More critical infrastructure reforms are on the horizon
In this Insight, we explain the implications of three recent major developments regarding the scope and operation of the Security of Critical Infrastructure Act 2018 (Cth) (the SoCI Act):
- the Final Report on the Independent Review of the SoCI Act by Dr Jill Slay AM (the Independent Review);
- a Consultation Paper on proposed reforms to the ministerial directions powers under Part 3 (the Ministerial Powers Consultation Paper); and
- an Exposure Draft of the proposed enhanced Critical Infrastructure Risk Management Program requirements for 'high-risk' asset classes[1] (the CIRMP Rules Exposure Draft).
If the reforms contemplated in these papers, released in late March 2026, become law, they will collectively represent the framework's most substantial reshaping since the regime was expanded during 2021 to 2023. Importantly, they would require regulated entities to reassess their governance structures, risk management programs and compliance posture.
The proposals emphasise that while the current regime is driving compliance outcomes, it is not sufficient for the evolving threat environment.
Key takeaways
- Legislative overhaul—The SoCI Act is likely to be significantly overhauled in the short to medium term, including to: expand its coverage (to AI services, hyperscalers, content delivery networks, space assets, and drone detection and response); increase its agility; reduce complexity; and adopt a more holistic approach to national security and critical infrastructure resilience (eg by recognising social cohesion as a critical component of national security, and addressing physical security issues and risks that emerging technologies such as AI, quantum, drones and space-based dependencies pose).
- Financial services as a model—There is strong support for modelling the SoCI regime on Australian Prudential Regulation Authority (APRA)/Australian Securities and Investments Commission (ASIC)-style frameworks applicable to the financial services sector. These are outcomes based, principle driven, actively enforced, and supported by relevant, up-to-date and practical guidance.
- Greater powers and enforcement—We expect the Federal Government will shift its posture from encouraging compliance to visible enforcement, using expanded powers and penalty mechanisms to enhance deterrence and force sector-wide uplifts.
- Governance and accountability—The perceived emotional disconnect between the private sector's current approach to the defence and protection of critical infrastructure and the national security imperative (given the role critical infrastructure plays in socio-economic stability) is likely to drive renewed focus on governance and accountability for boards and executives. We expect to see the introduction of requirements for qualified experts with independent certifications to provide external assurance on risk management programs, in lieu of self-attestations. Requirements for external assurance on risk management programs would also align more closely with the approach taken in the financial services sector.
- Continued government focus on foreign ownership, control and influence (FOCI)—FOCI risks remain significant (and are growing). However, there is also recognition that regulation intended to manage them should be sensitive to: circumstances where there is no appropriate domestic alternative; and the cumulative burden of multiple layers of legislative requirements that must be met before operating in the Australian market, which can make foreign investment particularly challenging.
- Make a submission—Regulated entities should use the consultation period to assess these proposed reforms' potential impact on their operations, and consider making submissions on the Ministerial Powers Consultation Paper and the CIRMP Rules Exposure Draft. The deadline is 1 May 2026.
Background
The SoCI Act was enacted in response to growing recognition of the vulnerability of critical infrastructure to hostile actors, natural hazards and supply chain disruptions. Australia was among the first nations to establish a comprehensive cross-sector critical infrastructure security regime.
The SoCI Act recognises that the systems underpinning our economy's proper operation—power grids, water networks, financial systems, ports, hospitals, telecommunications—are not merely commercial assets. They are fundamental to national sustainability and social stability, and their disruption has consequences that dwarf any single corporate balance sheet.
Although the SoCI Act 'has successfully established Australia as a global leader in critical infrastructure security governance',[2] geopolitical tensions, the emergence of AI and quantum technologies, increasing supply chain interdependencies, regulatory fragmentation and the global cyber skills gap all underscore the need for resilience efforts to be agile and move faster.
The Independent Review into the SoCI Act—findings and recommendations
The Independent Review was conducted between November 2025 and January 2026, in accordance with the statutory review requirement in section 60G of the SoCI Act. It was designed to examine whether the SoCI Act is meeting its objectives and functioning as intended.
In undertaking the Independent Review, Dr Jill Slay AM (the appointed independent reviewer) added a further objective: assessing the SoCI Act's ability to deal with emergent threats, given the speed of development of new technology and the number of times the Act has already been modified.
The Independent Review made the following findings:
- SoCI has laid a strong foundation, but it's not enough. The existing regime has raised executive and board awareness, established foundational governance and accountability, improved asset visibility and incident reporting, and created a common cross-sector risk language—but it is not adequate to address modern threats, complex corporate structures and emerging technologies.
- The regime should be comprehensively restructured, and transition from a compliance-driven to an outcome-driven model, with genuine security as its goal. The Independent Review found that the regime's 'complexity, regulatory overlap, weak enforcement posture, and gaps in addressing emerging threats necessitate comprehensive legislative restructure rather than further incremental amendment',[3] recommending a simplified architecture comprising minimal principles-based legislation, dynamic rules and contextual guidance for each asset class.
- Many of those involved in SoCI compliance lack the emotional connection to defending and protecting Australia and its citizens that characterises those with defence and intelligence backgrounds. The Independent Review attributes this to a disconnect between the regime's underlying national security purpose and its compliance focus, and to a widespread perception that the SoCI Act is 'toothless'.[4]
- The regime should expressly recognise social cohesion as a 'centre of gravity' that, if disrupted, significantly weakens national resilience. The fact Australia's regime does not explicitly recognise social cohesion as being 'equally critical to national security' as technical and physical resilience is an important gap. Australia should look to the UK's more holistic approach as a guide.
- The SoCI Act is not equipped to handle emerging threats. Although it has been modified multiple times, it is too slow to keep pace with rapidly evolving threats, and is overly focused on cyber security while neglecting physical and personnel security. In particular:
  - the SoCI Act does not explicitly address AI and quantum risks (AI-enabled attacks, offshore AI dependencies, data poisoning, agentic AI risks, and the vulnerability of current cryptography to quantum computing), or physical threat vectors (unauthorised drones, and systemic reliance on space-based services such as global positioning systems/position, navigation and timing, and satellite communications);
  - written submissions 'overwhelmingly support' expanding coverage to include AI services, content delivery networks, hyperscale cloud providers, space assets, and drone detection and response capabilities; and
  - compared with cyber threats, physical security, personnel security and supply chain resilience are not adequately addressed, despite their importance to infrastructure protection.
- The regime will require continuous refinement 'as the threat environment continues to evolve, as infrastructure systems become more interconnected and complex, and as new sectors and technologies emerge as nationally significant'.
> 'The success of the SoCI Act framework … depends on several key factors including regulatory coherence across government agencies, practical guidance to ensure that industry responses to identified risk are strategic rather than merely reactive, and flexibility to accommodate rapid technological change and emerging threats without the constant need to amend the legislation in such an environment.'
The Independent Review's formal recommendations are more targeted and near-term in nature than its broader findings:
| Recommendation | Description |
|---|---|
| 1. Remove regulatory duplication | Remove federal regulatory duplication, to harmonise obligations and reduce the administrative burden. |
| 2. Meaningful enforcement | Move from a light-touch compliance focus on administration and documentation to penalty-based mechanisms and real enforcement. |
| 3. Provide more practical regulatory guidance | Develop ASIC-style regulatory guides with worked examples, templates and plain language materials. |
| 4. Consider emerging technology coordination | Coordinate across the trusted information sharing network (TISN) community and relevant agencies[5] to address AI, quantum, physical attack vectors and operational technology security. |
| 5. Enhance TISN capabilities | Enhance TISN education and information-sharing capabilities, to build sector-wide resilience knowledge. |
| 6. Accept CIRMP Rule amendments, and simplify and restructure the regime | Accept the proposed CIRMP Rule amendments, and simplify the SoCI regime into a principles-based legislative one supported by flexible rules and detailed operational handbooks. As part of this recommendation, Dr Slay AM advocated further examination of the following matters (among others): |
The Ministerial Powers Consultation Paper
Following the delivery of the Independent Review, and in particular in light of Dr Slay AM's finding that 'the [SoCI] framework will require continuous refinement', the Department of Home Affairs (the Department) began exploring more comprehensive legislative reform. Drawing on feedback received both through the Independent Review and, more broadly, in response to the 2023–30 Australian Cyber Security Strategy, the Department released the Ministerial Powers Consultation Paper, seeking input on a proposed package of five measures to enhance the ministerial powers currently in Part 3 of the SoCI Act.
It proposes more flexible and precise intervention options for government, with clear safeguards and accountability. If enacted, these will have a significant practical impact on regulated entities across the board.
The Ministerial Powers Consultation Paper posits that in a world where the threat environment is now more dynamic, diverse and degraded, existing government powers are no longer sufficient. The Federal Government needs tools to anticipate, prevent and neutralise threats before they crystallise.
Measure 1: Recalibrating the section 32 directions power
Proposed measure
The proposal would replace the Adverse Security Assessment (ASA) requirement with an obligation to obtain and have regard to Australian Security Intelligence Organisation (ASIO) advice; introduce a limited carve-out of certain decisions from the administrative action framework; and recalibrate the 'regulatory exhaustion' requirement.
Explanation and commentary
Section 32 of the SoCI Act empowers the Minister to give directions to entities responsible for critical infrastructure assets where their acts or omissions pose a risk of prejudice to security.
The power is currently difficult to invoke in time-sensitive scenarios because of two preconditions: the need for an ASIO ASA; and the need for the Minister to be satisfied that no other federal, state or territory regulatory system could adequately address the risk.
These thresholds, designed as safeguards, have in practice rendered the power unusable at the moments it may have been most needed.
Measure 2: A new power to impose operating conditions
Proposed measure
The power would allow tailored, ongoing governance controls to be imposed on regulated entities in the form of operating conditions.
Potential conditions—analogous to those the Treasurer imposes under the Foreign Acquisitions and Takeovers Act 1975 (Cth) (FATA) as Foreign Investment Review Board conditions—include role-based access limits, security vetting requirements, information-handling restrictions, board voting exclusions, requirements for Australian security-cleared directors, independent security risk committees, cyber baseline controls, incident-response exercising, prohibitions on offshore access to critical systems, and periodic independent audit and reporting.
Explanation and commentary
The proposed power is positioned as a graduated escalation step on top of the proposed enhanced CIRMP obligations (discussed further below).
It is intended to complement the foreign investment conditions framework by filling a gap: FATA conditions attach at the point of approval, and are not designed to address risks that emerge post-acquisition, such as changes in foreign laws or evolving threat profiles.
This is the most consequential of the five proposed measures. It acknowledges that a critical infrastructure asset's risk profile can change dramatically after acquisition—driven by more than just ownership changes—and that the current toolkit is not agile enough to respond in a targeted and proportionate way.
Measure 3: Directions to manage supply chain, vendor and technology risk
Proposed measure
Proposed examples include directing regulated entities to cease using specified products or services by a particular date, to segment or remediate affected systems, to observe procurement bans, or to apply compensating controls such as supplier assurance and access controls.
Explanation and commentary
Recognising global supply chain dependence, this proposal would allow directions to be made to manage systemic vendor and technology risks that an individual entity cannot efficiently handle on its own.
The operation of Australia's critical infrastructure depends on globally sourced vendors, products and services. The concentration of certain technology supply chains, particularly operational technology systems, in a small number of jurisdictions creates systemic risks that individual entities cannot address alone.
Measure 4: Deferral of disclosure following a cyber incident
Proposed measure
Proposed safeguards include time limits, partial delays, notifications, consultation requirements and revocation provisions.
Explanation and commentary
The paper presents two options for effecting this change: using ASIC's existing exemption power under s111AT of the Corporations Act 2001 (Cth) with specific guidance; or creating a new SoCI-specific directions power to prohibit disclosure for a defined period in certain circumstances.
It will be difficult to get this power right, given the tension between timely disclosure to the market (which protects shareholders and limits value erosion in the wake of a cyber incident) and the national security interests the power is intended to protect.
Measure 5: Increased penalties
Proposed measure
The penalty would increase from 250 to 2,000 penalty units.
Explanation and commentary
This would strengthen deterrence.
It also responds directly to the Independent Review's finding that the perception of a 'toothless' regime contributes to its narrow compliance focus and to the lack of engagement across it.
The CIRMP Rules Exposure Draft
The CIRMP Rules Exposure Draft (the Exposure Draft) is where the other two papers' policy intent meets operational reality.
The Exposure Draft follows consultation conducted from December 2025 to February 2026 on the adequacy of the existing CIRMP requirements for high-risk asset classes. These proposed reforms are further advanced than the recommendations in the Independent Review and the measures in the Ministerial Powers Consultation Paper.
Submissions were broadly supportive in principle but raised concerns about implementation difficulties, cost and timeframes. The Department used that feedback to prepare the current Exposure Draft, extending grace periods for key obligations, to acknowledge the practical realities of compliance uplift.
Summary of enhanced CIRMP Rules proposals
Proposed enhanced requirements: material risks
Entities must consider in their CIRMP:
- impairment of their asset's functions that could prejudice Australia's social or economic stability, national security or defence; and
- the potential risk of compromise of, or impairment to, their asset connected with FOCI.
Proposed enhanced requirements: cyber and information security hazards
Entities must maintain processes to address the risks associated with unsupported, unpatched or superseded software and hardware; legacy and obsolete systems; the deployment of advanced or emerging technologies, and the use of those technologies against the asset; and offshore remote access to operational technology control systems and business-critical data.
Entities must also have processes or systems to:
- implement phishing-resistant multi-factor authentication (MFA) controls for authentication, and log and monitor MFA attempts; and
- identify critical systems, segregate them from other networks, and recover and restore those systems during cyber incidents or other compromise events.
Entities must also comply with an approved cyber maturity framework (eg the ASD Essential Eight) at maturity level two, uplifted from the current CIRMP requirement of maturity level one.
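Of the controls above, the logging and monitoring of MFA attempts is the one most often documented and least often exercised. The following Python script is an added example, not code from the Exposure Draft, the Department or this Insight. It runs over a few constructed authentication log lines (JSON, one event per line; the field names `ts`, `user`, `method`, `result` and `src`, and the set of methods treated as phishing-resistant, are assumptions for the example rather than any particular identity provider's schema) and reports two things an assessor would ask about: successful logins that did not use a phishing-resistant method, and users who rejected or ignored several push prompts in a short window and then approved one, which is the signature of an MFA-fatigue attack.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Methods treated as phishing-resistant for this example. Assumption: the
# identity provider labels methods this way; map your IdP's names onto it.
PHISHING_RESISTANT = {"fido2", "webauthn", "piv", "smartcard"}

# Constructed sample log, one JSON event per line. Not real data.
SAMPLE_LOG = """
{"ts": "2026-03-30T08:00:00Z", "user": "ops.alice", "method": "fido2", "result": "success", "src": "10.0.5.12"}
{"ts": "2026-03-30T08:01:10Z", "user": "ops.bob",   "method": "sms",   "result": "success", "src": "10.0.5.40"}
{"ts": "2026-03-30T08:02:00Z", "user": "ops.carol", "method": "push",  "result": "denied",  "src": "203.0.113.9"}
{"ts": "2026-03-30T08:02:30Z", "user": "ops.carol", "method": "push",  "result": "denied",  "src": "203.0.113.9"}
{"ts": "2026-03-30T08:03:05Z", "user": "ops.carol", "method": "push",  "result": "timeout", "src": "203.0.113.9"}
{"ts": "2026-03-30T08:03:40Z", "user": "ops.carol", "method": "push",  "result": "success", "src": "203.0.113.9"}
{"ts": "2026-03-30T09:30:00Z", "user": "ops.dave",  "method": "push",  "result": "denied",  "src": "10.0.5.77"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def non_resistant_logins(events):
    """Successful authentications that relied on a method that is not phishing-resistant."""
    return [
        (e["user"], e["method"])
        for e in events
        if e["result"] == "success" and e["method"] not in PHISHING_RESISTANT
    ]


def push_fatigue(events, threshold=3, window=timedelta(minutes=5)):
    """Flag users with `threshold` or more rejected/ignored push prompts inside `window`.

    `approved_after` records whether a push prompt was accepted after the burst,
    which is the point at which an MFA-fatigue attack has succeeded and the
    account and session need immediate review.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["method"] == "push":
            by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        rejected = [e for e in evs if e["result"] in ("denied", "timeout")]
        for i in range(len(rejected) - threshold + 1):
            first = rejected[i]
            burst = [e for e in rejected[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                last_ts = burst[-1]["ts"]
                approved_after = any(
                    e["result"] == "success" and e["ts"] > last_ts for e in evs
                )
                findings.append({
                    "user": user,
                    "rejected_prompts": len(burst),
                    "sources": sorted({e["src"] for e in burst}),
                    "approved_after": approved_after,
                })
                break  # one finding per user is enough for triage
    return findings


def analyse(text):
    """Run both checks over a log and return the findings in one structure."""
    events = parse_events(text)
    return {
        "non_resistant_logins": non_resistant_logins(events),
        "push_fatigue": push_fatigue(events),
    }


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

On the sample data the script reports `ops.bob` (SMS) and `ops.carol` (push) as successful logins without a phishing-resistant factor, and flags `ops.carol` for three rejected push prompts in just over a minute followed by an approval. In production the input would be the identity provider's audit stream rather than a string, the threshold and window would be tuned to the population's normal prompt volume, and an `approved_after` finding should revoke the session and open an incident rather than just print a line; the value of the exercise for a CIRMP is that it turns 'we log MFA attempts' into a repeatable check with a defined response.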
Proposed enhanced requirements: personnel hazards
Entities must manage access to critical systems, map onshore and offshore critical workers, assess suitability for access by certain workers, proactively monitor for developments affecting ongoing suitability, and conduct AusCheck background checks for certain workers.
Proposed enhanced requirements: supply chain hazards
Entities must map their supply chain for major suppliers and critical systems; identify vulnerabilities and maximum tolerable outage thresholds; and, for all existing and proposed major suppliers, assess FOCI-related risks, sanctions exposure, and supplier access and influence, and then develop systems and processes to mitigate or eliminate those risks.
Proposed enhanced requirements: physical security and natural hazards
Entities must maintain a process to minimise or eliminate additional specified risks from physical and natural hazards, including by documenting asset locations, physical critical components, access controls, surveillance systems and out-of-hours protective measures.
Next steps
Regulated entities should monitor these developments closely. Implementation challenges, including the need for clearer accountability mechanisms, removal of regulatory duplication, and more visible enforcement, remain live issues that may shape the final form of any legislative amendments. A regime that buries regulated entities in overly complex and burdensome compliance obligations produces box-ticking, not resilience.
The consultation period for the Ministerial Powers Consultation Paper and the CIRMP Rules Exposure Draft closes on 1 May 2026. The Department will hold public town halls and engage with impacted entities via the TISN throughout the consultation period. Affected entities should consider engaging promptly, given the limited time remaining.
For assistance with submissions, navigating these reforms or understanding their practical implications (including for organisations potentially caught by an expanded regime), please see further information about Allens' capabilities.
Footnotes
1. Energy market operator assets, electricity assets, gas assets, liquid fuel assets, broadcasting assets, domain name systems, water assets, freight services assets and freight infrastructure assets.
2. Independent Review, p. 10.
3. 'The complexity arises from the layered obligations, sector-specific requirements, and the interaction between registration, reporting, risk management, and enhanced security obligations for different types of assets.'
4. Independent Review, p. 47.
5. Agencies include Home Affairs; the Australian Signals Directorate; ASIO; the National Cyber Security Coordinator; the Department of Industry, Science and Resources, particularly the Australian Space Agency; and the Department of Foreign Affairs and Trade Cyber Ambassador.