
SOCI Act & What Critical Infrastructure Operators Need to Know

The Security of Critical Infrastructure Act 2018 imposes legal obligations on anyone who owns, operates, or has a direct interest in critical infrastructure assets across 11 regulated sectors. Those obligations, registering assets, reporting cyber incidents, and maintaining a risk management program, are ongoing, not one-off.

Overcyte helps critical infrastructure operators meet them continuously, replacing annual spreadsheet exercises with real-time compliance tracking against the frameworks SOCI recognises.

What the SOCI Act requires

The Security of Critical Infrastructure Act 2018 is Australia's primary legislation for protecting critical infrastructure from cyber and physical threats. It establishes a legal framework that defines which assets are considered critical infrastructure, who is responsible for protecting them, and what obligations those responsible entities must meet.

The intent is straightforward: ensure that the systems Australians depend on, power, water, transport, and communications, are resilient enough to withstand serious disruption.

The Act has been significantly amended three times since 2021, most recently by the Enhanced Response and Prevention Act 2024, which is now the current version. Each round of amendments has expanded the scope and tightened obligations.

Sectors Affected by the SOCI Act

The SOCI Act applies to anyone who owns, operates, or holds a direct interest in a critical infrastructure asset across eleven sectors:
  • Communications
  • Data storage and processing
  • Defence industry
  • Energy
  • Financial services and markets
  • Healthcare and medical
  • Higher education and research
  • Space technology
  • Transport
  • Water and sewerage
  • Food and grocery
Not all obligations apply to every sector and asset class. Check the CISC's sector-specific guidance to confirm what applies to you. If your organisation is in scope, the three obligations below apply, and Overcyte is built to help you manage all of them.

The Three Positive Security Obligations

Most critical infrastructure operators are subject to three Positive Security Obligations (PSOs) under the Act. These are the core compliance requirements, ongoing, not one-off, and increasingly subject to active enforcement. Overcyte maps directly to all three, giving your team continuous visibility across each obligation rather than a once-a-year compliance exercise.

1. Register of Critical Infrastructure Assets

Responsible entities must provide ownership and operational information about their critical infrastructure assets to the Register of Critical Infrastructure Assets, maintained by the Cyber and Infrastructure Security Centre (CISC). This information includes details about who owns and operates the asset, and any changes to that information over time.

2. Mandatory cyber incident reporting

Cyber incidents that impact the delivery of essential services must be reported to the ACSC. The reporting windows are strict:
  • Significant cyber security incidents: report within 12 hours.
  • Relevant cyber security incidents: report within 72 hours.

Getting this right operationally is one of the more demanding aspects of SOCI compliance.

3. Critical Infrastructure Risk Management Program

Responsible entities must develop and maintain a written CIRMP taking an all-hazards approach across physical security, personnel, supply chain, and cyber security risks. The CIRMP must be reviewed annually, approved by your board, and submitted to the CISC by 28 September each year. CISC moved to active audit activities in 2024–25; non-compliance now carries real regulatory risk.

Designated as a System of National Significance?

Operators designated as Systems of National Significance (SoNS) by the Minister for Home Affairs face four additional Enhanced Cyber Security Obligations: mandatory incident response plans, cyber security exercises, vulnerability assessments, and provision of system information to the government.

How SOCI Relates to Other Recognised Frameworks

The SOCI Act requires operators to meet their CIRMP cyber security obligations against a recognised framework. It doesn't prescribe which one, but it does recognise several:
  • AESCSF. Best suited to: energy sector operators. How it maps to SOCI: directly maps to CIRMP cyber security obligations; annual self-assessment feeds SOCI reporting.
  • Essential Eight. Best suited to: broader critical infrastructure, water, transport, and utilities. How it maps to SOCI: practical baseline for meeting CIRMP cyber security requirements across IT and OT environments.
  • ISO 27001. Best suited to: operators with existing IT security management systems. How it maps to SOCI: recognised framework for CIRMP cyber security obligations; broader in scope than SOCI requires.
  • NIST CSF. Best suited to: organisations with US-aligned or global security programs. How it maps to SOCI: internationally recognised; accepted by CISC as a recognised framework for CIRMP compliance.

All four frameworks are built into Overcyte: whichever your organisation uses to meet its CIRMP obligations, compliance tracking is already mapped and ready. The August 2024 grace period for demonstrating compliance against a recognised framework has now closed. This is no longer optional.

Why SOCI Compliance is Harder in OT Environments

Most SOCI guidance is written with IT environments in mind. For energy, water and utilities operators, the reality is more complex. Critical infrastructure runs on operational technology (SCADA systems, industrial control systems, PLCs and RTUs), which doesn't behave like IT and can't be managed like it.

Patching cycles are a good example. OT systems often can't be patched on standard IT timescales due to vendor dependencies, change management requirements and operational uptime constraints. Network segmentation and compensating controls become the practical response, but they need to be documented, maintained and defensible under audit.

The CIRMP's all-hazards approach demands continuous visibility, not a point-in-time assessment. Organisations that complete an annual review and file it away are meeting the letter of the obligation but not its intent, and with CISC now conducting active audits, that gap is exactly what assessors will be looking for.

Meeting SOCI obligations isn't a project with an end date. The register needs to stay current, incidents need to be reportable at short notice, and the CIRMP needs to reflect your actual risk posture, not last year's assessment.

Overcyte maps directly to the three Positive Security Obligations, supporting CIRMP development and maintenance, evidence collection, and compliance workflows across your critical infrastructure assets. Built-in support for AESCSF, Essential Eight, ISO 27001 and NIST CSF means the framework alignment required under your CIRMP is tracked in real time. Flexible dashboards and reports give your board what they need when the 28 September deadline comes around.

For operators managing OT environments, Overcyte is built by practitioners who understand the gap between IT compliance frameworks and operational technology reality, and have designed the platform around it.

How Overcyte Supports Continuous SOCI Compliance

Identify. Secure. Assure.
