Categories

With the federal election over and a returning Labor Government, we anticipate busy times ahead. Regulatory reform for the telco sector is already well underway with the:

  • Security of Critical Infrastructure (SOCI) obligations – commenced 4 April;
  • new ACMA rules relating to network outages involving communication requirements and changes to your complaints handling policy – commencing 30 June; and
  • changes to the TIO’s complaints handling processes – commencing 1 July.

We’re proud to say that our advocacy work has had some impact in reducing some of the burdens on industry. We’ve managed to ensure the positive security obligations under the SOCI framework will be limited to carriage service providers with over 20,000 services in operation (or those that supply to government). Our consistent engagement with the ACMA has also resulted in the regulator releasing more educative information alongside new regulation.

You can read more about the SOCI obligations in this newsletter article, the ACMA rules on its website and the TIO changes on the TIO Portal. We are also working on developing updated legal templates that are compliant with the new ACMA rules and will make them available on the IAA Member Portal in due course so please keep posted!

In March, a telecommunications consumer protections Bill was tabled at Parliament to introduce the CSP Register, give the ACMA directly enforceable powers and increase penalties for non-compliance. Though this lapsed due to the election, we anticipate this will be prioritised by the new or returning Communications Minister.

Other things to watch out for includes a new domestic, family and sexual violence industry standard for telcos which we think may land any day now, as well as the revised TCP Code which we understand will soon be submitted to the ACMA for registration.

The Public Policy Advisory Panel will be meeting later this month to discuss all the above and more so please let us know if you have any concerns, or if you’d like to join the discussion!

And as always, please get in touch to share any thoughts on any of the open consultations below and/or previous submissions as we really appreciate your feedback.

Open consultations

Completed submissions

The subordinate legislation under the Security of Critical Infrastructure Act (SOCI Act) and the new Cyber Security Act affecting the telecommunications sector commenced on 4 April 2025.

These instruments introduce new rules for the telco industry, as well as changes to existing obligations, consolidating security regulations that were previously contained under the Telecommunications Act framework into the SOCI legislative framework. Below is a summary of the regulations.

Telecommunications Security and Risk Management Program Rules Telco entities that hold a carrier licence or supply over 20,000 carriage services, or supply services to Commonwealth Government entities are subject to more stringent obligations under the new TSRMP Rules.
This involves:

  • implementing and maintaining a risk management program by 4 October 2025;
  • compliance with at least maturity level 1 of a cyber security framework by 4 October 2026 (further obligations for carriers to comply with maturity level 2 by 4 October 2027);
  • obligation to ‘protect your asset’ as far as it is reasonably practicable to do so.Carriers have further obligations to notify the Department of Home Affairs of any changes to your asset that is likely to have a material adverse effect on your ability to protect your asset


Asset Register and Mandatory Cyber Incident Reporting Rules
Rules requiring telco entities to register their critical assets, and notify the Department of a cyber incident have been folded into the SOCI framework.

However, these rules now only apply to entities with a carrier licence, or meet the ‘relevant carriage service provider asset’ threshold of over 20,000 services in operation, or supply to the Commonwealth Government.

SOCI rules affecting all telcos

Even if you are not a carrier or don’t meet the ‘relevant carriage service provider asset’ threshold, telecommunications assets are still captured under the SOCI Act as critical infrastructure. This means you may still have obligations to:

  • notify your data storage or processing provider that it is storing or processing your business critical data; and
  • following Ministerial directions in relation to serious incidents affecting your asset.


Subordinate cyber security rules

New security standards for smart devices were introduced in March 2025 with the rules commencing 4 March 2026. The rules apply to both manufacturers and suppliers of ‘relevant connectable products’ and is therefore likely to affect telco entities.

The standards introduce 3 rules for manufacturers in relation to their products, including ensuring each device has a unique password or allowing the consumer to create own password, ways for consumers to report security issues and clearly providing information on the support period for security updates.

The manufacturer must also prepare a Statement of Compliance in respect of the rules. Suppliers must then provide this Statement of Compliance with any relevant connectable products they supply to consumers in Australia and must retain the Statement for at least 5 years.

