The TSRMP: All-Hazards Risk Management for Carriers and CSPs

The Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 commenced on 4 April 2025. They switched on the SOCI Act's risk management program obligations for carriers and relevant carriage service providers — and folded the old Telecommunications Sector Security Reforms into a single all-hazards framework. The all-hazards program was due in October 2025; the harder cyber milestones land in October 2026 and October 2027. Here is who is in scope and what a defensible TSRMP actually requires.

For more than a decade, telecommunications security in Australia lived in its own legislative corner. The Telecommunications Sector Security Reforms (TSSR), enacted under the Telecommunications Act 1997, required carriers and carriage service providers to protect their networks and facilities from unauthorised interference and to notify the government of changes that could compromise security. It was a national-security regime, sitting apart from the broader critical-infrastructure rules that applied to energy, water, ports and the rest.

That separation has now ended. The Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 — the TSRMP Rules — commenced on 4 April 2025 and brought telecommunications into the all-hazards setting of the Security of Critical Infrastructure Act 2018 (SOCI Act). Together with Schedule 5 of the Enhanced Response and Prevention Act 2024, the TSRMP Rules streamline the obligations that previously sat under the TSSR into a single, consolidated risk management framework for critical telecommunications assets.

The practical effect is significant. Many carriers and relevant carriage service providers are now caught by the SOCI Act's Part 2A risk management program obligation — the same kind of obligation that energy and other sectors have known as a CIRMP — but with telecommunications-specific risks built in. This piece explains who is in scope, the four hazard vectors a program must address, the cyber maturity milestones, and what a credible TSRMP looks like in practice.

The TSRMP Rules largely mirror the existing CIRMP Rules (the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023), with additions to reflect telecommunications-specific risks — most notably the compromise, theft or manipulation of communications. If you already know the CIRMP all-hazards structure, the TSRMP will feel familiar; the differences are in scope and in the telecommunications additions.

The TSRMP Timeline

Unlike some critical-infrastructure obligations that are still in consultation, the TSRMP regime is in force. The dates that matter run as follows:

  • 4 April 2025

    TSRMP Rules commenced

    The Rules switched on the Part 2A risk management program obligation for responsible entities that own or operate a carrier asset or a relevant carriage service provider asset.

  • 4 October 2025

    All-hazards risk management program due

    Responsible entities for existing critical telecommunications assets had to have a written, all-hazards risk management program in place. Assets coming into existence after 4 April 2025 receive a six-month grace period.

  • FY2026

    First board-approved annual report

    Responsible entities must produce an annual report on their risk management program, approved by the board (or equivalent governing body), supported by an annual attestation of compliance.

  • 4 October 2026

    Cyber & information maturity level 1

    The cyber and information security vector must reach maturity level one of a recognised framework. The obligation is to comply with the maturity, not to become certified.

  • 4 October 2027

    Cyber & information maturity level 2

    The cyber and information security vector must step up again to maturity level two — the more demanding of the two milestones, and the one most likely to require multi-year programme work.

The clock is already running. The all-hazards program was due in October 2025 and the first board-approved annual report falls in FY2026. With cyber maturity level one due in October 2026 and level two a year later, an entity that has not yet baselined its cyber posture against a recognised framework has little margin. The maturity jump from ML1 to ML2 typically costs more effort than reaching ML1 in the first place.

Who Is in Scope

The TSRMP Rules apply to responsible entities that own or operate a carrier asset or a relevant carriage service provider asset. In practice, that draws the net as follows:

  • All carriers — entities holding a carrier licence. Because of the criticality and interconnectedness of carrier infrastructure, all critical telecommunications assets owned or operated by carriers are captured.
  • Relevant carriage service providers — CSPs that supply 20,000 or more active carriage services, or that supply services to the Commonwealth Government or to defence. Smaller CSPs that meet neither threshold generally sit outside the risk management program obligation, though other positive security obligations may still apply.

One subtlety catches people out. The TSRMP is broader than the older concept of a "critical telecommunications asset" tied only to assets used to provide a carriage service. A TSRMP must address both network assets and non-network assets — including the billing, charging, provisioning and operational support systems that do not themselves carry traffic but whose compromise would still have a relevant impact. Scoping only the network is a common and costly mistake.

