Rules Mate

Compliance playbook for telecommunications carriers and eligible CSPs

Everything an Australian carrier or eligible carriage service provider has to do — Telecommunications Act 1997 (Schedule 1 standard carrier licence conditions, carrier vs CSP distinction), Annual Carrier Licence Charge, TCP Code C628 consumer protections, s 313 law-enforcement assistance, Telecommunications (Interception and Access) Act 1979 + Part 5-1A two-year metadata retention, SOCI Act 2018 critical infrastructure obligations, Cyber Security Act 2024 ransomware reporting, Privacy Act for telco customer data, ACMA reporting and complaints handling under Part 6, Do Not Call + Spam Act for outbound marketing, and the customer service guarantee.

21 obligations · 1 deadline · 21 cross-linked articles

Key deadlines — next 12 months

  • 28 September 2026: SOCI CIRMP board attestation
  • Within 12 / 72 hours: SOCI cyber-incident report (significant / other)
  • Within 72 hours: Ransomware payment report (Cyber Security Act 2024)
  • Within 30 days: NDB assessment of suspected breach
  • Annual: Interception Capability Plan lodgement
  • Annual: Annual Carrier Licence Charge

Does this apply to me?

Answer yes to any of the below and the obligations in this playbook are likely relevant.

  1. Do you own a network unit used to supply a carriage service to the public — making you a 'carrier' under s 87 of the Telecommunications Act 1997?
  2. Do you supply a 'listed carriage service' to the public (resold mobile, VOIP, internet, hosted PBX) — making you a carriage service provider (CSP)?
  3. Are you classified as an 'eligible carriage service provider' under Telecommunications Consumer Protections Code C628 because you supply telecommunications services to consumers and small business?
  4. Do you hold or retain telecommunications data (call records, IP-session data, subscriber records) that falls within Part 5-1A of the Telecommunications (Interception and Access) Act 1979?
  5. Are you a 'responsible entity' for a critical telecommunications asset under the Security of Critical Infrastructure Act 2018 (carriers + CSPs are captured)?
  6. Do you market to consumers by phone, SMS or email (Do Not Call Register Act 2006 + Spam Act 2003)?

Plain English summary

Telecommunications carriers and CSPs sit at the intersection of three regulators: ACMA (Telco Act, TCP Code, Spam, Do Not Call), the Department of Home Affairs / ASD (SOCI, Cyber Security Act 2024, interception assistance), and the OAIC (Privacy Act for customer data + metadata). The compliance stack is one of the heaviest in the Australian economy because telco infrastructure is treated as critical to every other sector.

A carrier (Telecommunications Act 1997, s 87) owns network units and needs an individual carrier licence from ACMA. A CSP (s 87) supplies a listed carriage service using a network unit. Most resellers are CSPs, not carriers. The distinction drives which Standard Carrier Licence Conditions in Schedule 1 apply (carriers face all of them; CSPs face a subset under Schedule 2). Both carriers and eligible CSPs are bound by the industry-developed TCP Code C628, which ACMA can direct compliance with and ultimately enforce via civil penalty.

Law enforcement and national security assistance under s 313 of the Telco Act + the TIA Act 1979 are non-negotiable. Part 5-1A of the TIA Act requires CSPs (and carriers) to retain prescribed telecommunications data for two years. The Assistance and Access regime (Part 15 of the Telco Act + Industry Assistance Notices) layers technical-capability obligations on top. The SOCI Act 2018 captures the telecommunications sector as critical infrastructure — Critical Infrastructure Risk Management Program (CIRMP), annual board attestation by 28 September, and mandatory cyber-incident reporting (12 hours significant / 72 hours other).

This playbook lists every obligation on a carrier or eligible CSP today, the section of the Act it sits under, who is accountable, the cadence, the maximum penalty, and a regulator-direct source. Cross-link to the cyber incident notification timer and the Essential Eight maturity check.

Obligation checklist

Every obligation cites the Act and section. Source URLs link to the regulator's portal — Rules Mate does not republish statutory text.

  1.

    Telecommunications Act 1997 (Cth), s 56 — carrier licence

    If you own a network unit used to supply a carriage service to the public, hold an individual carrier licence issued by ACMA. Apply via the ACMA portal; declared carrier licences are also possible for nominated network units.

    Who's responsible
    Director / CEO + Regulatory Affairs
    Frequency
    Continuous (annual renewal cycle)
    Penalty
    Operating without a carrier licence is a criminal offence — up to 20,000 penalty units (~$6.6M for body corporate).
  2.

    Telecommunications Act 1997 (Cth), Sch 1 — Standard Carrier Licence Conditions

    Comply with all Schedule 1 Standard Carrier Licence Conditions including: carriage service provider rules, network protection, interception capabilities, billing, complaints handling, and obligations to give regulators information.

