Telecommunications

Overview

  • The telecommunications sector is one of Australia's most critical infrastructure sectors and is subject to a comprehensive regulatory regime. Following recent reforms in 2024, the primary security obligations for telecommunications carriers and carriage service providers are now consolidated under the Security of Critical Infrastructure Act 2018 (Cth) (see the Security of Critical Infrastructure page).
  • This change, driven by the 2023-2030 Australian Cyber Security Strategy, was designed to align the telecommunications sector with the 'all-hazards' risk management approach applied to other critical infrastructure sectors and to address legislative gaps by replacing a series of temporary measures that were due to sunset in 2025. This framework exists alongside long-standing obligations under the Telecommunications Act 1997 (Cth), which primarily govern service provision, consumer safeguards, and lawful access and interception.

Background

The legal framework governing the Australian telecommunications sector is complex, with key obligations now spread across the Telecommunications Act 1997 (Cth) and the Security of Critical Infrastructure Act 2018 (Cth).

Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act)

Following the commencement of the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) (ERP Act) on 4 April 2025, the core security obligations for telecommunications providers were consolidated into the SOCI Act.
  • New Security Obligations (Part 2D): The ERP Act inserted a new Part 2D into the SOCI Act, which imposes an enhanced 'all-hazards' security duty on responsible entities for critical telecommunications assets. This requires them to take all reasonably practicable steps to protect their assets from hazards that could impact their confidentiality, integrity, and availability (s 30EB). This security obligation now explicitly includes maintaining "competent supervision of and effective control over the asset", which goes beyond the previous TSSR requirements and places a greater onus on entities to manage outsourced and offshored arrangements. Failure to comply carries a significant civil penalty of 1,500 penalty units.
  • Notification of Changes: Responsible entities must notify the Secretary of Home Affairs of any actual or proposed changes to their services or systems that are likely to have a material adverse effect on their capacity to comply with their security obligations (s 30EC). The Secretary can then request further information and assess if the change poses a risk to security.
  • Ministerial Directions: The Minister retains the power to direct a carrier or carriage service provider not to use or supply a carriage service if the Minister considers that its use would be prejudicial to security (s 30EF).
  • Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 (Cth) (TSRMP Rules): These Rules set out the above obligations in further detail. The TSRMP Rules largely mirror the existing Critical Infrastructure Risk Management Program (CIRMP) Rules for other sectors, but include additional requirements to address telecommunications-specific risks, such as the compromise, theft, or manipulation of communications.

Telecommunications Act 1997 (Cth)

While the core security duties have moved to the SOCI Act, the Telecommunications Act 1997 (Cth) continues to provide the main regulatory framework for the industry. Key ongoing provisions include:
  • Industry Regulation and Consumer Safeguards: The Act sets out the licensing regime for carriers and the rules governing the provision of telecommunications services to the public. It includes consumer protection measures such as the Universal Service Obligation (USO) and the Customer Service Guarantee (CSG).
  • Powers of the ACMA: It establishes the powers of the Australian Communications and Media Authority (ACMA) as the industry's primary day-to-day regulator for non-security matters.
  • Preventing Illegal Use: The Act imposes a duty on carriers and carriage service providers to do their best to prevent their networks from being used to commit offences (Part 14).

Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act)

  • The TIA Act governs the interception of and access to telecommunications content and data by law enforcement and national security agencies.
    • Interception Capabilities: The TIA Act requires carriers and carriage service providers to have and maintain the capability to allow law enforcement agencies to execute interception warrants on their networks.
    • Data Retention: Part 5-1A of the TIA Act requires carriers to retain specific types of telecommunications data (metadata, but not content) for a period of two years to assist with law enforcement investigations.
  • Telecommunications data retained under Part 5-1A is 'personal information' for the purposes of the Privacy Act 1988 (Cth).
  • See Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (19 January 2017).

Cloud Service Providers (CSPs)

  1. As "Critical Data Storage or Processing Assets": A CSP is directly regulated as a responsible entity under the SOCI Act if it is declared a "critical data storage or processing asset". This typically occurs if the CSP holds data for a government agency or another critical infrastructure entity. In this case, the CSP must comply with all relevant SOCI Act obligations, including the requirement to have a Critical Infrastructure Risk Management Program (CIRMP).
  2. As Part of a Telecommunications Asset: Following the ERP Act amendments, a data storage system (such as a cloud service) that holds "business critical data" for a critical telecommunications asset is now considered part of that primary asset (SOCI Act, s 9(7)). This ensures that secondary data storage assets, virtual assets, and other assets that support (rather than form part of) a telecommunications network are captured by the SOCI Act framework.
  3. As a Supply Chain Hazard: The SOCI Act's risk management program rules explicitly require responsible entities to manage "supply chain hazards". This includes identifying and mitigating risks arising from reliance on third-party suppliers like CSPs.

Regulatory & Policy Framework

The security policies and rules for the telecommunications sector are now primarily issued under the authority of the SOCI Act.

Relevant Organisations

The regulation of the telecommunications sector is now split between two key bodies, reflecting the separation of general industry regulation from national security obligations.
  • Cyber and Infrastructure Security Centre (CISC): Located within the Department of Home Affairs, the CISC is now the primary regulator for the security of all critical infrastructure, including critical telecommunications assets. It is responsible for administering the obligations under the Security of Critical Infrastructure Act 2018 (Cth).
  • Australian Communications and Media Authority (ACMA): The ACMA remains the day-to-day technical and industry regulator for the telecommunications sector under the Telecommunications Act 1997 (Cth). Its role focuses on matters such as licensing, spectrum management, consumer safeguards, and technical standards. The ACMA refers matters relating to security threats to the Department of Home Affairs and the CISC.

Inquiries & Consultations

The legislative framework that consolidated telecommunications security obligations under the Security of Critical Infrastructure Act 2018 (Cth) was developed following extensive public and industry consultation.

Industry Materials
