Lander & Rogers logo
1 Insights

Enhanced critical infrastructure risk management program rules 2026: what responsible entities need to know

Enhanced critical infrastructure risk management program rules 2026: what responsible entities need to know

In the Director-General of ASIO's Annual Assessment 2025, the Director-General noted that the increasingly complex threat landscape faced by Australian critical infrastructure will continue to deteriorate over the next five years.

In response, the Security of Critical Infrastructure Legislation Amendment (Enhanced Critical Infrastructure Risk Management Program) Rules 2026 (Enhanced CIRMP Rules) were registered in June 2026. The amendments in the Enhanced CIRMP Rules represent a significant uplift in obligations for responsible entities operating in sectors that are considered at heightened risk of targeting by state-sponsored and malicious threat actors.

Key Takeaways

The enhanced requirements apply to critical broadcasting assets, critical domain name systems, critical electricity assets, critical energy market operator assets, critical freight infrastructure assets, critical freight services assets, critical gas assets, critical liquid fuel assets and critical water assets.

Responsible entities for critical infrastructure assets within affected classes should act now to:

  • undertake a gap analysis of their existing CIRMPs against the requirements of the Enhanced CIRMP Rules;
  • develop a plan to uplift CIRMPs within the relevant grace periods; and
  • commence supply chain mapping and review of personnel security processes to allow sufficient time for completion prior to grace periods expiring.

Obligations come into force between June 2027 and June 2028.

New requirements

The Enhanced CIRMP Rules introduce a two-tier framework distinguishing between "baseline CIRMP requirements" and new "enhanced CIRMP requirements." In the case of inconsistency, the enhanced requirement prevails.

Under the Enhanced CIRMP Rules, responsible entities for affected assets must ensure that their CIRMPs address the following:

Additional material risks

A process or system to, as far as reasonably practicable, minimise or eliminate the risks of:

  • impairment to social stability, economic stability, national security or defence;
  • compromise connected with foreign ownership, control or influence (FOCI); and
  • offshore or remote access to critical components and business critical data.

Cyber and information security

A process to, as far as is reasonably practicable, minimise or eliminate cyber and information security risks including risks due to:

  • failure to patch or update operating or security systems;
  • failure to replace legacy systems;
  • deployment or hosting of advanced, novel or emerging technology in a manner that prejudice the availability, integrity, reliability or confidentiality of the asset (or use of such technologies against it).

Responsible entities must also implement phishing-resistant multi-factor authentication for certain systems and critical components, together with logging and monitoring of authentication attempts.

Uplifted cyber maturity

Responsible entities must comply with a prescribed cyber maturity framework or equivalent framework. The updated list of cyber maturity frameworks refers to more stringent standards includes including ISO/IEC 27001:2023, the ASD Essential Eight (Maturity Level 2), NIST CSF 2.0, the US Cybersecurity Capability Maturity Model (Maturity Indicator Level 2), or the AESCSF Framework (Security Profile 2). Under existing CIRMP Rules, requirements in relation to ASD Essential Eight, US Cybersecurity Capability Maturity Model and AESCSF Framework relate to maturity level 1 rather than maturity level 2.

Lateral movement hazards

Establish and maintain a process or system to identify and maintain an inventory of critical systems and how they are connected with other critical systems or computers, recover and restore such systems in the event of an incident, implement network segregation capable of ensuring critical systems can operate independently from other internet-connected computers and minimise or eliminate any material risk of lateral movement hazard.

Personnel hazards

Critical workers must be assessed as suitable through an AusCheck background check (repeated at minimum every five years) or hold a relevant security clearance at Negative Vetting 1 level or higher. Responsible entities must also establish and maintain a process or system to minimise or eliminate the risks of unauthorised access, credential misuse, and incoming and outgoing critical workers.

Supply chain hazards

Entities must map their supply chains for major suppliers and critical components, identify maximum acceptable outages, and implement a process to assess the risks associated with an existing or proposed major supplier for the critical infrastructure asset. Risks which must be assessed in relation to major suppliers including FOCI-related risks, and risks of access, influence and control exercised by suppliers over the critical infrastructure asset.

Physical security and natural hazards

Responsible entities must establish and maintain a process or system to centrally manage physical security and natural hazards, and as far as reasonably practicable consider the physical security consequences arising from the occurrence of all hazards.

Compliance Deadlines

The Enhanced CIRMP Rules commenced on 10 June 2026. Grace periods apply in relation to each obligation.

For assets that were already classified as critical infrastructure assets as at 10 June 2026, the grace periods apply from that date. For assets which become critical infrastructure assets after 10 June 2026, the grace periods run from the date on which the asset first becomes a critical infrastructure asset.

  • Additional material risks, certain cyber risks, and personnel access management: 12-month grace period — compliance required by 10 June 2027.
  • Other obligations: 24-month grace period — compliance required by 10 June 2028.

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.