing service providers that they are managing “business critical data”; and
  • the possibility of Government assistance and intervention measures being taken, including a “last resort” intervention request authorising the ASD to take positive actions to help defend the asset.

In March 2022, the second package of reforms introduced further onerous obligations on certain entities including:

  • a requirement to establish, maintain and comply with a written risk management program (with grace periods applying for some assets); and
  • an ability for the Government to privately declare certain critical infrastructure assets as being “Systems of National Significance”, subjecting the responsible entity for those assets to enhanced cyber security obligations, if required by the Secretary of Home Affairs, e.g. a need to develop incident response plans, providing access to system information and undertake cyber security exercises.

ESG/stakeholder governance

Many prominent ESG or corporate purpose initiatives and investigations have noted these issues are sharpest in organisations with systemic importance.  By definition, this will capture critical infrastructure assets and will colour all Board and investment decisions around those assets. 

Political and social agendas shape these trends – look no further than Australia’s recent run of Royal Commissions around critical assets (financial services, aged and disability care being the most obvious).  What this will mean in practice is that:

  • there will be an increasing trend towards legislating and regulating stakeholder governance or purpose -  in the same way as anti-bribery and anti-money laundering issues have moved from “social concerns” to hard legislative requirements, so will other aspects of stakeholder concerns in these politically charged sectors; 
  • only certain categories of investors will have the ability to receive approvals to participate in auctions in these spaces, and the impact on stakeholders will be a critical component of regulatory engagement on these deals; and
  • listed company and financial sponsor acquirers will have an increasing focus on ESG in their investment and divestment decision-making.  Their advisers need to be able to speak the language and reflect those issues in diligence and transaction execution.