The Security of Critical Infrastructure Act 2018 (SOCI Act), substantially amended by the Security Legislation Amendment (Critical Infrastructure) Acts of 2021 and 2022, establishes a regulatory framework for the protection of critical infrastructure assets across eleven sectors.
Which Sectors Are Covered
The eleven sectors are: communications, data storage and processing, defence industry, education and research, energy, financial services and markets, food and grocery, health care and medical, space technology, transport, and water and sewerage. The reach within each sector is defined by asset thresholds and ownership criteria.
Core Obligations Under the Act
Register of Critical Infrastructure Assets
Responsible entities must register their assets with the Department of Home Affairs. Registration provides the government with visibility of ownership and operational details.
Risk Management Programs
Regulated entities must adopt and maintain a risk management program that identifies hazards, assesses risks, and implements mitigation strategies. The program must address physical security, personnel security, cyber security, and supply chain security.
Incident Reporting
Cyber security incidents affecting critical infrastructure assets must be reported to the Australian Signals Directorate within defined timeframes — some as short as 12 hours for the most significant incidents.
Government Assistance Powers
The Act includes powers for the government to direct entities to take action in response to significant cyber incidents, and in extreme cases to authorise government intervention in the management of a critical infrastructure asset.
Does the SOCI Act affect supply chain vendors?
The risk management program requirements explicitly include supply chain security — meaning regulated entities must assess the security posture of their significant suppliers. This has flow-on effects for technology vendors, IT service providers, and managed service providers serving regulated industries.