Protecting Critical Infrastructure in Australia: What the SOCI Act Requires

cirmp critical infrastructure security security compliance soci act Jul 09, 2026

Protecting Critical Infrastructure in Australia: What the SOCI Act Requires

Australia's critical infrastructure β€” the assets, systems, and networks essential to the functioning of the economy, government, and society β€” faces a threat environment that has changed materially in recent years. The combination of state-sponsored cyber activity, physical sabotage risk, and the increasing interdependency of systems has elevated critical infrastructure security from a specialist concern to a national priority.

The legislative response is the Security of Critical Infrastructure Act 2018 (SOCI Act), significantly strengthened by amendments in 2021 and 2022. For the organisations that operate critical infrastructure assets, understanding what the SOCI Act requires β€” and what the consequences of non-compliance look like β€” is a board-level responsibility.


What the SOCI Act Covers

The SOCI Act applies to critical infrastructure assets across eleven sectors:

  • Communications
  • Data storage and processing
  • Defence industry
  • Education and research
  • Energy (electricity, gas, liquid fuels)
  • Financial services and markets
  • Food and grocery
  • Health care and medical
  • Space technology
  • Transport
  • Water and sewerage

Within each sector, specific asset classes are defined as critical infrastructure assets. Not every organisation in these sectors is captured β€” the Act applies to the specific assets and entities that meet the definition within each sector.


The Positive Security Obligations

The core of the SOCI Act's regulatory framework is the positive security obligation β€” the requirement for responsible entities to actively manage the security risks to their critical infrastructure assets, rather than simply avoid causing harm.

Critical Infrastructure Risk Management Program (CIRMP)

The central obligation for most responsible entities is the development, implementation, and maintenance of a Critical Infrastructure Risk Management Program. The CIRMP must:

  • Identify the critical infrastructure asset and its dependencies
  • Identify hazards that could have a significant impact on the asset
  • Assess the risk associated with each identified hazard
  • Identify and implement measures to minimise or eliminate those risks
  • Include a plan for responding to and recovering from serious incidents

The CIRMP must address risks across four hazard categories: physical security and natural hazards, cyber and information security, personnel security, and supply chain security.

Annual reporting. Responsible entities must provide an annual report to the Cyber and Infrastructure Security Centre (CISC) confirming that the CIRMP is in place and has been reviewed in the preceding 12 months.

Board accountability. The SOCI Act creates explicit board-level accountability. The CIRMP must be reviewed and approved by the board annually. Directors cannot delegate this responsibility β€” it is a governance obligation, not an operational one.


Enhanced Cyber Obligations for Systems of National Significance

A subset of critical infrastructure assets are designated as Systems of National Significance (SoNS) by the Minister. These assets carry enhanced cyber security obligations that go beyond the standard CIRMP requirements, including:

  • Mandatory incident response planning
  • Mandatory cyber security exercises
  • Vulnerability assessments
  • Board-level engagement with Australian Signals Directorate

The SoNS designation is made by ministerial determination β€” responsible entities do not self-assess for this category.


Incident Reporting Obligations

The SOCI Act creates mandatory incident reporting obligations that apply to all responsible entities. Cyber security incidents that have a significant impact on a critical infrastructure asset must be reported to the ASD within 12 hours of the responsible entity becoming aware. Other serious incidents must be reported within 72 hours.

The reporting obligation applies regardless of whether the incident was caused by a malicious actor, a system failure, or human error. The threshold is impact, not cause.

Failure to report within the required timeframe is a civil penalty offence.


Government Assistance Powers

One of the most significant elements of the 2021 amendments is the government assistance powers β€” the ability of the Australian Government to direct a responsible entity to take specific action in response to a serious cyber attack, and in extreme circumstances, to take direct action on behalf of the entity.

These powers are reserved for significant, imminent threats. But their existence reflects the seriousness with which the government views critical infrastructure security β€” and the expectation that responsible entities will have done the work to minimise the circumstances in which those powers would need to be invoked.


What Non-Compliance Looks Like

The SOCI Act carries civil penalty consequences for non-compliance. Failure to develop or maintain a CIRMP, failure to report incidents within required timeframes, and failure to comply with government directions are all civil penalty offences.

Beyond the direct regulatory consequence, the reputational and operational implications of a critical infrastructure security failure β€” whether caused by inadequate compliance or genuine attack β€” are significant.


Empire Protection β€” SOCI Act Advisory

Empire Protection provides SOCI Act compliance advisory services for responsible entities across the critical infrastructure sectors. Our advisory capability covers CIRMP development and review, gap assessments against SOCI Act requirements, physical security assessment for critical assets, and incident response planning.

We do not produce generic CIRMP templates. We build compliance programs around the specific asset, the specific sector, and the specific risk environment of the responsible entity.

Contact Empire Protection


Empire Protection β€” Demand Excellence in everything we do. Sydney, Australia | empireprotection.global

The Right People, The Right Methods, The Right Results.
In everything we do,Β Empire ProtectionΒ Demands Excellence.