Over the past few months, the Government has introduced a number of important reforms to the Australian telecommunications regulatory landscape. These reforms will have a significant impact on all carriers and many carriage service providers. Taken together with the current Telecommunications Consumer Protections (TCP) Code amendment process, they constitute a significant uplift in regulatory obligations applicable to the sector.
The legislative reforms comprise:
- Amendments to the Security of Critical Infrastructure Act 2024 (Cth) (SoCI Act), which transfer and uplift certain obligations that apply to telecommunications providers under the Telecommunications Act 1997 (Cth) (Telco Act) and take effect on 4 April 2025.
- Rules that 'switch on' the obligation for carriers and certain carriage service providers (CSPs) to implement and maintain a Telecommunications Security and Risk Management Program (TSRMP Rules)[1] have been made and will commence on 4 April 2025.
- The Security of Critical Infrastructure Amendment (2025 Measures No. 1) Rules 2025 (Cth) (Amended Application Rules) which amend the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (Cth) (Application Rules) have been made. Once these amendments take effect on 4 April 2025, they will have the effect of switching on the Asset Registration and Cyber Security Incident Notification Rules under the SoCI Act.
- On 12 February 2025, the Telecommunications Amendment (Enhancing Consumer Safeguards) Bill 2025 (Enhancing Consumer Safeguards Bill) was also introduced into Parliament but has not yet been passed. If passed, this Bill would have the effect of:
  - establishing a requirement for eligible CSPs to be registered as a condition of being permitted to supply services;
  - enabling the direct enforcement of industry codes by the Australian Communications and Media Authority (ACMA); and
  - amending and increasing the penalty amounts for infringement notices and civil penalties.
Key takeaways
- Existing elements of the Telecommunications Sector Security Reforms regime (TSSR) have been integrated and uplifted into the SoCI Act. These obligations will only apply in respect of assets prescribed by the applicable rules.
- The TSRMP Rules and the Amended Application Rules 'switch on' the SoCI Act's positive security obligations for all carriers and 'relevant CSPs' (being CSPs with more than 20,000 active services or which otherwise supply services to the Government). Importantly, carriers and relevant CSPs will need to establish and maintain a security and risk management program to address material risks to their assets across all hazards and meet minimum cybersecurity maturity frameworks.
- If the Enhancing Consumer Safeguards Bill is passed by the Government:
  - all CSPs will be required to register with the ACMA;
  - compliance with industry codes (specifically the TCP Code) will be mandatory and the ACMA can take direct enforcement action in relation to compliance with the codes; and
  - maximum penalties for breaches of industry codes, industry standards and service provider determinations will increase from $250,000[2] to the greater of: 30,300 penalty units (currently $9.999 million), three times the benefit obtained by the contravening entity and its related bodies corporate, or 30% of the adjusted turnover of the contravening entity where the benefit cannot be determined.
Security regulation for critical telecommunications assets
Who will be captured?
All carriers and a subset of CSPs will be subject to all three positive security obligations under the SoCI Act with respect to critical telecommunications assets (as opposed to being subject to parallel obligations which are currently enlivened pursuant to the Telecommunications (Carrier Licence Conditions—Security Information) Declaration 2022 (Cth) and the Telecommunications (Carriage Service Provider—Security Information) Determination 2022 (Cth) (the Telco Security Information Instruments) with respect to asset registration and incident notification).
The subset of CSPs to be caught under these new rules ('relevant carriage service provider asset') are:
- CSPs that meet the prescribed threshold of 20,000 active carriage services; and
- CSPs that supply to the Government (except for bodies established by a law of the Government).
What will be captured?
The definition of Critical Telecommunication Asset has been expanded to include:
'(b) any other asset that is:
(i) owned or operated by a carrier or a carriage service provider; and
(ii) used in connection with the supply of a carriage service' (emphasis added)
Consistent with reforms to the SoCI Act implemented in December 2024, the effect of this amendment is to ensure that assets owned and operated by carriers/CSPs which are used in connection with the supply of a service (rather than used directly in the supply of a service) are captured under the SoCI Act. This would include, for example, CRM systems and corporate IT networks that were not previously clearly captured.
