Skip to main content

Australian Security of Critical Infrastructure Act 2018

The Australian SOCI Act imposes security, risk management, and incident reporting duties on critical infrastructure operators across many sectors. It requires a risk management program, 12/72-hour incident reporting, and enhanced obligations for systems of national significance.

Jurisdiction
Australia

What the SOCI Act Is

The Security of Critical Infrastructure Act 2018 (SOCI Act) establishes a framework for managing security risks to Australia's critical infrastructure. Significantly expanded by amendments in 2021 and 2022, it broadened the sectors covered and introduced new obligations, including mandatory cyber incident reporting and a Critical Infrastructure Risk Management Program. It exists because attacks on essential services can threaten national security, the economy, and public safety.

The Act is administered with the Cyber and Infrastructure Security Centre and gives government powers to assist, and in serious cases direct, responses to significant incidents.

Who It Applies To

The Act applies to responsible entities and operators of critical infrastructure assets across an expanded set of sectors, including energy, water, communications, data storage and processing, financial services, healthcare, food and grocery, transport, defense industry, space, and education. Specific obligations depend on the asset class, with the most sensitive "systems of national significance" facing enhanced requirements.

Key Requirements

  • Asset register — Provide and maintain ownership and operational information for relevant assets.
  • Risk management program — Establish and maintain a Critical Infrastructure Risk Management Program covering cyber, physical, personnel, and supply chain hazards.
  • Incident reporting — Report significant cyber incidents within 12 hours and other reportable incidents within 72 hours.
  • Enhanced obligations — For systems of national significance, meet enhanced cybersecurity obligations such as incident response planning and exercises.
  • Government assistance — Cooperate with government assistance measures during serious incidents.
  • Governance — Ensure board-level oversight and annual reporting on the risk management program.

Penalties for Non-Compliance

The Act provides for civil penalties for failing to comply with obligations such as reporting and maintaining a risk management program. Beyond fines, entities face regulatory directions, increased oversight, and reputational and operational consequences, particularly where critical services are disrupted.

How to Comply

Determine which assets and sectors bring the organization into scope, then register assets and stand up a Critical Infrastructure Risk Management Program addressing cyber, physical, personnel, and supply chain risks. Implement incident detection with 12-hour and 72-hour reporting workflows. For systems of national significance, build enhanced capabilities such as response plans and exercises. Ensure board oversight and annual reporting, and align with recognized cybersecurity frameworks.