The Security of Critical Infrastructure Act 2018, the SOCI Act, places security obligations on the operators of Australia’s most important assets. Its central requirement is the Critical Infrastructure Risk Management Program, a CIRMP, under which a responsible entity must identify and manage risk across four hazard vectors, report annually to the regulator, and have the program approved by its board. The regime was expanded through reforms in 2024 and 2025.
For operators of critical infrastructure assets, their boards and risk leads, the SOCI Act is neither optional nor static. This page explains what the Act requires, who it applies to, how the CIRMP works, the four hazard vectors it must address, the annual reporting and board accountability that accompany it, and what changed in the recent reforms.
Overview
What is the SOCI Act?
The Security of Critical Infrastructure Act 2018 is the Commonwealth law that manages national security risks to critical infrastructure. It imposes obligations on responsible entities for assets in defined critical infrastructure sectors, with the aim of protecting those assets from cyber, physical, personnel and supply chain hazards. It is administered by the Cyber and Infrastructure Security Centre.
The Act has grown considerably since 2018, first through reforms that introduced positive security obligations, including the risk-management program, and again through the 2024 and 2025 reforms described below.
Scope
Who is a responsible entity, and which assets are covered?
The Act applies to responsible entities for critical infrastructure assets across defined sectors, which include energy, communications, data storage or processing, financial services and markets, water and sewerage, health care and medical, food and grocery, transport, higher education and research, the space technology sector, and the defence industry.
Not every obligation applies to every asset. The CIRMP obligation, in particular, is switched on for specified asset classes under the CIRMP Rules, so the first step for any operator is to confirm whether its assets are captured and which obligations apply.
The program
The Critical Infrastructure Risk Management Program (CIRMP)

Where the obligation applies, a responsible entity must have, and comply with, a CIRMP. The program must identify each hazard that could have a relevant impact on the asset and, so far as is reasonably practicable, minimise or eliminate the risk of that hazard, then mitigate the impact of any incident that does occur. It must address four hazard vectors:
- Cyber and information security hazards.
- Personnel hazards.
- Supply chain hazards. Covered in the supply chain security pillar.
- Physical and natural hazards.
The program is not a one-off document. It must be reviewed regularly and kept current as the asset and its risks change.
A critical infrastructure risk management plan must be reviewed and tested, not just written. Testing the plan against realistic scenarios is covered on the exercising and testing pillar.
Reporting
Annual reporting and board accountability
A responsible entity must give an annual report on its CIRMP to the relevant regulator within 90 days of the end of the Australian financial year. The report must be approved by the entity’s board or governing body, thereby making the board directly accountable for the program’s adequacy. The CIRMP itself must be reviewed at least once every 12 months.
Recent changes
What changed with the 2024 and 2025 reforms?
The regime was expanded by the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024. Most of its provisions commenced on 20/12/2024, with the telecommunications provisions commencing on 04/04/2025.
- Data storage systems. The Act was clarified to cover the protection of certain data storage systems that hold business-critical data.
- All-hazards response powers. New powers allow government to direct action and information gathering to manage the impact of an all-hazards incident on critical infrastructure.
- Risk-management program directions. The regulator can now issue a written direction to a responsible entity to address seriously deficient parts of its risk-management program.
- Telecommunications security. The Telecommunications Security and Risk Management Program Rules 2025 commenced on 04/04/2025 for carrier and carriage service provider assets, bringing telecommunications into the framework.
An independent review of the SOCI Act was delivered on 31/01/2026, and further consultation on the regime is ongoing, so operators should expect the obligations to continue evolving.
The bigger picture
How SOCI relates to the PSPF and to business continuity
The SOCI Act does not sit in isolation. Its risk-management approach mirrors the security risk management discipline that underpins every framework on this hub, and an operator that also handles government information may have PSPF obligations alongside it.
Because the four hazard vectors include physical and natural hazards, a CIRMP overlaps heavily with physical and facility security and with business continuity and the wider resilience disciplines.
How we help
How Agilient supports SOCI and CIRMP compliance
Agilient helps responsible entities understand their SOCI obligations and build a CIRMP that withstands board scrutiny and regulatory review. The work is independent and spans the critical infrastructure sectors.
- CIRMP development. A risk-management program built to the CIRMP Rules and your assets.
- Critical infrastructure risk assessment. Assessing risk across all four hazard vectors.
- All-hazards gap assessment. Where your current program meets the obligation, and where it does not.
- Annual reporting support. Help prepare the board-approved annual CIRMP report.
- Board and governance advisory. Briefing boards on their accountability under the Act.
- CIRMP review and uplift. Keeping the program current through the annual review.
Agilient works across Sydney, Melbourne, Brisbane, Adelaide and Canberra.
Get your CIRMP right
Whether you are confirming whether the SOCI Act applies to your assets or enhancing an existing program, Agilient can help you meet the obligation and satisfy your board.
Discuss a CIRMP or critical infrastructure risk assessment, or book a short briefing.
FAQs
Frequently asked questions
What is the SOCI Act?
What is a CIRMP?
What are the four hazard vectors?
When is the CIRMP annual report due?
What changed in the 2024 and 2025 reforms?

References
- Federal Register of Legislation, Security of Critical Infrastructure Act 2018, legislation.gov.au
- Cyber and Infrastructure Security Centre, Critical Infrastructure Risk Management Program, cisc.gov.au
- Cyber and Infrastructure Security Centre, Cyber Security Legislative Reforms — Enhanced Response and Prevention Act 2024, cisc.gov.au
