The most common concerns are whether an organisation or asset is captured and when the 12-hour or 72-hour incident clock starts. CIRMP scope, supplier flow-down, SoNS obligations and government intervention powers are less frequently discussed but create substantial governance and contract risk.
What is the SOCI Act and which businesses does it cover? (11 sectors, 22 asset classes)
The Security of Critical Infrastructure Act 2018 creates the Commonwealth framework for identifying, regulating and supporting infrastructure that is important to Australia's security, economy and essential services. It covers 11 sectors: communications, financial services and markets, data storage or processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage. Within those sectors, the legislation and rules currently identify 22 asset classes, each with its own definition, thresholds and responsible-entity rules. Being active in a listed sector does not automatically capture every business: the organisation must own, operate, control or hold a qualifying interest in an asset that meets a statutory or rules-based definition. Depending on the asset and the organisation's role, obligations can include registration, cyber incident reporting, a Critical Infrastructure Risk Management Program, data-provider notification and additional telecommunications or SoNS duties.
- Business operating in one of the 11 listed sectors — Map each facility, system, network and service against the relevant asset-class definition and threshold; sector membership alone is not conclusive.
- Business outside the listed sectors — The ordinary asset-class obligations are unlikely to apply directly, although the business may still receive contractual requirements as a supplier or may be covered by a private ministerial declaration.
- Organisation with multiple assets or business units — Assess each asset separately because different classes, responsible entities, regulators and obligations may apply within the same corporate group.
The organisation must maintain a documented assessment of whether any facility, system, network, service or data-processing arrangement meets a critical infrastructure asset definition under the Security of Critical Infrastructure Act 2018. The assessment must identify the applicable sector and asset class, statutory threshold, responsible entity, direct interest holders, operator, relevant regulator and each obligation that applies. The assessment must be reviewed when ownership, control, operations, capacity, customers, technology, legislation or prescribed thresholds change.
Am I a "responsible entity", "direct interest holder" or "operator"? How do I know if I'm captured?
Start with the asset class, because the Act defines the responsible entity differently for different types of assets. Depending on the class, the responsible entity may be an owner, operator, licence holder, body authorised to operate the asset or another entity specified by the legislation or rules. A direct interest holder generally has a direct or joint interest of at least 10%, together with associates, or an interest that gives it direct or indirect influence or control over the asset. Direct interest holders ordinarily have Register obligations, while responsible entities may also have incident-reporting, CIRMP, data-provider and other duties. Operator is an operational description rather than one universal liability category: an operator is directly captured where the relevant asset-class definition makes it the responsible entity or another provision applies to it.
- Owner, licence holder or operator of a potentially critical asset — Read the responsible-entity definition for the exact asset class in section 12L and any applicable rules or declarations.
- Investor, parent company, joint-venture participant or trust — Test the direct-interest threshold and the separate influence-or-control limb, including interests held together with associates.
- Complex corporate or operational structure — Document legal ownership, operational control, licences, contractual control, associated entities and the person responsible for each statutory submission.
For every potentially regulated asset, the organisation must document: the applicable asset class; the legal owner; each operator and licence holder; the entity satisfying the section 12L responsible-entity definition; each direct interest holder; relevant associates; and any person able to influence or control the asset. Legal, operational and ownership changes must be notified to the SOCI Compliance Owner before they take effect so that registration and other obligations can be reassessed.
The Register of Critical Infrastructure Assets — what must I report and when?
The Secretary of Home Affairs keeps the Register, and the Act expressly says it is not to be made public. A responsible entity generally provides prescribed operational information, while a direct interest holder provides prescribed interest and control information. The initial submission is generally due by the later of the end of the applicable grace period or 30 days after the entity becomes a reporting entity for the asset. Changes and other notifiable events generally have a 30-day reporting period. Because corporate restructures, licence changes, outsourcing and changes in operational control can alter Register information, the organisation needs an internal notification process rather than relying on an annual review.
- Responsible entity — Provide the prescribed operational information about the asset and keep it current.
- Direct interest holder — Provide prescribed ownership, interest and control information and report relevant changes.
- Merger, acquisition, restructuring or operational transfer — Assess the Register impact before completion and track the 30-day statutory period for resulting changes or notifiable events.