IAA recently held a webinar on IoT Security on 3 April, which included a discussion on the new rules.

Additionally, from 30 May 2025, all entities with an annual turnover of at least $3 million must report ransomware payments to the Department within 72 hours of the ransom being paid.

Please refer to the below summaries and guidance material provided by the Department in respect of these new rules:


IAA will also soon publish a template risk management plan that Members can utilise to assist with their compliance efforts on the IAA Member Portal.

You can also join the Trusted Information Sharing Network for access to further critical infrastructure information and resources.

Please contact us if you have any questions about these new rules.

Join our briefing with Q&A for IAA Members regarding our updated Master Service Agreement and Membership Agreement.

To ensure compliance with current legislation and good governance, we have reviewed our Master Service Agreement (MSA) and Membership Agreement (MA). With the assistance of our lawyers, we have conducted a meticulous review and updated the terms of these agreements to ensure compliance with the latest legal requirements.

Please note, we are **not** terminating either of our existing agreements. However, in accordance with clause 24.2 of the MSA, any changes to the Agreement must be in writing and signed by the parties.

In addition, our team has taken this opportunity to streamline processes to benefit our Members by allowing electronic execution of the agreements through the IAA Member Portal, as well as consolidating outdated documents – including the Disconnect Policy, Acceptable Use Policy, Code of Conduct – Members Services, Pricing Policy and Services Schedules – into the MSA. This consolidation simplifies our contractual framework and aligns our terms with current operational practices.

Please review IAA’s new MSA and MA

Following a busy end to 2024, the policy team has had an equally hectic start to 2025!

There are several consultations currently underway that will have a significant impact on the telecommunications sector. Namely, the review of the Telecommunications Consumer Protections Code by Communications Alliance, as well as rules for the telco sector under Security of Critical Infrastructure Act. These subordinate rules will apply to carriers and carriage service providers that have over 20,000 services in operation or supplies to the government. If this is you or your organisation, then we highly recommend you attend the Town Hall that the Department will be running on 11 February to find out more information and ask any questions. You can read more about the open consultations below, and let us know if you have any concerns you’d like us to include in our submission!

The policy team has also had its hands full onboarding our new PPAP members! We received a record number of applications, and you can read more about our new PPAP members in this newsletter item. The interest in PPAP is a testament to the growth of the advocacy work that IAA has been doing to improve policy for the telco sector, and we thank all our Members for their interest in and support of our policy work. PPAP meetings are open to guests, so please let us know if you would like to attend. We will also provide regulatory updates at each in-person event this year, so make sure to attend!

As always, please get in touch to share your thoughts on any of the open and/or previous submissions below. We really appreciate your input.

Open consultations:

Telecommunications Service Provider (Customer Identity Authentication) Determination 2022 | ACMA | 14 February 2025

The ACMA proposes to amend its requirements related to identity verification. Proposed changes include the introduction of new authentication methods, the removal of biometric data as a primary authentication method, exceptions to sending notifications about high-risk transactions and record keeping requirements.

Consultation on Subordinate Legislation to the Cyber Security Act and Security of Critical Infrastructure Act 2018 | Department of Home Affairs | 14 February 2025

Following amendments to the Security of Critical Infrastructure Act, and the passage of the Cyber Security Act in late 2024, the Department of Home Affairs is consulting on various subordinate legislation related to rules governing the new Cyber Incident Review Board, ransomware reporting requirements; security of smart devices, data storage systems as a critical infrastructure asset, and most importantly, the risk management program rules for the telecommunications sector. All carriers and CSPs with 20,000+ active services in operation or those that knowingly supply to government will be subject to the positive security obligations, including the risk management program rules.

C628: Telecommunications Consumer Protections Code Review | Communications Alliance | 28 February 2025

Communications Alliance is conducting its periodic review of the TCP Code, and the latest iteration is now open for public consultation. The TCP Code is a significant instrument that applies to most of IAA’s Members. There are many proposed changes, including enhanced rules regarding the identification and protection of vulnerable customers, providing at least 2 fee-free payment methods, the requirement to perform credit checks for consumers for contracts that could result in a debt of +$150, providing a (near) real time customer support channel, flexibility regarding direct billing payments, and compliance processes.

