SOCI Act & What Critical Infrastructure Operators Need to Know

The Security of Critical Infrastructure Act 2018 imposes legal obligations on anyone who owns, operates, or has a direct interest in critical infrastructure assets across 11 regulated sectors. Those obligations (registering assets, reporting cyber incidents, and maintaining a risk management program) are ongoing, not one-off.

Overcyte helps critical infrastructure operators meet them continuously, replacing annual spreadsheet exercises with real-time compliance tracking against the frameworks SOCI recognises.


What the SOCI Act requires

The Security of Critical Infrastructure Act 2018 is Australia's primary legislation for protecting critical infrastructure from cyber and physical threats. It establishes a legal framework that defines which assets are considered critical infrastructure, who is responsible for protecting them, and what obligations those responsible entities must meet.

The intent is straightforward: ensure that the systems Australians depend on (power, water, transport, and communications) are resilient enough to withstand serious disruption.

The Act has been significantly amended three times since 2021, most recently by the Enhanced Response and Prevention Act 2024, which is now the current version. Each round of amendments has expanded the scope and tightened obligations.

Sectors Affected by the SOCI Act

The SOCI Act applies to anyone who owns, operates, or holds a direct interest in a critical infrastructure asset across eleven sectors:

Communications

Data Storage & Processing

Defence Industry

Energy

Financial Services & Markets

Healthcare & Medical

Higher Education & Research

Space Technology

Transport

Water & Sewerage

Food & Grocery

Not all obligations apply to every sector and asset class. Check the CISC's sector-specific guidance to confirm what applies to you. If your organisation is in scope, the three obligations below apply, and Overcyte is built to help you manage all of them.

The Three Positive Security Obligations

Most critical infrastructure operators are subject to three Positive Security Obligations (PSOs) under the Act. These are the core compliance requirements: ongoing rather than one-off, and increasingly subject to active enforcement. Overcyte maps directly to all three, giving your team continuous visibility across each obligation rather than a once-a-year compliance exercise.

1. Register of Critical Infrastructure Assets

Ownership and operational reporting to the CISC

Responsible entities must provide ownership and operational information about their critical infrastructure assets to the Register of Critical Infrastructure Assets, maintained by the Cyber and Infrastructure Security Centre (CISC). This includes details about who owns and operates the asset, and any changes to that information over time.

2. Cyber Incident Reporting

Cyber incidents that impact the delivery of essential services must be reported to the ACSC. The reporting windows are strict:

12 hrs: Significant cybersecurity incidents
72 hrs: Relevant cybersecurity incidents

Getting this right operationally is one of the more demanding aspects of SOCI compliance.

3. Critical Infrastructure Risk Management Program (CIRMP)

Responsible entities must develop and maintain a written Critical Infrastructure Risk Management Program (CIRMP) taking an all-hazards approach across physical security, personnel, supply chain, and cybersecurity risks.

The CIRMP must be reviewed annually, approved by your board, and submitted to the CISC by 28 September each year. CISC moved to active audit activities in 2024-25, so non-compliance now carries real regulatory risk.

Overcyte covers all three. Rather than managing each obligation separately, Overcyte gives your team a single continuous view across registration, incident response readiness, and CIRMP maintenance.

Designated as a System of National Significance?

Operators designated as Systems of National Significance (SoNS) by the Minister for Home Affairs face four additional Enhanced Cyber Security Obligations: mandatory incident response plans, cybersecurity exercises, vulnerability assessments, and provision of system information to the government.

How SOCI Relates to Other Recognised Frameworks

The SOCI Act requires operators to meet their CIRMP cybersecurity obligations against a recognised framework. It doesn't prescribe which one, but it does recognise several:

| Framework | Best Suited To | How It Maps to SOCI |
|---|---|---|
| AESCSF | Energy sector operators | Directly maps to CIRMP cyber security obligations; annual self-assessment feeds SOCI reporting. |
| Essential Eight | Broader critical infrastructure, water, transport, and utilities | Practical baseline for meeting CIRMP cybersecurity requirements across IT and OT environments. |
| ISO 27001 | Operators with existing IT security management systems | Recognised framework for CIRMP cyber security obligations; broader in scope than SOCI requires. |
| NIST CSF | Organisations with US-aligned or global security programs | Internationally recognised; accepted by CISC as a recognised framework for CIRMP compliance. |

All four frameworks are built into Overcyte, so whichever your organisation uses to meet its CIRMP obligations, compliance tracking is already mapped and ready. The August 2024 grace period for demonstrating compliance against a recognised framework has now closed; this is no longer optional.

Why SOCI Compliance is Harder in OT Environments

Most SOCI guidance is written with IT environments in mind. For energy, water and utilities operators, the reality is more complex. Critical infrastructure runs on operational technology (SCADA systems, industrial control systems, PLCs and RTUs), which doesn't behave like IT and can't be managed like it.

Patching cycles are a good example. OT systems often can't be patched on standard IT timescales due to vendor dependencies, change management requirements and operational uptime constraints. Network segmentation and compensating controls become the practical response, but they need to be documented, maintained and defensible under audit.

The CIRMP's all-hazards approach demands continuous visibility, not a point-in-time assessment. Organisations that complete an annual review and file it away are meeting the letter of the obligation but not its intent, and with CISC now conducting active audits, that gap is exactly what assessors will be looking for.

How Overcyte Supports Continuous SOCI Compliance

Meeting SOCI obligations isn't a project with an end date. The register needs to stay current, incidents need to be reportable at short notice, and the CIRMP needs to reflect your actual risk posture, not last year's assessment.

Overcyte maps directly to the three Positive Security Obligations, supporting CIRMP development and maintenance, evidence collection, and compliance workflows across your critical infrastructure assets. Built-in support for AESCSF, Essential Eight, ISO 27001 and NIST CSF means the framework alignment required under your CIRMP is tracked in real time. Flexible dashboards and reports give your board what they need when the 28 September deadline comes around.

For operators managing OT environments, Overcyte is built by practitioners who understand the gap between IT compliance frameworks and operational technology reality, and have designed the platform around it.

Identify. Secure. Assure.

Ready to simplify cybersecurity compliance for critical infrastructure?