The SOCI Compliance Owner must maintain a current Register submission record for each regulated asset, including all operational, ownership, interest and control information required under Part 2 of the SOCI Act. Any proposed or actual change to ownership, beneficial interests, associates, influence, control, operators, licences, locations or prescribed operational information must be escalated immediately. Required initial information and updates must be submitted within the statutory period, ordinarily no later than 30 days after the relevant trigger unless a different grace period or exemption applies.
Mandatory cyber incident reporting to ASD/ACSC — the 12-hour and 72-hour clocks.
A responsible entity covered by Part 2B must report a critical cyber security incident to ASD's Australian Cyber Security Centre as soon as practicable and no later than 12 hours after becoming aware of it. The 12-hour category applies where the incident has had, or is having, a significant impact on the availability of the asset, meaning it materially disrupts essential goods or services provided using the asset. Other reportable cyber incidents must be reported as soon as practicable and no later than 72 hours where they have had, are having or are likely to have a relevant impact on the asset's availability, integrity, reliability or confidentiality. An initial report may be oral or written; an oral critical report requires a written report within 84 hours, while an oral other-incident report requires a written report within 48 hours. If an incident first reported under the 72-hour category later becomes significant, a further critical-incident report is required within 12 hours of becoming aware of that escalation.
- Critical cyber security incident — Report to ASD's ACSC as soon as practicable and within 12 hours of awareness where essential goods or services are materially disrupted.
- Other relevant cyber security incident — Report as soon as practicable and within 72 hours where availability, integrity, reliability or confidentiality has been or is likely to be affected.
- Impact or classification is uncertain — Escalate immediately, preserve the awareness timestamp and seek guidance rather than waiting for complete technical or forensic certainty.
Every suspected cyber security incident affecting a regulated critical infrastructure asset must be escalated immediately to the SOCI Incident Lead. The Lead must record when the responsible entity became aware of the incident and assess significant and relevant impact without waiting for complete forensics. A critical cyber security incident must be reported to ASD's ACSC as soon as practicable and within 12 hours. Any other reportable cyber security incident must be reported as soon as practicable and within 72 hours. Oral reports must be followed by the required written report within 84 hours for a critical incident or 48 hours for another incident.
Critical Infrastructure Risk Management Program (CIRMP) — what it requires and the annual board-approved report.
The CIRMP obligation applies to responsible entities for asset classes specified by the rules or assets otherwise brought within Part 2A; it does not apply identically to every one of the 22 asset classes. A covered entity must adopt, maintain, comply with, regularly review and keep current a written program that identifies material risks and, so far as reasonably practicable, minimises or eliminates those risks and mitigates relevant impacts. The current rules address four core hazard domains: cyber and information security, personnel, supply chain, and physical security and natural hazards. Current 2026 rules also impose enhanced CIRMP requirements on specified higher-risk asset classes, with transitional periods for different controls. Within 90 days after the end of each Australian financial year, the responsible entity must submit an approved annual report to the relevant regulator; where the entity has a board, council or other governing body, that body must approve the report.
- Responsible entity for an asset specified by the CIRMP Rules — Maintain a written, current, operating CIRMP covering all prescribed hazards and submit the annual report.
- Responsible entity for an enhanced-requirement asset class — Map the additional 2026 controls and applicable 12-month or 24-month transitional period rather than relying only on the baseline program.
- Board, council or other governing body — Approve the annual report and obtain sufficient evidence to assess whether the program remained current and effective.
Where Part 2A applies, the organisation must adopt, maintain, comply with, regularly review and keep current a written Critical Infrastructure Risk Management Program. The CIRMP must identify the asset's operational context, dependencies, material risks and controls across cyber and information security, personnel, supply chain, physical security and natural hazards. So far as reasonably practicable, the organisation must minimise or eliminate material risks and mitigate each relevant impact. A board-, council- or governing-body-approved annual report must be submitted to the relevant regulator within 90 days after each Australian financial year-end.
Enhanced cyber security obligations (SoNS — Systems of National Significance).
A System of National Significance is a critical infrastructure asset privately declared by the Minister because of its national significance and the consequences that disruption could create. SoNS assets are a small subset of critical infrastructure assets, not a status automatically applied to every large or important operator. The responsible entity may be directed to meet one or more Enhanced Cyber Security Obligations in addition to its ordinary SOCI duties. The four obligation types are statutory incident response planning, participation in cyber security exercises, vulnerability assessments, and provision of system information through periodic or event-based reporting or installed software. The specific obligations are activated individually, and SoNS declarations and related information are protected rather than published as a public list.
