Regulated entities, under Part 2b of the Security of Critical Infrastructure Act 2018, carriers or certain carriage service providers under the Telecommunications Act 1997 covered by the Telecommunications Security Information instruments*, may be subject to mandatory cyber incident reporting requirements, these include:
Reporting Critical Cyber Security Incidents
If you become aware that a critical cyber security incident has occurred, or is occurring, AND the incident has had, or is having, a significant impact on the availability of your asset, you must notify the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) within 12 hours after you become aware of the incident.
A significant impact is one where both the critical infrastructure asset is used in connection with the provision of essential goods and services; and the incident has materially disrupted the availability of those essential goods or services.
If you make the report verbally you must make a written record using the form below within 84 hours of verbally notifying ASD's ACSC.
Reporting other Cyber Security Incidents
If you become aware that a cyber security incident has occurred, or is occurring, AND the incident has had, is having, or is likely to have, a relevant impact on your asset you must notify the ASD's ACSC within 72 hours after you become aware of the incident.
A relevant impact is an impact on the integrity, reliability or confidentiality of your asset or systems.
If you make the report verbally you must make a written record using the form below within 48 hours of verbally notifying ASD's ACSC.
More information on reporting under the Security of Critical Infrastructure Act 2018 (SOCI Act) can be found on the Cyber and Infrastructure Security Centre's website.
More information on reporting for Telecommunications providers can be found on the Department of Infrastructure, Transport, Regional Development, Communications and the Arts website.
*Part 2 of the Telecommunications (Carriage Service Provider—Security Information) Determination 2022 or, the Telecommunications (Carrier Licence Conditions—Security Information) Declaration 2022.
- a critical telecommunications asset (carriers and eligible carriage service providers)
- a critical broadcasting asset
- a critical domain name system
- Data storage or processing
- Defence industry
- a critical defence industry asset
- a critical electricity asset
- a critical gas asset
- a critical energy market operator asset
- a critical liquid fuel asset
- Financial services and markets
- a critical banking asset
- a critical superannuation asset
- a critical insurance asset
- a critical financial market infrastructure asset
- Food and grocery
- a critical food and grocery asset
- Health care and medical
- a critical hospital
- Higher education and research
- a critical education asset
- Space technology
- a critical port
- a critical freight infrastructure asset
- a critical freight services asset
- a critical public transport asset
- a critical aviation asset
- Water and sewerage
- a critical water asset
Notifiable data breaches. A data breach happens when personal information is accessed or disclosed without authorisation or is lost. If the Privacy Act 1988 covers your organisation or agency, you must notify affected individuals and the Office of the Australian Information Commissioner when a data breach involving personal information is likely to result in serious harm. If there is malicious cyber activity related to a data breach which you wish to report, please complete and submit the form below.
Fraud and Cybercrime: If you are reporting fraud or cybercrime, please refer to ReportCyber.
Please do not complete this form on any network you believe has been compromised.
Use a separate system and contact details to complete and submit this form.