If you operate critical infrastructure, the grace periods for the Security of Critical Infrastructure (SOCI) Act 2018 have largely expired. The Australian Signals Directorate (ASD) and the Cyber and Infrastructure Security Centre (CISC) have shifted from education to enforcement. Compliance is no longer a checklist exercise—it requires board-level sign-off and operationalised risk management across four distinct hazard domains: cyber, physical, personnel, and supply chain.
Overview of the Critical Infrastructure Act (SOCI)
The SOCI Act places obligations on entities that own or operate assets crucial to Australia's social or economic stability. It mandates positive security obligations, empowering the government to intervene during severe cyber attacks and requiring operators to manage all-hazards risks proactively. Achieving ACSC Critical Infrastructure Act compliance Australia involves satisfying the Cyber Security Framework (CSF) elements and maintaining an up-to-date Critical Infrastructure Risk Management Program (CIRMP).
Who Does the SOCI Act Apply To?
The Act categorises assets across 11 critical infrastructure sectors, including energy, communications, financial services, defence industry, higher education, healthcare, and transport.
If you own or operate an asset in these sectors, you are likely a responsible entity. However, the obligations scale depending on your classification. Systems of National Significance (SoNS) face enhanced cybersecurity obligations, including mandatory incident response planning and tabletop exercises managed by the ACSC. If you are unsure of your status, check the asset definitions in Part 1 of the SOCI Act directly; assuming you fly under the radar often results in missed reporting deadlines.
Key Compliance Obligations from ACSC
The ACSC provides the technical framework for the cyber component of the SOCI Act. For responsible entities, this translates into specific obligations:
- Register of Critical Infrastructure Assets: You must provide operational and ownership details to the CISC within 6 months of becoming a responsible entity. Updates are required within 30 days of any change.
- Cyber Security Incident Reporting: Mandatory notification of incidents with a significant or relevant impact on the availability of your asset.
- Adherence to a Cyber Framework: You must align your cybersecurity controls with a recognised framework. The ACSC recommends the Essential Eight, the Australian Energy Sector Cyber Security Framework (AESCSF), or the US NIST Cybersecurity Framework (CSF).
Decision Point: Choose your framework based on your existing maturity. If your systems handle Defence data, aligning with the Essential Eight maturity models usually provides the straightest path to dual compliance. If you operate primarily internationally, NIST CSF makes more sense.
Risk Management Programs Explained
A CIRMP is a living document, not a binder you put on a shelf. Part 2A of the Act requires your program to identify, prevent, and mitigate material risks from four hazard types:
- Cyber Information Security Hazards: Unauthorised access, data breaches, and ransomware. Controls often intersect with IRAP readiness requirements.
- Personnel Hazards: Insider threats, malicious actions by trusted employees, or physical access compromises.
- Supply Chain Hazards: Vulnerabilities introduced by third-party vendors, managed service providers, or software dependencies.
- Physical Security Hazards: Natural disasters, terrorism, or hardware sabotage.
Your board or governing body must submit an annual report attesting that the CIRMP is up to date and effective. The CISC actively audits these submissions.
Incident Reporting Requirements
Incident reporting under SOCI operates on strict statutory timelines. When a cyber attack occurs, your response clock starts the moment you become aware of the impact, not when you finish forensics.
- 12-Hour Requirement: If the incident causes a significant impact (the asset is severely impaired or unavailable), you have 12 hours to notify the ACSC verbally or in writing.
- 72-Hour Requirement: If the incident causes a relevant impact (the asset remains functional but is degraded), you have 72 hours to report it.
Following a verbal report, you must submit a formal written record within 84 hours. These reports trigger the government's assistance mechanisms, and failing to report results in civil penalties. Your internal Incident Response Plan must map directly to these 12- and 72-hour triggers.
Steps Towards Achieving and Maintaining Compliance
Meeting the obligations requires systematic execution. Here is the pragmatic path to building a defensible position:
- Map Your Assets: Identify all critical assets and document your supply chain dependencies. You cannot secure what you do not know you have.
- Draft the CIRMP: Appoint a cross-functional team (IT, HR, Facilities, Procurement) to draft risk treatments across the four hazard domains. Assign explicit ownership for every mitigation strategy.
- Implement the Cyber Framework: Measure your current state against your chosen cyber framework (e.g., Essential Eight) and execute a remediation plan to close identified gaps.
- Update Board Reporting: Modify your executive reporting packs to include CIRMP metrics, enabling the board to confidently sign the annual attestation.
- Test Incident Response: Run a tabletop exercise simulating a severe outage. Time your mock reporting process to ensure you can meet the 12-hour statutory deadline under pressure.