INSIGHT

SoCI Act 2.0: Sweeping reforms proposed to Australia's critical infrastructure framework

By Valeska Bloch, David Rountree, William Coote, Elizabeth Brown, Matthew Joffe
AI Cyber Data & Privacy Technology, Media & Telecommunications

Regulated entities should engage with the consultation now 19 min read

Having accepted in principle all six recommendations made by an independent review of the Security of Critical Infrastructure Act 2018 (Cth) (the SoCI Act), the Federal Government is seeking feedback through a Consultation Paper, which sets out 21 proposed measures for streamlining and modernising the SoCI Act. Submissions close on 31 July 2026, and, if enacted, the reforms would constitute the most significant shake-up of the SoCI Act since its inception. In this Insight, we look at the potential wide-ranging impacts of the proposed reforms and explain what impacted entities should be doing to prepare.

Key takeaways 

  • Key impacts on organisations:
    • Expanding the regulatory perimeter (Measures 17–19): Three of the measures, if implemented, would extend the SoCI Act's reach beyond the 'responsible entity' for a regulated asset.
      • A new 'relevant operator' concept would directly regulate entities exercising material practical control over a critical infrastructure asset or critical function (ie managed service providers (MSPs) or operations and maintenance (O&M) contractors) (Measure 17).
      • A statutory cooperation duty would be imposed on connected corporate group entities on which a responsible entity has a material Critical Infrastructure Risk Management Program (CIRMP) dependency (Measure 18).
      • Responsible entities would also be required to assess and manage cyber risks from major suppliers through contractual or equivalent measures, with recognised certification or accreditation available as evidence of supplier due diligence (Measure 19).
    • Reducing duplication and simplifying compliance (Measures 1–4 and 6):
      • A consolidated exemptions framework would provide targeted, obligation-specific relief where another federal, state or Territory law or recognised framework delivers substantially equivalent outcomes (Measure 1).
      • Registration and annual reporting obligations would be restructured so that detailed requirements are prescribed in the subordinate rules, rather than fixed in primary legislation, making the framework more adaptable (Measures 2 and 3).
      • Notices regarding telecommunications assets (ie under section 30ED) would be clarified as point-in-time assessments, reducing uncertainty about when further notification is required as telecommunications projects evolve (Measure 4).
      • The Systems of National Significance (SoNS) framework would be simplified, replacing incident response planning with a broader resilience planning obligation, and making vulnerability assessments discretionary and all-hazards focused (Measure 6).
    • Modernising the cyber security incident definition (Measure 5): The definition of 'cyber security incident' would be amended to operate where automation, software agents or AI-enabled tools affect the mechanism, attribution or operation of a cyber incident—including where an authorised automated system is compromised, manipulated or materially uncontrolled in a way that causes cyber-related harm. Ordinary software defects, configuration issues, routine outages and general technology failures would not be captured merely because automation or AI is involved. The expanded definition will broaden the Part 2B notification obligations, and will also affect other provisions that use the defined term, including the Minister's step-in powers and the enhanced cyber security obligations for SoNS.
    • Closing sector gaps and refining asset coverage (Measures 7–14): The Consultation Paper proposes the expansion and refinement of numerous asset classes across subsea telecommunications cables, data storage or processing, space technology, health care and medical, distributed energy resources, offshore electricity, critical freight, and higher education and research. Operators of assets in the affected categories will need to reassess whether they or their assets are captured by the SoCI Act. In most cases, operative thresholds, exclusions and detailed boundaries will be prescribed in the Definitions Rules following further consultation.
    • Increased enforcement penalties (Measure 16): There will be an increase in the maximum penalty for preventive and assurance duties.
  • While the Consultation Paper represents a well-considered policy direction, significant work remains before regulated entities can assess their position with confidence. The Consultation Paper expressly defers many of the most consequential design questions to subsequent consultation on the Definitions Rules and other subordinate instruments.