    Who's responsible
    Regulatory Affairs + COO
    Frequency
    Continuous
    Penalty
    Civil penalty up to ~$10M per contravention; potential licence revocation.
  3.

    Telecommunications (Carrier Licence Charges) Act 1997 — Annual Carrier Licence Charge

    Pay the Annual Carrier Licence Charge — assessed by ACMA based on eligible revenue. Charge funds ACMA, TIO, and consumer-protection programs. Lodge the eligible-revenue return by the date specified in the annual notice.

    Who's responsible
    CFO + Regulatory Affairs
    Frequency
    Annual
    Penalty
    Late payment penalty; potential licence consequences for non-payment.
  4.

    Telecommunications Act 1997 (Cth), s 101 — service provider rules (CSPs)

    Even without a carrier licence, every CSP must comply with the service provider rules (operating standards, customer service standards, dispute resolution, industry codes). No registration is required, but the rules apply from the first day of service.

    Who's responsible
    COO + Customer Operations
    Frequency
    Continuous
    Penalty
    Civil penalty up to ~$250,000 per contravention; ACMA direction-and-enforcement powers.
  5.

    Telecommunications Consumer Protections Code C628:2019 (TCP Code)

    Comply with the registered TCP Code: pre-sale information; advertising; credit assessment for post-paid services; bill content and timing; complaint handling within 15 business days; financial-hardship process; standard agreement terms.

    Who's responsible
    Customer Operations + Marketing + Legal
    Frequency
    Continuous
    Penalty
    ACMA direction to comply; civil penalty up to ~$250,000 per breach following direction; reputational and TIO escalations.
  6.

    Telecommunications (Consumer Protection and Service Standards) Act 1999 — Customer Service Guarantee

    Where you supply a standard telephone service, meet the Customer Service Guarantee performance standards — connection and fault rectification timeframes; pay damages if not met (unless waived in writing).

    Who's responsible
    Customer Operations
    Frequency
    Per service event
    Penalty
    Mandatory damages payable to the customer; ACMA enforcement; civil penalty exposure.
  7.

    Telecommunications Act 1997 (Cth), s 313 — law enforcement assistance

    Give law enforcement, security, and other authorised officers such help as is reasonably necessary for safeguarding national security, enforcing criminal law, and protecting public revenue. Includes site access, blocking, and information disclosure.

    Who's responsible
    Law Enforcement Liaison + Legal
    Frequency
    Event-driven
    Penalty
    Failure to assist is a contravention of carrier licence condition + service provider rule; civil penalty + enforcement.
  8.

    Telecommunications (Interception and Access) Act 1979 (Cth), Part 5-1A — data retention

    Retain prescribed telecommunications data (subscriber details, source/destination, date/time, duration, communication type, network location) for two years. Provide access to authorised agencies on warrant or authorisation.

    Who's responsible
    CIO + Privacy Officer + Law Enforcement Liaison
    Frequency
    Continuous (2-year retention rolling)
    Penalty
    Civil penalty up to ~$2.2M; criminal offences for disclosure outside the regime.
  9.

    Telecommunications (Interception and Access) Act 1979 (Cth), Pt 5-3 — interception capability

    Maintain interception capabilities for the services you provide and lodge an Interception Capability Plan with the Communications Access Co-ordinator annually by 1 July. Demonstrate ongoing capability to carry out interception under lawful warrants.

    Who's responsible
    Law Enforcement Liaison + CIO
    Frequency
    Annual ICP + continuous capability
    Penalty
    Civil penalty + Telco Act licence consequences.
  10.

    Telecommunications Act 1997 (Cth), Pt 15 — Industry Assistance (TOLA / Assistance and Access)

    Respond to Technical Assistance Requests, Technical Assistance Notices, and Technical Capability Notices issued by interception agencies under Pt 15. Confidentiality obligations apply — no disclosure outside the framework.

    Who's responsible
    Legal + CIO + Law Enforcement Liaison
    Frequency
    Event-driven
    Penalty
    Failure to comply with a TCN: civil penalty up to ~$10M; unauthorised disclosure of a notice: criminal offence up to 5 years imprisonment.
  11.

    Security of Critical Infrastructure Act 2018 (Cth) — telecommunications sector

    Telecommunications carriers and CSPs are responsible entities for critical telecommunications assets. Register the asset, adopt a Critical Infrastructure Risk Management Program (CIRMP), give board attestation by 28 September each year, report cyber incidents (12 hours significant impact / 72 hours other) to ASD ACSC.

