Business Insight

High Risk, Higher Standards: What the Enhanced CIRMP Rules Mean for You

Modern glass high-rise building facade with geometric blue-teal panels, protruding balconies, and rectangular grid patterns

    What you need to know

    • On 9 June 2026, the Security of Critical Infrastructure Legislation Amendment (Enhanced Critical Infrastructure Risk Management Program) Rules 2026 (LIN 26/075) (Enhanced CIRMP Rules) were registered, formally amending the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules 2023 (CIRMP Rules) under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).
    • The Enhanced Rules introduce additional obligations for responsible entities of the following "high-risk" asset classes:
      • Critical water assets;
      • Critical energy assets (including critical electricity assets, critical energy market operator assets, critical gas assets and critical liquid fuel assets);
      • Critical broadcasting assets;
      • Critical domain name systems;
      • Critical freight infrastructure assets and critical freight services assets.
    • Responsible entities for these "high-risk" asset classes must comply with both the existing baseline CIRMP requirements and the enhanced CIRMP requirements, with the Enhanced CIRMP Rules prevailing to the extent of any inconsistency.

    What you need to do

    • Consider whether you are a responsible entity for a high-risk asset class and therefore subject to the Enhanced CIRMP Rules.
    • Understand the grace periods which apply to these new obligations and commence planning and implementation of the uplift to your CIRMP and operational controls without delay. While Government has extended the grace periods based on responses received during the consultation period, there is a lot of work to be done in a still relatively short period of time.

    The Enhanced CIRMP Rules

    The existing CIRMP Rules under the SOCI Act require responsible entities to manage material risks across all-hazards, including cyber and information security, physical, personnel and supply chain hazards, and to minimise or eliminate those hazards as far as reasonably practicable.

    The Department of Home Affairs considers that obligations under the baseline CIRMP Rules set minimum expectations for security requirements for responsible entities. As we have seen recently in the media, business disruptions are now a matter of "when" rather than "if". The organisations that fare best are those that are prepared for known risks. When preparation is lacking, the consequences can be swift and wide-ranging – responsible entities may face regulatory scrutiny, disputes, and adverse impacts to their customers, employees, reputation, financial performance and consumer trust.

    Following an extensive consultation process, including an initial Consultation Paper in late 2025, industry submissions, public town halls and sector-specific impact analysis sessions, and an Exposure Draft consultation in early 2026, the Enhanced CIRMP Rules have now been finalised and are in force. The amendments are intended to keep pace with the evolving threat landscape and align with assessments conducted by the National Intelligence Community. These changes appear to reflect a change in mindset by the Department, as it wants organisations to think more broadly about their operational resilience. In our experience, a defensible position, in response to a threat or hazard, requires a significant level of preparedness so that the organisation can withstand, respond to and recover from the disruption without materially impacting its customers and stakeholders. Requiring this work to be done as part of compliance with the Enhanced CIRMP Rules will, in effect, force entities to do the work they may otherwise have been delaying or not prioritising.

    Key uplift areas

    The areas addressed by the Enhanced CIRMP Rules and their corresponding grace periods for compliance are as follows:

    Uplift areaDescriptionGrace period
    Additional material risks – enhanced requirements (s6A)

    Responsible entities must establish and maintain a process or system in their CIRMP to, as far as reasonably practicable, minimise or eliminate a set of specified additional material risks. These are:

    • any impairment of the CI asset's functions that could prejudice the social stability, economic stability, national security or defence of Australia;
    • compromise or impairment of the CI asset's functions as a result of, or in connection with, Foreign Ownership, Control and Influence (FOCI);
    • offshore or remote access to critical components; and
    • offshore or remote access to business critical data.
    10 June 2027 (12 months)
    Cyber and Information Security Hazards – enhanced requirements (s8A)


    Responsible entities must establish and maintain a process or system in their CIRMP to, as far as reasonably practicable, minimise or eliminate the following material risks:

