Complex Regimes – Regulatory Overlap in Australia’s Cloud Services Sector

Abstract

Robust cyber security protection is essential to cloud services and government and private sector customers. In Australia, cloud services have undergone a significant regulatory reset, in part due to reforms to the critical infrastructure (‘CI’) legislative framework, including amendments to the Security of Critical Infrastructure Act 2018 (Cth) (‘SOCI Act’). Shifts in industry practice, such as the increased uptake of cloud services by businesses and government agencies and the advent of new security threats, have accentuated these changes. While Australian governments and regulators have implemented numerous legislative, policy, and guidance instruments to bolster cyber security measures, many of these attempts are not well-aligned. The outcome is an unclear and difficult-to-navigate regulatory ecosystem. We argue this complex regulatory landscape will likely result in increased costs, variable compliance, and decreased confidence in providing cyber security services unless careful attention is paid to mitigating the detrimental effects of ‘regulatory overlap’. This article identifies and critically examines key elements of existing statutory, regulatory and guidance instruments imposing cyber security and CI obligations on cloud services providers, as well as agencies and institutions holding key regulatory roles. These elements are examined in the context of cloud services providers subject to direct legal obligations, such as being responsible entities for CI assets and/or systems of national significance under the SOCI Act and other cloud services entities that form part of the supply chain for other providers with such obligations.