    This includes: the operative thresholds and technical boundaries for each of the four proposed space technology asset classes; the capacity metrics and aggregation rules that will determine which electricity storage systems, virtual power plants and distributed energy resources portfolios are captured; the scale thresholds for critical pathology systems and blood supply functions; the facility-based rated IT load threshold for data centre capture (currently proposed at 1 MW, but explicitly flagged as a starting point subject to further evidence); the sensitive research fields and national security nexus pathways that will define the scope of the proposed critical research asset class; and the role categories and checking requirements that will give practical content to the reformed critical worker definition.

    Until those Rules-level thresholds are settled, many entities will be unable to determine with certainty whether they fall within the reformed framework, which obligations will apply to them, or what the practical compliance burden will be.
  • Make a submission—Regulated entities and those newly in scope should engage with the consultation now, as submissions on the Act-level architecture will directly shape the parameters within which subordinate instruments are subsequently developed. Submissions are due at midnight (AEST) on 31 July 2026.

Background

The Independent Review into the SoCI Act (the Independent Review) recommended that the SoCI Act be comprehensively restructured to remove regulatory duplication, enable meaningful enforcement, clarify its scope and requirements, and better address modern threats, complex corporate structures and emerging technologies.

Please see our more detailed analysis of the Independent Review's findings and recommendations in Why Australia's critical infrastructure regime is about to change.

About the Consultation Paper

Having accepted in principle all six recommendations made by an independent review of the SoCI Act, the Government is now seeking feedback through a Consultation Paper outlining 21 measures that aim to:

  • reduce duplication;
  • simplify administration, reporting and notification;
  • simplify enhanced-obligation architecture;
  • clarify uncertain asset boundaries;
  • modernise and refine sector and asset coverage; and
  • enhance governance, assurance and accountability.

It also includes a preliminary impact analysis for each measure.

Appendix A of the Consultation Paper maps the recommendations of the Independent Review as to the Government's proposed SoCI Act reforms.

How will the reforms be rolled out?

The Government proposes to implement reforms to the SoCI framework in two stages:

  1. Tranche 1, which addresses immediate risk, prevention and intervention settings. These reforms are already in train via:
    1. amendments to enhance the CIRMP Rules, including changes to specified all-hazards, cyber, supply chain, physical and personnel-security settings for specified high-risk asset classes, which took effect from 10 June 2026, and then variously commence following the relevant 12–24-month grace periods depending on the relevant measure; and
    2. the consultation on proposed amendments to the Ministerial directions framework in Part 3 of the SoCI Act (the Ministerial Directions Consultation), including amendments to the existing general direction power in section 32, and new powers relating to governance-related conditions, high-risk vendors, delaying continuous disclosure obligations, and civil penalties for non-compliance with directions.
    You can read more about the updates to the CIRMP Rules and the Ministerial Directions Consultation in Why Australia's critical infrastructure regime is about to change.
  2. Tranche 2 (the subject of this latest consultation and this Insight), which aims to improve the underlying architecture of the SoCI Act so it is clearer, more targeted, easier to operate, and better able to support assurance of practical security and resilience outcomes. Further consultation is expected on amendments to subordinate legislation.

Proposed reforms 

Although regulated and soon-to-be regulated organisations should read the Consultation Paper in full, we recommend engaging particularly with the following proposed measures:

A new exemptions framework

Measure 1 would introduce a single, consolidated exemptions framework that would provide relief from compliance where another law or recognised enforceable framework delivers substantially equivalent or stronger outcomes for the same asset, entity, function or risk.

Impact

The practical value of this measure will depend on which frameworks are recognised and how quickly equivalence assessments are progressed. Entities already subject to overlapping regulatory regimes—particularly Australian Prudential Regulation Authority (APRA)-regulated entities, energy market participants and telecommunications carriers—stand to benefit most.

However, relief will not be automatic. Entities seeking an exemption will need to demonstrate that their existing obligations deliver outcomes at least as strong as the corresponding SoCI requirement.

Class exemptions initiated by the Commonwealth may require less entity-level effort, but affected entities will still need to confirm applicability and update their compliance processes.

