Regulators yesterday released the long-signalled update to the Critical Infrastructure Compliance Guide, tightening the window in which operators must report significant cyber incidents and clarifying which classes of system fall inside scope.
The previous guidance, in place since 2022, had been widely criticised by industry bodies for ambiguity around "significant" — a term now replaced with a tiered definition covering three severity bands.
What's changed
Operators in energy, water, transport and data storage now have 12 hours to make an initial report for tier-one events, down from 48. The reporting portal has also been consolidated: a single lodgement now satisfies obligations under three previously separate schemes.
Compliance officers have 90 days to align internal procedures. The regulator has signalled a "supportive posture" during the transition, with formal enforcement action reserved for wilful or repeated breaches.
Industry response
Peak bodies have broadly welcomed the consolidation but flagged concern about the 12-hour window. "Getting verified information into a report inside half a day is a real stretch for smaller operators," said one senior compliance head who asked not to be named.