ASIO Director-General warns critical infrastructure is under threat: privacy and cyber security law updates for the transport industry

At an event hosted by ASIC on Wednesday, ASIO chief Mike Burgess warned that foreign state-backed hackers have been making “highly sophisticated” attempts to infiltrate critical infrastructure networks. He warned that the groups were targeting Australian companies to gain persistent, undetected access to systems to enable “disruptive” and “devastating” sabotage when they choose, urging businesses to harden their systems and protect sensitive data. The evolving threat environment has prompted substantial privacy and cyber security law reform over the past year. This Newsflash summarises the key legal developments relevant to the transport industry.

Privacy law reform

The Privacy Act Review Report released in February 2023 put forward 166 proposals to reform Australia’s privacy framework. In December 2024, the Privacy and Other Legislation Amendment Act 2024 (Cth) was enacted, progressing 23 of the proposals. The reform increased the consequences for businesses that fail to meet their privacy obligations, including higher civil penalties, infringement notices and compliance notices, along with enabling individuals to seek remedies when individuals or corporations breach their privacy. The reform also clarified that ‘reasonable steps’ by APP entities (which include agencies and organisations, excluding most small businesses with an annual turnover under AUD $3 million unless an exception applies) to protect the security of personal information include taking ‘technical and organisational’ measures. Additionally, from 10 December 2026 APP entities will be required to disclose in their privacy policies information about substantially automated decisions which significantly affect individuals’ rights or interests.

Cyber security developments

In November 2024, the Australian Government passed a suite of legislation to implement its 2023-2030 Cyber Security Strategy, which aims to enhance Australia’s national cyber resilience.

The Cyber Security Act 2024 (Cth) (CS Act) introduced mandatory reporting obligations for entities that are either carrying on business in Australia with an annual turnover for the previous financial year greater than AUD $3 million, or a responsible entity for a critical asset (including critical aviation assets, critical ports, critical freight infrastructure assets, critical freight services assets, and critical public transport assets). The CS Act also created a Cyber Security Coordinator to coordinate responses to significant cyber security incidents and a Cyber Incident Review Board to review these incidents and share learnings.

The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) (SOCI) gave effect to the reforms outlined in the 2023-2030 Australian Cyber Security Strategy. Under SOCI, entities which provide services relevant to critical infrastructure are required to comply with enhanced security obligations, including taking additional steps to manage cyber and supply chain risks. The reform introduced a new power for the Secretary of the Department of Home Affairs to direct a responsible entity to amend its Critical Infrastructure Risk Management Program (CIRMP) where a ‘serious deficiency’ is identified. It also expanded the triggers for Federal Government powers to gather information and give directions in response to cyber security incidents. Other key changes included expanding the definition of critical infrastructure assets to capture data storage systems, expanding the scope of protected information, and clarifying rights to use and disclose that information.

The Transport Security Amendment (Security of Australia’s Transport Sector) Act 2025 (Cth) (TSA Act) was enacted in March 2025 to implement certain recommendations of the Independent Review into Australia’s Aviation and Maritime Transport Security Settings. The changes include expanding the definition of ‘unlawful interference’, introducing reporting obligations for both Aviation Industry Participants (AIPs) and Marine Industry Participants (MIPs), requiring AIPs to undertake security assessments, and requiring AIPs and MIPs to set out the measures and procedures for addressing the outcomes of their security assessments, with a view to providing a yearly Statement of Compliance to the Secretary of the Department of Home Affairs (Secretary). Other changes include the establishment of a ‘demerits points scheme’, mandatory training requirements for the aviation sector, and a power for the Secretary to direct AIPs and MIPs to take, or comply with, additional security measures if there is a threat of unlawful interference. For MIPs, the reform also amended the definitions of ‘port’ and ‘security regulated port’ to ensure that infrastructure, operations, assets or anchorages used in connection with a port are captured within ‘security regulated ports’.

Relevantly, in October 2025, Australia signed the United Nations Convention against Cybercrime – the first international treaty aimed at enhancing global cooperation, coordination and effectiveness in responding to cyber crime. The treaty has yet to be implemented via domestic legislation.

Key takeaways for transport operators

Considering the evolving cyber threat environment and rapid pace of change in privacy and cyber security legislation, it is critical that transport industry participants carefully review their privacy and cyber security policies and procedures to ensure all policies are compliant and that reporting obligations in the event of any cyber security incident are understood.

Contacts

Keira Nelson
+ 61 2 9230 9440
keira.nelson@nortonwhite.com

Alison McKenzie
+ 61 3 9119 2535
alison.mckenzie@nortonwhite.com