    • failure to patch or update operating or security systems in a timely manner;
    • failure to replace legacy systems, or adequately mitigate risks associated with components or technology that are redundant, unsupported, obsolete or discontinued;
    • deployment, hosting or use of advanced, novel or emerging technology in a manner that could prejudice the availability, integrity, reliability or confidentiality of the asst.
    10 June 2027 (12 months)
    Responsible entities are required to comply with maturity level 2 of their chosen cyber maturity framework. If a responsible entity has selected a framework which is not listed in the CIRMP Rules, their CIRMP must outline the steps taken to make their cyber program equivalent to one of those frameworks (including the conditions governing the maturity level).
    10 June 2028 (24 months)
    Credential Compromise Hazards (s8B)
    This standalone provision applies where the responsible entity's chosen cyber framework does not already require phishing-resistant multi-factor authentication (MFA). The responsible entity must identify the systems and networks for which phishing-resistant MFA is required, minimise or eliminate the risk of a credential compromise hazard occurring, mitigate any relevant impact on the CI asset, implement phishing-resistant MFA for those systems, and centrally log, monitor and review authentication attempts. If the entity cannot practically implement these measures, it should still include a process or system in its CIRMP containing reasonable steps to minimise or eliminate the relevant material risks.
    10 June 2028 (24 months)
    Lateral Movement Hazards (s8C)
    This provision addresses the risk of users moving between computer systems and critical systems in a way that could compromise the availability, integrity, reliability or confidentiality of the asset. Responsible entities must identify and maintain an inventory of critical systems and their connections with other critical systems, recover and restore critical systems after an incident, ensure continued availability while rebuilding or restoring critical systems and minimise or eliminate lateral movement risks so far as reasonably practicable. Network segregation is deemed to satisfy the obligations where it meets the specified requirements, including segregation between critical systems, operational independence from other internet-connected computers, at least three months of continued operation while other computers are in restoration or recovery, logical access controls, central logging and monitoring of communication paths between critical systems and other networks, and implementation of least privilege principles. 10 June 2028 (24 months)
    Personnel Hazards – enhanced requirements (s9A)

    Responsible entities must establish and maintain a process or system in their CIRMP to, as far as reasonably practicable, minimise or eliminate the material risks associated with:

    • unauthorised or unsupervised access to critical components;
    • the compromise or misuse of credentials and privileged access used by individuals to access the asset;
    • access to the asset by persons other than critical works' and
    • incoming and outgoing critical workers.
    10 June 2027 (12 months)
    The baseline CIRMP covers suitability assessments and ongoing monitoring of critical workers. The distinction between "onshore" and "offshore" critical workers included in the Exposure Draft has been removed in favour of a unified framework. Critical workers must be assessed as suitable through either an AusCheck background check or by holding a relevant security clearance (defined as Negative Vetting 1 level or higher). Where a critical worker is unable to meet those requirements, the entity must document the associated risk and the steps being taken to address it. Additionally, for persons with ongoing access to critical components, background checks must be renewed at minimum every five years (for AusCheck) or revalidation (before the NV1 clearance lapses or expires), and entities must proactively monitor for developments that may affect a critical worker's ongoing suitability.
    10 June 2028 (24 months)
    Supply Chain Hazards – enhanced requirements (s10A)
    The supply chain provisions remain broadly consistent with the Consultation Paper. Entities must map their supply chain for major suppliers and critical components identifying risks to the availability, integrity, reliability or confidentiality of those components and determining the maximum acceptable outage for the asset arising from supply chain disruption. A separate vendor assessment process must also be maintained for existing and proposed major suppliers, requiring entities to evaluate each major supplier against a range of factors including FOCI-related legal requirements, jurisdictional restrictions and sanctions, and the supplier's access, influence and control over the asset, material risk, maximum acceptable outage, and mitigation steps.
    10 June 2028 (24 months)
    Physical Security and Natural Hazards – enhanced requirements (s11A)
    The physical security provisions retain the same general structure but shift in focus. Rather than requiring entities to "minimise or eliminate the risk associated with" physical security consequences, the revised framework requires entities to "outline and consider the physical security consequences arising from the occurrence of all hazards". This broader framing encompasses cyber and information hazards, credential compromise hazards, lateral movement, and other physical and natural hazards. Responsible entities must outline the location, ownership and nature of the site, physical critical components, and areas holding business-critical data or containing critical components (including critical systems).
    10 June 2028 (24 months)

    What does this mean for entities with "high risk assets"?

