SOCI Act CIRMP Compliance

SOCI Act CIRMP Deadlines: What Responsible Entities Need to Know in 2026

Tech Blaze Consulting | January 2026 | 11 min read

The Critical Infrastructure Risk Management Program (CIRMP) obligations under the Security of Critical Infrastructure Act 2018 (SOCI Act) are no longer new. The CIRMP Rules commenced on 17 February 2023, with a grace period that ended on 18 August 2024. If you are a responsible entity for a critical infrastructure asset, you should already have a CIRMP in place, have submitted your first annual report, and be well into your second cycle.

The reality, based on what we see working with entities across multiple sectors, is that many organisations are still catching up. Some have a CIRMP on paper but have not operationalised it. Others have strong technical controls but weak governance documentation. A surprising number are uncertain about what their annual report should contain and whether their board has fulfilled its approval obligations.

This article provides a practical guide to where things stand in 2026, what the Cyber and Infrastructure Security Centre (CISC) expects, and what you need to do if you are behind.

Who Is Affected: Responsible Entities and Critical Infrastructure Assets

The SOCI Act applies to responsible entities for critical infrastructure assets across 11 sectors: communications, data storage and processing, defence industry, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, and water and sewerage.

If you are the owner or operator of an asset that is listed on the Register of Critical Infrastructure Assets (or should be), you are a responsible entity. The obligation to maintain a CIRMP applies to you. If you are not sure whether your asset qualifies, the CISC maintains the register and can provide guidance — but given that the obligation has been in force since 2023, uncertainty at this point is itself a compliance risk.

What a CIRMP Must Contain

The CIRMP Rules set out the minimum contents of a compliant CIRMP. This is not a suggestion — it is a legislative instrument with civil penalties for non-compliance.

1. Material Risk Identification

   Identify all material risks to the critical infrastructure asset from each of the four hazard vectors: cyber and information security, personnel, supply chain, and physical security and natural hazards. This is not a generic risk register — it must be specific to the critical infrastructure asset and reflect the entity's actual threat landscape.

   (CIRMP Rules, s12)

2. Risk Mitigation and Controls

   For each identified material risk, the CIRMP must document the controls or strategies implemented to mitigate the risk to an acceptable level. For the cyber hazard vector, this means adopting at least one approved framework (Essential Eight, NIST CSF, ISO 27001, or a sector-specific alternative) and implementing it to a level commensurate with the risk.

   (CIRMP Rules, Schedule 1)

3. Incident Response

   The CIRMP must include, or reference, an incident response capability that covers detection, containment, response, and recovery from incidents affecting the critical infrastructure asset. This includes cyber incidents, personnel incidents, supply chain disruptions, and physical security events.

   (CIRMP Rules, s15)

4. Ongoing Review and Improvement

   The CIRMP is not a static document. It must be reviewed and updated at least annually, or whenever there is a material change to the risk environment, the critical infrastructure asset, or the entity's operations. The review must assess whether the risk mitigations remain effective and whether new risks have emerged.

   (CIRMP Rules, s16)

Board Approval and Annual Reporting

The SOCI Act imposes specific board-level governance obligations. The CIRMP annual report must be:

  • Approved by the board (or the governing body for entities without a traditional board structure) before submission to the sector regulator
  • Submitted annually to the relevant Commonwealth regulator for the entity's sector. The exact deadline and regulator depend on the sector — for example, the Australian Energy Market Operator (AEMO) for energy sector entities, the Department of Health for health care entities
  • Honest and accurate — the board must be satisfied that the information in the annual report is true and correct. Directors who approve a misleading report face personal accountability

Board readiness: If your board has not been briefed on CIRMP obligations, this is urgent. Board members need to understand what they are approving, the legal consequences of the approval, and the entity's current compliance posture. A two-page board paper covering the CIRMP status, key risks, and remediation progress is the minimum. Detailed risk registers and technical assessments should be available as supporting material.