Expanded definition of cyber security incident to address automation, agents and AI

Measure 5 would amend the definition of 'cyber security incident' to:

  1. clarify that access, modification or impairment is not excluded merely because it is caused by or through an automated system, software agent, AI-enabled tool or comparable technology; and
  2. address serious incidents involving authorised automated or AI-enabled systems where the system is compromised, manipulated or materially uncontrolled in a way that causes cyber-related harm.

The expanded definition would not convert ordinary software defects, configuration issues, routine outages, model errors, technology failures or non-security AI issues into cyber security incidents merely because automation or AI is involved.

A key challenge is that the line between an automated system being 'materially uncontrolled' (reportable) and an ordinary software malfunction (not reportable) will not always be obvious in real time. The Consultation Paper acknowledges this and flags that further guidance will be needed.

Impact

This will expand the circumstances in which incidents must be reported under Part 2B of the SoCI Act. Any serious cyber event involving automation, software agents or AI-enabled tools that meets the existing impact threshold would fall within the scope, even where attribution is uncertain or the harmful conduct originates from a system the entity itself authorised.

Importantly, the term 'cyber security incident' is used across multiple parts of the SoCI Act, including the Minister's step-in powers under section 35AB and the enhanced cyber security obligations for SoNS. Broadening the definition will lower the threshold for Government intervention powers.

In practice, this means that responsible entities deploying automation will need to:

  • consider whether their reporting triggers are appropriate;
  • in many cases, uplift supplier contracts for AI tools, software agents and automation platforms deployed in connection with critical infrastructure assets, to ensure that notification triggers are adequate; and
  • consider any indirect impacts of this expanded term on their internal cyber incident response processes, and determine whether uplifts are required to cyber incident response processes, plans and playbooks  
Proposed updates to notification triggers and requirements

Register of Critical Infrastructure Assets—The trigger for notification of changes to information recorded on the Register would be clarified to focus on reasonable awareness of the prescribed change, rather than on a comparison with information previously submitted. The categories of information that need to be provided on the Register will also be extended to include key systems, key suppliers and material dependencies relevant to the operation, control or continued functioning of the asset.

Notification obligations—Changes have also been proposed to notifications under Part 2B and 2D of the SoCI Act and the annual CIRMP reporting obligation:

  • Cyber security incident notifications under Part 2B of the SoCI Act will be impacted by the expanded definition of cyber security incident.
  • While the notification for reporting entities will not change under Part 2D of the SoCI Act, the Secretary will be required in their written notices in relation to proposed changes to critical telecommunications assets under section 30ED of the SoCI Act to specify that it applies at a point in time.
  • The current CIRMP annual reporting obligation will be updated to instead provide a simpler annual compliance report in an approved form. The Department is also exploring whether a single member of a corporate group could report on behalf of the other group members.
Impact

Entities that have already registered their interest will not need to re-register. The shift to a 'reasonable awareness' trigger should reduce compliance friction, as the current model requires entities to compare new information against what was previously submitted—an exercise that becomes increasingly difficult over time.

However, the proposed expansion of registrable information to include key systems, suppliers and material dependencies means that entities need to disclose considerably more about their operational architecture than is currently required.  

Expanding sector coverage

The Consultation Paper proposes the expansion and refinement of numerous asset classes, achieved through amendments to the legislation itself and further refinement at the subordinate legislation level. The types of assets proposed to be impacted are:

  • subsea telecommunications cables (including attributing multiple responsible entities to relevant components/functions);
  • data storage or processing assets (by shifting the current customer-dependent assessment criteria to be provider facing);
  • space technology (establishing four new asset classes for ground segment infrastructure, position, navigation and timing support infrastructure, earth observation data infrastructure and space situational awareness infrastructure);
  • the health care and medical sector (establishing new asset classes for critical blood supply, critical pathology and nationally significant high-containment or specialised laboratory capability);
  • distributed energy resources (including storage, controllable demand and demand-response capability);
  • offshore electricity assets (expanding critical electricity assets to include offshore electricity infrastructure);
  • critical freight (broader scope); and
  • higher education and research (shifting from education assets to research assets).