- Responsible entity notified that its asset is a SoNS — Treat the declaration and related directions as protected information and establish an executive-controlled compliance program.
- Statutory incident response planning obligation — Adopt, maintain, comply with, review and update the required plan and provide a copy to the Secretary as directed.
- Exercise, vulnerability or system-information obligation — Comply with the particular notice or determination, preserve evidence and assign technical and executive owners.
Any notification, determination or direction concerning a System of National Significance must be escalated immediately to the Chief Executive, General Counsel, Chief Information Security Officer and SOCI Compliance Owner. The organisation must protect the existence and contents of the declaration and related information in accordance with the SOCI Act. Each activated Enhanced Cyber Security Obligation must have a named owner, implementation plan, evidence register, deadline and executive oversight process in addition to the organisation's ordinary SOCI obligations.
Government assistance / intervention powers (directions, information gathering, action).
Part 3A gives the Commonwealth last-resort powers to respond to serious incidents affecting critical infrastructure. The threshold is high: the incident must have occurred, be occurring or be imminent, create a material risk of serious prejudice to Australia's social or economic stability, defence or national security, and not be capable of being addressed practically and effectively through another existing regulatory system, subject to the Act's emergency pathway. The Minister must personally authorise the use of information-gathering directions, action directions or, for cyber incidents, an intervention request to an authorised agency such as ASD. Necessity, proportionality, technical feasibility and consultation safeguards apply, although consultation can be curtailed where delay would frustrate the response. These powers do not replace the entity's duty to lead its own response and cooperate promptly.
- Information-gathering direction — The Secretary may require information needed to understand or respond to the serious incident.
- Action direction — The Secretary may direct a relevant entity to take, or refrain from taking, specified action within the authorised response.
- Cyber intervention request — An authorised agency may be requested to take specified technical action, with access and assistance obligations subject to statutory limits.
Any ministerial authorisation, information-gathering direction, action direction or intervention request under Part 3A must be escalated immediately to the Chief Executive, General Counsel, Incident Commander and SOCI Compliance Owner. The organisation must verify the instrument, preserve it as protected information, identify conflicts with existing duties, provide required access or assistance, maintain a decision and evidence log, and comply within the stated period. No employee may obstruct, conceal information from or independently negotiate with an authorised government team.
Penalties, enforcement and how SOCI interacts with the NDB scheme and Cyber Security Act.
The SOCI Act uses civil penalties, infringement notices, enforceable undertakings, injunctions, monitoring and investigation powers, and selected criminal offences. Common maximums include 50 penalty units for failures involving the Register or mandatory cyber incident reports, 200 penalty units for core CIRMP and many enhanced-obligation failures, and 150 penalty units for the annual CIRMP report. SOCI incident reporting is separate from the Privacy Act NDB scheme: SOCI focuses on operational impact to a critical infrastructure asset, while NDB focuses on personal information and likely serious harm, with an expeditious assessment capped at 30 calendar days and notification as soon as practicable after reasonable belief. The Cyber Security Act 2024 creates a third, separate clock where a covered entity makes or becomes aware of a ransomware or cyber-extortion payment: that payment report is due within 72 hours. One incident can therefore require a 12-hour SOCI report, an NDB assessment and later OAIC and individual notification, and a separate 72-hour payment report.
- SOCI cyber incident reporting — Report to ASD's ACSC within 12 or 72 hours according to the impact on the critical infrastructure asset.
- Privacy Act NDB scheme — Assess personal-information harm expeditiously within the 30-calendar-day maximum and notify the OAIC and affected individuals as soon as practicable once reasonable belief exists.
- Cyber Security Act ransomware-payment reporting — Where the entity and payment are covered, report the payment or benefit within 72 hours of making it or becoming aware it was made on the entity's behalf.
For every incident, the Incident Commander must maintain a regulatory reporting matrix that separately records each legal or contractual trigger, awareness time, decision-maker, deadline, recipient and submission status. The matrix must separately assess SOCI cyber incident reporting, the Privacy Act Notifiable Data Breaches scheme, Cyber Security Act ransomware-payment reporting, Security of Critical Infrastructure obligations, sector regulators, contracts and insurance. No report is treated as satisfying another obligation unless the applicable law expressly provides that result.
