On 10 June 2026, the Enhanced Critical Infrastructure Risk Management Program Rules commenced, and the SOCI Act quietly became the most demanding cyber security regulation most Australian operators have ever faced. The uncomfortable part: plenty of businesses are captured by the Act and do not know it, and plenty more sit one contract away from inheriting its obligations through a customer’s supply chain requirements.
This is our masterclass on SOCI Act compliance. What the Act requires, who it captures, what changed in June 2026, and what a sensible compliance program looks like if you run or support a critical infrastructure asset in Australia.
The Security of Critical Infrastructure Act 2018 is the Australian Government’s framework for protecting the assets the country cannot function without. It started narrow, covering electricity, gas, water and ports, and has since expanded through amendments in 2021, 2022 and 2024 to cover 11 sectors and 22 asset classes.
The 11 sectors are communications, data storage or processing, defence industry, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, and water and sewerage.
Read that list again. This is not just power stations and ports. A data centre operator, a food distributor, a private hospital, a freight company, or a business providing data storage or processing services to government can all be responsible entities under the Act. The obligations attach to whoever owns or operates a designated critical infrastructure asset, and the definitions in the Security of Critical Infrastructure legislation are broader than most people expect. In our experience, the businesses most surprised to find themselves in scope are in data storage and processing, because the test turns on whose data you hold, not how big you are.
If you are a responsible entity, three obligations apply. Which ones have been switched on for your asset class depends on the rules, but the full set looks like this.
1. Register your asset. Responsible entities must provide ownership and operational information to the Register of Critical Infrastructure Assets, run by the Cyber and Infrastructure Security Centre, and keep it current when things change.
2. Report cyber incidents on the clock. A critical cyber security incident, one that has had or is having a significant impact on the availability of your asset, must be reported to the Australian Cyber Security Centre within 12 hours of you becoming aware of it. Any other cyber security incident with a relevant impact on the asset must be reported within 72 hours. If the first report is verbal, a written report follows within 84 and 48 hours respectively. These clocks are unforgiving: they run from the moment of awareness, not from the start of the next business day, and they assume you can detect an incident, assess its impact, and brief someone senior enough to make the call, all inside 12 hours. Most incident response plans we review were not written with a 12-hour regulatory clock in mind. This sits alongside the separate 72-hour ransomware payment reporting rule under the Cyber Security Act 2024, which we covered in our guide to mandatory ransomware reporting.
3. Maintain a Critical Infrastructure Risk Management Program. The CIRMP is the centrepiece of SOCI Act compliance, and it is where most of the work lives. More on it below, because it deserves its own section.
A fourth layer applies to a small set of assets declared Systems of National Significance. These carry Enhanced Cyber Security Obligations, which can be switched on by government direction: incident response plans, cyber security exercises, vulnerability assessments, and the provision of system information.
A CIRMP is a written, board-owned program that identifies the material risks to your asset and sets out how you minimise and mitigate them, so far as is reasonably practicable. It must cover four hazard domains: cyber and information security, personnel, supply chain, and physical and natural hazards. Cyber gets the attention, but an auditor will look at all four.
On the cyber domain, the CIRMP Rules require you to meet one of five recognised frameworks, or an equivalent you can defend. The options are ISO 27001, the ASD Essential Eight at Maturity Level One, the NIST Cybersecurity Framework, the US Department of Energy’s C2M2 at MIL-1, or the AESCSF at Security Profile 1 for energy entities. Most Australian operators outside energy choose the Essential Eight or ISO 27001, and the honest answer is that the strongest programs use both: ISO 27001 for governance and the Essential Eight for the technical controls that actually stop attacks.
The governance obligations are specific. The CIRMP must name the position accountable for it. It must be reviewed at least annually and after any material change. And every year, within 90 days of the end of your financial year, the board must approve an annual report on the program and submit it to the regulator. That last point changes the conversation: SOCI compliance is a director-level accountability, not an IT project.
Two things happened this year that reset the baseline.
First, the Independent Review of the SOCI Act, delivered by Dr Jill Slay AM on 31 January 2026, found the Act had built a strong foundation but was not keeping pace with the threat environment. One of its sharper findings was that CIRMP assurance had become too documentary: programs that read well on paper without evidence the controls work.
Second, and more concretely, the Enhanced CIRMP Rules were made on 4 June 2026 and commenced on 10 June 2026. They apply to nine designated high-risk asset classes, including energy market operators, electricity, gas, liquid fuel, water, broadcasting, domain name systems and freight. If you are a responsible entity for one of these, the grace-period clocks are already running.
| Deadline | What lands |
|---|---|
| Now | Existing CIRMP obligations continue: four hazard domains, framework compliance, annual board report |
| Mid-2027 (12 months from commencement) | Additional material risks including national security impairment, patching and legacy technology measures, first personnel security measures |
| Mid-2028 (24 months from commencement) | Step up to level 2 of your chosen cyber framework (Essential Eight ML2, AESCSF SP-2 or equivalent), phishing-resistant MFA, lateral movement controls, supply chain and physical security measures |
The level 2 requirement is the big one. Moving from Essential Eight Maturity Level One to Maturity Level Two is a genuine uplift in application control, privileged access, patching cadence and MFA, not a paperwork exercise. We wrote a full breakdown in our Essential 8 Maturity Level 2 guide, and our position is simple: two years sounds generous until you factor in operational technology change windows, budget cycles and the evidence you need to gather along the way. Start now.
