Part IV - Protection of Critical Information and Critical Information Infrastructure

8. Critical sector

For the purposes of this Part, a critical sector includes—

  1. defence and security;
  2. public sector;
  3. banking and finance;
  4. health;
  5. transport;
  6. pensions and insurance;
  7. information and communications technology;
  8. energy;
  9. education;
  10. mining; and
  11. any other sector as may be prescribed.

9. Designation of critical information or critical information infrastructure

  1. The Agency shall, by notice in the Gazette, designate information or information infrastructure relevant to a critical sector as critical information or critical information infrastructure.
  2. Where information or information infrastructure is designated as critical under subsection (1), a controller shall comply with the baseline security requirements as may be prescribed.

10. Categories of critical information and critical information infrastructure

  1. There shall be categories of critical information and critical information infrastructure that the Agency may determine.
  2. The Agency shall, when categorising critical information or critical information infrastructure under subsection (1), consider the following:
    1. the scale of distribution of the impact of any disruption on the critical information or critical information infrastructure;
    2. time criticality in relation to recovery time objective and recovery point objective in connection with any disruption on the critical information or critical information infrastructure;
    3. the cyber dependence of the critical information or critical information infrastructure; and
    4. any other factors that the Agency may consider necessary.
  3. The Agency shall issue guidelines setting out the requirements applicable to the different categories of critical information and critical information infrastructure.

11. Registration of critical information and critical information infrastructure

  1. A controller shall register critical information or critical information infrastructure with the Agency, within thirty days of the designation under section 9, in a prescribed manner and form.
  2. A controller who contravenes subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding five hundred thousand penalty units or to imprisonment for a term not exceeding five years, or to both.

12. Hosting of critical information and critical information infrastructure

  1. A controller shall host critical information or critical information infrastructure within the Republic, in a prescribed manner and form.
  2. Despite subsection (1), the Agency may authorise a controller to host critical information or critical information infrastructure outside the Republic.
  3. The Agency shall, before authorising the hosting of critical information or critical information infrastructure outside the Republic under subsection (2), consider the following factors:
    1. the categories of critical information or critical information infrastructure referred to under section 10;
    2. the justification of hosting the critical information or critical information infrastructure outside the Republic;
    3. the nature of business operations;
    4. the need to maintain national cyber resilience;
    5. whether the proposed hosting country has a legal framework on cyber security that would facilitate the regulation of the critical information or critical information infrastructure;
    6. whether the critical information or critical information infrastructure belongs to a public body;
    7. national security;
    8. the categories of personal data required to be stored within the Republic under the Data Protection Act, 2021; and
    9. any other factors as may be prescribed.
  4. Where the purpose for which critical information was collected expires or the controller ceases to exist, that critical information shall be surrendered to the Agency.
  5. Where critical information surrendered under subsection (4) is personal data, that data shall be dealt with in accordance with the Data Protection Act, 2021.

13. Change in ownership of critical information or critical information infrastructure

  1. A controller shall notify the Agency of any change of ownership of critical information or critical information infrastructure within seven days of the change in the prescribed manner and form.
  2. A person who contravenes subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding five hundred thousand penalty units or to imprisonment for a term not exceeding five years, or to both.

14. Auditing of critical information or critical information infrastructure

  1. A controller shall annually appoint an information technology auditor to perform a cyber audit on critical information or critical information infrastructure in a manner determined by the Agency.
  2. Despite subsection (1), the Agency may, by notice, require a controller to perform a cyber audit on critical information or critical information infrastructure within a period specified in the notice.
  3. The fees for the cyber audit shall be paid by the controller.
  4. A controller shall submit to the Agency, a report of the cyber audit conducted under subsection (2), within a period as the Agency may determine.
  5. A controller who contravenes this section commits an offence and is liable, on conviction, to a fine not exceeding three million penalty units.

15. Non-compliance to cyber audit requirements

  1. The Agency shall notify the controller in writing where a cyber audit does not comply with the guidelines issued relating to cyber audit requirements and this Act, stating the—
    1. findings of the cyber audit;
    2. action required to remedy the non-compliance; and
    3. period within which the controller shall take remedial action.
  2. A controller who fails to take any remedial action within the period stipulated under subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding five hundred thousand penalty units or to imprisonment for a term not exceeding five years, or to both.

16. Report on cyber security situational awareness

A controller shall submit to the Agency, a report on cyber security situational awareness in a manner determined by the Agency.

