13 min read — for boards, security leaders and compliance teams of Australian critical infrastructure operators.
On 9 June 2026, the Australian Government registered the Security of Critical Infrastructure Legislation Amendment (Enhanced Critical Infrastructure Risk Management Program) Rules 2026, commencing the following day. It is the most significant change to the CIRMP obligation since the baseline rules began in 2023 — moving critical infrastructure risk management from a principles-based framework to prescriptive, evidence-based controls for nine of Australia’s most critical asset classes.
Who is caught: nine designated asset classes
If you operate a critical infrastructure asset in one of these classes, the enhanced tier applies now, with staged compliance deadlines. Other CIRMP-captured asset classes continue under the existing baseline rules.
What changed: a prescriptive layer on the four domains
The existing CIRMP Rules asked entities to manage material risks across four hazard domains and largely left the how to each entity. The enhanced rules keep that all-hazards foundation and bolt a second, prescriptive tier on top — plus a new category of additional material risks:
- Additional material risks: your program must now explicitly address impairment that could prejudice national security or economic stability, foreign ownership, control and influence (FOCI) across your ownership and supplier structures, and offshore or remote access to critical components and business-critical data.
- Cyber and information security: named controls replace general expectations — phishing-resistant multi-factor authentication with central logging and monitoring; network segregation of critical from non-critical systems with a striking new threshold: critical systems must be able to keep operating for at least three months while other systems are restored; management of unpatched and legacy technology and of advanced and emerging technology including AI; and alignment to a higher maturity level of a prescribed framework — in practice an uplift from maturity level one to level two. For the energy sector, that framework is the AESCSF.
- Personnel security: critical workers must pass an AusCheck background check (or hold NV1+ clearance), reassessed at least every five years with proactive monitoring — plus managed access for everyone who is not a critical worker.
- Supply chain: map major suppliers and critical components, set acceptable outage thresholds, and assess each major supplier — including FOCI, legal and sanctions exposure.
- Physical and natural hazards: a holistic, centrally managed physical security plan that considers the physical consequences of every hazard type — including cyber and supply-chain events landing at a site.
The deadlines: two tranches, and the clock is running
Mid-2027 (12 months): the additional material risks (FOCI, national security, offshore/remote access), the core cyber risks (unpatched systems, legacy technology, emerging tech including AI) and the first access-management measures.
Mid-2028 (24 months): phishing-resistant MFA, network segregation with the three-month resilience threshold, the framework maturity uplift, AusCheck vetting, supplier mapping and assessments, and the physical security plan.
The tranche-1 items are the deceptively hard ones: FOCI mapping crosses legal, procurement and corporate structures; legacy-technology risk work touches systems nobody wants to open; and vetting pipelines take months to stand up. Waiting for 2027 to start is how operators miss 2027.
What this means in practice
- Boards own it. The CIRMP remains board-approved and annually reported — directors now sign off on a materially heavier program, and the evidence standard has risen from “we considered it” to “we can show it”.
- Energy operators get a two-for-one. The maturity uplift runs through the AESCSF — the same assessment AEMO’s annual program already expects. One programme can serve both obligations, if your tooling connects them.
- Budgets need re-basing. Vetting, segregation and three-month resilience are capital-and-operations conversations, not policy edits.
How GRCLens turns the enhanced CIRMP from burden into workflow
The hardest part of the enhanced rules is not any single control — it is translating hundreds of operational control answers into a defensible, board-signed report, year after year. This is precisely what the GRCLens AESCSF module with the integrated CIRMP report was built for:
Operational teams complete the AESCSF self-assessment control-by-control, attaching evidence that LensIQ — GRCLens’s AI agent — analyses with a confidence score, leaving the approve/reject decision with your people. Maturity scores roll up against the target profile with every gap carrying drafted commentary. The CIRMP report generates directly from that data — gaps highlighted, commentary editable — and exports to Word and PDF so business managers align the language to their context before the board’s digital sign-off. No re-keying between systems, no reformatting weekends, no print-sign-scan.
The efficiency case is concrete: one evidence base serves the AEMO AESCSF cycle and the CIRMP annual report; assessment effort drops because AI pre-screens artifacts; and next year’s cycle starts from this year’s data instead of a blank spreadsheet. Operators tell us the reporting phase — historically weeks of document assembly — compresses to days.
Where to start
- Gap analysis of your current CIRMP against the enhanced requirements, domain by domain.
- Map your critical workforce and start the AusCheck pipeline early.
- Identify FOCI and offshore-access exposure across ownership, suppliers and data.
- Baseline your AESCSF maturity and cost the path to the higher level.
- Put it on one platform so the 2027 and 2028 deadlines are tracked, evidenced and reportable.
Security Solution Consultants runs enhanced-CIRMP gap assessments and AESCSF uplift programmes across Australia, delivered through GRCLens. Talk to us about a readiness assessment — or see the Energy Sector Security Advisory and Enterprise Risk Management & CIRMP Advisory services.
Sources: Federal Register of Legislation F2026L00701; Cyber and Infrastructure Security Centre announcements, June 2026.


