What happened
Australia's Cyber and Infrastructure Security Centre (CISC) announced the Enhanced Critical Infrastructure Risk Management Program (Enhanced CIRMP Rules) in June 2026, introducing new security requirements for critical infrastructure entities to assess and manage risks from AI systems, legacy systems, supply chains, and insider threats.
Why it matters
This is the first national-level regulatory mandate to explicitly require critical infrastructure operators to assess AI-specific risks as part of formal risk management. It sets a precedent for embedding AI governance into critical infrastructure regulation, influencing global critical-infrastructure security practices.
Action needed
Australian critical infrastructure operators must conduct AI risk assessments and implement controls to address AI, legacy systems, and supply-chain risks. Non-Australian critical-infrastructure operators should monitor for similar regulatory developments.