The Security of Critical Infrastructure (SOCI) Act

Act on your security obligations and work with a trusted critical infrastructure cybersecurity partner


SOCI Explained

What is the Security of Critical Infrastructure (SOCI) Act?

The Security of Critical Infrastructure (SOCI) Act 2018 is a law passed by the Australian government, requiring critical infrastructure organisations to:

  • Register their critical infrastructure assets with the government
  • Disclose and address various types of risks
  • Develop and implement resilient defence mechanisms
  • Report incidents, mechanisms, and measures
  • Maintain transparency with the government and seek aid through the framework or plan for surveillance

Certain industry types are prone to greater damage than others, with cascading effects on the interdependent essential public services that serve as the backbone of the economy. Threats can range from cyber-attacks to natural disasters, and they must be disclosed, addressed, and reported holistically, as per the CIRMP requirement introduced by the 2022 amendments.

The SOCI Act allows the government to step in when there is a threat to national security. It is therefore important to establish safety protocols from the beginning, while also taking the initiative to improve them throughout the lifecycle of the asset.

Critical Infrastructure (CI) is any asset, system, or service critical to serving a nation’s people, economy, and government.

There are 11 sectors identified under the ambit of SOCI:

  • Energy
  • Transport
  • Defence Industry
  • Space Technology
  • Data Storage and Processing
  • Financial Services and Markets
  • Higher Education and Research
  • Healthcare and Medical
  • Water and Sewerage
  • Communications
  • Food and Grocery

SOCI has outlined compliance obligations for both the owners and operators of CI assets, consisting of business service owners, organisational asset operators, and supply chain partners involved in Australia’s essential service sector.

These can be Australian-owned entities, Australian entities operating with foreign partners, or international owners operating in Australia.

A Critical Infrastructure Risk Management Program (CIRMP) is a mandate under SOCI to methodically manage and report the risks associated with critical infrastructure: identifying potential threats, mitigating them through measures, monitoring the effectiveness of those measures, and maintaining compliance.

There are four hazard vectors outlined in a CIRMP, with specific rules and requirements to address risks according to the all-hazards approach:

  1. Cyber & Information Security Hazards
  2. Personnel Hazards
  3. Supply Chain Hazards
  4. Physical Security & Natural Hazards

For Cyber & Information Security Hazards, responsible entities must comply with one of the listed cyber frameworks: the Australian Energy Sector Cyber Security Framework (AESCSF), the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), ISO 27001/27002, ASD's Essential Eight, or the Australian Government Information Security Manual (ISM).

OpusV offers cybersecurity solutions and consultancy in adherence to the AESCSF framework, in view of the legislation.

The government has mandated the documentation and annual submission of a CIRMP report.

It is not only a responsible way to demonstrate accountability, but also a means of seeking government assistance with remediation in the event of a severe, high-impact cyber-attack, helping to ensure continuous operations.

Although the SOCI Act is primarily a legislative requirement, as an asset owner you must ensure that you are aware of, and in control of, the risks across your asset, so that it remains safe and secure for the community, stakeholders, and partners.

Following the SOCI Act will help you stay informed of the various regulations surrounding critical infrastructure risk management. It helps enhance security, credibility, governance, and business continuity during disruptions.

The repercussions of non-compliance can be severe in the long run. From financial loss to damaged credibility, common consequences include government penalties and fines, cyber-terrorism halting operations, loss of goodwill, and legal costs.

Beyond the business impact, a major setback can look like a disruption in power supply that affects the functioning of power plants, hospitals, or transport, leading to direct government intervention.


SOCI Requirements

What is the Security of Critical Infrastructure (SOCI) Act?

The SOCI Act was first introduced in 2018 to strengthen the cyber resilience and national security of Australian critical infrastructure. Since then, it has undergone various reforms to expand the scope of the legislation and enhance regulatory oversight:

  • Expansion of asset classes, such as data storage and processing.
  • Refinement of the ‘protected information’ definition to include data security considerations.
  • Adoption of an ‘all-hazards’ approach to incident reporting, with notification of other events such as ransom payments.

In conjunction with these latest reforms, the SOCI Act mandates the following requirements to ensure accountability, transparency, and preparedness planning:

The owners, operators, or vendors of critical infrastructure must register their assets with the government, providing detailed information such as asset location, service areas, utilisation arrangements, data storage or processing, and operational dependencies. Failure to register your assets can constitute a breach of the Act and regulatory standards.

Asset owners and operators should maintain holistic digital and physical security, as well as supply chain security, such as strong measures for the data service providers involved in storing or processing data related to the critical infrastructure assets.

The Positive Security Obligations (PSO) require the establishment of a Critical Infrastructure Risk Management Program (CIRMP) for vulnerability assessment and risk mitigation, which must be reported to the Cyber and Infrastructure Security Centre (CISC) annually for compliance monitoring.

The implementation of a Risk Management Program (RMP) should holistically cover all types of hazards, whether technological issues such as a digital ecosystem malfunction, operational failures, or physical dysfunction due to natural disasters. As part of the RMP, the legislation requires a cyber security incident response plan to be developed and submitted to the Secretary of the Department of Home Affairs. Critical infrastructure assets must undergo cyber security testing and simulated attacks, which are reviewed by the authorised representative from the Australian Cyber Security Centre (ACSC) to check whether critical assets are equipped to address security challenges. Annual reports must also be submitted according to the Australian financial year and regulatory standards, as a supporting document outlining the measures taken to advance security and threat defence mechanisms.

