Strict new cybersecurity measures have been outlined for major telecommunications companies.

As part of new legislation introduced by Home Affairs Minister Clare O’Neil, telecommunications companies will now be classified as “critical infrastructure”, which requires annual board approval of new or updated cyber risk management programs.

Failure to comply could result in significant penalties for companies.

The move follows a high-profile cyberattack on Optus last year and a recent nationwide network outage, prompting Minister O’Neil to include telcos under the Security of Critical Infrastructure Act. 

“Reliable telcos are vital to Australia’s national security. As we learnt again last week, nothing much works in the 2020s without reliable internet,” she said.

“Telcos should be held to at least the same standards as other critical infrastructure. Our telcos must be prepared for major vulnerabilities, have risk management plans in place, and build backups to maintain essential services when things go wrong.”

Ms O’Neil described the existing regulations as “bloody useless” in the wake of the Optus breach in October 2022, in which sensitive data belonging to 9.8 million Australians was compromised.

The new legislation aims to align telcos with cybersecurity standards applicable to other critical infrastructure sectors. 

These changes come ahead of the release of the government's cybersecurity strategy and respond to concerns raised by the recent cyberattack on DP World, a major stevedore that manages container operations at key Australian ports.

In addition to reporting requirements introduced last year, the updated laws impose stricter rules to bolster critical systems against cyber threats. 

The legislation also gives the government intervention powers to issue directions during incidents, consolidating the regulatory regime that covers telecommunications.