Kinetic IT

Enhanced CIRMP Rules Signal a New Era of Resilience for Critical Infrastructure

The Enhanced Critical Infrastructure Risk Management Program (CIRMP) Rules provide a clear signal on the future of risk management across Australia’s critical infrastructure sectors. Registered on 9 June 2026, the rules are now in force. They represent the most significant uplift to Australia’s critical infrastructure risk management framework since the 2023 baseline CIRMP obligation.

What the Enhanced CIRMP Rules Change

The Cyber and Infrastructure Security Centre (CISC) has outlined several changes. These cover artificial intelligence (AI) and emerging technology, legacy and end-of-life technology, and insider threats. They also address supply chain resilience and the interdependencies between critical and non-critical systems. The new obligations follow two grace periods. The first tranche, covering additional material risks, patching and legacy-technology measures, and the first personnel measures, takes effect from mid-2027. The cyber framework maturity uplift, phishing-resistant multi-factor authentication, lateral movement controls, and supply chain measures will follow from mid-2028.

Jeremy O’Donohue, Managing Director, State Government and Critical Infrastructure at Kinetic IT, said the rules reset expectations for how operators manage risk. “The smart move is not to wait for the 2028 obligations to arrive, but to read the staged requirements now, understand which tranche applies when, and build the capability progressively. Operators who treat the mid-2027 and mid-2028 dates as a single deadline will find themselves doing in months what should have been done over two years.”

For operators across energy, water, transport, communications, and other critical sectors, the rules arrive at a critical moment. Technology and operational environments are becoming harder to separate. Many organizations are modernizing platforms, managing legacy systems, strengthening cybersecurity, and working with broader supplier ecosystems simultaneously. O’Donohue said that shift means risk rarely sits in one part of an organization: “What stands out in these reforms is how difficult it is becoming to separate cyber risk from operational risk, and the rules now expect operators to manage that overlap deliberately, rather than treating each hazard in isolation.”

Why CIRMP Risk Categories No Longer Sit in Isolation

The updated rules reflect that shift. On paper, AI, legacy technology, supply chain resilience, and insider threats can appear to be separate risk categories. In practice, they often overlap, and can be different expressions of the same underlying vulnerability.

“This is especially important for organisations that deliver essential services,” O’Donohue said. “A weakness in a supplier environment can become a cyber security issue. A cyber incident can become a service delivery issue. And an operational failure can become a public confidence issue. The boundaries organisations have traditionally drawn around these risks are becoming less useful.”

Critical infrastructure operators should not view the reforms as just a compliance exercise. Compliance matters, particularly for regulated sectors, but it isn’t the whole point. The rules can help build a clearer view of how disruption could move through an organization and affect the services people rely on.

According to Kinetic IT’s Sovereign Technology Report, government and critical infrastructure leaders face sustained pressure. They must modernize, strengthen resilience, improve cybersecurity, and prepare for AI adoption, all while maintaining essential services in complex environments. The report also points to the growing importance of accountability, operational continuity, and response capability in high-consequence environments. O’Donohue framed the opportunity this way: “This is a chance to think about resilience differently, not as a collection of controls, but as an organisational capability that spans technology, people, partners, and operations.”

A Staged Timeline, Not a Single Deadline

The staged deadlines across 2027 and 2028 give organizations time to plan. Operators can use that time to identify where their most important dependencies sit and how risks interact. It also gives them room to assess where disruption could have the greatest real-world impact. O’Donohue said that runway only pays off for operators who use it: “There is room to do this well, but only for those who begin early. The organisations that will be in the strongest position are those that use this moment to develop a clearer picture of where disruption is most likely to have real-world impact on services, communities, and public trust.”

He closed on the stakes: “For critical infrastructure operators, the value of the Enhanced CIRMP Rules will not be measured by compliance alone. It will be measured by whether organisations can keep essential services running when conditions are difficult.”

Stay Informed With Cyber News Live

Cyber threats are constantly evolving, and staying informed is critical to protecting your organization.

Follow Cyber News Live for the latest cybersecurity news, threat intelligence, expert analysis, and practical guidance to help strengthen your cyber defenses.

Shopping Cart0

Cart

Login