Acts Online
GT Shield

Critical Infrastructure Protection Act, 2019 (Act No. 8 of 2019)

Chapter 4 : Powers and Duties or Persons in Control of Critical Infrastructure

24. Powers and duties of persons in control of critical infrastructure

 

(1) On receipt of a notice referred to in section 20(2), the person in control of a critical infrastructure must, subject to subsection (4), take such steps as may be prescribed to secure such critical infrastructure at that person’s own expense.

 

(2) The person in control of critical infrastructure that is under the control of a Government department or any other organ of state, must take steps to ensure that such critical infrastructure is protected by the employees of that government department or organ of state.

 

(3) Where the Government department or organ of state referred to in subsection (2) is unable to protect a critical infrastructure as contemplated in subsection (2), the person in control of that critical infrastructure must take steps to ensure that a security service provider is appointed to protect the critical infrastructure: Provided that such security service provider may only be appointed after the successful completion of security vetting by the State Security Agency.

 

(4)
(a) Subject to paragraphs (b) and (c), the Minister may, if the person in control of critical infrastructure shows good cause in the application contemplated in sections 17(1) or 18(1)(b), determine that the Head of a Government department is responsible for all or some of the expenses necessary to implement the steps contemplated in subsection (1).
(b) For purposes of determining the extent to which the Head of a Government department contemplated in paragraph (a) is responsible for the expenses, the Minister must—
(i) in the case of a national department, consult the Minister of Finance and the Minister responsible for the affected department;
(ii) in the case of a provincial department, consult the relevant Member of the Executive Council responsible for finance and the relevant Member of the Executive Council responsible for the affected department;
(iii) in the case of a municipality, consult the relevant Municipal Council; and
(iv) where applicable, take into account any policy of the Cabinet, the relevant Executive Council or Municipal Council regarding the standards of any security measures and the reasonable costs that may be incurred by the State.
(c) The Minister must, in writing, inform the Head of the Government department and the person in control of that critical infrastructure of the decision, setting out the extent to which—
(i) the Head of the Government department contemplated in paragraph (b); and
(ii) the person in control of the critical infrastructure, is responsible for expenses necessary to implement the steps contemplated in subsection (1).

 

(5) In the event that a person in control of a critical infrastructure fails to take the steps contemplated in subsection (1), the Minister may, by written notice in the prescribed form and manner, order him or her to take, within a period specified in the notice and at his or her own expense, such steps in respect of the security of the critical infrastructure as may be specified in the notice.

 

(6) If the person in control of a critical infrastructure refuses or fails to take the steps specified in the notice within the period specified therein, the Minister must take or cause steps to be taken in respect of the security of that critical infrastructure and the Minister must recover the reasonable cost thereof from the person in control of that critical infrastructure to such extent as the Minister may determine.

 

(7) A person in control of a critical infrastructure must appoint a person in the employ of the critical infrastructure as security manager to—
(a) implement and monitor, on behalf of the person in control of the critical infrastructure, the prescribed security policy and plan compiled for that critical infrastructure;
(b) authorise access to critical infrastructure or oversee the authorisation of such access by security personnel working under his or her direction;
(c) liaise with any security service provider appointed by the person in control of that critical infrastructure;
(d) implement the directions contemplated in section 25(1)(b);
(e) provide monthly reports to the person in control of that critical infrastructure on the functions contemplated in paragraphs (a), (b) and (c); and
(f) perform such other functions related to the securing of that critical infrastructure as may be assigned to him or her by the person in control of that critical infrastructure:

Provided that such security manager may only be appointed after successful completion of security vetting by the State Security Agency.

 

(8) A person in control of a critical infrastructure must as far as practically possible demarcate and place a notice, in the prescribed format and manner, on premises constituting a critical infrastructure, in order to notify persons that the premises are declared a critical infrastructure.

 

(9) A person to whom functions are assigned in terms of this Chapter must exercise such powers and perform such duties subject to the Constitution and with due regard to the fundamental rights of every person.