If I'm a smaller supplier to critical infrastructure — how does SOCI reach me indirectly?
Supplying a critical infrastructure entity does not automatically make a smaller business a responsible entity under the SOCI Act. It can still be directly captured if it owns, operates or holds a qualifying interest in an asset that meets an asset-class definition, including in some circumstances a critical data storage or processing asset. Indirectly, a regulated customer must manage supply-chain hazards through its CIRMP, including malicious or unauthorised supplier access, privileged access, disruption, concentration risk and over-reliance on particular suppliers. Current enhanced requirements for specified asset classes add deeper supplier mapping, critical-component analysis, foreign ownership, control or influence assessment, access analysis and outage-risk assessment. Contracts therefore commonly flow down incident-notification, access-control, personnel-screening, resilience, evidence, audit, subcontractor, data-location and exit requirements, even when the supplier has no direct SOCI filing duty.
- Managed service provider, cloud provider or data processor — Assess whether the service itself meets a critical data storage or processing definition and expect notification where business-critical data for a critical asset is stored or processed.
- Supplier with privileged, remote or operational access — Expect stronger contractual controls, named personnel, access monitoring, rapid incident escalation, resilience testing and offboarding requirements.
- Major supplier or provider of a critical component — The customer's CIRMP may require documented mapping and assessment of jurisdiction, ownership, influence, control, dependencies and outage consequences.
Before engaging a supplier that can affect a regulated critical infrastructure asset, business-critical data or a critical component, the organisation must assess the supplier's ownership, jurisdiction, access, personnel, subcontractors, resilience, concentration risk, incident capability and exit arrangements. Contracts must require timely incident notification, cooperation with statutory reporting, evidence preservation, access control, security obligations for subcontractors, audit or assurance rights, continuity arrangements, data return or destruction and prompt removal of access. The contract owner must record whether the supplier may itself be directly regulated under the SOCI Act.
What's my next step?
Common misconceptions
- Every business in one of the 11 sectors is automatically regulated by every SOCI obligation. VERIFIED
- The SOCI Act applies only to government-owned infrastructure. VERIFIED
- There is one universal definition of responsible entity that applies in the same way to all 22 asset classes. VERIFIED
- Only entities holding exactly 10% or more can be direct interest holders; influence or control without that percentage is irrelevant. VERIFIED
- The Register of Critical Infrastructure Assets is a public list of regulated organisations and assets. VERIFIED
- Every cyber incident affecting a critical infrastructure entity has a 72-hour reporting period. VERIFIED
- A responsible entity can wait until the root cause and full forensic scope are known before starting the 12-hour or 72-hour SOCI clock. INFERRED
- Every one of the 22 asset classes has the same CIRMP requirements and the same commencement date. VERIFIED
- Every critical infrastructure asset is a System of National Significance. VERIFIED
- The government can intervene in an ordinary operational incident without satisfying the serious-incident thresholds, safeguards and ministerial authorisation requirements. VERIFIED
- A SOCI incident report automatically satisfies the Privacy Act NDB scheme. INFERRED
- The Cyber Security Act requires a 72-hour ransomware report whenever a ransom demand is received, even if no payment or benefit is provided. VERIFIED
- A small supplier has no SOCI-related exposure unless it is itself named as a responsible entity. INFERRED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| Initial Register of Critical Infrastructure Assets information | Cyber and Infrastructure Security Centre, Department of Home Affairs | An entity becomes a responsible entity or direct interest holder for an asset to which Part 2 applies. | Generally by the later of the end of the applicable grace period or 30 days after becoming a reporting entity. | Civil penalty: 50 penalty units. |
| Ongoing Register updates and notifiable events | Cyber and Infrastructure Security Centre, Department of Home Affairs | Required operational, ownership, interest or control information changes, or another notifiable event occurs. | Generally within 30 days after the event or the entity becoming aware of the relevant change. | Civil penalty: 50 penalty units. |
| Notification to an external data service provider | Cyber and Infrastructure Security Centre, Department of Home Affairs | A responsible entity becomes aware that a commercial data service provider stores or processes business-critical data for its critical infrastructure asset. | Take reasonable steps to notify the provider as soon as practicable. | Civil penalty: 50 penalty units. |
