Regulation Spotlight: Security of Critical Infrastructure in Australia

April 24, 2025

Overview of the Australian SOCI Legislation

The Security of Critical Infrastructure Act 2018 (SOCI Act) is a central piece of Australian legislation designed to protect the nation’s critical infrastructure from physical and cyber threats. The Act aims to ensure the resilience and security of assets and services that, if disrupted, would significantly impact Australia’s society, economy, or security.

The original SOCI Act was amended in 2021 and 2022 to capture all assets that are critical to Australia, following a deteriorating threat environment and an increasing number of large-scale, high-impact cyber attacks.

The SOCI Act was further amended in 2024 by the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (ERP Act). This followed significant incidents affecting critical infrastructure, and it uplifts existing obligations for captured entities and enhances the government's ability to manage the consequences of all-hazards incidents on critical infrastructure assets. It also harmonised Australian telecommunications security regulation.

There is a Government fact sheet that provides general guidance on the history and intent of the legislation.

Sectors and Companies Covered

The SOCI Act applies to 22 asset classes across 11 critical infrastructure sectors:

  • Communications
  • Data storage and processing
  • Defence industry
  • Higher education and research
  • Energy (electricity, gas, liquid fuels)
  • Financial services and markets
  • Food and grocery
  • Healthcare and medical
  • Space technology
  • Transport (aviation, maritime, road, rail)
  • Water and sewerage

Entities covered include:

  • Responsible entities: Owners or operators of critical infrastructure assets.
  • Direct interest holders: Entities with a significant (usually 10% or more) interest or influence over a critical asset.
  • Other participants: Managed service providers, reporting entities, and certain supply chain actors, depending on their relationship to the asset.

Not all obligations are 'switched on' for every sector or asset class, so applicability can vary and requires careful assessment for each organisation - see the compliance table on the Cyber and Infrastructure Security Centre website.

Compliance Regime and Key Obligations

The SOCI Act establishes a multi-layered compliance regime, including:

1. Positive Security Obligations (PSO):

  • Register of Critical Infrastructure Assets: Entities must register their assets and keep records current with the Cyber and Infrastructure Security Centre (CISC).
  • Mandatory Cyber Incident Reporting: Significant cyber incidents affecting critical infrastructure must be reported to the Australian Cyber Security Centre (ACSC) within 12 hours of awareness, with a follow-up written report.
  • Risk Management Program (RMP): Entities must implement, maintain, and annually review a risk management program to identify, assess, and mitigate risks (including cyber and physical threats).

2. Enhanced Cyber Security Obligations (ECSO):

  • These apply to entities operating 'Systems of National Significance' (SoNS)—assets deemed vital for national security and economic stability.
  • Requirements include advanced incident response plans, participation in cyber security exercises, regular vulnerability assessments, and provision of system information to authorities.

3. Government Assistance Measures:

  • In the event of a serious cyber threat or incident, the government can direct entities to take specific actions or, in extreme cases, intervene directly to manage the response.

4. Annual Reporting:

  • Entities must submit an annual report detailing compliance with their risk management program and any significant incidents or updates to their security posture. The first Critical Infrastructure Risk Management Program () reports were due by 28 September 2024.

5. Penalties for Non-Compliance:

  • Failure to comply with SOCI obligations can result in significant penalties, including fines and enforcement actions.

The SOCI Act is regularly updated to address emerging threats and close regulatory gaps, with further reforms expected as part of Australia's broader cybersecurity strategy. Organisations in covered sectors must remain agile and proactive to keep up with evolving requirements.

The SOCI Act imposes comprehensive security and reporting obligations on organisations operating critical infrastructure across 11 sectors, with a strong focus on cyber resilience, risk management, and government collaboration. Overcyte can help organisations report on their compliance with the legislation and manage a programme of remedial activities.