Completed submissions:

Member Guidance – Reasonable steps to inform consumers and occupiers of IDR and EDR | TIO

 Scams Prevention Framework Bill | Treasury

SLAID Act Review | INSLM

NBN Co Amendment (Commitment to Public Ownership) Bill 2024 | Senate Standing Committees on Environment and Communications

Unfair Trading Practices Consultation Paper | Treasury

Online Safety Amendment (Social Media Minimum Age) Bill 2024 | Senate Standing Committees on Environment and Communications

Following our recruitment process in late 2024, we’ve successfully grown the IAA Public Policy Advisory Panel (PPAP). We have four returning members who have renewed their terms, as well as five new faces and we’re chuffed to work with the expanded PPAP as we face a busy year ahead.

With a diverse representation of Corporate, Professional and Affiliate Members, as well as different backgrounds and interests, we’re excited about the quality of discussions we’ll have as each panel member brings their unique insight on important policy matters.

Our first PPAP meeting of 2025 will be held on 5 February 2025 and new panel members will have their work cut out for them as we dive straight into discussions of the TCP Code and telco security regulations, which are currently open for consultation!

Welcome to our new PPAP panelists:

Craig Lester
Jean Linis-Dinco
Mark Newton
Sanjeev Israni
Trace Wu

You can read more about PPAP on the IAA website!

If you have any questions about the PPAP, or IAA’s advocacy work in general, please get in touch at policy@internet.asn.au.

From events to consultations, it’s been as busy as ever for our Policy Team!

You may have noticed IAA being highlighted in CommsDay for taking a stance on important regulatory issues. Whether it be for our CEO setting the record straight on the TCP Code at a major industry event, or our response to the one of our many consultations such as the Senate Committee’s inquiry into the privacy reform, we’re dedicated to representing our Members and to improving the telecommunications regulatory landscape.

As we’ve reported in previous newsletters, the co-regulation approach for telecommunications policy is coming under attack and as Narelle noted in her presentation at the CommsDay Wholesale Forum, there seems to be some ‘arguably disinformation’ floating around on what co-regulatory codes like the TCP Code actually mean. Rest assured, we’ll continue to advocate for the continuation of co-regulation for the telco sector to ensure that regulation affecting the industry is developed by those who actually operate and understand telco systems!

Our Policy Officer and Board Chair also gave a lightning talk at AusNOG to give an update on recent and upcoming regulatory changes, as well as to spread awareness about IAA’s important advocacy work, and how to get involved via the IAA Public Policy Advisory Panel (PPAP).

Speaking of which, the PPAP met for its quarterly meeting on 22 August. Discussions centred around the TIO and its recent changes to its reclassifications approach, which we reported in the last August newsletter. We are now accepting applications to the PPAP.

Completed Submissions:

Upcoming Submissions:

Are you passionate about shaping the way the internet is run? IAA needs your expertise to drive impactful advocacy!

Our Public Policy Advisory Panel (PPAP) is an important body that helps IAA cut through the maze of regulations, providing critical insights that inform our policy positions and advocacy work.

With the terms of many of our current PPAP members ending in early 2025, we’re calling on you to play your part in improving the telco regulatory landscape!

We’re looking for dedicated individuals from our Professional, Corporate and Affiliate Members, for three-year terms, acting in a voluntary capacity.

As a panel member, we invite you to attend quarterly online meetings with the potential for one in-person meeting per year. As part of the panel you’ll:

  • Contribute to IAA’s responses to government and industry inquiries.
  • Help us influence regulation changes and inform topical internet matters.

Find out more and apply to join now via the IAA website by 8:00pm AEDT, 5 December and let’s navigate the future of internet policy together!

Formed in 2022, the IAA Public Policy Advisory Panel is an advisory body of IAA Members that help inform IAA’s public policy and advocacy work related to the telecommunications sector.

Involvement in policy and legislative reform in the Internet and broader telecommunications landscape is a critical part of IAA’s work. Indeed, the Western Australia Internet Association, IAA’s precursor, started as an advocacy body. That’s why we hold the Panel to be so important to our advocacy work.

