SOCI Act 2018 for water and sewerage

The legal obligations you have if you own, operate, or have direct interests in critical infrastructure assets are outlined in the Security of Critical Infrastructure Act 2018 (SOCI Act). The SOCI Act also outlines how the government can support you if an incident occurs that impacts your critical infrastructure asset.

In the water and sewerage sector, responsible entities for all asset classes must comply with the obligation to notify data service providers. They must notify their third-party data storage or processing provider that the provider is storing or processing business critical data for a critical infrastructure asset.

You must also comply with the following positive security obligations:

  • Provide operational and ownership information to the Register of Critical Infrastructure Assets.
  • Report cyber incidents.
  • Adopt, maintain and comply with a written critical infrastructure risk management program.

If you own or operate a System of National Significance, you may also need to comply with the Enhanced Cyber Security Obligations.

The SOCI Act also includes Government Assistance measures. These measures outline how the government can help industry respond to cyber security incidents. These measures only apply to incidents that will cause serious harm to Australia’s prosperity, national security, or defence.

The water and sewerage sector includes stakeholders who:

  • operate water or sewerage systems or networks
  • manufacture or supply goods that are used to operate water or sewerage systems or networks
  • provide services that are used to operate water or sewerage systems or networks.

Water and sewerage critical infrastructure assets

A critical water asset is a water or sewerage system or network that:

  • is managed by a single water utility
  • ultimately delivers services to at least 100,000 water connections or 100,000 sewerage connections.

Owners and operators of critical water assets (identified by Government) must meet certain legislative obligations if they:

  • hold the licence, approval or authorisation (however described), under a law of the Commonwealth, a State or a Territory, to provide the service to be delivered by the asset, or
  • are another entity that is prescribed by the rules in relation to the asset.