Overview
The Security of Critical Infrastructure Act 2018 (the SOCI Act) outlines the legal obligations you have if you own, operate, or have direct interests in critical infrastructure assets. The SOCI Act also outlines how the government can support you if an incident occurs that impacts your critical infrastructure asset.
The SOCI Act applies to the following 11 sectors:
- Communications
- Financial services and markets
- Data storage or processing
- Defence industry
- Higher education and research
- Energy
- Food and grocery
- Healthcare and medical
- Space technology
- Transport
- Water and sewerage
Defining critical infrastructure
The 2023 Critical Infrastructure Resilience Strategy defines critical infrastructure as:
those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.
The Security of Critical Infrastructure Act 2018 defines each class of critical infrastructure asset. A single critical infrastructure asset may include multiple parts which function together as a system or network. This includes premises, computers, and data.
If multiple components operate as a single system or network that meets the definition of a critical infrastructure asset, they are considered a single asset.
If components operate as separate systems or networks that each meet the definition of a critical infrastructure asset, they are considered separate assets.
Critical infrastructure is interconnected
Many hazards have the potential to significantly compromise the supply of essential services across Australia if they affect these critical assets.
Failure or disruption in one area of critical infrastructure can have flow on effects in others. This can affect our security, economy and sovereignty.
For example, prolonged and widespread failure in the energy sector could result in:
- shortages or destruction of essential medical supplies
- instability in the supply of food and groceries
- impacts to water supply and sanitation
- impacts to telecommunications networks, leaving Australians unable to communicate easily with family and loved ones
- disruptions to transport, traffic management systems and fuel
- reduced services or shutdown of the banking, finance and retail sectors
- an inability of businesses and governments to function.
Your obligations
The obligations and regulations in the SOCI Act likely apply to you if:
- your industry sector is listed above, and
- your organisation owns, operates, or has a direct interest in a critical infrastructure asset.
If your industry is not listed above, the SOCI Act likely does not apply to you.
The SOCI Act includes the obligation to notify data service providers, which applies to all critical infrastructure assets.
There are three positive security obligations, which apply to a critical infrastructure asset depending on its asset class.
- Provide operational and ownership information to the Register of Critical Infrastructure Assets.
- Report cyber incidents which impact the delivery of essential services to the Australian Cyber Security Centre.
- Adopt, maintain and comply with a written risk management program.
You can read more about the three positive security obligations at Regulatory obligations.
For assets deemed as Systems of National Significance (SoNS), there are also four Enhanced Cyber Security Obligations (ECSO).
- Develop cyber security incident response plans to prepare for a cyber security incident.
- Undertake cyber security exercises to build cyber preparedness.
- Undertake vulnerability assessments to identify vulnerabilities for remediation.
- Provide system information to develop and maintain a near real-time threat picture.
You can read more about these additional obligations at Enhanced Cyber Security Obligations.
Government assistance
The SOCI Act also includes government assistance measures. These measures outline how the government can help industry respond to cyber security incidents. They apply only to incidents that will cause serious harm to Australia’s prosperity, national security, or defence.
You can find more information about how the SOCI Act applies to your industry at Information for your Industry.
Protected information
The SOCI Act protects information about critical infrastructure assets. This means that it is an offence to disclose information about these assets, even if you are a responsible entity, unless your disclosure complies with the SOCI Act. For information about who is allowed to disclose protected information and when they can do so, go to protected information.
Note: protected information under the SOCI Act is different from the PROTECTED security classification under the Australian Government’s Protective Security Policy Framework.
Compliance regulatory posture
Our compliance focus for 2023–24 is on education and awareness raising. This focus does not extend to any egregious non-compliance we detect. During the third and fourth quarters of 2023–24, we will undertake a limited series of trial audits. These audits will test industry compliance with SOCI Act obligations and will inform and guide the commencement of compliance audit activities in 2024–25.
In 2024–25, our SOCI Compliance Regulatory Posture will aim to balance education and awareness raising activities with compliance activities, to drive an uplift in regulated entity compliance.
You can read more about our regulation of the SOCI Act at Our regulatory principles and approach.