CIRMP Was the Baseline. The 2026 Exposure Draft Shows Where Australia May Tighten Next 

Australia’s critical infrastructure regime is not new. 

The Critical Infrastructure Risk Management Program (CIRMP) has been in force since 2023, requiring responsible entities for critical infrastructure assets to identify and manage material risks across the cyber, physical, personnel and supply chain hazard domains. 

But the latest 2026 Exposure Draft of enhanced CIRMP Rules, alongside consultation on Ministerial Directions Powers, signals something more important: 

Australia is now moving beyond baseline compliance and toward a more targeted, operational view of resilience for its most important national services. 

From baseline obligations to targeted resilience 

The original CIRMP framework established a principles-based foundation. 

Organisations were required to identify material risks, implement mitigation strategies, and maintain and review their risk management programs. 

That baseline still stands. 

What’s changing is the level of specificity and expectation. 

The exposure draft proposes enhanced CIRMP requirements for selected high-risk asset classes, including energy, water, communications and critical infrastructure services. 

This is a clear signal that a one-size-fits-all resilience model is no longer considered sufficient for higher-risk sectors. 

Instead, Australia is moving toward a model where: 

  • Risk expectations are more tailored  
  • Controls are more operational  
  • Resilience is assessed in practical, real-world terms  

Why this matters beyond critical infrastructure 

Regulators are increasingly focused on: 

  • Operational resilience, not just risk identification  
  • Third-party dependency, not just internal controls  
  • Real-world continuity, not just documented processes  

In practice, that raises a more fundamental question for organisations: 

If a critical supplier becomes unavailable, can you continue to operate? 

That question is no longer theoretical. And it is not limited to regulated infrastructure providers. 

The baseline is changing: from identifying risk to surviving failure 

One of the most important, and often overlooked, implications of the CIRMP evolution is this: 

Identifying supplier risk is no longer enough. 

Organisations are increasingly expected to understand where their dependencies sit, how critical those dependencies are and what happens if those dependencies fail.  

This is particularly relevant in an environment where SaaS adoption is deep, cloud infrastructure is concentrated among a small number of providers, and supply chains are increasingly opaque. 

Mapping risk is the first step. 

But regulators, and increasingly boards, are starting to ask a more difficult question: 

What is your credible path to continuity? 
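Answering that question starts with a dependency map that can be queried, not just drawn. The following is an added example (not code from the article or from The Escrow Company) using a constructed, hypothetical dependency graph: business services depend on suppliers, suppliers depend on hosting platforms. It computes which services stop if a given supplier or platform fails, which upstream nodes a majority of critical services share (concentration), and whether each affected critical service has a fallback that does not itself ride on the failed node. All service, supplier and platform names are invented.

```python
"""Dependency map: blast radius of a supplier failure, concentration,
and whether a credible fallback exists.
Added example with constructed data; not from the original article."""
from collections import Counter

# Constructed dependency graph (hypothetical names). Each key depends on
# the nodes listed. Business services sit at the top, SaaS suppliers in
# the middle, and the hosting platforms they run on at the bottom.
GRAPH = {
    "customer-billing": ["saas-erp", "payments-gw"],
    "grid-telemetry":   ["scada-vendor", "saas-monitoring"],
    "field-dispatch":   ["saas-dispatch"],
    "staff-intranet":   ["saas-collab"],
    "saas-erp":         ["cloud-a"],
    "payments-gw":      ["cloud-a"],
    "saas-monitoring":  ["cloud-a"],
    "saas-dispatch":    ["cloud-a"],
    "saas-collab":      ["cloud-b"],
    "scada-vendor":     ["on-prem-dc"],
    # Fallbacks: an escrowed ERP build and a manual dispatch process,
    # both run from the organisation's own data centre.
    "erp-escrow-build": ["on-prem-dc"],
    "manual-dispatch":  ["on-prem-dc"],
    "cloud-a": [], "cloud-b": [], "on-prem-dc": [],
}

CRITICAL_SERVICES = {"customer-billing", "grid-telemetry", "field-dispatch"}
ALL_SERVICES = CRITICAL_SERVICES | {"staff-intranet"}

# Documented fallback for a supplier, where one exists (constructed).
FALLBACKS = {"saas-erp": "erp-escrow-build", "saas-dispatch": "manual-dispatch"}


def upstream(node, graph=GRAPH):
    """Everything `node` transitively depends on (not including itself)."""
    seen, stack = set(), list(graph.get(node, []))
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(graph.get(n, []))
    return seen


def affected_services(failed, graph=GRAPH, services=ALL_SERVICES):
    """Services that stop working if `failed` becomes unavailable."""
    return {s for s in services if failed in upstream(s, graph)}


def concentration(graph=GRAPH, critical=CRITICAL_SERVICES, threshold=0.5):
    """Share of critical services that rely on each upstream node;
    returns the nodes at or above `threshold` (concentration risk)."""
    counts = Counter(n for s in critical for n in upstream(s, graph))
    return {n: c / len(critical) for n, c in counts.items()
            if c / len(critical) >= threshold}


def continuity_gaps(failed, graph=GRAPH, critical=CRITICAL_SERVICES,
                    fallbacks=FALLBACKS):
    """For each affected critical service, list its direct dependencies
    that have no credible fallback. A fallback only counts if it does not
    itself depend on the failed node. An empty list means the service
    has a credible path to continuity."""
    gaps = {}
    for svc in affected_services(failed, graph, critical):
        broken = [d for d in graph[svc]
                  if d == failed or failed in upstream(d, graph)]
        gaps[svc] = [d for d in broken
                     if not (fallbacks.get(d)
                             and fallbacks[d] != failed
                             and failed not in upstream(fallbacks[d], graph))]
    return gaps


if __name__ == "__main__":
    print("Concentration:", concentration())
    for failed in ("saas-erp", "cloud-a"):
        print(f"\nIf {failed} fails -> affected: {sorted(affected_services(failed))}")
        for svc, missing in sorted(continuity_gaps(failed).items()):
            status = "credible fallback" if not missing else f"no fallback for {missing}"
            print(f"  {svc}: {status}")
```

The point the output makes is the one the article is making: a supplier-level view says the ERP vendor has an escrow fallback, but a platform-level view shows that every critical service shares the same hosting provider, and two of the three have no fallback at all when that provider fails. A fallback hosted on the same platform as the thing it replaces is counted as no fallback.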

Ministerial Directions Powers: why they matter  

Alongside the CIRMP exposure draft, the Government is consulting on proposed amendments to Ministerial Directions Powers under Part 3 of the SOCI Act. 

This is not the headline story, but it is an important supporting signal. 

In simple terms, these powers relate to the Government’s ability to direct organisations to act in response to national security risks affecting critical infrastructure. 

The proposed changes aim to make those powers more flexible, more practical to apply, and potentially faster to execute in time-sensitive situations. 

The implication is clear: 

The Government is not only refining what resilience should look like, it is also ensuring it has the tools to intervene where necessary. 

For most organisations, this won’t translate into day-to-day operational impact. 

But it does reinforce the broader theme: 

Resilience is being treated as a live, operational concern, not just a compliance exercise. 

An Australian story with a global context 

While this is distinctly an Australian regulatory development, it sits within a broader international pattern. 

Across jurisdictions, we are seeing a consistent shift toward: 

  • Stronger operational resilience frameworks  
  • Greater scrutiny of third-party risk  
  • Increased focus on concentration and dependency  

Australia is not unique in this direction but it is moving decisively. 

And importantly, it is doing so by building on an existing framework, rather than starting from scratch. 

What organisations should be thinking about now 

For boards, legal teams and risk leaders, the takeaway is not that new obligations suddenly apply overnight. 

It’s more nuanced than that. 

The real change is in expectation. Organisations should be asking: 

  • Do we fully understand our critical dependencies?  
  • If a key supplier fails, what happens next?  
  • How quickly could we regain control of critical systems?  
  • And is that answer defensible – commercially and regulatorily?  

Because increasingly, those are the questions that matter. 

Closing thought 

CIRMP established the baseline. 

The 2026 exposure draft shows where Australia may tighten next. And taken together, they point to a simple but important change: 

Resilience is no longer just about identifying risk. It’s about demonstrating that you can continue when that risk materialises. 


If you’re exploring how to evidence continuity in the face of supplier failure, particularly in SaaS and cloud environments, it’s a conversation worth having with one of our experts. 

We work with organisations globally to help turn dependency risk into practical, defensible continuity strategies, so book a free call with us today. 


To understand more about Software Escrow Agreements and how The Escrow Company can help, click here.

To keep up to date with The Escrow Company follow us on LinkedIn.