Loading

    SOCI Act 2018 (SOCI) for communications

    ​​​The legal obligations that apply to owners, operators, and direct interest holders of critical infrastructure assets are outlined in the Security of Critical Infrastructure Act 2018 (SOCI Act). The SOCI Act also outlines how the government can support you if an incident occurs that impacts your critical infrastructure asset. 

    In the communications sector, different regulatory obligations apply to owners and operators of different asset classes.

    Responsible entities for all asset classes must comply with the obligation to notify data service providers. They must notify their third-party data storage or processing provider that the provider is storing or processing business critical data for a critical infrastructure asset.

    Only responsible entities and direct interest holders of broadcasting assets and domain name systems currently need to comply with the following positive security obligations:

    • Provide operational and ownership information to the Register of Critical Infrastructure Assets.
    • Report cyber incidents.
    • Adopt, maintain and comply with a written critical infrastructure risk management program.

    If you own or operate a System of National Significance, you may be subject to Enhanced Cyber Security Obligations (ECSO).

    If you own, operate, or have a direct interest in a telecommunications asset, you have obligations under Part 14 of the Telecommunications Act 1997. These are known as the Telecommunications Sector Security Reforms (TSSR). For more information, go to Telecommunications.

    The SOCI Act also includes Government Assistance measures. These measures outline how the Government can help industry respond to cyber security incidents. These measures only apply to incidents that will cause serious harm to Australia’s prosperity, national security, or defence.

    The communications sector includes stakeholders who:

    • supply or are used in connection with the supply of a carriage service
    • provide a broadcasting service
    • own or operate assets that are used in connection with the supply of a carriage service
    • own or operate assets that are used in connection with the transmission of a broadcasting service
    • administer an Australian domain name system.

    Communications critical infrastructure assets

    There are three types of critical communications sector assets:

    • critical telecommunications asset
    • critical broadcasting asset
    • critical domain name system.
    ​​