20.500.12592/ttdz5fs

Australian Information Industry Association Submission on 2023 - 2030

1 Mar 2024

Should a broad definition, subject to exceptions, be used to define the smart devices that are subject to an Australian mandatory standard? Should this be the same as the definition in the PTSI Act in the UK?

Definitions should follow the PTSI Act and EU Cyber Resilience Act as closely as possible to ensure international consistency and prevent multiple disparate laws and regulations across the wo. [...]

• Lower the annual turnover threshold for reporting entities to $AUD 3 million to capture a larger segment of the Australian economy to ensure the regime provides the Government with greater fidelity of the ransomware threat. [...]

• Clearly define the purpose that disclosed information will be used for to enhance the certainty of how the limited use obligation will apply and provide further reassurance to affected entities that regulators cannot liberally interpret the limited use obligation to leverage the information provided to Australian Signals Directorate (ASD) and/or the Cyber Coordinator as part of an investigation. [...]

How can the proposed amendments to the SOCI Act address the risk to data storage systems held by critical infrastructure while balancing regulatory burden?

The AIIA understands the need to plug the gap by ensuring that both business-critical datasets stored in the cloud (data storage and processing sector) and on premises should be subject to the same SOCI obligations/Risk Management Program. [...]

• Change the term “Protected Information” in the SOCI Act to “Restricted Information” to avoid further confusion between the “Protected Information” in the SOCI Act and the “Protected” security classification in the Protective Security Policy Framework (PSPF).

Authors

Siew Lee

Pages
8
Published in
Australia