Enhanced CIRMP Rules: What Critical Infrastructure Operators Must Do by Mid-2027

Australian electricity transmission substation, illustrating SOCI Act critical infrastructure obligations

The Enhanced CIRMP Rules are the most significant change to Australia’s critical infrastructure risk management obligations since the baseline requirement began in 2023. Registered on 9 June 2026 and in force the following day, they move the Critical Infrastructure Risk Management Program (CIRMP) from a principles-based framework to a set of prescriptive, evidence-based controls for nine of the country’s most critical asset classes.¹ Responsible entities in energy, water, gas, liquid fuel, broadcasting, the domain name system and freight now carry specific obligations across cyber, personnel, supply chain and physical security, with the first compliance deadlines falling in mid-2027.²

The statutory clock is already running. Because the enhanced requirements are heavy and the vetting, mapping and network changes take time to stand up, the practical position for an affected operator is straightforward: the work needs to start now, not when the deadline is close.

Key Takeaways

  • The Enhanced CIRMP Rules were registered on 9 June 2026 under the Security of Critical Infrastructure Act 2018 and commenced the following day. They amend the existing CIRMP Rules (LIN 23/006) and add a second tier of requirements for nine designated asset classes.
  • The nine classes are critical electricity, critical energy market operator, critical gas, critical liquid fuel, critical water, critical broadcasting, critical domain name system, critical freight infrastructure and critical freight services assets.
  • Compliance is staged. A 12-month grace period (to mid-2027) covers the additional material risks, including foreign ownership, control and influence (FOCI), the core cyber risks such as legacy and emerging technology, and the first personnel access-management measures. A 24-month grace period (to mid-2028) covers the remaining cyber, personnel vetting, supply chain and physical security measures.
  • The rules shift the CIRMP from principles to prescription. Named requirements now include phishing-resistant multi-factor authentication, network segregation with a three-month operational resilience threshold, AusCheck vetting of critical workers, supplier mapping and a holistic physical security plan.
  • A CIRMP is not a one-off document. It is a board-approved, annually reviewed risk management program, and starting the gap analysis now is the only realistic path to the mid-2027 deadline.

What the Enhanced CIRMP Rules changed: from principles to prescription

The existing CIRMP Rules set out baseline considerations that responsible entities must address across four hazard categories: cyber and information security, personnel, supply chain and physical security. That framework is principles-based. It requires each program to identify and manage the “material risks” to the asset and to reflect proactive risk management, recovery procedures and governance, but it leaves the detail of how to the entity.³

The Enhanced CIRMP Rules keep that all-hazards foundation and add a prescriptive layer on top of it for the nine designated classes. Instead of a general obligation to manage material risks, operators of those assets now face specific, testable expectations: account for foreign ownership, control and influence; manage the risks of legacy and emerging technology, including artificial intelligence; deploy phishing-resistant multi-factor authentication on critical systems; map and manage major supply chain risks; vet critical workers; and maintain a holistic physical security plan.³

A CIRMP is built on a clear-eyed view of risk, so a current, independent security risk assessment is the foundation the rest of the program is measured against. The shift to prescription does not remove the need for judgement. It raises the standard of evidence an operator must be able to show a regulator.

Which sectors are caught

The enhanced tier applies to responsible entities for the following critical infrastructure assets:³

  • critical electricity assets
  • critical energy market operator assets
  • critical gas assets
  • critical liquid fuel assets
  • critical water assets
  • critical broadcasting assets
  • critical domain name system assets
  • critical freight infrastructure assets
  • critical freight services assets

If an organisation operates in one of these sectors and holds a critical infrastructure asset, the enhanced requirements apply from commencement. Asset classes that are subject to the existing CIRMP Rules but are not on this list continue under the current baseline requirements rather than the enhanced tier.³ Energy operators are among the most heavily affected, because the cyber maturity uplift bears on them directly.