    Who's responsible
    Board + CISO + CSO
    Frequency
    Annual attestation + continuous CIRMP + event-driven incident reporting
    Penalty
    Civil penalty up to ~$1.565M (corporate) per contravention; ministerial action direction.
  12.

    Cyber Security Act 2024 (Cth) — ransomware payment reporting

    If you (carrier or CSP) make or facilitate a ransomware payment, report to the Department of Home Affairs within 72 hours of the payment. Telco entities are critical-infrastructure entities — captured regardless of turnover.

    Who's responsible
    CISO + GC
    Frequency
    Event-driven
    Penalty
    Civil penalty (60 penalty units, ~$19,800 per breach).
  13.

    Telecommunications Act 1997 (Cth), Pt 13 — confidentiality / use and disclosure of customer information

    Do not use or disclose any information or document relating to the contents of communications, telecommunications data, or carriage services personal information of another person — except where Pt 13 authorises it (consent, business needs, law enforcement, emergency).

    Who's responsible
    Privacy Officer + Customer Operations
    Frequency
    Continuous
    Penalty
    Criminal offence up to 2 years imprisonment + civil penalty exposure.
  14.

    Privacy Act 1988 (Cth), Sch 1 — Australian Privacy Principles

    Carriers and CSPs are APP entities. Comply with all 13 APPs — privacy policy (APP 1), collection notices (APP 5), security of personal information including telco metadata (APP 11), cross-border disclosure (APP 8). Notifiable Data Breach scheme applies.

    Who's responsible
    Privacy Officer + CISO
    Frequency
    Continuous
    Penalty
    Up to $50M / 3× benefit / 30% turnover for serious or repeated interferences.
  15.

    Privacy Act 1988 (Cth), Pt IIIC — Notifiable Data Breach scheme

    Notify the OAIC and affected individuals of eligible data breaches involving customer personal information or telco metadata. Assessment within 30 days of becoming aware.

    Who's responsible
    Privacy Officer + Incident Response Lead
    Frequency
    Event-driven
    Penalty
    Up to $50M / 3× benefit / 30% turnover.
  16.

    Telecommunications Act 1997 (Cth), Pt 6 + ACMA reporting and complaint-handling

    Lodge ACMA-mandated reports: annual reports of complaints under the TCP Code, network reliability framework reports for major outages, and other ACMA-direction-driven reports. Resolve complaints in the timeframes required.

    Who's responsible
    Regulatory Affairs + Customer Operations
    Frequency
    Annual + event-driven major outage reports
    Penalty
    Civil penalty for late or false reports; direction-and-enforcement escalation.
  17.

    Telecommunications Industry Ombudsman Act 1997 — TIO membership

    Carriers and CSPs supplying residential and small-business consumer services must be members of the Telecommunications Industry Ombudsman (TIO). Pay TIO levy. Comply with TIO determinations.

    Who's responsible
    Regulatory Affairs + Customer Operations
    Frequency
    Continuous; TIO levy each cycle
    Penalty
    ACMA enforcement of TIO membership obligation; civil penalty for failure to join or pay.
  18.

    Spam Act 2003 (Cth), s 16 — commercial electronic messages

    Do not send commercial electronic messages (SMS, email, MMS) without consent; include sender identification and a functional unsubscribe in every message. ACMA has issued the largest Spam Act penalties against telcos.

    Who's responsible
    Marketing + Customer Operations
    Frequency
    Every campaign
    Penalty
    Up to $2.355M per day for serious breaches (ACMA enforcement; telcos have received the largest historical penalties).
  19.

    Do Not Call Register Act 2006 (Cth)

    Do not make unsolicited telemarketing calls or send unsolicited marketing faxes to numbers on the Do Not Call Register. Wash lists at least every 30 days. Telcos generally cannot rely on the 'existing business relationship' exemption for non-existing customers.

    Who's responsible
    Sales + Marketing + Customer Operations
    Frequency
    Every campaign; register check at least every 30 days
    Penalty
    Up to $2.355M for serious repeated breaches; ACMA enforcement.
  20.

    Telecommunications (Emergency Call Service) Determination 2019 — Triple Zero access

    Provide access to Triple Zero (000) emergency services free of charge; meet the call-routing performance standards; lodge incident reports for outages affecting the emergency call service.

    Who's responsible
    Network Operations + Regulatory Affairs
    Frequency
    Continuous
    Penalty
    Civil penalty up to ~$2.2M per breach; ACMA direction.
  21.

    Telecommunications (Service Provider — Identity Checks for Pre-paid Mobile Carriage Services) Determination 2017

    Carry out identity checks on every pre-paid mobile customer at point of sale (or via authorised online/over-the-counter verification). Retain identity records as part of the service provider rule.

    Who's responsible
    Customer Operations + Channel Partners
    Frequency
    Per activation
    Penalty
    Civil penalty + carrier licence consequences.