Operators of assets in the affected categories will need to consider whether they or their assets are captured by the SoCI Act and/or whether their obligations have changed.

Impact

The breadth of several proposed asset classes should be closely considered by potentially impacted entities.

  • Data centres: the proposed 1 MW rated IT load threshold for facility-based data centres is acknowledged by the Department as low relative to Australian market norms. Commercial colocation and hyperscale facilities typically operate in facilities with load thresholds of 15 MW to well over 100 MW. At 1 MW, the threshold would capture the vast majority of commercial data centre facilities in Australia, potentially drawing in smaller providers and new market entrants. The Department has flagged this as a starting point for consultation. Potentially impacted entities should engage on whether a higher minimum load threshold would more appropriately identify systemically significant facilities without imposing a disproportionate burden on smaller operators.
  • Subsea cables: The functional asset boundary and distributed responsible entity model will bring new entities into scope, particularly owners and operators of shore-end, landing station and terminal infrastructure that are not carriers or carriage service providers, and holders of long-term capacity arrangements.
  • Higher education and research: The shift from a university-based to a research-function-based asset class may cause some currently captured entities to fall outside the scope while bringing non-university research bodies into the framework.

Across all of these measures, the operative thresholds, exclusions and detailed boundaries are deferred to consultation on subordinate Rules in due course, meaning entities cannot yet determine with certainty whether they will be captured.

Impose new requirements on and in relation to 'relevant operators'

While the responsible entity would remain the primary regulated entity and would not be relieved of its broader SoCI obligations, the new framework would:

  • require that responsible entities identify entities that exercise material practical control over a critical infrastructure asset, or over a critical function, system or service on which the asset materially depends; and
  • impose limited direct obligations on the relevant operator to the extent relevant to their role, knowledge and practical control. These include:
    • a duty to cooperate, so far as reasonably practicable, with the responsible entity’s compliance with Part 2A, including by providing reasonable access to information, systems and personnel where needed for risk management, assurance, incident response or remediation. At this stage, it is not clear how this cooperation duty would extend Part 2A compliance requirements to relevant operators, and how 'cooperation' obligations will be enforced;
    • a duty to notify the responsible entity, without unreasonable delay, of events, changes or circumstances within the operator’s knowledge that could materially affect the operation, availability, integrity or security of the asset; and
    • a duty not to take, or omit to take, action that the operator ought to know would materially compromise the security, integrity, availability or operation of the asset, except where acting under a lawful direction, court order or statutory requirement. It could include misuse of legitimate access, unsafe or unauthorised configuration changes, manipulation of control systems, pre-positioning for later compromise, or unauthorised exposure or redirection of security-relevant data flows.

The cooperation duty, notification duty and duty not to materially compromise the asset would be civil penalty provisions enforceable against the relevant operator.

Not all entities that provide substantive practical control over the asset/critical function would be considered a relevant operator—eg it will not be sufficient to meet the threshold of relevant operator if services provided are limited to elements such as providing professional advice, monitoring-only services, minor maintenance or emergency support.

A limited safe harbour will be available to responsible entities that seek appropriate arrangements with a relevant operator that cannot be obtained. The responsible entity would then need to introduce an appropriate mitigation plan and make the necessary disclosures in its annual reporting.

