Legislative information and reforms

​​​​​​​​​​​​​​​​​​​​​​​​Critical Infrastructure

​​​​​​​​​​​​​​​​​​​​Changes to curr​​ent regulation​

The regulation of critical infrastructure under the Security of Critical Infrastructure Act 2018 (the SOCI Act) places obligations on responsible entities for certain critical infrastructure assets in relevant critical infrastructure sectors.

The SOCI Act aims to strengthen the security and resilience of critical infrastructure by capturing sectors and asset classes essential to Australia. See the following fact sheets to learn more about your obligations.​

The SOCI Act contains definitions that outline each of the 11 critical infrastructure sectors. Definitions were developed in consultation with industry to ensure clear articulation of what constitutes a critical infrastructure asset within each sector.

Obligations may apply to responsible entities for critical infrastructure assets and entities who have a direct interest in the critical infrastructure asset. If you are not sure whether you are a responsible entity, or direct interest holder, refer to our Asset Class Definition Guidance Factsheet.

Although your business may be captured by the SOCI Act, not all obligations in the SOCI Act may be extended to your CI asset. Our General Guidance for Critical Infrastructure Assets Factsheet provides more information on the obligations relevant to each asset class.


Systems of National Significance

I often get the question what is a System of National Significance or a SONS?


The Security of Critical Infrastructure Act 2018 outlines the 11 critical infrastructure sectors and then the 22 different type of critical infrastructure assets that make up those sectors.


SONS are a very, very small subset of these critical infrastructure assets that the Minister for Home Affairs has determined are of particular national significance.


In other words SONS are the really critical infrastructure assets that have a level of interdependence and would have disproportionate impacts on our society, economy, stability or security if an incident were to successful disrupt their operations.


Declaration of SONS is a way of calling out those critical infrastructure assets that are at the core the functioning of how we live.


SONS are a focal point also for our engagement and big focus of effort for us.  This includes through the application of Enhanced Cyber Security Obligations which can be asked of SONS.


Our approach is to have in place for each SONS the incident response plans to ensure that we are able to respond to an incident that relates to the operation of the system or a critical infrastructure incident. 


Equally, there will be emergent vulnerabilities or helpful exercises that can usefully be undertaken to understand and identify vulnerabilities or test response mechanisms.


Finally, the provision of systems information to the Australian Cyber Security Centre may also help for provision of better advisories and advice to mitigate against cyber attacks.


We view SONS and the associated Enhanced Cyber Security Obligations as a legal framework for collaboration, a focal point for our engagement and an operational necessity given the global threat environment that we face.


SONS are so critical to our nation not only for operating the essential service that they provide but underpin the essential fabric of our society, our economy or our security.

If you’d like to know more about SONS, please reach out to enquiries@cisc.gov.au.

The following factsheets provide further information about these amendments to the SOCI Act:

We will continue to work in partnership with owners and operators of critical infrastructure assets to assist their uplift and ensure extensive consultation for any new requirements.