    Since their introduction, the CIRMP Rules have had the difficult task of applying a one-size-fits-all security approach for a wide range of sectors and assets, with extremely varied levels of capability, resourcing and maturity. Inevitably, such an approach must cater for the lowest common denominator so as not to over-burden smaller or less mature entities, but this can result in the bar being set too low for more critical or mature entities.

    In defining a "high-risk" class of assets, government has acknowledged that certain asset classes are acutely critical to Australia's national security and require stronger security controls.

    Ideally, high-risk entities should already be exceeding the current CIRMP requirements, but commercial constraints, optimism bias, and a failure to plan ahead has meant that many are not and will need to undertake significant work to uplift their policies, practices and controls to comply with the Enhanced CIRMP Rules.

    What are the key changes we think "high risk assets" should focus on?

    Three changes stand out as particularly impactful - (1) cyber framework uplift, (2) management of foreign ownership and control risks and (3) compliance with the enhanced critical worker obligations.

    Moving up from a baseline maturity level for frameworks such as the AESCSF and Cybersecurity Capability Maturity Model is a non-trivial task, and entities should conduct a thorough gap analysis to identify where uplift is required. The dedicated sections for credential compromise hazards and lateral movement hazards reflects the Department's heightened focus on these specific areas of threat. The three-month operational independence requirement for critical systems during network restoration may be challenging for many entities.

    The interconnectedness of critical infrastructure supply chains and foreign ownership within them present a risk multiplier. The Enhanced CIRMP Rules address FOCI risks as an additional material risk under section 6A, as part of the vendor assessment process under section 10A; and through the broader supply chain mapping obligations. Identifying and managing these risks will require a rigorous mapping exercise that considers all aspects of an asset and its supply chain. Entities will be required to establish a process to identify vendors, suppliers and managed service providers involved in providing, supporting or controlling the technology, consumables, capability and components critical to the asset, before teasing out the foreign ownership or control risks within this complex ecosystem and establishing controls to minimise or eliminate them. This will be a challenging task for all entities with complex or opaque supply chains.

    And finally we expect that the enhanced critical worker obligations will require organisations to revisit their terms of employment to understand if they can mandate the additional checks required in order to allow critical workers to access critical components and how they can require employees, or contractors who provide critical workers, to proactively inform them if their suitability to be a critical worker changes over time.

    What now?

    As the Enhanced CIRMP Rules are now in force, our advice for responsible entities for high-risk assets is to act promptly to assess their current state of compliance against the enhanced requirements and develop and execute on implementation plans to meet the applicable grace period deadlines.

    Want to know more?

    Other authors: John Moore, Director, Risk Advisory; Sanjay Vinoharan, Director, Risk Advisory; Sanjam Bajwa, Lawyer. 

    This publication is a joint publication from Ashurst Perkins Coie Australia and Ashurst Perkins Coie Risk Advisory Pty Ltd, which are part of the Ashurst Perkins Coie Group.

    Ashurst Perkins Coie Australia (ABN 75 304 286 095) is a general partnership constituted under the laws of the Australian Capital Territory.

    Ashurst Perkins Coie Risk Advisory Pty Ltd is a proprietary company registered in Australia and trading under ABN 74 996 309 133.

    The Ashurst Perkins Coie Group comprises Ashurst Perkins Coie UK LLP, Ashurst Perkins Coie US LLP, Ashurst Perkins Coie Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst Perkins Coie" or describe themselves as being affiliated with Ashurst Perkins Coie. Some members of the Ashurst Perkins Coie Group are limited liability entities. Some members of the Ashurst Perkins Coie Group provide legal services and some provide non-legal services. Different legal entities in the group may operate in the same jurisdictions. Information about which Ashurst Perkins Coie Group entity operates in any country can be found on our website at www.ashurstperkinscoie.com.

    The services provided by Ashurst Perkins Coie Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by qualified legal practitioners acting in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    This material is current as at July 8 2026 but does not take into account any developments after that date. It is not intended to be a comprehensive review of all developments in the law or in practice, or to cover all aspects of those referred to, and does not constitute professional advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst Perkins Coie. We accept no liability for use of these materials and reliance upon it by any person.

    © 2026. Ashurst Perkins Coie Group. All rights reserved.