Failure to comply with RMP obligations can result in regulatory action. However, the Act currently limits the regulator’s ability to issue directions on remediation.

Cyber incidents must be reported to the ACSC within 12 hours, with a record of the occurrence, the analysis, and the response to the threat. For ransom payments, whose legality is ambiguous, there is a requirement to report within 72 hours of the event under the ransom payment notification obligations. Any changes to the internal information management system, such as contact information, the reporting entity, a change in ownership, or changes in power and control, should be disclosed in near real time. As part of an overall incident management uplift, reporting cyber incidents within the recommended timeframe will assist with response and recovery procedures.

According to the reforms, an ‘all-hazards’ approach should be followed, which covers not only incidents after they occur but also consequence management for potential events such as ransom payments.

To address legal risks and the authorities’ otherwise limited ability to act, the SOCI Act allows the government to intervene in the case of significant threats and to offer assistance to ensure a quick response and recovery. The government will also provide instruction on using and disclosing sensitive information related to national security. By establishing a mechanism for sharing reports and information on critical infrastructure management, the authorities can issue guidelines and remediation help for crisis management through the framework.

Unsure where to get started?

Schedule a call with one of our cybersecurity experts to help with SOCI obligations under a CIRMP. Your first consultation is on us.

SOCI Act Timeline

SOCI Legislation Reforms and Amendments

The Security of Critical Infrastructure (SOCI) Act has undergone significant amendments and reforms since its enactment in 2018. The timeline highlights key developments in the legislation, aligning with the Australian Cyber Security Strategy 2023-2030.

Each update reflects stronger regulations, enhanced risk management and evolving compliance measures, to safeguard Australia’s digital and physical infrastructure. Explore the timeline to know more.

25th November 2024

The Australian Parliament passed a suite of cyber security legislation as part of the Australian Cyber Security Strategy 2023-2030.

9th October 2024

The SOCI Amendment Bill was introduced in the Australian Parliament. It includes the update that SOCI Act obligations will extend to data storage and processing systems, whether owned, operated, or connected to the critical asset through third parties.

17th August 2024

End of the 12-month grace period for compliance with the cyber and information security framework requirements under sections 8(4) and 8(5) of the CIRMP rules.

17th August 2023

End of the 6-month grace period for compliance with the SOCI Act.

February 2023

Part 2A (Risk Management Program) switched on.

2nd April 2022

The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP) was passed by the Australian Parliament, mandating CIRMP reporting for Systems of National Significance (SoNS).

8th October 2022

6-month grace period for SOCI Act Part 2 (asset registration) ends.

8th July 2022

3-month grace period for SOCI Act Part 2B (Incident Reporting) ends.

8th April 2022

Parts 2 and 2B of the SOCI Act switched on (PSO, enhanced asset information and cyber incident notification).

2nd April 2022

Second half of the reforms made effective with the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP).

2nd December 2021

First half of the reforms made effective with the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI), adding new sectors.

11th July 2018

SOCI Act passed into legislation.


Our Services

How OpusV Can Help

At OpusV Tech Group, we consult and equip asset owners and operators with cybersecurity tools, operational efficiency installations, and risk management solutions, while ensuring compliance with the Security of Critical Infrastructure (SOCI) Act and the AESCSF framework. Our engineering expertise and cybersecurity capabilities help organisations safeguard their most vital assets.

Incident Response

We help with incident remediation and reporting, covering event analysis, impact assessment, and assistance in recovery options.

Situational Awareness

We assist with situational awareness as a crucial phase of risk assessment, detecting unusual activity in physical or digital environments and conducting root-cause analysis.

Risk Management

We conduct regular risk assessments and ongoing monitoring, and develop proactive defence strategies that mitigate emerging risks, along with asset mapping.

Technology Operations and Maintenance Services

Threat and Vulnerability Management

We offer automated patching and remediation workflows, along with continuous vulnerability scans, simulated tests, and an OT configuration analyser.

Cybersecurity Operations

Identity and Access Management

IXID is a scalable, transferable, customisable, and always-on tool that ensures strong authentication, authorisation, and data management across assets, devices, and sites.


Operations and Maintenance

We merge cybersecurity with operational excellence, ensuring that security investments drive efficiency without disrupting business operations.

Technology and Cybersecurity Solutions
Contact Us

Let us help you stay ahead of cyber threats, ensure compliance, and build a resilient future.

Your first consultation is on us. Talk to us and learn more about securing your critical infrastructure in compliance with the SOCI Act!

Schedule a Free Introduction Call

Our Process

The Way Forward

Together with OpusV, you will be empowered to proactively protect your critical infrastructure, meet your legislative obligations, and keep your operations running and your business thriving.

01

Consult

Get guidance on how you can apply SOCI-approved practices to your critical infrastructure.

02

Comply

Invest in services and technology that give you the resilience to confront risks, monitor progress, and report.

03

Capitalise

Enjoy the benefits of ongoing operational efficiencies, threat management, industry credibility, and lower remediation costs.

Invest in Your Critical Asset and Navigate SOCI Compliant Solutions with OpusV.

Protecting Top Industries In Australia & Beyond

Schedule a Free Introduction Call