The Security of Critical Infrastructure Act 2018 (SOCI Act) has seen a lot of reform in recent years, as the Australian Government strives to better protect the country’s critical infrastructure sectors and assets from threats to its social or economic stability, its defence and its national security.

The SOCI Act and accompanying rules seek to achieve this by:

  • empowering the government to exercise information gathering, direction and intervention powers in respect of specified critical infrastructure sectors
  • requiring the provision of operational and ownership information to the Register of Critical Infrastructure Assets
  • imposing incident reporting and risk management obligations in respect of specified critical infrastructure asset classes
  • applying enhanced cyber security obligations to critical infrastructure assets designated by the Government as systems of national significance

The legislation covers a broad range of assets and obligations, which extend to various participants in the supply chain, including “responsible entities”, “reporting entities”, “direct interest holders”, “managed service providers” and “operators”.

The SOCI Act has been revised several times in recent years. These amendments have primarily focused on making the regime more comprehensive, in recognition of an evolving threat landscape – not necessarily making the regime simpler to understand or comply with. The upshot is that the SOCI Act and its accompanying rules are dense and difficult to navigate.

This summary seeks to demystify the regime’s complexities. In doing so, we acknowledge that complexity exists below the surface and will invariably require a case-by-case assessment.

If you need help understanding how the SOCI Act applies to your organisation or sector, we would be delighted to assist.

Recent reform

The SOCI Act was most recently reformed in November 2024, when the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (ERP Act) was introduced.

The ERP Act seeks to address gaps in the existing regulatory framework and enhance the government’s ability to respond to a wide range of incidents (beyond cyber).

Specifically:

  • data storage systems – the ERP Act expanded the type of assets previously captured as critical infrastructure under the SOCI Act, to more clearly cover related data storage systems that store or process business critical data;
  • expansion of government powers (all hazards) – the ERP Act extended existing government powers under the SOCI Act, to a wider range of incidents, shifting what was previously a cyber-focused regime to address ‘all hazards’;
  • expansion of government powers (CIRMP variations) – the ERP Act gives the government new powers to compel a responsible entity to vary its critical infrastructure risk management program (CIRMP) to address ‘serious deficiencies’;
  • broader ability to share ‘protected information’ – the ERP Act narrowed the definition of ‘protected information’ (relevant to the protection of potentially sensitive information regarding critical infrastructure), to expand and clarify when protected information can be disclosed; and
  • consolidation of telecommunications security requirements under the SOCI Act – the ERP Act brought telecommunications security obligations out of the Telecommunications Sector Security Reforms (TSSR) regime under Part 14 of the Telecommunications Act 1997 (Cth) and under the SOCI Act.

For more information about the ERP Act, the rationale for the reforms and what they mean for you, please see here.

Most amendments described in the ERP Act took effect on 20 December 2024.

The telecommunications sector reforms in Schedule 5 of the ERP Act took effect on 4 April 2025.

The Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 and the Security of Critical Infrastructure Amendment (2025 Measures No. 1) Rules 2025 operationalise various aspects of the ERP Act. These rules took effect on 4 April 2025.

The above provides a simplified visual presentation of the different critical infrastructure assets or critical infrastructure sectors assets which are or will be captured by obligations or powers under the SOCI Act (as described below).

Hover  over the different obligations or powers to reveal the assets or sectors covered. 

Entities – Who is captured by the SOCI Act?

Entity

Definition

Key obligations

Responsible Entity

The definition is asset specific, but generally the responsible entity will be the entity that owns, or is licensed or responsible for operating, the asset.

Reporting of operational information.

Notification of cyber incidents.

Risk management program.

Direct Interest Holder

Entity that (a) together with any associates of the entity, holds a legal or equitable interest of at least 10% in a critical infrastructure asset (including if any of the interests are held jointly with one or more other entities); or (b) holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.

Reporting of interest information.

Reporting Entity

Responsible Entity.

Direct Interest Holder.

Reporting of interest and operational information.

Relevant Entity

Responsible Entity.

Direct Interest Holder.

Operator (entity that operates the critical infrastructure asset or part of the asset).

Managed service provider (entity that manages (part of) a critical infrastructure asset, aspect of the asset, or the operation of the asset).

Response to Government information gathering, direction and intervention powers.

 

Trigger

Powers and Safeguards

When:

  • an incident has occurred, is occurring or is imminent; and
  • that incident has had, is having, or is likely to have one or more “relevant impacts”1 on a critical infrastructure asset; and
  • there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice (i) the social / economic stability of Australia / its people, (ii) the defence of Australia, or (iii) national security; and
  • no existing regulatory system could be used to provide a practical and effective response to the incident.

