Australia's critical infrastructure faces growing threats, with the Australian Signals Directorate reporting a 13% increase in cyber incidents affecting critical infrastructure in 2024-25. State-sponsored actors, supply chain vulnerabilities and insider threats pose real risks to essential services. The proposed CIRMP Rule enhancements respond to these challenges by expanding requirements beyond the baseline obligations introduced in 2022-23.

However, these reforms arrive as industry contends with unprecedented regulatory complexity across cyber security, privacy, safety and environmental domains. Members report that these compliance demands will consume resources without clear security benefits. The key is proportionality: strengthening defences where risks are highest, providing clear guidance and realistic timelines and recognising existing security investments rather than imposing duplicative requirements.