Key figures at a glance:

  • 4 hazard vectors

    Cyber, personnel, supply chain, and physical & natural. Each must be addressed.

  • 20,000+ carriage services

    The threshold that brings a CSP into scope as a relevant carriage service provider.

  • Oct 2026: cyber ML1 due

    Maturity level one of a recognised framework for the cyber vector.

  • Oct 2027: cyber ML2 due

    Maturity level two, the harder of the two cyber milestones.

The "Protect Your Asset" Obligation

Sitting over the whole regime is the overarching obligation to protect the asset. A responsible entity must protect each critical telecommunications asset from all hazards, so far as it is reasonably practicable to do so, where there is a material risk of harms that would have a relevant impact. The phrase "reasonably practicable" was added in response to industry feedback, and it matters: the obligation is to take proportionate, risk-based action — not to achieve theoretical perfection.

The all-hazards risk management program is how an entity discharges that obligation. For each asset, the program must: identify the operational context of the asset; identify each hazard where there is a material risk that the hazard could have a relevant impact; minimise or eliminate that material risk so far as is reasonably practicable; and mitigate the relevant impact of the hazard should it occur.

The Four Hazard Vectors

Like a CIRMP, a TSRMP must address four hazard vectors. The list below summarises what each covers and where the telecommunications-specific emphasis sits.

  • Cyber & information security

    What it covers: Protecting systems and information from cyber compromise.

    Telco emphasis: Maturity uplift to ML1/ML2; compromise, theft or manipulation of communications.

  • Personnel

    What it covers: Trusted-insider and critical-role risk.

    Telco emphasis: Screening and ongoing suitability for staff with access to critical assets.

  • Supply chain

    What it covers: Vendor, equipment and service-provider risk.

    Telco emphasis: Offshoring on a risk-based approach; high-risk vendor and 5G considerations.

  • Physical & natural

    What it covers: Site security, environmental and natural-hazard resilience.

    Telco emphasis: Exchanges, data centres, towers and the physical plant behind the network.

The supply chain vector deserves a particular note. The explanatory material accompanying the regime is clear that it does not outright prohibit outsourcing or offshoring of critical telecommunications assets. Instead, it requires responsible entities to build security considerations into their supplier arrangements and to take a risk-based approach to deciding which parts of their operations can be offshored. The decision is yours to make — but it must be a documented, risk-informed decision, not an accident of procurement.

The Cyber Maturity Uplift

The most demanding part of the TSRMP regime is the cyber and information security vector. Responsible entities must reach the maturity equivalent of a recognised framework — with maturity level one by October 2026 and maturity level two by October 2027. Frameworks commonly cited for this purpose include ISO/IEC 27001:2023, the ACSC Essential Eight, and the NIST Cyber Security Framework.

Two points are easy to miss and important to get right:

  • Comply, do not certify. The obligation is to comply with the relevant maturity level of the chosen framework. There is no requirement to obtain certification from a certification body. An entity can build to, and evidence, ISO 27001:2023 maturity without paying for a certificate — what matters is that the program genuinely meets the maturity, and that you can show it.
  • Where a framework has no built-in maturity level, the program must set out how the cyber programme is made equivalent to the required maturity. This is the same approach the broader SOCI cyber obligations take, and it means the framework choice does not let you sidestep the substance.

Because the milestones step up — ML1 then ML2, a year apart — the cyber vector rewards a continuous-assurance cadence rather than a single annual scramble. Baselining now, tracking the gap to each milestone, and re-measuring each quarter gives both the execution runway and the trajectory evidence that a regulator looks for after an incident.

Governance, Reporting and Enforcement

The TSRMP is not a document you write once and file away. The regime builds in continuing obligations:

  • Board-approved annual report. From FY2026, the governing body must approve an annual report on the risk management program, supported by an annual attestation of compliance.
  • Information-gathering powers. The Secretary of the Department of Home Affairs can require a responsible entity to produce information and documents to monitor and investigate compliance.
  • Direction to vary. Where a program is assessed to have a serious deficiency — one that poses a risk to socioeconomic stability, national security or defence — the Secretary can direct the entity to vary it. The Minister also holds directions powers to require, or prohibit, specified action to address a security risk.
  • Civil penalties. Non-compliance with the risk management program obligation is subject to civil penalties under the SOCI Act.

