Australia critical infrastructure rules tighten risk
Thu, 2nd Jul 2026
Australia's critical infrastructure operators face new risk management obligations under the Enhanced Critical Infrastructure Risk Management Program Rules, extending oversight to artificial intelligence, legacy technology, supply chains and cyber security.
The rules significantly reshape how operators in sectors including energy, water, transport and communications assess and manage risk. They introduce staged obligations across two implementation periods, with one set taking effect in 2027 and a second in 2028.
The Cyber and Infrastructure Security Centre has outlined changes covering AI and emerging technology, legacy and end-of-life systems, insider threats, supply chain resilience and the links between critical and non-critical systems. The first tranche includes additional material risks, patching and legacy technology measures, and initial personnel measures. Later requirements cover cyber framework maturity uplift, phishing-resistant multi-factor authentication, lateral movement controls and supply chain measures.
Jeremy O'Donohue, Managing Director, State Government and Critical Infrastructure, Kinetic IT, said the phased structure means operators should not treat the later deadline as the real starting point.
"These rules reset the baseline for how critical infrastructure operators are expected to manage risk. The smart move is not to wait for the 2028 obligations to arrive, but to read the staged requirements now, understand which tranche applies when, and build capability progressively. Operators who treat the mid-2027 and mid-2028 dates as a single deadline will find themselves doing in months what should have been done over two years," O'Donohue said.
Overlapping risks
The shift comes as many operators update digital systems while continuing to run older technology and manage large supplier networks. In that environment, cyber risk and operational risk are increasingly hard to separate.
"Risk rarely sits in one part of the organisation. What stands out in these reforms is how difficult it is becoming to separate cyber risk from operational risk, and the rules now expect operators to manage that overlap deliberately rather than treating each hazard in isolation," O'Donohue said.
That overlap is central to the revised approach. Risks that appear distinct on paper, such as AI adoption, supplier exposure, insider threats and obsolete technology, can combine in ways that increase the chance of disruption to essential services.
O'Donohue said the traditional boundaries many organisations use to classify threats are becoming less useful as systems become more connected.
"This is especially important for organisations that deliver essential services. A weakness in a supplier environment can become a cyber security issue. A cyber incident can become a service delivery issue. And an operational failure can become a public confidence issue. The boundaries organisations have traditionally drawn around these risks are becoming less useful," O'Donohue said.
Beyond compliance
For operators, the new rules bring an obvious compliance burden, but they also reflect a broader push to test whether organisations understand how disruption could spread across systems, partners and frontline services. The focus is not only on preventing incidents, but also on understanding dependencies and maintaining continuity when failures occur.
Kinetic IT's Sovereign Technology Report found that government and critical infrastructure leaders are under pressure to modernise systems, improve resilience, strengthen cyber defences and prepare for AI adoption while keeping essential services running. It also pointed to growing attention on accountability, operational continuity and response arrangements in high-consequence environments.
"For organisations managing critical assets across energy, water, transport and communications, this is an opportunity to think about resilience differently - not as a collection of controls, but as an organisational capability that spans technology, people, partners and operations," O'Donohue said.
Implementation window
The staggered timetable gives operators time to review their exposure and decide where early work is most urgent. That may include identifying legacy systems that are difficult to patch, mapping critical suppliers, reviewing access controls and testing whether cyber and operational teams share the same view of core risks.
Organisations that delay, however, may face a compressed program of work as the first obligations draw nearer. The design of the rules suggests regulators expect operators to use the transition period to build a more complete picture of how service disruption could affect communities and public confidence.
"The timeline is realistic if organisations start now. With the first obligations landing in mid-2027 and the cyber framework and supply chain measures following in mid-2028, there is room to do this well, but only for those who begin early. The organisations that will be in the strongest position are those that use this moment to develop a clearer picture of where disruption is most likely to have real-world impact on services, communities and public trust," O'Donohue said.
"For critical infrastructure operators, the value of the Enhanced CIRMP Rules will not be measured by compliance alone. It will be measured by whether organisations can keep essential services running when conditions are difficult," O'Donohue said.