
The subordinate legislation under the Security of Critical Infrastructure Act (SOCI Act) and the new Cyber Security Act affecting the telecommunications sector commenced on 4 April 2025.

These instruments introduce new rules for the telco industry, as well as changes to existing obligations, consolidating security regulations that were previously contained under the Telecommunications Act framework into the SOCI legislative framework. Below is a summary of the regulations.

Telecommunications Security and Risk Management Program Rules
Telco entities that hold a carrier licence, supply over 20,000 carriage services, or supply services to Commonwealth Government entities are subject to more stringent obligations under the new TSRMP Rules.
This involves:

  • implementing and maintaining a risk management program by 4 October 2025;
  • compliance with at least maturity level 1 of a cyber security framework by 4 October 2026 (further obligations for carriers to comply with maturity level 2 by 4 October 2027);
  • obligation to ‘protect your asset’ as far as it is reasonably practicable to do so. Carriers have further obligations to notify the Department of Home Affairs of any changes to your asset that are likely to have a material adverse effect on your ability to protect your asset.


Asset Register and Mandatory Cyber Incident Reporting Rules
Rules requiring telco entities to register their critical assets and notify the Department of a cyber incident have been folded into the SOCI framework.

However, these rules now only apply to entities that hold a carrier licence, meet the ‘relevant carriage service provider asset’ threshold of over 20,000 services in operation, or supply to the Commonwealth Government.

SOCI rules affecting all telcos

Even if you are not a carrier or don’t meet the ‘relevant carriage service provider asset’ threshold, telecommunications assets are still captured under the SOCI Act as critical infrastructure. This means you may still have obligations to:

  • notify your data storage or processing provider that it is storing or processing your business critical data; and
  • follow Ministerial directions in relation to serious incidents affecting your asset.


Subordinate cyber security rules

New security standards for smart devices were introduced in March 2025, with the rules commencing 4 March 2026. The rules apply to both manufacturers and suppliers of ‘relevant connectable products’ and are therefore likely to affect telco entities.

The standards introduce 3 rules for manufacturers in relation to their products: ensuring each device has a unique password or allowing the consumer to create their own password, providing ways for consumers to report security issues, and clearly providing information on the support period for security updates.

The manufacturer must also prepare a Statement of Compliance in respect of the rules. Suppliers must then provide this Statement of Compliance with any relevant connectable products they supply to consumers in Australia and must retain the Statement for at least 5 years.

IAA recently held a webinar on IoT Security on 3 April, which included a discussion on the new rules.

Additionally, from 30 May 2025, all entities with an annual turnover of at least $3 million must report ransomware payments to the Department within 72 hours of the ransom being paid.

Please refer to the below summaries and guidance material provided by the Department in respect of these new rules:


IAA will also soon publish, on the IAA Member Portal, a template risk management plan that Members can use to assist with their compliance efforts.

You can also join the Trusted Information Sharing Network for access to further critical infrastructure information and resources.

Please contact us if you have any questions about these new rules.

Hoping for a nice, quiet summer for a change? Then the latest seasonal weather outlook is not for you! Once again it’s forecast that adverse weather events are likely to cause major disruption across Australia.   

IAA CEO, Narelle Clark, attended a meeting of the Communications Sector Group where Bureau of Meteorology senior climatologist Greg Browning presented Australia’s seasonal outlook for December 2022 to April 2023. The Bureau warns that while severe weather can occur at any time of the year, October through to April is the peak time for flooding, tropical cyclones, heatwaves, bushfires and severe thunderstorms. Indeed, that’s what lies ahead for us according to Greg’s snapshot of what we can expect.   

Here’s a few points:   

La Niña is likely to finish sooner than usual, meaning fewer heavy-rain events than last year in the east. However, eastern Australia’s soils and water catchments are still very full, so if there is any heavy rain, it will likely still result in flooding.  

With all the extra rain we’ve seen, a lot of plant growth has occurred. As things dry up over summer, there is a strong risk of grass fires in the central-west region of NSW, in southern QLD and in north-western VIC (and probably SA too).  

