The subordinate legislation under the Security of Critical Infrastructure Act (SOCI Act) and the new Cyber Security Act affecting the telecommunications sector commenced on 4 April 2025.
These instruments introduce new rules for the telco industry, as well as changes to existing obligations, consolidating security regulations that were previously contained under the Telecommunications Act framework into the SOCI legislative framework. Below is a summary of the regulations.
Telecommunications Security and Risk Management Program Rules Telco entities that hold a carrier licence or supply over 20,000 carriage services, or supply services to Commonwealth Government entities are subject to more stringent obligations under the new TSRMP Rules.
This involves:
- implementing and maintaining a risk management program by 4 October 2025;
- compliance with at least maturity level 1 of a cyber security framework by 4 October 2026 (further obligations for carriers to comply with maturity level 2 by 4 October 2027);
- obligation to ‘protect your asset’ as far as it is reasonably practicable to do so.Carriers have further obligations to notify the Department of Home Affairs of any changes to your asset that is likely to have a material adverse effect on your ability to protect your asset
Asset Register and Mandatory Cyber Incident Reporting Rules
Rules requiring telco entities to register their critical assets, and notify the Department of a cyber incident have been folded into the SOCI framework.
However, these rules now only apply to entities with a carrier licence, or meet the ‘relevant carriage service provider asset’ threshold of over 20,000 services in operation, or supply to the Commonwealth Government.
SOCI rules affecting all telcos
Even if you are not a carrier or don’t meet the ‘relevant carriage service provider asset’ threshold, telecommunications assets are still captured under the SOCI Act as critical infrastructure. This means you may still have obligations to:
- notify your data storage or processing provider that it is storing or processing your business critical data; and
- following Ministerial directions in relation to serious incidents affecting your asset.
Subordinate cyber security rules
New security standards for smart devices were introduced in March 2025 with the rules commencing 4 March 2026. The rules apply to both manufacturers and suppliers of ‘relevant connectable products’ and is therefore likely to affect telco entities.
The standards introduce 3 rules for manufacturers in relation to their products, including ensuring each device has a unique password or allowing the consumer to create own password, ways for consumers to report security issues and clearly providing information on the support period for security updates.
The manufacturer must also prepare a Statement of Compliance in respect of the rules. Suppliers must then provide this Statement of Compliance with any relevant connectable products they supply to consumers in Australia and must retain the Statement for at least 5 years.
IAA recently held a webinar on IoT Security on 3 April, which included a discussion on the new rules.
Additionally, from 30 May 2025, all entities with an annual turnover of at least $3 million must report ransomware payments to the Department within 72 hours of the ransom being paid.
Please refer to the below summaries and guidance material provided by the Department in respect of these new rules:
IAA will also soon publish a template risk management plan that Members can utilise to assist with their compliance efforts on the IAA Member Portal.
You can also join the Trusted Information Sharing Network for access to further critical infrastructure information and resources.
Please contact us if you have any questions about these new rules.
