If you've been in a leadership role across mining, energy, utilities, transport or health in Australia over the last few years, you've almost certainly heard the acronym SOCI thrown around — in board meetings, compliance reviews, or the inevitable email from legal asking whether you've "assessed your obligations." What's less certain is whether anyone has explained it to you in plain language, without a law firm billing you for the privilege.
This article is that explanation.
What SOCI Actually Is
The Security of Critical Infrastructure Act 2018 (the SOCI Act) is Australia's principal legislation governing the security of the systems and assets that the country can't function without. It was originally a relatively modest piece of legislation. The 2021-2022 amendments changed that significantly — expanding coverage, introducing mandatory cyber incident reporting, and requiring regulated entities to maintain formal risk management programs.
The regulator responsible for administering the Act is the Cyber and Infrastructure Security Centre (CISC), sitting within the Department of Home Affairs. If you're operating a critical infrastructure asset in Australia, CISC is the government body you deal with.
Who It Covers
The Act covers 11 critical infrastructure sectors:
- Energy (electricity, gas, liquid fuels)
- Water and sewerage
- Transport (ports, rail, aviation, freight)
- Communications and telecommunications
- Financial services and markets
- Data storage and processing
- Health
- Higher education and research
- Defence industry
- Food and grocery
- Space
Within those sectors, the Act applies to "responsible entities" — broadly, organisations that own, operate, or have direct interests in assets deemed critical to national security, the economy, or public safety. If your organisation falls into this category, you are not exempt by virtue of being a private company, an ASX-listed entity, or a contractor rather than an operator. The obligation follows the asset, not the corporate structure.
If you're unsure whether your organisation is in scope, the honest answer is: if you're operating in one of the sectors above at any meaningful scale, you should assume you are and verify rather than assume you aren't.
What It Actually Requires
There are three core obligations worth understanding.
1. Asset Registration
Responsible entities must register their critical infrastructure assets on the Register of Critical Infrastructure Assets, maintained by CISC. This is an administrative obligation, but it's also the threshold that triggers the others.
2. Critical Infrastructure Risk Management Program (CIRMP)
This is the substantive compliance requirement. A CIRMP is a formal, documented program that identifies the hazards that could disrupt your critical assets and demonstrates the controls you have in place to manage them. Critically, it's an all-hazards framework across four vectors: physical security, personnel security, supply chain risk, and cyber and information security.
The CIRMP isn't a one-off compliance exercise. It must be reviewed and updated annually, and a board-level officer must attest to it. If you run an IT or OT security function in a regulated organisation, a CIRMP that hasn't been reviewed since it was first drafted is a liability, not a compliance tick.
3. Mandatory Cyber Incident Reporting
Significant cyber security incidents affecting critical infrastructure assets must be reported to the Australian Signals Directorate (ASD) within 12 hours of becoming aware of them, with a further 72-hour report to follow. "Significant" is defined under the Act and broadly captures incidents that have materially impacted or are likely to impact the asset's operation.
Why This Matters More Right Now
The Act is actively evolving. An independent review delivered in January 2026 by Dr Jill Slay AM found the framework was working but recommended strengthening it. A consultation paper released in March 2026 proposes enhanced CIRMP obligations — more prescriptive requirements across cyber, supply chain and personnel security — and significantly stronger ministerial directions powers, with civil penalties for non-compliance potentially rising to $3.3 million for corporations.
Put plainly: the regulatory bar is moving upward, not staying where it was when your organisation first assessed its obligations.
What This Means for You Practically
If you're a GM, COO, or board director in a covered sector, the single most important question to ask your team is not "are we registered" — it's "when was our CIRMP last reviewed, and does it actually reflect how we operate today?" A CIRMP written in 2022 that hasn't been updated to account for new systems, new vendors, or changes in your OT environment is a document that satisfies the letter of the obligation while missing the point entirely.
If you're an IT or OT security manager, the practical implication is that cyber risk in your organisation can no longer be managed in a silo. The CIRMP framework explicitly requires it to be considered alongside physical, personnel and supply chain risk — which means the engineering, safety and operations teams you may not have historically worked with closely are now formally part of the same risk picture as you.
That alignment is harder than the paperwork. But it's also where the genuine security improvement happens.
The SOCI Brief covers Australian critical infrastructure security weekly — regulatory updates, threat intelligence, and practical guidance for IT and OT leaders.