WA is going to have a long, hot summer, with a higher than usual rate of hot days, meaning a high likelihood of bushfires.  

Cyclone season is likely to start early (in December), and indications are that those cyclones will be strong.  

What does this mean for the telco/internet sector?  

We expect there to be no let-up in the level of disruption to services due to weather and bushfires. As such, it is important that organisations make sure their regional teams are geared up for rapid repairs in difficult locations, energy supply back-ups are primed and ready, and all those redundant routes are in place. It’s likely none of them will be redundant in the unnecessary sense of the word!  

Click here to see the slides from Greg Browning’s presentation. The nerds among you will enjoy the pretty graphs despite the unwelcome news 😉

At IAA, we aim to help our members and the Internet industry mitigate communications vulnerabilities resulting from internal and external factors. We do this by sharing information about potential risks, paving the way for best practice to be developed and so reducing the impact on your organisation.   

We extend our thanks to Greg Browning and the Bureau of Meteorology for permitting us to reproduce the weather forecast content and to the Department of Infrastructure, Transport, Regional Development, Communications and the Arts, and the Communications Sector Group.   

 

 A quick reminder to members to submit your annual attestation of your compliance with the Telecommunications Consumer Protections (TCP) Code. Communications Compliance (CommCom) recently opened the TCP Code compliance attestation page for entries. Lodgements are due on 1 September 2022, and Carriage Service Providers who provide telecommunications services to consumers (as defined in the Code) are required to submit an annual attestation.  

CommCom is an independent body responsible for overseeing the conduct of the Code Compliance Framework outlined in Chapter 10 of the TCP Code. It also promotes compliance with the Code through industry guidance and educational initiatives.

On 7 July 2022, the security instruments, Telecommunications (Carrier Licence Conditions – Security Information) Declaration 2022 and the Telecommunications (Carriage Service Provider – Security Information) Determination 2022 (‘Telco Security Instruments’), came into force, activating new rules for carriers and carriage service providers.

In response to growing risks to the security and resilience of Australia’s critical infrastructure, the Security of Critical Infrastructure Act 2018 (SOCI Act) was amended in December 2021, introducing new obligations for a number of sectors, including the telecommunications sector.

In order to avoid regulatory duplication, some of the obligations will be introduced under the Telecommunications Act 1997 for the telecommunications sector, including mandatory reporting of cyber security incidents and lodging an asset register. The mandatory reporting obligations commenced 7 July 2022, and the asset register obligation will commence from 7 October. 

We’ve prepared a whitepaper, Understanding Critical Infrastructure Obligations – Part One: IAA guidance to members on the Telecommunications Sector Security Instruments – Cyber Security Incident Reporting, that seeks to guide members in understanding and complying with the cyber security incident reporting obligations, under which significant and relevant cyber security incidents must now be reported to the ACSC. We’ve also prepared a blog post providing commentary on the lack of meaningful engagement with industry in preparing us for the new regulations.

It’s official, Wednesday, 24 August 2022 at 9:00am AEST / 7:00am AWST is the launch date for phase one of the new IAA Member Portal. After more than 18 months of planning, designing, coding and testing, the new portal will be rolled out across three phases, with each phase containing new and upgraded features. 

Emails will be sent out to members giving important information on what to expect over the coming weeks. Members are reminded to keep an eye out for the important ‘Getting Started’ email coming on Wednesday, 10 August 2022, that will help make your transition to the new portal as easy as possible. 

We’re also planning to release some teaser videos on our social media channels, so stay tuned to catch a glimpse of what you have to look forward to! 

Completed Submissions
Telstra-TPG Merger Authorisation | ACCC
In our response to the Commission’s consultation regarding the merger authorisation requested by Telstra and TPG, we noted our general support for the principle of open access provided at a fair cost, while bringing attention to the potential risk of adversely hindering competition through entrenching dominant players in the market. Overall, IAA believes that any infrastructure built with public money should be open to all relevant and qualified telecommunications providers to access. 