 

The Minister may authorise the Secretary to do any or all of the following things relating to an incident impacting one or more critical infrastructure assets or specified critical infrastructure sector assets (as applicable):2

  1. Information gathering directions, to assist the Secretary to determine whether a power under the SOCI Act should be exercised in relation to the incident and the relevant asset. The Minister must be satisfied that the directions are likely to facilitate a practical and effective response to the incident. 
  2. Action directions, directing the entity to do (or refrain from doing) a specified act or thing. This Minister must be satisfied that (a) the relevant entity is unwilling or unable to take all reasonable steps to respond to the incident; (b) the direction is reasonably necessary for the purposes of responding to the incident; (c) the direction is a proportionate response to the incident; and (d) compliance with the direction is technically feasible.
  3. Intervention requests, authorising the Australian Signal Directorate (ASD) to do one or more specified acts or things in relation to a cyber security incident. This is regarded as a ‘step in’ power, which requires the Minister must be satisfied that (a) the incident is a cyber security incident; (b) an action direction would not constitute a practical and effective response to the incident; (c) the relevant entity is unwilling or unable to take all reasonable steps to respond to the incident; (d) the intervention is reasonably necessary for the purposes of responding to the incident; (e) the intervention is a proportionate response to the incident and (f) compliance with the request is technically feasible. Step in powers may include (i) accessing, modifying or analysing computer systems or data; (ii) installing computer programs; and (iii) removing, disconnecting, connecting or adding computers or computer devices.

There are three positive security obligations set out under the SOCI Act:

  • to provide operational and ownership information to the Register of Critical Infrastructure Assets;
  • to notify the Australian Cyber Security Centre (ACSC) of actual or imminent cyber security incidents with an actual or likely relevant impact; and
  • implementing and complying with a CIRMP.

These obligations only apply to a critical infrastructure asset if the obligation has been switched on for that asset, as specified in the relevant rules (as illustrated in the infographic).

 

The Cyber and Infrastructure Security Centre (CISC) maintains the confidential Register of Critical Infrastructure Assets.

A responsible entity for, or a direct interest holder in, an applicable critical infrastructure asset (each a “reporting entity”) must provide the CISC with certain operational and interest and control information relating to the assets in the register.

The types of information the responsible entity must provide include information about the location of the critical infrastructure asset, a description of the area the critical infrastructure asset services, a description of the arrangements under which another entity operates the critical infrastructure asset or a part of the critical infrastructure asset, a description of the arrangements under which relevant data types are managed by a third-party, the type and level of the interest the direct interest holder holds in the asset, and more.

Reporting entities must comply with these obligations from the date that is 6 months after the asset becomes a critical infrastructure asset.

Responsible entities are also required to update the CISC where operational information becomes incorrect or incomplete, or the reporting entity for an asset changes, no later than 30 days after the relevant event has occurred.


A responsible entity for an applicable critical infrastructure asset must report actual or imminent cyber security incidents to the ASD.

If the incident has a “relevant impact” (i.e. if the incident directly or indirectly impacts the asset’s availability, integrity or reliability, or the confidentiality of information about or stored on the asset) reporting must occur within 72 hours of the entity becoming aware.

This timeframe is reduced to 12 hours if the incident has had, or is having, a “significant impact” on the availability of the asset (i.e. if the incident is materially disrupts the provision or availability of essential goods or services).

Cyber security incidents can be reported over the phone if a written report is also provided.

Responsible entities must comply with these obligations from the date that is 3 months after the relevant asset becomes a critical infrastructure asset.

A responsible entity for an applicable critical infrastructure asset must adopt, maintain and comply with a CIRMP.

A CIRMP is a written program, adopting an “all-hazards” approach to the asset, that:

  • identifies each hazard where there as a material risk of a relevant impact; and
  • minimises, mitigates or eliminates any material risk from the hazard (to the extent reasonably practicable).

The “all-hazards” approach requires consideration of both natural and man-made hazards, including cyber and information security, personnel, supply chain, physical security and natural hazards.

The Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules 2023 specify requirements applicable in respect of CIRMPs, based on the above principles-based outcomes. These include obligations to comply with an information security framework and establish and maintain a process to identify and manage risk in respect of “critical workers”.

Responsible entities must, before 28 September of each year, submit an annual report on their CIRMP that has been signed by their board, council or other governing body, to the CISC (or the Reserve Bank of Australia in the case of entities responsible for critical payment systems). The report must address whether the program is up to date, any variations to the program, and details of how the program was effective in mitigating any relevant impacts that hazards may have had on the relevant asset during that year.

The CISC may give a responsible entity a written direction to vary its CIRMP to address a “serious deficiency” posing a material risk to Australia’s national security, defence or social or economic stability.

