CTH | In Force | Act
Security of Critical Infrastructure Act 2018
#### 30AG Responsible entity must submit annual report
Scope
(1) This section applies if, during a period (the relevant period) that consists of the whole or a part of a financial year:
(a) an entity was the responsible entity for one or more critical infrastructure assets; and
(b) the entity had a critical infrastructure risk management program that applied to the entity.
Annual report
(2) The entity must, within 90 days after the end of the financial year, give:
(a) if there is a relevant Commonwealth regulator that has functions relating to the security of those assets—the relevant Commonwealth regulator; or
(b) in any other case—the Secretary;
a report that:
(c) if the entity had the program at the end of the financial year—includes whichever of the following statements is applicable:
(i) if the program was up to date at the end of the financial year—a statement to that effect;
(ii) if the program was not up to date at the end of the financial year—a statement to that effect; and
(d) if a hazard had a significant relevant impact on one or more of those assets during the relevant period—includes a statement that:
(i) identifies the hazard; and
(ii) evaluates the effectiveness of the program in mitigating the significant relevant impact of the hazard on the assets concerned; and
(iii) if the program was varied during the financial year as a result of the occurrence of the hazard—outlines the variation; and
(da) if one or more of those assets are critical telecommunications assets:
(i) includes a summary of the changes (if any) the entity notified during the relevant period under subsection 30EC(2); and
(ii) describes the risks (if any) advised to the entity during the relevant period under paragraph 30ED(3)(c); and
(iii) describes the measures (if any) the entity adopted during the relevant period to eliminate or reduce risks advised to the entity during the relevant period or any previous period; and
(iv) includes a statement that evaluates the effectiveness of those measures to eliminate or reduce risks advised to the entity during the relevant period or any previous period; and
(db) if the entity was given a direction under section 30AI during the relevant period—includes a statement that:
(i) sets out the content of the direction; and
(ii) sets out how the program was varied in response to the direction; and
(e) is in the approved form; and
(f) if the entity has a board, council or other governing body—is approved by the board, council or other governing body, as the case requires.
Civil penalty: 150 penalty units.
(3) A report given by an entity under subsection (2) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act.