| Critical cyber security incident report | Australian Signals Directorate, Australian Cyber Security Centre | A covered responsible entity becomes aware that a cyber security incident has occurred or is occurring and has had or is having a significant impact on the availability of the asset. | As soon as practicable and within 12 hours; an oral report must be followed by a written report within 84 hours. | Civil penalty: 50 penalty units. |
| Other cyber security incident report | Australian Signals Directorate, Australian Cyber Security Centre | A covered responsible entity becomes aware that a cyber security incident has occurred, is occurring or is imminent and has had, is having or is likely to have a relevant impact on the asset. | As soon as practicable and within 72 hours; an oral report must be followed by a written report within 48 hours. | Civil penalty: 50 penalty units. |
| Critical Infrastructure Risk Management Program | Cyber and Infrastructure Security Centre or another relevant Commonwealth regulator | The entity is the responsible entity for an asset to which Part 2A applies after any applicable grace period. | Ongoing: adopt, maintain, comply with, regularly review and keep the CIRMP current. | Civil penalty: generally 200 penalty units for failure to have, comply with, review or update the program. |
| CIRMP annual report | Cyber and Infrastructure Security Centre or another relevant Commonwealth regulator | A responsible entity had a CIRMP obligation during the relevant Australian financial year. | Within 90 days after the end of the Australian financial year; approval by the board, council or other governing body is required where one exists. | Civil penalty: 150 penalty units. |
| Enhanced Cyber Security Obligations for a System of National Significance | Cyber and Infrastructure Security Centre, Department of Home Affairs | The asset is privately declared a System of National Significance and the responsible entity receives a determination or notice activating an enhanced obligation. | As specified in the relevant determination, notice, exercise, assessment or reporting requirement. | Many ECSO compliance provisions carry a civil penalty of 200 penalty units. |
| Part 3A information-gathering direction | Department of Home Affairs | The Minister authorises use of the serious-incident powers and the Secretary gives an information-gathering direction to a relevant entity. | Within the period stated in the direction and while the ministerial authorisation remains in force. | Civil penalty: 150 penalty units. |
| Part 3A action direction | Department of Home Affairs | The Minister authorises use of the serious-incident powers and the Secretary directs a relevant entity to take, or refrain from taking, specified action. | Within the period and conditions stated in the direction. | Criminal penalty for intentional non-compliance: imprisonment for up to 2 years, 120 penalty units, or both, subject to the statutory defence. |
| Privacy Act Notifiable Data Breaches assessment and notification | Office of the Australian Information Commissioner | A Privacy Act-covered entity suspects or believes that an eligible data breach involving personal information has occurred. | Reasonable and expeditious assessment within a maximum of 30 calendar days after suspicion; notify the OAIC and affected individuals as soon as practicable after reasonable belief. | |
| Cyber Security Act ransomware or cyber-extortion payment report | Department of Home Affairs | A covered reporting business entity makes, or becomes aware that another entity made on its behalf, a payment or benefit directly related to a ransomware or cyber-extortion demand. | Within 72 hours after making the payment or becoming aware that it was made. | Civil penalty: 60 penalty units. |
Sources
- Security of Critical Infrastructure Act 2018 primary
- Security of Critical Infrastructure Act 2018 (SOCI) primary
- SOCI Act regulatory obligations primary
- Critical Infrastructure Asset Class Definition Guidance primary
- Critical Infrastructure Asset Registration Form Guidance primary
- Notification of Cyber Security Incidents Guidance primary
- Security of Critical Infrastructure Act 2018 obligations factsheet primary
- Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 primary
- Guidance for the Critical Infrastructure Risk Management Program primary
- Responsible Entity Critical Infrastructure Risk Management Program Annual Report primary
- Enhanced Cyber Security Obligations primary
- Cyber Security Legislative Reforms primary
- Quick reference guide for responding to data breaches primary
- Cyber Security Act 2024 primary
- Cyber Security (Ransomware Payment Reporting) Rules 2025 primary
- Mandatory ransomware and cyber extortion payment reporting factsheet primary
- Gross misconduct forum
- Optus network outage deaths forum
- Nab Vietnam: As a security professional, this infuriates me to the max. forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.