Impact
  • Responsible entities will need to identify and register their relevant operators, and negotiate (or renegotiate) arrangements that support CIRMP compliance, incident response and remediation. Where a relevant operator refuses to cooperate, the responsible entity may invoke a limited safe harbour, but only after documenting the refusal, implementing a mitigation plan and disclosing the gap in annual reporting. Responsible entities should begin mapping now which service providers exercise material practical control, rather than waiting for commencement.
  • Relevant operators (eg MSPs, O&M contractors, original equipment manufacturers (OEMs) and platform administrators that exercise material practical control over critical infrastructure assets) will become directly regulated by the SoCI Act, and therefore not only subject to contractual requirements imposed by responsible entities but also civil penalty provisions enforceable by the regulator. Affected service providers should assess their client portfolios against the proposed 'relevant operator' test and prepare for compliance obligations that will apply regardless of what their existing contracts say.
Clarification of supply chain cyber security assurance

Measure 19 would clarify how the CIRMP framework should address cyber-specific assurance for major suppliers and service providers whose products, services, access, role or dependency are material to the asset’s risk profile. Relevant relationships may include managed service providers, cloud and hosting providers, operational technology vendors, software and platform providers, OEMs, remote support providers, specialist integrators and comparable service providers. Contract value or commercial size would not itself be determinative.

Responsible entities would be expected to assess and manage cyber risks posed by major suppliers and service providers, through pre-contractual assessments, contractual or equivalent controls. As part of any assessment and imposition of contractual obligations, responsible entities should consider the quality and resilience of supplied products and services, alongside appropriate or expected cyber security measures and practices undertaken by the relevant supplier (eg patching, vulnerability management, secure update mechanisms, privileged or remote access controls). Responsible entities must also consider how cyber risk management is addressed in contractual arrangements with major suppliers, including when requirements can be reviewed and uplifted (eg at commencement, renewal or variation). Where formal contractual terms cannot reasonably be agreed, responsible entities should also consider whether any equivalent measures to manage supplier risks should be taken, including documented commercial, procurement, technical, operational or assurance arrangements.

Any assessment and the ultimate set of controls implemented would be proportionate to the relevant supplier’s role and access to the asset.

Impact

Regulated entities will be required to ensure their major supplier contracts reflect adequate cyber security assurance controls. Entities will need to identify which suppliers are 'major' (having regard to their role, access and criticality), conduct cyber-specific risk assessments, and either secure contractual protections or document why equivalent measures are sufficient. Recognised certifications can be relied upon, but only to the extent they are current, relevant and appropriately scoped. This will make for a significant procurement and contract remediation exercise, particularly at upcoming renewals. APRA-regulated entities already subject to CPS 230 (Operational Risk Management) may find their existing supplier assurance frameworks provide a head start, but alignment will need to be verified.  

A new statutory duty on group entities

Measure 18 would impose a limited statutory duty on group entities on which a responsible entity has a material CIRMP dependency. A material CIRMP dependency would exist where the responsible entity relies on the connected entity to provide, manage or control a function material to the responsible entity’s ability to comply with its CIRMP obligations. This may include functions relevant to cyber and information security, personnel security, supply chain security or physical security—eg groupwide IT systems, security operations centres, identity and access management, workforce screening, procurement, vendor management, shared physical security, governance approvals or incident response capability.

The duty would require the connected entity, to the extent reasonable in the circumstances, to support the responsible entity’s CIRMP compliance. This support would include:

  • a duty not to take action, or fail to take action, that the connected entity knows or ought reasonably to know would materially prevent or undermine the responsible entity’s CIRMP compliance;
  • a duty, on reasonable request, to provide information, access or assistance reasonably necessary for the responsible entity to establish, maintain, comply with and review its CIRMP; and
  • a duty to notify the responsible entity of incidents, changes or circumstances that could materially affect the security of the asset or the responsible entity’s ability to manage CIRMP risks.

The duty would be capable of being extended to foreign-incorporated connected entities where they are within the same corporate group and the responsible entity has a material CIRMP dependency on them.

Impact

This measure targets circumstances where the responsible entity is legally accountable for its CIRMP, but the parent company or shared services entity actually controls the security functions. Corporate groups that centralise IT, cyber security, procurement or workforce management will be directly affected. Responsible entities will need to:

  • identify which intragroup dependencies are 'material' to CIRMP compliance; and
  • develop or update intragroup service agreements to impose cooperation, notification and non-frustration obligations, and establish escalation pathways.

Corporate groups should begin this mapping exercise now.

