Security of Critical Infrastructure Act 2018

The Security of Critical Infrastructure Act 2018 (SOCI 2018) establishes a national framework to identify, manage and reduce national security risks to Australia's critical infrastructure. It covers assets across 11 industries and provides for an asset register, risk-management programs, incident reporting and ministerial directions.^[1]

The Act received royal assent on 11 April 2018 and commenced on 11 July 2018.^[2] Parliament later expanded the framework in two tranches: the Security Legislation Amendment (Critical Infrastructure) Act 2021 and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022.^[3][4] The 2022 advisory report of the Parliamentary Joint Committee on Intelligence and Security examined the Bill and recommended refinements adopted by government.^[5]

The Act has been amended several times. In 2024 this was by the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (SOCI Amendment Act).^[6] Together with the Cyber Security Act 2024, and the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 this provides a comprehensive package of measures intended to protect Australian infrastructure with a strategy up to 2030.^[7] Amongst others, these amendments explicitly stated the inclusion of data storage, not merely operational infrastructure, as one of the protected resources.^[8]

The framework applies to assets designated under the Act and rules across multiple industries. Positive security obligations and enhanced cyber obligations can be applied to specified assets, including those declared systems of national significance.^[9][10]

The SOCI Act applies to the following 11 sectors:^[1]

• Communications
• Financial services and markets
• Data storage or processing
• Defence industry
• Higher education and research
• Energy
• Food and grocery
• Healthcare and medical
• Space technology
• Transport
• Water and sewerage

The Act's main aspects are:^[11]

Positive obligations

Organizations are required to take pro-active preventive measures beforehand.^[11]

Asset register

Assets deemed to fall under critical infrastructure are to be notified to the central register of such.^[12] Industry sectors affected are specified and their 'switch on' dates informed on a sector-by-sector basis.^[13]

Mandatory incident reporting

Any cyber incident that significantly impacts operation must be reported within 72 hours, 12 hours for critical events. This includes outages, attacks and threatened attacks, including ransomware.^[11][14][15]

Government assistance

The Act grants government the power to either assist in a crisis, to direct a particular course of action, or to intervene and take charge of it.^[9][11]

Risk management

Risks must be formally assessed regularly, and a risk management program must be put in place to ameliorate these. These assessments must be reported to the government's Cyber and Infrastructure Security Centre (CISC).^[11][16][17]

Failure to comply is backed up by the potential for significant penalties, including fines or enforcement actions.^[11]

The Cyber and Infrastructure Security Centre within the Department of Home Affairs administers the regime, including compliance, incident reporting and engagement with industry. Sectoral coordination occurs with other regulators where relevant; for example, a memorandum of understanding sets out cooperation with the Reserve Bank of Australia for payments systems.^[12][18] Independent scrutiny has included a performance audit by the Australian National Audit Office on administration and regulation of critical infrastructure protection policy.^[19]