National Data Security Action Plan | Department of Home Affairs
The National Data Security Action Plan is in a very early stage of development. In our response, we focused on the need for government to clarify the policy context surrounding data security for the telecommunications sector. We called for greater meaningful engagement with the sector, and support for businesses to encourage collaboration.  While we acknowledge the need to ensure Australia’s data security, it is imperative that this takes a multistakeholder approach, and that the Action Plan is cohesive, clear and effective. 

Open Submissions
NBN Co. SAU Variation | ACCC | 8 July 2022
The ACCC is seeking submissions to its report on NBN Co.’s SAU Variation. The proposed variation from NBN Co includes product and pricing commitments, changing the framework for NBN Co’s cost recovery, and incorporating fibre-to-the-node and other copper-based technologies to create a single regulatory framework for all technologies. We are still keen to hear from any members with views on this important topic, as we know it is a highly contentious matter! 

During the month of June, we released two independent reports that assess IAA’s contribution and importance to Australia’s Internet. In this report, “The Importance of IXPs in Australia”, Professor Matthew Roughan from the University of Adelaide provides an analysis of the value and importance of IXPs. Using technical and scientific literature, he substantiates the benefits of IXPs, including improving performance, reliability and security. It is an excellent report, as it contains a substantial technical background, a review of the scientific literature on IXPs, and clearly articulates their benefits. We highly recommend adding it to your weekend reading list! Read the full report. 

This last month I’ve enjoyed a brief holiday, and in my absence the team have been just brilliant! Racks have been rearranged, submissions lodged, and our new portal has a shiny new layout. We’ve even cracked a new traffic milestone over the last week, so now 900Gbps is the new normal across the exchanges. Well done everyone, it looks like the IXes are delivering what you want.  

We also quietly observed the 25 year anniversary of WA-IX, and notice has gone out for a bigger birthday party later this year alongside our AGM. I hope we can get a good number of you along, as this will make up for the party we couldn’t have in 2020 to mark the 25th of WAIA itself! It has been great to see the preparation taking shape and we have some lovely messages already to hand from colleagues and friends around the world. 

One of the exciting pieces of reading during my holiday was the Australian National Audit Office (ANAO) report on the Dept of Home Affairs. I’d have to say it is one of the more critical – even scathing – reports I’ve read for a while. Statements such as “The department’s administration and regulation of critical infrastructure protection policy was partly effective” and “The department’s performance framework as it related to critical infrastructure was not adequate” echo our own observations and it would seem the department has a lot of work to do before the system becomes useful to any of us. Thankfully, they have accepted ANAO’s recommendations, but call me cynical, I await the implementation.  

The team also released two great research reports we commissioned that examine the value of our services and look at the impact we have on the internet ecosystem and the Australian market generally. I trust you enjoy the reading, and take as much pride in the contribution of your association as we do. 

All the best 

Narelle 

IAASysters is a program designed to support women in the Internet industry by offering ten sponsored attendees the opportunity to attend the IAASysters Workshop and the AusNOG Conference. The one-day workshop equips attendees with a range of soft skills and important career planning advice, so they have the tools they need to have a fulfilling and successful career.   

Attending the AusNOG Conference is an integral part of the program and also contributes to its success. By sending attendees to this event, they build their technical skills and knowledge and can take advantage of all the networking opportunities that arise from it.   

Applications to become a sponsored attendee are closed. Although applications were open to all, we encouraged women to apply as this program is designed to suit their needs due to a waning number of females within our industry. Applicants were required to meet the following eligibility criteria:  

  • Must be an Internet engineer / technician / product specialist / programmer  
  • Have a passion for the Internet and the Internet industry  

Applications demonstrating the most potential for personal growth and passion for the Internet are rated highest.  

Sponsored attendees receive: 

  • Ticket to attend the IAASysters@AusNOG (31 August 2022) 
  • Ticket to the AusNOG Conference (1-2 September 2022) 
  • Economy airfares to Melbourne and accommodation (if required) 
  • One-year complimentary Professional membership to IAA (subject to Board approval) 

For more information about this event, please head over to the IAASysters page on our website or get in touch with us at events@internet.asn.au 

 