There is also more change coming. A parallel consultation on stronger Ministerial directions powers closed on 1 May 2026, with proposed penalties for non-compliance with a direction rising to $3.3 million for corporations, and the review has flagged further expansion of the assets and sectors covered. The direction of travel is one way.
Here is the part that matters for most Australian SMBs. The Enhanced CIRMP Rules require responsible entities to manage supply chain risk, map their significant vendors, and document risks from foreign ownership, control and influence across their supply chain. That obligation does not stop at their front door. It flows into yours.
If you sell software, services, logistics, maintenance or data handling to an electricity distributor, a water utility, a hospital or a freight operator, expect security questionnaires, contract clauses requiring a recognised framework, and evidence requests. We have watched the same pattern play out in defence: DISP membership moved from differentiator to tender prerequisite in about three years. Critical infrastructure supply chains are on the same path. Being able to show Essential Eight maturity with evidence is becoming the price of staying on the vendor panel.
These frameworks overlap deliberately, and a smart compliance program exploits that. The Essential Eight satisfies the SOCI cyber framework requirement, the DISP cyber requirement at ML2, and most cyber insurance questionnaires, all from one set of controls. ISO 27001 gives you the risk management, governance and audit machinery the CIRMP expects, plus the personnel and supplier controls the other three hazard domains need. Build once, attest many times.
The trap is treating each regime as a separate project with separate documents and separate spreadsheets. That triples the cost and produces the documentary compliance the Independent Review criticised. One control set, one evidence base, mapped to every obligation you carry. That is the whole trick, and it is what we run for clients through our managed cyber security service: controls operating continuously, evidence collected as a by-product, reports generated when the regulator, the board or the customer asks.
Confirm whether you are captured. Work through the asset class definitions for your sector, and get a legal read if it is ambiguous. Then check your customer base: if any customer is a responsible entity, review your contracts for security obligations that already apply to you. Guessing wrong in either direction is expensive.
Test your incident reporting against the clocks. Run a tabletop exercise against the 12-hour and 72-hour timelines with the people who would actually make the call. If your detection, escalation and decision chain cannot produce an ACSC report inside 12 hours on a Saturday night, fix that before an incident finds the gap for you.
Get your Essential Eight maturity independently assessed. Whether you are a responsible entity heading for ML2 by 2028 or a supplier who will be asked for evidence next tender round, the starting point is the same: know where you stand today, with evidence. We run these assessments for businesses across Australia, and after 22 years and a 98 per cent client retention rate, we are comfortable telling you the unvarnished version. Contact us on 1300 EPIC IT for a security gap analysis.
The Security of Critical Infrastructure Act 2018 is Australia’s framework for protecting critical infrastructure across 11 sectors and 22 asset classes, from energy and water to data storage, food and health care. It requires responsible entities to register assets, report cyber incidents within 12 to 72 hours, and maintain a Critical Infrastructure Risk Management Program. SOCI Act compliance is regulated by the Cyber and Infrastructure Security Centre within Home Affairs.
Responsible entities, meaning the owners and operators of designated critical infrastructure assets across the 11 sectors. You do not need to be a large company: data storage and processing providers, food distributors, private hospitals and freight operators can all be captured. Suppliers to responsible entities are not directly regulated but increasingly inherit obligations through contracts and supply chain risk requirements.
A Critical Infrastructure Risk Management Program is a written, board-approved program that identifies and manages material risks to a critical infrastructure asset across four hazard domains: cyber and information security, personnel, supply chain, and physical and natural hazards. It must meet a recognised cyber framework such as the Essential Eight or ISO 27001, be reviewed at least annually, and be reported to the regulator within 90 days of each financial year end.
The Enhanced CIRMP Rules commenced on 10 June 2026 for nine high-risk asset classes. They add obligations around patching and legacy technology, personnel and supply chain security, phishing-resistant MFA, and a step up to level 2 of the chosen cyber framework, with grace periods running to roughly mid-2027 and mid-2028. An Independent Review delivered in January 2026 has also set up further reforms, including stronger Ministerial directions powers and higher penalties.
Critical cyber incidents, those with a significant impact on the asset, must be reported to the ACSC within 12 hours of the entity becoming aware. Other incidents with a relevant impact must be reported within 72 hours. Verbal reports must be followed by written reports within 84 and 48 hours respectively. Ransomware payments carry a separate 72-hour reporting obligation under the Cyber Security Act.
The Essential Eight on its own covers only part of SOCI Act compliance. Maturity Level One is one of the recognised frameworks for the CIRMP cyber domain, and the Enhanced Rules point high-risk asset classes to level 2 by mid-2028. But SOCI Act compliance also requires incident reporting capability, personnel, supply chain and physical hazard management, and board-level governance, which sit outside the Essential Eight. Most entities pair it with ISO 27001 or equivalent governance controls.