The Security of Critical Infrastructure Act 2018 (SOCI Act) has seen a lot of reform in recent years, as the Australian Government strives to better protect the country’s critical infrastructure sectors and assets from threats to its social or economic stability, its defence and its national security.
The SOCI Act and accompanying rules seek to achieve this by:
- empowering the government to exercise information gathering, direction and intervention powers in respect of specified critical infrastructure sectors
- requiring the provision of operational and ownership information to the Register of Critical Infrastructure Assets
- imposing incident reporting and risk management obligations in respect of specified critical infrastructure asset classes
- applying enhanced cyber security obligations to critical infrastructure assets designated by the Government as systems of national significance
The legislation covers a broad range of assets and obligations, which extend to various participants in the supply chain, including “responsible entities”, “reporting entities”, “direct interest holders”, “managed service providers” and “operators”.
The SOCI Act has been revised several times in recent years. These amendments have primarily focused on making the regime more comprehensive, in recognition of an evolving threat landscape – not necessarily making the regime simpler to understand or comply with. The upshot is that the SOCI Act and its accompanying rules are dense and difficult to navigate.
This summary seeks to demystify the regime’s complexities. In doing so, we acknowledge that complexity exists below the surface and will invariably require a case-by-case assessment.
If you need help understanding how the SOCI Act applies to your organisation or sector, we would be delighted to assist.
Recent reform
The SOCI Act was most recently reformed in November 2024, when the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (ERP Act) was introduced.
The ERP Act seeks to address gaps in the existing regulatory framework and enhance the government’s ability to respond to a wide range of incidents (beyond cyber).
Specifically:
- data storage systems – the ERP Act expanded the type of assets previously captured as critical infrastructure under the SOCI Act, to more clearly cover related data storage systems that store or process business critical data;
- expansion of government powers (all hazards) – the ERP Act extended existing government powers under the SOCI Act, to a wider range of incidents, shifting what was previously a cyber-focused regime to address ‘all hazards’;
- expansion of government powers (CIRMP variations) – the ERP Act gives the government new powers to compel a responsible entity to vary its critical infrastructure risk management program (CIRMP) to address ‘serious deficiencies’;
- broader ability to share ‘protected information’ – the ERP Act narrowed the definition of ‘protected information’ (relevant to the protection of potentially sensitive information regarding critical infrastructure), to expand and clarify when protected information can be disclosed; and
- consolidation of telecommunications security requirements under the SOCI Act – the ERP Act brought telecommunications security obligations out of the Telecommunications Sector Security Reforms (TSSR) regime under Part 14 of the Telecommunications Act 1997 (Cth) and under the SOCI Act.
For more information about the ERP Act, the rationale for the reforms and what they mean for you, please see here.
Most amendments described in the ERP Act took effect on 20 December 2024.
The telecommunications sector reforms in Schedule 5 of the ERP Act took effect on 4 April 2025.
The Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 and the Security of Critical Infrastructure Amendment (2025 Measures No. 1) Rules 2025 operationalise various aspects of the ERP Act. These rules took effect on 4 April 2025.
The above provides a simplified visual presentation of the different critical infrastructure assets or critical infrastructure sectors assets which are or will be captured by obligations or powers under the SOCI Act (as described below).
Hover over the different obligations or powers to reveal the assets or sectors covered.
Entities – Who is captured by the SOCI Act?
|
Entity |
Definition |
Key obligations |
|---|---|---|
|
Responsible Entity |
The definition is asset specific, but generally the responsible entity will be the entity that owns, or is licensed or responsible for operating, the asset. |
Reporting of operational information. Notification of cyber incidents. Risk management program. |
|
Direct Interest Holder |
Entity that (a) together with any associates of the entity, holds a legal or equitable interest of at least 10% in a critical infrastructure asset (including if any of the interests are held jointly with one or more other entities); or (b) holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset. |
Reporting of interest information. |
|
Reporting Entity |
Responsible Entity. Direct Interest Holder. |
Reporting of interest and operational information. |
|
Relevant Entity |
Responsible Entity. Direct Interest Holder. Operator (entity that operates the critical infrastructure asset or part of the asset). Managed service provider (entity that manages (part of) a critical infrastructure asset, aspect of the asset, or the operation of the asset). |
Response to Government information gathering, direction and intervention powers. |
Footnotes
- What constitutes a “relevant impact” varies, but in relation to a cyber security incident it includes direct or indirect impacts on the availability, integrity or reliability of the asset; or the confidentiality of information about or stored on the asset.
- “Critical infrastructure sector assets” include critical infrastructure assets and any other asset that “relates to” a critical infrastructure sector. For example, this could capture IT systems or other equipment supplied to support or service critical infrastructure assets.
- Minister for Home Affairs, ‘Safeguarding Australia's most critical infrastructure’ available here (24 March 2025).
This article was originally published on 29 March 2023 and updated on 6 January 2025 and 28 April 2025.
Key contacts
Cameron Whittfield
Partner, Melbourne
Julian Lincoln
Partner, Melbourne
Peter Jones
Partner, Head of TMT, Asia, Singapore
Legal Notice
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills Kramer 2026
Stay in the know
Receive timely insights and briefings from HSF Kramer, tailored to keep you informed and ahead