The two-tranche compliance timeline

The deadlines are staged because the obligations are demanding, and the grace period that applies depends on the specific measure rather than the sector. Mapped to the primary source, the transitional periods run from commencement as follows.³

Due at 12 months (mid-2027):

  • the additional material risks, including national-security impairment, FOCI, and offshore or remote access to critical components and business-critical data
  • the core cyber risks: unpatched systems, legacy technology, and the deployment or hostile use of advanced, novel or emerging technology, including AI
  • the first personnel measure, being the access-management risks around unauthorised access, credential misuse and access by persons other than critical workers

Due at 24 months (mid-2028):

  • the remaining cyber and information security measures, including phishing-resistant multi-factor authentication, network segregation with the three-month operational resilience threshold, and alignment to a higher maturity level of a prescribed cyber framework
  • the personnel background and suitability checks, including AusCheck vetting of critical workers and ongoing reassessment
  • the supply chain measures, including supplier mapping and vendor assessments
  • the physical security and natural hazard measures

The first tranche is the urgent one. Identifying FOCI exposure, beginning to manage legacy technology, and standing up access-management controls all fall due within about twelve months.

What must a compliant CIRMP now cover?

The enhanced requirements are organised by hazard category. In outline, an affected operator’s program must now address the following.³

Additional material risks. The program must guard against impairment that could prejudice Australia’s national security or its social or economic stability, against compromise arising from foreign ownership, control or influence, and against the risks of offshore or remote access to critical components and business-critical data.

Cyber and information security. Beyond the core cyber risks noted above, the program must implement phishing-resistant multi-factor authentication with central logging and monitoring, segregate critical systems from non-critical systems to limit lateral movement, and align to a higher maturity level of a prescribed framework. In practice this is an uplift from maturity level one to maturity level two. For the energy sector the relevant framework is the Australian Energy Sector Cyber Security Framework (AESCSF). The network segregation requirement carries a notable new threshold: critical systems must be able to keep functioning for at least three months while other systems are restored.

Personnel security. Critical workers must undergo an AusCheck background check, or hold a Negative Vetting 1 or higher security clearance, to be considered suitable for access to critical components, with reassessment at least every five years and proactive monitoring of any change in suitability. The program must also manage access by people who are not critical workers, and manage incoming and outgoing critical workers.

Supply chain. Operators must map their supply chain for major suppliers and critical components, set acceptable outage thresholds, and assess each major supplier, including for FOCI, legal and sanctions exposure, and the supplier’s access to or influence over the asset. Mitigation may include supplier diversification, redundancy and recovery planning.

Physical and natural hazards. The rules require a more holistic, centrally managed approach to physical security that considers the physical consequences of all hazard types, including cyber and supply chain hazards, along with site documentation, physical access controls for workers, visitors and the public, and continuous monitoring.

Governance sits over all of it. A CIRMP is approved by the board or responsible governing body and reported annually, so accountability for the uplift rests at the top of the organisation, not only with the security or IT function.

For operators wanting the wider statutory picture, Agilient’s critical infrastructure and SOCI Act hub and its companion SOCI Act compliance guide set out how the CIRMP obligation fits alongside the asset register, mandatory cyber incident reporting and the other duties under the Act.⁴

Why the physical security plan deserves early attention

Compliance programs for critical infrastructure tend to be led from the cyber and IT side, which is where much of the enhanced detail sits. The new requirement for a holistic, centrally managed physical security plan is easy to under-resource as a result, yet it is one of the more substantial additions to the CIRMP for many operators.

The reason it matters is that physical security is where the consequences of the other hazards land. A supply chain compromise, an insider with unsupervised access, or a cyber intrusion that reaches operational technology can all present as a physical event at a site. A plan that maps physical access, integrates monitoring, and considers the physical consequences of cyber and supply chain hazards is what ties the categories together. Agilient’s work in physical security is built on exactly that all-hazards logic, which is the standard the enhanced rules now expect.

What should critical infrastructure operators do now?

The staged deadlines reward operators who begin planning early and penalise those who wait. A practical starting sequence is:

  • Run a gap analysis of the current CIRMP against the enhanced requirements, category by category, to see where the program falls short.
  • Map the critical workforce and begin planning AusCheck vetting, since the vetting and reassessment cycle takes time to establish.
  • Identify FOCI and offshore or remote access exposure across ownership structures, suppliers and data.
  • Begin mapping major suppliers and critical components, and set acceptable outage thresholds.
  • Scope the holistic physical security plan, including access control, monitoring and the physical consequences of cyber and supply chain hazards.
  • Secure board endorsement and budget, since the CIRMP is board-approved and the investment across cyber, vetting and physical security is material.

A useful question for a board to put to management now is simple: for each of the nine hazard areas, can the organisation show a regulator the evidence that the risk is being managed, and if not, what is the plan and the date to close the gap?

