Enhanced Cyber Security Obligations

​​​​​​​​​​​Systems of National Significance (SoNS)

Some critical infrastructure assets will be declared a System of National Significance (SoNS). These assets are the most crucial to the nation, due to the cascading consequences that may occur if disrupted.

Entities responsible for SoNS may need to meet Enhanced Cyber Security Obligations (ECSO). These are in addition to the obligations listed above.

Which ECSO apply to a SoNS asset can depend on the circumstances for the sector and similar assets. We recognise that different sectors have different networks and systems, and could face different risks.

The Secretary of the Department of Home Affairs (the Secretary) must consider a number of factors when deciding which ECSO to apply to each responsible entity, including:

  • the likely cost to the affected entity of complying with the obligations
  • the reasonableness and proportionality of the decision
  • any other matter the Secretary considers relevant.

ECSOs can only be applied to SoNS, not critical infrastructure more broadly.


I often get the question what is a System of National Significance or a SONS?

The Security of Critical Infrastructure Act 2018 outlines the 11 critical infrastructure sectors and then the 22 different type of critical infrastructure assets that make up those sectors.

SONS are a very, very small subset of these critical infrastructure assets that the Minister for Home Affairs has determined are of particular national significance.

In other words SONS are the really critical infrastructure assets that have a level of interdependence and would have disproportionate impacts on our society, economy, stability or security if an incident were to successful disrupt their operations.

Declaration of SONS is a way of calling out those critical infrastructure assets that are at the core the functioning of how we live.

SONS are a focal point also for our engagement and big focus of effort for us.  This includes through the application of Enhanced Cyber Security Obligations which can be asked of SONS.

Our approach is to have in place for each SONS the incident response plans to ensure that we are able to respond to an incident that relates to the operation of the system or a critical infrastructure incident. 

Equally, there will be emergent vulnerabilities or helpful exercises that can usefully be undertaken to understand and identify vulnerabilities or test response mechanisms.

Finally, the provision of systems information to the Australian Cyber Security Centre may also help for provision of better advisories and advice to mitigate against cyber attacks.

We view SONS and the associated Enhanced Cyber Security Obligations as a legal framework for collaboration, a focal point for our engagement and an operational necessity given the global threat environment that we face.

SONS are so critical to our nation not only for operating the essential service that they provide but underpin the essential fabric of our society, our economy or our security.

If you’d like to know more about SONS, please reach out to enquiries@cisc.gov.au.

Enhanced Cyber Security Obligations (ECSO)

There are four ECSO which can be applied to SoNS.

For more detailed information about the ECSO, read the Enhanced Cyber Security Obligations Framework Factsheet.

For more information on critical infrastructure assets and your industry, go to Information for your Industry.

If you have any questions about your regulatory obligations, email enquiries@cisc.gov.au.​​