9Meaning of critical infrastructure asset

#### 9 Meaning of critical infrastructure asset (1) An asset is a critical infrastructure asset if it is: (a) a critical telecommunications asset; or (b) a critical broadcasting asset; or (c) a critical domain name system; or (d) a critical data storage or processing asset; or (da) a critical banking asset; or (db) a critical superannuation asset; or (dc) a critical insurance asset; or (dd) a critical financial market infrastructure asset; or (de) a critical water asset; or (df) a critical electricity asset; or (dg) a critical gas asset; or (dh) a critical energy market operator asset; or (di) a critical liquid fuel asset; or (dj) a critical hospital; or (dk) a critical education asset; or (dl) a critical food and grocery asset; or (dm) a critical port; or (dn) a critical freight infrastructure asset; or (do) a critical freight services asset; or (dp) a critical public transport asset; or (dq) a critical aviation asset; or (dr) a critical defence industry asset; or (e) an asset declared under section 51 to be a critical infrastructure asset; or (f) an asset prescribed by the rules for the purposes of this paragraph. > Note 1: For prescription by class, see subsection 13(3) of the Legislation Act 2003. > Note 2: Data storage systems that store or process business critical data are part of the critical infrastructure asset: see subsection (7). (2) However, the rules may prescribe that a specified: (a) a critical telecommunications asset; or (b) a critical broadcasting asset; or (c) a critical domain name system; or (d) a critical data storage or processing asset; or (e) a critical banking asset; or (f) a critical superannuation asset; or (g) a critical insurance asset; or (h) a critical financial market infrastructure asset; or (i) a critical water asset; or (j) a critical electricity asset; or (k) a critical gas asset; or (l) a critical energy market operator asset; or (m) a critical liquid fuel asset; or (n) a critical hospital; or (o) a critical education asset; or (p) a critical food and grocery asset; or (q) a critical port; or (r) a critical freight infrastructure asset; or (s) a critical freight services asset; or (t) a critical public transport asset; or (u) a critical aviation asset; or (v) a critical defence industry asset; is not a critical infrastructure asset. > Note: For prescription by class, see subsection 13(3) of the Legislation Act 2003. (2A) If an asset is owned by: (a) the Commonwealth; or (b) a body corporate established by a law of the Commonwealth (other than a government business enterprise); the asset is not a critical infrastructure asset unless: (c) the asset is declared under section 51 to be a critical infrastructure asset; or (d) the asset is prescribed by the rules for the purposes of paragraph (1)(f). (2B) Subject to subsections (2C) and (2D), an asset is not a critical infrastructure asset if, or to the extent to which, the asset is located outside Australia. (2C) Subsection (2B) does not apply for the purposes of working out whether a satellite‑based facility is a critical telecommunications asset if the satellite‑based facility is in a satellite to which either or both of the following apply: (a) the satellite is included in the Register of Space Objects kept under section 76 of the Space (Launches and Returns) Act 2018; (b) Australia is the appropriate State Party for the purposes of undertaking the authorisation and continuing supervision required in respect of the satellite under Article VI of the Outer Space Treaty. > Note: For the definitions of Outer Space Treaty and satellite‑based facility, see section 5. (2D) Subsection (2B) does not apply for the purposes of working out whether a submarine cable is a critical telecommunications asset if the submarine cable is installed in Australian waters. > Note: For the definitions of submarine cable and Australian waters, see section 5. Prescribing an asset as a critical infrastructure asset (3) The Minister must not prescribe an asset for the purposes of paragraph (1)(f) unless the Minister is satisfied that: (a) the asset is critical to: (i) the social or economic stability of Australia or its people; or (ii) the defence of Australia; or (iii) national security; and (b) the asset relates to a critical infrastructure sector. Consultation with State and Territory Ministers (4) The Minister (the Commonwealth Minister) also must not prescribe the asset unless the Commonwealth Minister has: (a) consulted the following persons (the consulted Minister): (i) the First Minister of the State, the Australian Capital Territory or the Northern Territory in which the critical infrastructure asset is wholly or partly located; (ii) each Minister of a State, the Australian Capital Territory, or the Northern Territory, who has responsibility for the regulation or oversight of the relevant critical infrastructure sector in that State or Territory; and (b) given each consulted Minister written notice of the proposal to prescribe the asset; and (c) had regard to any representations given by a consulted Minister under subsection (5) within the period specified for that purpose. (5) The notice must invite each consulted Minister to make written representations to the Commonwealth Minister in relation to the proposal to prescribe the asset within the period specified in the notice, which must be: (a) at least 28 days after the notice is given; or (b) a shorter period if the Commonwealth Minister considers the shorter period is necessary because of urgent circumstances. (6) Subsection (4) does not limit the persons with whom the Commonwealth Minister may consult. Data storage systems (7) If, under this section, an asset is a critical infrastructure asset, then a data storage system in respect of which all of the following requirements are satisfied is taken to be part of the critical infrastructure asset: (a) the responsible entity for the critical infrastructure asset owns or operates the data storage system; (b) the data storage system is used, or is to be used, in connection with the critical infrastructure asset; (c) business critical data is stored, or is processed in or by, the data storage system (whether or not other information is also stored, or is processed in or by, the data storage system); (d) for a hazard where there is a material risk that the occurrence of the hazard could have an impact on the data storage system, there is also a material risk that the occurrence of the hazard could have a relevant impact on the critical infrastructure asset. > Note: The effect of this subsection is, for example, that: (a) obligations under Part 2 in relation to a critical infrastructure asset will also need to take into account the data storage system; and (b) a critical infrastructure risk management program under Part 2A in relation to a critical infrastructure asset will also need to cover the data storage system; and (c) notification obligations under Part 2B of cyber security incidents relating to any relevant impact on a critical infrastructure asset will also need to take into account any relevant impact on the data storage system.