Positive security obligations
| Obligation | CARRIER ASSETS | 'RELEVANT CSP' ASSETS | OTHER CSP ASSETS |
| --- | --- | --- | --- |
| Risk Management Program obligations | ✓ | ✓ | |
| Obligation to protect asset[3] | ✓ | ✓ | |
| Notification of changes[4] | ✓ | | |
| Asset Registration obligation | ✓ | ✓ | |
| Mandatory Cyber Incident Reporting | ✓ | ✓ | |
| Government assistance, directions and information-gathering powers | ✓ | ✓ | ✓ |
The TSRMP Rules largely mirror the existing Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (Cth) with additions to reflect telecommunications-specific risks, including risks relating to the compromise, theft or manipulation of communications.
Some key points in the draft TSRMP Rules stand out in particular:
- Carriers and Relevant CSPs will have until 3 October 2025 (ie, six months from 4 April 2025) to develop and implement their risk management program to address the following hazard vectors:
  - cyber and information security hazards
  - personnel hazards
  - supply chain hazards
  - physical security hazards and natural hazards.
- With respect to cyber and information security hazards, the requirement to meet minimum cybersecurity maturity frameworks goes beyond that currently provided for under the existing CIRMP Rules for other asset classes. For both carriers and Relevant CSPs, maturity indicator 1 for the prescribed framework must be achieved by 3 October 2026. However, for carriers only, maturity indicator 2 with respect to one of the following frameworks must be achieved by 3 October 2027:
  - Essential Eight;
  - Cybersecurity Capability Maturity Model (published by the US Department of Energy); or
  - 2020‑21 AESCSF Framework Core published by Australian Energy Market Operator Limited.
- We understand that the obligation to achieve maturity indicator 2 is something that smaller carriers (unsuccessfully) tried to resist during the consultation process owing to the fact that it would result in an increase in their operating costs. However, the Government is of the view that, given the criticality of telecommunications networks to the economy, the higher maturity indicator is necessary. It is not a stretch to imagine that the obligation to achieve maturity indicator 2 might be imposed on other classes of critical infrastructure assets in the near future.
- The TSRMP Rules will relate to all assets owned or operated by carriers and Relevant CSPs. This is materially broader than the existing concept of a 'critical telecommunications asset' which relates to those assets owned by a carrier/CSP and used to provide a carriage service. The effect of this is that the TSRMP must address both assets relating to a carrier's/CSP's telecommunications network as well as those assets which do not (e.g. billing and charging systems).
- Carriers and Relevant CSPs will need to provide an annual attestation in relation to their compliance with their risk management program.
The Amended Application Rules will transfer the existing registration obligations for carriers and CSPs, which are currently applicable by virtue of the Telco Security Information Instruments, to the SoCI Act. As per the above table, the obligation to provide ownership, operation, interest and control information to the Register of Critical Infrastructure Assets will apply to carriers and Relevant CSPs.
We understand that the existing equivalent obligations made under the Telco Security Information Instruments will continue to be in effect until 7 July 2025.
The Amended Application Rules will also activate the Mandatory Cyber Incident Reporting obligations for carriers and Relevant CSPs under the SoCI Act.
Again, the existing equivalent obligations made under the Telco Security Information Instruments will remain in effect until 7 July 2025.[5]
The reforms to the SoCI Act also transfer elements of the TSSR currently contained in Part 14 of the Telco Act into a new Part 2D of the SoCI Act.
- Obligation to protect asset: the current obligation in section 313(1A) of the Telco Act requires carriers and CSPs to 'do their best' to protect their telecommunications networks and facilities from unauthorised interference or unauthorised access. The new section 30EB of the SoCI Act requires the responsible entity for a critical telecommunications asset prescribed by the rules to protect the asset, 'so far as it is reasonably practicable to do so' for the purposes of: (a) security; and (b) the protection of the asset from any hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset. This obligation will apply with respect to all critical telecommunications assets.
- Notification of changes: all carriers will be required to notify the Secretary of certain changes, and proposed changes, to telecommunications services or telecommunications systems if the change, or proposed change, is likely to have a material adverse effect on the entity's capacity to comply with the obligation to protect the asset for the purposes of security. The kinds of changes to be notified mirror those currently specified in section 314A(2) of the Telco Act. The TSRMP Rules (rule 17) prescribe a list of information that carriers must provide to the Secretary when notifying them of such a change or proposed change. In large part, this has the effect of codifying much of the information that was previously required to be provided under the CISC's sample notification form.
- Compliance with Minister's directions to cease supply: the new section 30EF of the SoCI Act largely replicates the existing section 315A of the Telco Act, which enables the Minister for Home Affairs to issue a direction requiring a carrier or carriage service provider 'not to use or supply, or to cease using or supplying' a particular service that the Minister considers to be 'prejudicial to security'. This obligation applies generally to responsible entities of a critical telecommunications asset and does not rely upon any rules prescribing the application of this section.