Forms and regulator portals

Direct links to the lodgement forms and regulator portals. Rules Mate does not host copies — we link to the official source.

  • ACMA — carrier licence application

    Apply for an individual carrier licence.

  • ACMA — Spam Act enforcement / complaints

    Report a spam breach or seek guidance on Spam Act compliance.

  • Do Not Call Register — washer access

    Telemarketers must subscribe to the Register and wash lists at least every 30 days.

  • Department of Home Affairs — Interception Capability Plan portal

    Annual ICP lodgement via the Communications Access Co-ordinator.

  • ASD ACSC — cyber incident reporting

    Lodge SOCI mandatory cyber-incident notifications (12 / 72 hours).

  • OAIC — Notifiable Data Breach notification

    Report an eligible data breach.

  • Telecommunications Industry Ombudsman — membership

    TIO registration for carriers and CSPs supplying consumer and small-business services.


What changes 2025–2026

28 September annually — SOCI board attestation

Telecommunications-sector responsible entities lodge the CIRMP annual board attestation by 28 September. Material risk-management uplift expected each cycle.

30 May 2025 — Cyber Security Act ransomware reporting commenced

Carriers and CSPs (as critical-infrastructure entities) must report ransomware payments to Home Affairs within 72 hours.

10 December 2026 — Privacy Act ADM transparency + Children's Online Privacy Code

APP 1 Privacy Policy must disclose automated decision-making that significantly affects individuals. Telco customer-onboarding ADM (credit decisions, fraud scoring) is captured.

2026 — TCP Code C628 review

ACMA and Communications Alliance have signalled a major refresh of the TCP Code. Expect tighter financial-hardship rules, clearer bill-shock controls, and stronger complaint-handling standards.

Ongoing — Assistance and Access (Pt 15) enforcement posture

The Industry Assistance regime continues to mature. Technical Capability Notices remain rare but Technical Assistance Requests are routine. Plan internal escalation paths and confidentiality protocols.

Ongoing — TIO levy and complaints visibility

ACMA's Communications Compliance and Enforcement Priorities consistently include telco consumer protection, complaint handling, and financial-hardship treatment.

Frequently asked

What's the difference between a carrier and a CSP?

A carrier (s 87) owns the network unit used to supply a carriage service to the public — fibre, towers, switches. A CSP supplies the listed carriage service to the public using network units, typically owned by someone else. Resold mobile and white-label NBN resellers are CSPs, not carriers. Carriers need an individual licence; CSPs do not but must follow the service provider rules from day one.

Do small CSPs (under 50K customers) escape the TCP Code?

No. Code C628 applies to every 'supplier' that provides telecommunications services to consumers. Some specific obligations have phased thresholds for sole traders and very small businesses, but the bulk of the Code applies from the first consumer customer.

How does s 313 sit with the Privacy Act and Pt 13?

Pt 13 of the Telco Act is the gatekeeper for disclosure of telco-customer information; s 313 of the Telco Act + the TIA Act + Industry Assistance Notices are the routes through it. Disclosures made for valid law-enforcement assistance under s 313 are authorised by Pt 13. Outside those routes, the Privacy Act APPs and Pt 13 apply.

What metadata exactly must we retain for 2 years?

Section 187AA of the TIA Act sets the data set: subscriber information; source of a communication; destination; date, time, duration; type of communication; communication-type identifiers; the location of equipment at the start and end of the communication. Web-browsing history is explicitly excluded. The two-year retention runs from creation.

Are we captured by SOCI as a small CSP?

The telecommunications sector is captured at a broad sector level by SOCI Pt 2A reforms. Smaller CSPs may not be 'responsible entities' for specific declared assets, but the sector-level data-storage and data-processing class obligations may apply if you host customer data above the thresholds. Get a sector classification confirmed by the Cyber and Infrastructure Security Centre before assuming you are out of scope.

Can we use customer numbers for our own marketing without consent?

Only narrowly. The Spam Act requires consent (express or inferred) for commercial electronic messages. An existing-business relationship can support inferred consent for related services, but not for unrelated upsells. Pt 13 of the Telco Act + APP 6 also constrain secondary use of customer information for marketing. Most telcos build positive consent into the onboarding flow.

What's the hardest obligation in this list in practice?

Financial-hardship process under TCP Code Chapter 6 and the TIO escalation pipeline. The Code requires you to identify, communicate with, and offer suitable arrangements to customers in financial hardship. ACMA and TIO data continues to show this is the most common cause of regulatory escalation for mid-size carriers and CSPs.

Last verified: 9 June 2026

Rules Mate provides citation-first reference material, not legal advice. Always consult a qualified professional for specific obligations.