Australian firms must now adhere to mandatory cyber security incident reporting. 

Home Affairs minister Karen Andrews has announced Australia's critical infrastructure legislation is now in force. 

It means reporting of information security events is now mandatory for several industry sectors.

The Security of Critical Infrastructure 2018 Act identifies several industry assets as “critical”, including telcos and internet service providers, fuel companies, data storage and processing companies, certain types of freight operator, banking, insurance and finance, as well as some food and grocery assets.

The reasoning varies by sector, such as domain name systems, which are deemed critical for resolving issues regarding links to internet protocol addresses.

The government requires reporting of critical cyber security incidents that have significant impact on the availability of assets covered by the Act within 12 hours of the operators becoming aware of the issue.

It says verbal reports must be made to Australian Cyber Security Centre (ACSC), accompanied by written notifications, within 84 hours. 

The legislation considers ‘significant impact’ to be an infrastructure incident that has materially disrupted the availability of essential goods and services.

The government is allowing a three-month grace period from April 8 2022 for mandatory incident reporting to ACSC, giving critical infrastructure operators until July 8 to report incidents. Even so, Home Affairs is strongly encouraging all assets to voluntarily report to the ACSC as soon as possible.