Australia’s Cyber and Infrastructure Security Centre (CISC) announced enhanced security requirements to strengthen protections for the nation’s critical infrastructure. These Security of Critical Infrastructure Legislation Amendment (Enhanced Critical Infrastructure Risk Management Program) Rules 2026 are designed to ensure that critical infrastructure entities adopt stronger security measures to improve resilience against evolving threats and risks affecting essential services. The updated requirements will focus on supporting a more robust security posture among critical infrastructure operators, helping bolster preparedness and protection against disruptions that could affect nationally significant assets and services.
Informed by extensive consultation with industry and stakeholders, the Enhanced CIRMP Rules introduce targeted uplifts to existing risk management requirements, ensuring Australia’s critical infrastructure owners and operators are better equipped to address an increasingly complex and evolving threat environment across specified asset classes, including critical energy market operator assets, critical electricity assets, critical gas assets, critical liquid fuel assets, critical water assets, critical broadcasting assets, critical domain name systems, critical freight service assets, and critical freight infrastructure assets.
In terms of cybersecurity risks, the Enhanced CIRMP Rules require entities to improve their cybersecurity by assessing risks associated with legacy systems and novel or emerging technology, including AI (artificial intelligence), implementing phishing-resistant multi-factor authentication for critical systems, segregating critical systems from non-critical systems, and increasing their compliance with established cybersecurity frameworks.
The Enhanced CIRMP Rules will ensure critical infrastructure providers identify and minimise, mitigate or eliminate risks across their assets. This includes cybersecurity risks such as legacy systems, AI use, and connections between critical and non-critical systems. It also includes offshoring critical staff or data, insider threats, and supply chain risks.
Last week, Australia released Horizon 2 of its 2023–2030 Cyber Security Strategy, setting out a coordinated national effort to lift cyber resilience across government, industry, and the broader economy. The initiative builds on earlier foundational reforms and responds to a threat environment that officials say has become more complex, shaped by rapid technological change, evolving geopolitical pressures, and the growing impact of AI on both attack and defence capabilities.
At the core of Horizon 2 is a shift toward protecting Australia’s digital ecosystem as a whole, rather than isolated systems, with a strong emphasis on critical infrastructure, supply chains, and emerging technologies. The plan outlines a broad program of actions to strengthen cyber maturity across essential services and improve how risks are identified, managed, and responded to in real time. It also places significant weight on human behaviour as a security factor, aiming to reduce vulnerabilities linked to error and improve resilience across organisations and everyday users.
CISC mentioned that these requirements work towards meeting the targets of the 2023-2030 Australian Cyber Security Strategy Horizon 2 Action Plan, including to uplift the cybersecurity of Australia’s critical infrastructure through enhancements to the CIRMP. It will also strengthen logging and monitoring standards for critical infrastructure. and prepare critical infrastructure to manage emerging technology risks, including AI and quantum computing.
Australia will invest an additional $89.3 million over four years to drive key actions under the three pillars of Horizon 2. The funding is directed at strengthening Australia’s economic resilience and national security by improving the security of infrastructure that underpins essential services, including critical systems across government and industry. A key component of this effort includes an expanded national exercise program designed to test real-world coordination and response, alongside a stronger focus on cyber supply chain security.
The initiative also targets emerging risk areas such as drone security and subsea cables, reflecting the expanding scope of critical infrastructure protection. These measures will be supported through close collaboration with industry, critical infrastructure operators, and international partners, ensuring a coordinated approach to securing new and rapidly evolving technologies as they come online.
Since the launch of the Cyber Security Strategy in 2023, the cyber threat environment has continued to evolve, with threats both increasing and changing. The number of malicious cyber actors has grown, and systems are increasingly connected and automated, creating more potential vulnerabilities that can be exploited. AI tools are also being used to automate and enhance criminal capabilities. The costs of cyber incidents continue to rise, particularly for small and medium businesses and individuals. In preparing for Horizon 2 from 2026 to 2028, changes in technological, economic, and geopolitical trends have been taken into account.
Key threats addressed through Horizon 2 reflect a rapidly intensifying cyber risk landscape. The cost of cybercrime continues to rise, now estimated at $25 billion per year for the Australian economy. The average cost of a cybercrime reported to the Australian Signals Directorate increased by 50% between 2023–24 and 2024–25, reaching $80,000 per incident. A single catastrophic cyber event could also have systemic economic consequences, with estimates suggesting potential losses of $35 billion, or approximately 1.3% of GDP.
Threat environment is also being reshaped by technology and attacker behaviour. Rapid AI adoption is delivering productivity gains while simultaneously expanding the attack surface, with 97% of organisations reporting AI-related security incidents lacking adequate AI access controls. Malicious actors are increasingly using AI and automation, with AI involved in 16% of data breaches in 2024. Exploitation of edge devices such as routers and modems, along with virtual private networks, has also surged, rising from 3% in 2023 to 22% in 2024.
Human error remains a major vulnerability, contributing to 60% of data breaches, while small entities continue to face disproportionate impact as attacks become more sophisticated and harder to detect. At the same time, government and critical infrastructure systems are increasingly targeted by state-based actors conducting espionage, disruption, and potential pre-positioning for future cyber operations.
The Enhanced CIRMP Rules address insider threat, supply chain resilience, including assessing major supplier risks associated with foreign ownership, control, and influence. This helps enhance the response to physical hazards through a centrally managed framework that considers risks and controls based on asset locations. These additional requirements commence in 2027, with extended grace periods for the complex measures.