The real test of a TSRMP is not whether a year-end snapshot looked tidy, but whether the entity can demonstrate that material risks were genuinely identified and actively managed across all four vectors. That is the question that gets asked after an incident — and the answer lives in the evidence trail, not the cover page.

What a Defensible TSRMP Looks Like

Pulling it together, a credible program for a carrier or relevant CSP has a recognisable shape:

  • An asset register that includes non-network assets — every critical telecommunications asset, network and non-network, with its operational context recorded.
  • A material risk register across all four vectors — each risk with its likelihood, impact, mitigation and residual position, with the telecommunications-specific risks flagged explicitly.
  • A cyber maturity baseline against a chosen framework — with the gap to ML1 and ML2 made visible, and the due dates tracked against current posture.
  • An evidence trail — documents that substantiate each control and mitigation, ready to produce if the Secretary asks.
  • A board-approved annual report — drawn from the underlying data, not assembled from scratch each year.
  • A continuous cadence — quarterly re-measurement and remediation that demonstrates a trajectory of improvement, not a single annual effort.

Entities that treat the TSRMP as a living program — baselined now, re-measured regularly, and evidenced as they go — give themselves both the runway to hit the October 2026 and 2027 cyber milestones and the defensible record to stand behind their attestation if an incident occurs along the way.

Frequently Asked Questions

What is the TSRMP?

The Telecommunications Security and Risk Management Program (TSRMP) is the all-hazards risk management program that carriers and relevant carriage service providers must adopt and maintain under the Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025. The Rules commenced on 4 April 2025 and switch on the Part 2A risk management program obligations of the SOCI Act for critical telecommunications assets, consolidating the obligations that previously sat under the Telecommunications Sector Security Reforms into the SOCI Act's all-hazards setting.

Who must comply with the TSRMP Rules?

The Rules apply to responsible entities that own or operate a carrier asset or a relevant carriage service provider asset. This captures all carriers that hold a carrier licence, and carriage service providers that supply 20,000 or more active carriage services or supply services to the Commonwealth Government or defence. The program must address both network assets and non-network assets such as billing and charging systems.

What are the four TSRMP hazard vectors?

A TSRMP must identify and manage each hazard that poses a material risk of relevant impact across four vectors: cyber and information security; personnel; supply chain; and physical security and natural hazards. For each, the responsible entity must minimise or eliminate the material risk so far as reasonably practicable and mitigate the relevant impact. The Rules largely mirror the existing CIRMP Rules with telecommunications-specific additions covering the compromise, theft or manipulation of communications.

What are the TSRMP cyber maturity deadlines?

For the cyber and information security vector, responsible entities must comply with maturity level one by 4 October 2026 and maturity level two by 4 October 2027. The obligation is to comply with the maturity of a recognised framework — such as ISO/IEC 27001:2023, the ACSC Essential Eight, or the NIST Cyber Security Framework — not to obtain certification.

Does a TSRMP require an annual report?

Yes. Responsible entities must produce a board-approved annual report on their risk management program from FY2026, supported by an annual attestation of compliance. The Secretary of the Department of Home Affairs can also request information and documents to monitor compliance, and can direct variation of a program assessed to have a serious deficiency.

How does the TSRMP relate to the old TSSR obligations?

The TSRMP Rules, together with Schedule 5 of the Enhanced Response and Prevention Act 2024, streamline the national security obligations that previously sat under the Telecommunications Sector Security Reforms (TSSR) in the Telecommunications Act 1997 into the all-hazards security setting of the SOCI Act. The effect is a single, consolidated risk management framework for critical telecommunications assets rather than two overlapping regimes.

Build and Evidence Your TSRMP

The CyberAssure TSRMP Risk Management Program Assessment structures your all-hazards program across the four hazard vectors, targets the cyber maturity milestones for ML1 and ML2, and generates a board-approved annual report, a material risk register, and a prioritised remediation roadmap — all in the browser, with no data leaving your environment.