The Relationship Between CIRMP and Essential Eight

Many responsible entities have adopted the Essential Eight Maturity Model as their cyber security framework for the CIRMP cyber hazard vector. This is a valid choice under Schedule 1 of the CIRMP Rules. However, it is critical to understand what the E8 covers and what it does not.

The Essential Eight addresses one of four hazard vectors. It provides a structured approach to managing cyber and information security risks through eight mitigation strategies. But your CIRMP must also address personnel hazards, supply chain hazards, and physical security and natural hazards — none of which the E8 covers.

Furthermore, even within the cyber hazard vector, the E8 does not cover:

  • Incident detection and response (the E8 is preventative, not detective or responsive)
  • Network security and segmentation
  • Security governance and risk assessment
  • Data protection and encryption
  • Security monitoring and log management (beyond what ML3 requires for specific strategies)

For a detailed mapping of how the E8 aligns to CIRMP obligations, including the specific gaps, see our E8-to-CIRMP Mapping Guide.

What CISC Expects: Regulatory Posture in 2026

The Cyber and Infrastructure Security Centre (CISC), within the Department of Home Affairs, administers the SOCI Act for cross-cutting matters and coordinates with sector-specific regulators. Based on public statements and regulatory guidance, CISC's focus in 2026 is on:

  • Compliance, not perfection — CISC has acknowledged that CIRMP compliance is a journey. The expectation is not that every risk is fully mitigated, but that entities have a compliant program in place, are actively managing material risks, and are demonstrating year-on-year improvement.
  • Quality of annual reports — regulators are looking at the substance of annual reports, not just whether they were submitted. Reports that are generic, lack specificity about the critical infrastructure asset, or do not address all four hazard vectors will attract scrutiny.
  • Board engagement — there is increasing focus on whether boards are genuinely engaged with CIRMP obligations or merely rubber-stamping reports. Regulators may request evidence of board discussions, risk committee papers, and governance records.
  • Incident reporting alignment — the Cyber Security Act 2024 introduced mandatory incident reporting obligations that intersect with CIRMP. Entities are expected to have integrated their incident reporting processes across both legislative frameworks.

Enforcement and Penalties

The SOCI Act provides civil penalty provisions for non-compliance with CIRMP obligations. These are not theoretical — CISC has indicated that enforcement action will be taken against entities that fail to meet their obligations.

Obligation                                   Consequence
-------------------------------------------  --------------------------------------------------------------------------------
Failure to have a CIRMP                      Civil penalty of up to 200 penalty units
Failure to comply with CIRMP requirements    Civil penalty of up to 50 penalty units per contravention
Failure to provide annual report             Civil penalty; potential for enhanced regulatory scrutiny
Failure to review and update CIRMP           Civil penalty; evidence of non-compliance in any subsequent incident investigation

Note: A penalty unit is currently $330 (as of 2025-26). 200 penalty units equates to $66,000. These are per-contravention penalties, meaning ongoing non-compliance can result in escalating enforcement. Beyond financial penalties, non-compliance creates reputational risk and may impact the entity's ability to hold government contracts.

Practical Steps for Entities That Are Behind

If your organisation has not yet fully met its CIRMP obligations, here is a prioritised action plan.

Tech Blaze Consulting

Canberra, ACT

About the Author

Tech Blaze Consulting is a Canberra-based cybersecurity consultancy specialising in IRAP assessments, Essential Eight maturity assessments, and security advisory for critical infrastructure entities. Founded by an endorsed IRAP assessor with over 20 years of GRC experience.

When you engage Tech Blaze, you work directly with the assessor — no account managers, no junior analysts, no handoffs.

This article is general guidance only and does not constitute legal advice. Entities should seek specific legal advice on their obligations under the SOCI Act and CIRMP Rules.

Need Help with Your CIRMP?

Whether you need a CIRMP gap assessment, Essential Eight maturity validation, or board-ready reporting, we can help you meet your obligations with confidence.

Get in Touch