The Panel meets quarterly to discuss live and upcoming policy issues affecting the Internet industry. The feedback provided by our Members via the Panel greatly informs our responses to the various consultations held by Government and regulatory bodies on matters that affect our industry, and therefore you, our Members!

We have found the Panel immensely helpful for our advocacy work since its formation and believe it has had a genuine impact in shaping telecommunications/Internet policy. For example, we couldn’t have participated as meaningfully during the NBN Co SAU reform process without the input of our Panel, the outcome of which we believe resulted in an SAU that is fairer for smaller RSPs, especially on matters related to NNI.

IAA is also regularly invited by government and regulators to be the voice for smaller communications providers in the industry. More recently, we have been championing our Members in discussions surrounding the security and resilience of telecommunications as part of Australia’s critical infrastructure ecosystem. The Panel has again been of great help, serving as a sounding board for proposed reforms.

Most recently during our last quarterly meeting in June, Panel Members engaged in spirited discussion over the TIO’s complaints handling processes and TCP Code reforms, and more broadly, our concerns about growing calls for direct regulation from regulators, consumer groups and government.

As the telco sector faces increasing regulatory pressures, it’s more important than ever to make sure that the voices of smaller ISPs are heard and able to influence policy makers. We greatly appreciate the Panel and encourage IAA Members to get involved to contribute to IAA’s advocacy efforts.

If you would like to know more about the Panel, please reach out at policy@internet.asn.au.

Don’t be fooled by the lower than usual number of consultations going on, there’s still lots happening in the sector when it comes to policy!

Co-regulation for telecommunications continues to come under fire and is very topical as Communications Alliance released its near-complete draft of the Telecommunications Consumer Protections (TCP) Code Review 2024 to the Review Committee on 20 May. The ACCC, and TIO in particular, have critiqued the TCP Code Review iteration, claiming it does not sufficiently protect consumers. We can expect public consultation on the revised TCP Code to open shortly.

The TIO will soon be implementing changes to their reclassification processes, and publishing guidance material surrounding complaints handling processes, including what constitutes a consumer’s “reasonable attempt to contact a telecommunications service provider” before lodging a complaint with the TIO.

The IAA Public Policy Advisory Panel (PPAP) met for its quarterly meeting on 11 June where there was a spirited discussion on the future of co-regulation in the telecommunications industry, and what can be done to defend it. IAA will be calling for nominations for the PPAP later this year, so make sure to keep an eye open.

Our policy team has also been busy attending bilateral meetings with regulators and government over the period, including on matters related the ACMA’s compliance and enforcement approach, the National Office of Cybersecurity, and the federal government’s telecommunications strategy to 2035.

On the Internet Governance front, we are excited to share the news of the launch of the auIGF (previously NetThing) which will be held this year in Melbourne on 28-29 October. IAA has been a long-time supporter and participant of Australia’s Internet governance community, and encourage you to attend.

The Asia Pacific Internet Governance Academy Australia (APIGA Australia) also recently launched. A program to foster the next generation of youth leaders in Australia’s Internet and digital ecosystem, APIGA Australia are providing fellowships to attend its inaugural event held in November 2024. You can read more about APIGA Australia on their website.

Also! Don’t forget your upcoming compliance obligations:

  • CommCom TCP Code attestation, due 2 September 2024; and
  • Fair Work’s ‘Right to disconnect’ policy will come into place for non-small business employers on 26 August 2024, and small-business employers from 26 August 2025. Eligible employees will have the right to refuse employer or third-party contact outside of working hours. Arnotts Technology Lawyers have prepared some legal documents to assist our Members with their compliance. You can access their ‘Right to disconnect’ Policy template, along with a FAQs document, via the ‘Right to Disconnect – Template Pack’ in the Legal Templates section of the IAA Member Portal.

As always, please get in touch to share any thoughts on any of the open and/or previous submissions as we really appreciate your feedback.

Completed Submissions:

Upcoming Submissions:

Sign up to IAA's mailing list

Complete this form to receive all our latest news, events and updates.