SOCI Act 2018: The Definitive Compliance Guide for Critical Infrastructure

May 5, 2026

Australia's Security of Critical Infrastructure Act 2018 (the SOCI Act) has been described by the Australian Government as a "world leading framework". It strengthens the country's ability to manage not only cyber security risk but the broader national security risks to critical infrastructure, such as espionage, sabotage and coercion.

Since commencing in 2018, the Act has been substantially amended, most significantly in 2021 and 2022, expanding coverage from four sectors to eleven and introducing new obligations such as mandatory cyber incident reporting and risk management programs.

Its overall aim is to ensure that the owners and operators of critical infrastructure, which is often run by private sector entities, take an all-hazards approach: they must plan for and manage every kind of hazard and be proactive in identifying and mitigating risk.

Security through SOCI

At its core, SOCI is a national security law governing Australia's most critical sectors, not just a cyber security regulation. It creates a framework to:

  • Identify critical infrastructure assets and the entities responsible for them
  • Oblige those entities to actively manage security risks
  • Give the Commonwealth visibility of those assets, and powers to intervene if something goes wrong

SOCI covers organisations operating in one of eleven critical infrastructure sectors (communications, data storage or processing, defence industry, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, and water and sewerage), and any entity that owns, operates, or holds a direct interest in a critical infrastructure asset.

It is worth restating: SOCI is not optional or voluntary cyber security guidance. It is an enforceable law with significant penalties for non-compliance.

The 2025 statutory review, looking back over the first seven years of operation, also identified the need for further change: to remove complexity and confusion, and to modernise the approach for a world now shaped by emerging threats such as AI and quantum computing.

Defining critical infrastructure

The 2023 Critical Infrastructure Resilience Strategy defines critical infrastructure as:

"those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security."

The core obligations

A. The “Positive Security Obligations” (PSOs)

The PSOs form the baseline requirements for most regulated entities. Three stand out:

1. Asset registration

  • Provide ownership and operational details for the asset to the Register of Critical Infrastructure Assets
  • Keep this information up to date so the government retains visibility

For those in scope, this means maintaining an accurate asset inventory and tracking ownership changes, outsourcing arrangements and control structures.

2. Mandatory cyber incident reporting

  • Responsible entities must report cyber security incidents to the Australian Cyber Security Centre (ACSC)
  • Timeframes are tight and run from when the entity becomes aware of the incident: 12 hours where the incident has had, or is having, a significant impact on the availability of the asset, and 72 hours for other incidents having a relevant impact on the asset

In practice this means organisations must be well prepared to detect and respond to incidents affecting their critical infrastructure assets: a 24/7 capability, a clear incident classification matrix that maps severity to the 12-hour and 72-hour thresholds, and legal and cyber teams that are coordinated and ready.

3. Risk Management Program (RMP) / Critical Infrastructure Risk Management Program (CIRMP)

To maintain a Critical Infrastructure Risk Management Program, the entity must identify the hazards to its assets (cyber, physical, personnel and insider, supply chain, and natural hazards), minimise or eliminate the material risk of those hazards occurring, and mitigate their impact. The program must be documented, and an annual report on it must be approved by the board or governing body, to demonstrate adequate governance and compliance with the legislation.

It should be noted that SOCI extends risk management out into the vendor ecosystem and to third parties as well.

B. Enhanced obligations

If an asset is declared a System of National Significance (SoNS), the responsible entity may also be required to meet the enhanced cyber security obligations:

  • Participate in cyber security exercises
  • Conduct vulnerability assessments
  • Provide system information, including near real-time telemetry where directed
  • Maintain and regularly review a detailed cyber incident response plan

In effect, you are operating a highly regulated national security asset.

SOCI compliance day-to-day

In the real world, the legislative amendments since 2018 have accumulated into a fairly standard set of requirements:

1. A functional governance layer

  • Board accountability for critical infrastructure risk
  • Defined “Responsible Entity”
  • SOCI compliance owner, often the CISO and/or Legal

2. A documentation stack

  • Critical Infrastructure Risk Management Program (CIRMP)
  • Incident Response Plan aligned to the SOCI thresholds
  • An asset register and dependency mapping
  • Supplier risk framework covering key vendors

3. Operational controls

  • Security monitoring via SOC/SIEM
  • Incident detection and escalation workflows that allow reporting within the statutory timeframes
  • Third-party risk assessments routinely completed
  • Business continuity and disaster recovery that is documented and practiced

4. Reporting and assurance activity

  • Internal audits of SOCI obligations
  • Evidence collection for regulators on posture, readiness and improvements
  • Board reporting on risks and on any areas of non-compliance

Timelines and effort required

The SOCI compliance burden has iteratively developed over the last eight years and will continue to evolve following the latest review of overall effectiveness.

For CNI personnel, there is a continuous need to seek and provide assurance over national security assets and, for many, effort has been expended over many years to get to a more mature, secure position.

At Overcyte, we have assisted with SOCI reporting, and with other Australian framework assessments such as the AESCSF and the Essential Eight, and there are common areas where organisations struggle the most. These include:

Scoping confusion

  • What exactly is a “critical asset”?
  • What is precisely in scope across our organisational footprint?

Supply chain visibility

  • Are you considering cloud providers, SaaS vendors and all outsourced IT arrangements?
  • Who has access to critical systems and data?
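The supply chain question is harder than it looks because exposure is transitive: a critical asset may rely on an internal system that relies on a managed security provider that in turn relies on a SaaS identity provider. The following is an added illustration of dependency mapping, not code from this page or from Overcyte; the register, the vendor names and the contract-clause set are constructed sample data, and the node kinds ("critical", "internal", "vendor") are an assumed convention for the example.

```python
"""Transitive supply-chain exposure over a constructed asset register.

Added example for the supply-chain-visibility discussion. Every entry below is
constructed sample data; none of it describes a real entity or contract.
"""
from collections import deque

# Constructed register: name -> (kind, [things this node depends on]).
# "critical" marks assets that would be critical infrastructure assets,
# "internal" supporting systems, and "vendor" external third parties.
REGISTER = {
    "scada-grid-control": ("critical", ["historian-db", "remote-access-gw"]),
    "historian-db":       ("internal", ["cloud-iaas"]),
    "remote-access-gw":   ("internal", ["mssp-soc", "idp-saas"]),
    "billing-portal":     ("internal", ["cloud-iaas", "payments-saas"]),
    "cloud-iaas":         ("vendor", []),
    "mssp-soc":           ("vendor", ["idp-saas"]),  # the MSSP itself relies on the IdP
    "idp-saas":           ("vendor", []),
    "payments-saas":      ("vendor", []),
}

# Constructed set of vendors whose contracts already oblige them to notify us
# of incidents; used to find gaps against the critical assets they can reach.
CONTRACT_NOTIFIES = {"cloud-iaas", "mssp-soc"}


def dependencies_of(asset, register=REGISTER):
    """Every node reachable from `asset` along dependency edges (breadth-first).

    The `seen` set makes the walk safe on cyclic registers, and unknown
    (dangling) names are treated as leaves rather than raising.
    """
    seen, queue = set(), deque([asset])
    while queue:
        node = queue.popleft()
        for dep in register.get(node, ("unknown", []))[1]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def vendors_reaching(asset, register=REGISTER):
    """Third parties with any direct or indirect dependency path to `asset`."""
    return sorted(
        d for d in dependencies_of(asset, register)
        if register.get(d, ("unknown", []))[0] == "vendor"
    )


def vendor_exposure(register=REGISTER):
    """Map each vendor to the critical assets it can affect.

    Vendors reaching no critical asset are still listed with an empty list,
    so that nothing in the register is silently dropped from the review.
    """
    exposure = {n: [] for n, (kind, _) in register.items() if kind == "vendor"}
    for name, (kind, _) in register.items():
        if kind == "critical":
            for vendor in vendors_reaching(name, register):
                exposure[vendor].append(name)
    return exposure


def uncovered_vendors(register=REGISTER, notifies=CONTRACT_NOTIFIES):
    """Vendors that can reach a critical asset but have no notification clause."""
    return sorted(
        vendor for vendor, assets in vendor_exposure(register).items()
        if assets and vendor not in notifies
    )


if __name__ == "__main__":
    for vendor, assets in vendor_exposure().items():
        print(f"{vendor}: {assets or 'no critical asset reached'}")
    print("missing notification clause:", uncovered_vendors())
```

Run against the sample register, the walk shows that the identity provider reaches the grid control system by two routes (directly via the remote access gateway, and indirectly through the MSSP), which is exactly the kind of second-order dependency that a flat vendor list misses; it is also the one vendor flagged as lacking a notification clause. The same traversal works over a register exported from a CMDB or asset inventory, provided each record carries its dependencies.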

Incident reporting thresholds

  • Determining what qualifies as “reportable”
  • Balancing concerns about over-reporting or under-reporting

Cultural resistance

  • Getting genuine management buy-in
  • Establishing operational ownership of risks, mitigations and treatment plans

What good SOCI compliance looks like

A mature organisation will have:

  • Clear asset definition and know exactly what systems are critical
  • Integrated risk program that covers not just cyber but physical threats and the full supply chain
  • Tested incident response, with the confidence to report within the 12-hour window
  • Supplier assurance, with contracts that oblige third parties to monitor for and notify incidents
  • Executive ownership and a Board that understands and challenges SOCI risks

What poor compliance looks like

  • Treating SOCI as “just cybersecurity”
  • CIRMP written but never used
  • No real incident reporting capability, and certainly not one that can meet the statutory timelines
  • No visibility of vendors, whether of the systems they run or the data they can access
  • Essential Eight Maturity Level One implemented and treated as "done"

How best to meet the SOCI Act compliance expectations

SOCI is best understood as a national security law that compels critical infrastructure organisations to behave like part of Australia’s security perimeter.

It must be treated as a significant enterprise risk and resilience undertaking, not just a cyber security framework revisited once a year during budget rounds when planning for new security tools or extra headcount.

Overcyte has helped Australian organisations prepare for and report on SOCI Act compliance. Get in touch to learn how we can simplify your programme.
