On October 9, 2024, a series of cyber security-related regulations were presented to the Australian Parliament. This series is referred to as the "Cyber Security Legislative Package" and consists of
- the "Cyber Security Bill 2024" (Cyber Security Bill for short),
- the "Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024" (in short: SOCI Bill) and
- the "Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024" (IS Bill for short).
These individual pieces of legislation resemble regulations already familiar from the EU, namely the Cyber Resilience Act (CRA) and the NIS 2 Directive (EU) 2022/2555, and from the UK's PSTI Act, albeit in different forms.
Cyber Security Bill
Affected products are similar in definition to "bindable products" as in the PSTI Act. The Cyber Security Bill also defines the "internet-connectable product" and the "network-connectable product". The term "products with digital elements" as we know it from the CRA is not used here.
However, we cannot identify any restriction on the target group. The Cyber Security Bill addresses not only consumer products but also, without restriction, products for professional users, and thus differs significantly from the UK's PSTI Act.
The conformity assessment procedure concludes with a "statement of compliance", which manufacturers must attach to the "compliant products". This, too, is modelled on the UK's PSTI Act.
In the event of a security incident, reports must, as usual, be submitted to the prescribed authorities.
SOCI Bill
The NIS 2 Directive (EU) 2022/2555 distinguishes its requirements between "essential entities" and "important entities". Essential entities are system-critical organizations, while important entities may have less critical functions but can still have a potentially serious impact on security. "Essential entities" are subject to stricter requirements and stronger sanctions; "important entities" also have obligations, but with somewhat milder requirements.
The SOCI Bill does not make this distinction and is aimed at organizations defined as operators of critical infrastructure. The relevant sectors are described, among other places, in the "Security of Critical Infrastructure Act 2018".
However, its stricter reporting obligations and its requirement for comprehensive risk management are similar to those of the NIS 2 Directive (EU) 2022/2555.
Author
Benjamin Kerger (B. Eng.)
Product Compliance Consultant