The legal obligations you have if you own, operate, or have direct interests in critical infrastructure assets are outlined in the Security of Critical Infrastructure Act 2018 (SOCI Act). The SOCI Act also outlines how the government can support you if an incident occurs that impacts your critical infrastructure asset.
In the data storage and processing sector, responsible entities for all critical infrastructure asset classes must comply with the obligation to notify data service providers: they must notify their third-party data storage or processing provider that the provider is storing or processing business critical data for a critical infrastructure asset.
All responsible entities and direct interest holders also need to comply with the following positive security obligations:
- Provide operational and ownership information to the Register of Critical Infrastructure Assets.
- Report cyber incidents.
- Adopt, maintain and comply with a written critical infrastructure risk management program.
If you own or operate a System of National Significance, you may be subject to Enhanced Cyber Security Obligations (ECSO).
The SOCI Act also includes Government Assistance measures, which outline how the government can help industry respond to cyber security incidents. They apply only to incidents that will cause serious harm to Australia's prosperity, national security, or defence.
Critical data storage or processing assets
A data storage or processing asset is critical if either of the following sets of conditions is met.

Condition set 1:
- it is owned or operated by an entity that is a data storage or processing provider, and
- it is used wholly or primarily to provide a data storage or processing service that is provided by the entity on a commercial basis to an end-user that is the Commonwealth, a State or Territory, or a legislated body corporate, and
- the entity knows that the asset is used as described above.

Condition set 2:
- it is owned or operated by an entity that is a data storage or processing provider, and
- it is used wholly or primarily to provide a data storage or processing service that:
  - is provided by the entity on a commercial basis to an end-user that is the responsible entity for a critical infrastructure asset, and
  - relates to business critical data, and
- the entity knows that the asset is used as described above.