Enhanced CIRMP Rules infographic showing the nine critical infrastructure sectors and the two-tranche compliance timeline
Enhanced CIRMP Rules: the nine critical infrastructure sectors and the two-tranche compliance timeline. Download the printable PDF.

How Agilient Can Assist

Agilient is an independent, vendor-neutral security, risk and resilience consultancy. Because Agilient does not sell or install equipment, its advice on a CIRMP is shaped by the operator’s risk and obligations, not by a product range.

For responsible entities working through the Enhanced CIRMP Rules, Agilient’s critical infrastructure risk management consultants can lead the gap analysis against the new requirements and build the program around the independent security risk assessment it is measured against. The firm designs the holistic physical security plan the rules now call for, advises on personnel security and access management, and helps build the supply chain and FOCI risk governance the enhanced tier expects. Where the obligation is operational continuity, including the three-month resilience threshold and recovery planning, Agilient’s business continuity and resilience work keeps critical services running through an incident.

On the technical cyber uplift, such as multi-factor authentication, network segregation and the maturity-level increase, Agilient works alongside the operator’s cyber and IT teams within the CIRMP governance framework rather than performing the technical assessment itself. The same team supports government, energy, utilities, healthcare, aviation and other regulated sectors across Sydney, Melbourne, Brisbane, Adelaide and Canberra.

A CIRMP that is current, evidenced and board-endorsed is the goal, and mid-2027 is closer than it looks.

Related reading: For the wider national threat picture behind these obligations, see ASIO’s 2026 Threat Assessment: what it means for Australian business.

Frequently asked questions

What are the Enhanced CIRMP Rules?

The Enhanced CIRMP Rules are amendments to Australia’s Critical Infrastructure Risk Management Program obligations, registered on 9 June 2026 under the Security of Critical Infrastructure Act 2018. They add a prescriptive second tier of risk management requirements, across cyber, personnel, supply chain and physical security, for nine designated high-risk asset classes, moving the CIRMP from a principles-based framework to evidence-based controls.

Who do the Enhanced CIRMP Rules apply to?

They apply to responsible entities for nine asset classes: critical electricity, critical energy market operator, critical gas, critical liquid fuel, critical water, critical broadcasting, critical domain name system, critical freight infrastructure and critical freight services assets. Other asset classes that are subject to the existing CIRMP Rules continue under the current baseline requirements rather than the enhanced tier.

When do operators have to comply?

Compliance is staged from commencement. A 12-month grace period, ending in mid-2027, applies to the additional material risks including FOCI, the core cyber risks such as legacy and emerging technology, and the first personnel access-management measures. A 24-month grace period, ending in mid-2028, applies to the remaining cyber measures, personnel vetting, supply chain obligations and physical security requirements.

What is the three-month operational resilience requirement?

As part of the network segregation obligation, the rules require that critical systems be designed to keep functioning for at least three months while other systems are restored. In practice this means architecting critical systems so they can continue to operate independently during incident response and recovery, rather than failing alongside the systems that have been compromised.

Do critical workers need a security clearance under the new rules?

Critical workers must either undergo an AusCheck background check or hold a Negative Vetting 1 or higher security clearance to be considered suitable for access to critical components. Suitability must be reassessed at least every five years, with proactive monitoring of any change that could affect a person’s ongoing suitability. This is an obligation on the operator in respect of its own workforce.

How should an organisation start preparing?

Begin with a gap analysis of the current CIRMP against the enhanced requirements, then map the critical workforce and plan AusCheck vetting, identify FOCI and offshore access exposure, start supply chain mapping, and scope the physical security plan. Because the CIRMP is board-approved and the investment is material, securing board endorsement and budget early is part of the first step.

References

  1. Federal Register of Legislation, Security of Critical Infrastructure Legislation Amendment (Enhanced Critical Infrastructure Risk Management Program) Rules 2026 (F2026L00701), legislation.gov.au
  2. Cyber and Infrastructure Security Centre, Enhancing the Critical Infrastructure Risk Management Program (CIRMP) Rules, cisc.gov.au
  3. Clayton Utz, Australia’s Enhanced CIRMP Rules: what critical infrastructure operators need to know, claytonutz.com
  4. Department of Home Affairs, Security of Critical Infrastructure Act 2018, homeaffairs.gov.au