Other TSSR components that would be repealed from the existing Telco Act, including other direction-making powers of the Minister for Home Affairs, the Secretary of Home Affairs' information-gathering powers and requirements in relation to security capability plans, are not proposed to be replicated into the SoCI Act.
However, the existing SoCI Act's direction-making and information-gathering powers are broadly equivalent to these provisions.
New CSP registration requirements and enforcement powers for telco regulator
The Enhancing Consumer Safeguards Bill has been introduced by the Government to improve compliance and enforcement of telecommunications consumer protection rules for the benefit of consumers.[6]
These proposed reforms coincide with a review by the ACMA of the TCP Code and a draft revised version that has been the subject of public consultation (and much debate).
Registration of CSPs
Currently, there is no licensing or other registration framework that applies to CSPs under the Telco Act (unlike carriers, which must register a carrier licence with the ACMA).
The Enhancing Consumer Safeguards Bill proposes to establish a CSP registration scheme prohibiting:
- a CSP from providing a listed carriage service to the public unless it is registered; and
- carriers or wholesale CSPs from supplying listed carriage services to CSPs that are not registered.
The CSP registration scheme is proposed to apply to 'eligible carriage service providers', being CSPs that enter into the Telecommunications Industry Ombudsman (TIO) scheme and supply:
- a standard telephone service;
- a public mobile telecommunications service; or
- a carriage service that enables end-users to access the internet.[7]
ACMA will also have the power to:
- impose conditions on the registration of CSPs;
- refuse a CSP's registration based on prescribed grounds for refusal (eg the application contains false or misleading material, the applicant has engaged in or is likely to engage in a contravention of the TIO scheme, or the applicant has engaged in conduct that poses a significant risk to consumers); and
- revoke the registration of a registered CSP.
Mandatory industry codes
The ACMA does not currently have the power to directly enforce industry codes; rather, it must first direct a provider to comply with the code or issue a formal warning.[8] The ACMA can currently only take stronger enforcement action if the provider continues to not comply with its directions or warnings.
The Enhancing Consumer Safeguards Bill proposes to make compliance with an industry code mandatory and to make breaches of the obligation to comply with a registered industry code a civil penalty provision that is directly enforceable by the ACMA at first instance.
Pecuniary penalties
Currently, maximum civil penalties differ greatly across the Telco Act and the current maximum civil penalty for non-compliance with a direction by the ACMA to comply with a registered industry code is $250,000.[9]
The Enhancing Consumer Safeguards Bill proposes to increase maximum penalties that can be ordered by the court for individual contraventions to the greater of:
- 30,300 penalty units (~$9.999 million);
- three times the benefit obtained by the relevant entity and its related bodies corporate from the contravening conduct; or
- if the court cannot determine the benefit, 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.
Infringement notices given to bodies corporate
Currently the Telco Act only permits the Minister for Communications to increase infringement notice penalties for breaches of either the general carrier licence conditions or CSP rules.
The proposed amendments to the Telco Act will allow the Minister for Communications to increase infringement notice penalty amounts for any breach where the ACMA can already issue an infringement notice.
What's next?
Organisations in the telecommunications sector should consider the steps required to ensure compliance with the latest reforms. This might include:
- reviewing existing cyber incident response plans or business continuity plans and updating such processes and documentation to ensure they are consistent with the incoming amendments to statutory obligations and the TSRMP Rules.
- performing a gap analysis to address any discrepancies between obligations under the TSSR and the 'all hazards' approach to protection of telecommunications assets under the SoCI reforms.
- considering whether they constitute a CSP for the purposes of the TIO scheme to prepare for potential mandatory registration with the ACMA.
- reviewing existing operations and processes to ensure compliance with registered industry codes, and/or
- keeping a watching brief on the review into the TCP Code.
Footnotes
- Telco Act, s 570.
- Akin to, but broader than, s 313 of the Telco Act.
- Akin to s 314A of the Telco Act.
- Explanatory Statement, Security of Critical Infrastructure Amendment (2025 Measures No. 1) Rules 2025 (Cth), page 12.
- Explanatory Memorandum, Telecommunications Amendment (Enhancing Consumer Safeguards) Bill 2025 (Cth), 5.
- Telecommunications (Consumer Protection and Service Standards) Act 1999, s 127.
- Telco Act, ss 121-122.
- Telco Act, s 570.