17. Duty to report cyber security incidents in respect of critical information and critical information infrastructure

  1. A controller shall immediately notify the Agency of a perceived or actual occurrence of any of the following cyber security incidents, in a manner that the Agency may determine:
    1. a cyber security incident in respect of critical information or critical information infrastructure;
    2. a cyber security incident in respect of any computer or computer system under the controller’s control that is interconnected or communicates with critical information or critical information infrastructure; or
    3. any other type of cyber security incident in respect of critical information or critical information infrastructure that the Agency may specify to the controller.
  2. Despite subsection (1), a controller shall submit a preliminary cyber incident report to the Agency within twelve hours of notifying the Agency of the perceived or actual occurrence of the incident under that subsection, in a prescribed manner and form.
  3. A controller shall, as soon as the cyber security incident is resolved, submit to the Agency a detailed cyber security incident report.
  4. Despite subsection (3), a controller shall submit to the Agency a cyber security incident status report, at intervals, that the Agency may determine.
  5. A controller shall establish mechanisms and processes, in accordance with information security standards published by the Agency in the Gazette, for the detection of a cyber security threat in respect of critical information or critical information infrastructure.
  6. A controller who contravenes this section commits an offence and is liable, on conviction, to a fine not exceeding five hundred thousand penalty units or to imprisonment for a term not exceeding five years, or to both.

18. Power to investigate cyber security incident and cyber security threat

  1. The Agency shall, where the Agency receives information regarding an alleged cyber security threat or cyber security incident which satisfies the severity threshold in subsection (2), investigate that cyber security threat or cyber security incident, for the purposes of —
    1. assessing the impact or potential impact of the cyber security threat or incident; or
    2. preventing any or further harm arising from a cyber security threat or incident.
  2. A cyber security threat or incident satisfies the severity threshold where the cyber security threat or incident creates a risk of—
    1. significant harm being caused to critical information or critical information infrastructure; or
    2. disruption to the provision of an essential service.
  3. An inspector may, for the purpose of conducting an investigation under subsection (1) —
    1. request, by written notice, a controller to attend at a reasonable time and place as may be specified in the notice to answer any question;
    2. request, by written notice, a controller to produce a physical or electronic record, document or copy in the possession of the controller;
    3. request, by written notice, a controller to provide an inspector with information, which the inspector considers to be relevant to the investigation;
    4. copy or take extracts from any physical or electronic record or document in the possession of the controller;
    5. request for information from a person who appears to be acquainted with the facts and circumstances relating to the alleged cyber security threat or incident;
    6. direct, by written notice, a controller to carry out remedial measures, or to cease carrying on activities, as may be specified in the notice in order to minimise the cyber security threat or incident on a computer or computer system; or
    7. require the owner of a computer or computer system to take any action to assist with the investigation.
  4. An inspector may, with a warrant, where the inspector reasonably believes that there is a perceived or actual cyber security threat or incident, enter premises where a computer or computer system affected or was affected by the cyber security threat or incident is located, to —
    1. examine the operation of the computer or computer system;
    2. take a copy of, or extracts from, any electronic record or computer programme contained in a computer or computer system; or
    3. take possession of a computer or other equipment for the purpose of conducting digital forensics.
  5. The Agency shall, immediately after the completion of an examination or analysis on a computer or other equipment taken into possession by an inspector in exercise of the powers under subsection (4), return the computer or other equipment to the owner.
  6. A person commits an offence where that person willfully gives false information or without lawful excuse refuses to give information or produce a record, document or copy thereof required of that person by an inspector under this section.
  7. A person convicted of an offence under subsection (6) is liable, to a fine not exceeding one hundred thousand penalty units or to imprisonment for a term not exceeding one year, or to both.

19. Cyber security exercise

  1. The Agency shall conduct a national cyber security exercise for the purpose of testing the state of readiness of controllers for a cyber attack at least once a year.
  2. Despite subsection (1), the Agency may conduct a cyber security exercise at intervals that the Agency may determine.
  3. A controller shall participate in a cyber security exercise as directed, in writing, by the Agency.
  4. A controller who fails to comply with a written direction issued under subsection (3) commits an offence and is liable, on conviction, to a fine not exceeding three million penalty units.

20. Cyber Security Risk Register

The Agency shall keep and maintain an electronic Cyber Security Risk Register which shall contain the following information:

  1. data of critical information or critical information infrastructure;
  2. identified and potential risks;
  3. the level of impact of risk; and
  4. any other information that the Agency may determine.