Data storage and processing providers that hold a certificate of hosting certification (at a strategic level) do not need to have a CIRMP, however they must, within 90 days after the end of each financial year, report on their assets and any hazards that had a significant relevant impact on one or more of those assets during the relevant period.

 

On 4 April 2025, the legislative reforms under the ERP Act streamlined national security obligations in relation to the telecommunications sector.

While the intention is to bring the existing security obligations arising under the TSSR regime into SOCI Act, the reality is that the reforms also brought about changes to these existing obligations. For example, the definition of ‘telecommunications assets’ subject to critical infrastructure regulatory oversight has been expanded to include any assets (in addition to telecommunication networks) that are owned or operated by a carrier or carriage service provider and used in connection with the supply of a carriage service.

For operators of telecommunications assets, this reform agenda is complex, with many moving parts. The new obligations will need to be carefully reviewed against existing obligations for individual assets, with close attention paid to details set out in the ERP Act and Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025.

At a high level, following passage of the ERP Act, responsible entities for critical telecommunications assets may be required to comply with the following obligations:

  • asset registration – responsible entities must register their critical infrastructure assets through the Register of Critical Infrastructure Assets (if not already registered under TSSR);
  • cyber security incident notification – if a cyber security incident has a relevant impact on a critical telecommunications asset, the responsible entity may be required to file a report for incidents meeting certain thresholds of severity;
  • CIRMP – from 4 October 2025 (or otherwise 6 months after an asset becomes a relevant critical infrastructure asset), the responsible entity for a critical telecommunications asset that is (i) owned and operated by a carrier, or (ii) a relevant carriage service provider asset, will need to adopt, maintain and comply with a CIRMP, as well as comply with related annual reporting obligations;
  • enhanced security regulation – the responsible entity for a critical telecommunications asset must protect the asset (so far as it is reasonably practicable to do so) to ensure (a) the confidentiality of communication carried on and information contained on the asset, and (b) the availability and integrity of the asset. This obligation is intended to secure and protect the asset from any hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset; and
  • material adverse effect notification – a responsible entity must, as soon as practicable, notify the Secretary of the Department of Home Affairs of certain actual changes and proposed changes to their telecommunications service or system that are likely to have a material adverse effect on the entity’s capacity to protect the asset. The kinds of changes prompting notification include (but are not limited to) providing a new telecommunicates service, changing the location of notifiable equipment, procuring notifiable equipment and entering into certain outsourcing arrangements.

The Department of Home Affairs may declare a critical infrastructure asset to be a system of national significance (SONS).

A declaration will follow a notification and consultation process.

As at 24 March 2025, the Department of Home Affairs had issued SONS declarations in respect of over 220 assets, across sectors including energy, communications, transport, financial services and markets, food and grocery, and data storage or processing.3 

A responsible entity for a SONS may be required to comply with one or more enhanced cyber security obligations, including:

  • incident response planning – adopting, maintaining and complying with an incident response plan for its assets;
  • cyber security exercises – conducting cyber security exercises testing the entity’s ability and preparedness to respond to and mitigate cyber incidents, including reporting relating to the exercise (and in some circumstances, external audits);
  • vulnerability assessments – undertaking a vulnerability assessment in respect of the relevant asset; and
  • system information – providing the ASD with periodic or event-based reports and / or installing software to transmit system information directly to the ASD.

Some but not all of the above obligations will apply to a critical infrastructure asset declared a SONS. Details of the relevant obligations will be described in the declaration notice issued by the Department of Home Affairs.


Footnotes

  1. What constitutes a “relevant impact” varies, but in relation to a cyber security incident it includes direct or indirect impacts on the availability, integrity or reliability of the asset; or the confidentiality of information about or stored on the asset.
  2. “Critical infrastructure sector assets” include critical infrastructure assets and any other asset that “relates to” a critical infrastructure sector. For example, this could capture IT systems or other equipment supplied to support or service critical infrastructure assets.
  3. Minister for Home Affairs, ‘Safeguarding Australia's most critical infrastructure’ available here (24 March 2025).

This article was originally published on 29 March 2023 and updated on 6 January 2025 and 28 April 2025.

 

Cyber in Australia

View more cyber insights

Key contacts

Peter Jones photo

Peter Jones

Partner, Head of TMT, Asia, Singapore

Stay in the know

Receive timely insights and briefings from HSF Kramer, tailored to keep you informed and ahead

Subscribe now
Melbourne Sydney Perth Brisbane Cyber risk advisory Technology Telecommunications Cyber Security Tech Regulation Geopolitics and Business Business Protection and Risk Cameron Whittfield Julian Lincoln Peter Jones