Simplification of the SoNS framework

Measure 6 would replace the current SoNS incident response planning obligation with a broader resilience planning obligation. Responsible entities for SoNS assets would be required to maintain arrangements for managing disruption affecting the relevant SoNS asset, maintaining or restoring its critical functions, and supporting recovery, restoration and resumption of services. However, the resilience planning requirements would be attached to the declared SoNS asset and its critical functions or services, rather than extending to be a general enterprise-wide obligation.

Cyber security exercises would be an ongoing requirement for responsible entities of SoNS assets.

Responsible entities for SoNS may leverage existing plans, exercises and continuity arrangements implemented to comply with equivalent resilience regulatory frameworks to satisfy their obligations under the revised SoNS framework. Where material gaps exist, the responsible entity would only need to supplement its existing resilience arrangements to meet the SoNS requirements.

Impact

Existing cyber incident response plans must be expanded into broader resilience plans covering continuity, recovery and restoration across all hazard types. However, entities that already maintain mature business continuity, crisis management or operational resilience documentation can rely on those arrangements to the extent they adequately address the declared asset. The key action is to conduct a gap analysis and update them accordingly.

Specified risk information

Measure 20 permits the Secretary to formally designate specific material (ie threat advisories and risk assessments) as content that responsible entities within the relevant sectors must consider in preparing or updating their CIRMP. Following a notice being issued by the Secretary, the responsible entity must consider the specified material, assess its relevance and document the outcome of its assessment.

Impact

Responsible entities will be required to engage more often with their CIRMP to accommodate the designation of threat advisories and risk assessments, which are becoming increasingly frequent. Entities will need a standing process to monitor notices, direct them to appropriate decision-makers and maintain an auditable record of their response. The real compliance risk lies not in the substance of any particular notice, but in failing to demonstrate that the required review and consideration process occurred.

Critical workers and critical components

Measure 21 proposes to replace the current critical worker definition with an access and authority-based test built on four alternative limbs (security-sensitive access, operational authority, access to a critical component, or a prescribed role). A person would only need to satisfy one element to be considered a critical worker. The definition of critical component will also be updated, allowing the subordinate legislation to prescribe the kinds of components, systems, environments, facilities or other parts of an asset that may be considered critical in a particular sector or asset class.

Impact

This amendment will change which individuals are classified as critical workers and, consequently, which checking, monitoring and access-control requirements apply. Responsible entities will need to reassess their workforce against the revised definition and take appropriate actions to meet their CIRMP obligations. The exercise extends beyond the entity's own workforce to personnel of relevant operators, connected entities, MSPs and contractors. For entities with large or distributed workforces, or complex outsourcing arrangements, this will be a substantial undertaking. Entities should begin by mapping roles with privileged system access, operational authority over critical functions, and unescorted access to restricted areas.

Graduated civil penalty settings

Currently, lower-tier administrative and visibility obligations attract a maximum penalty of 200 penalty units. Core preventive and assurance duties attract a maximum penalty of 1,500 to 2,000 penalty units. Measure 16 would create a new middle tier of penalties for selected core preventive and assurance duties, from 200 penalty units to 500 penalty units. The new middle tier of penalties would apply to obligations to have, comply with, review and update critical infrastructure risk management programs and equivalent assurance settings, together with related obligations concerning incident response planning, cyber security exercises, vulnerability assessments and associated compliance architecture.

What is not addressed in the Consultation Paper?

The Consultation Paper leaves a number of significant issues unresolved—either deferred to further consultation or not addressed at all. The most consequential gaps include:

  • the reliance on subordinate legislation to define the operative scope of most proposed measures. For most reforms, the Act-level changes establish only the enabling framework. Thresholds, exclusions, technical boundaries and sector-specific definitions that will determine whether an entity is actually captured are reserved for subsequent Rules consultation. This means that entities cannot yet assess their regulatory exposure (or the compliance burden) with confidence.
  • the underestimation of cumulative CIRMP compliance costs. The Consultation Paper assesses the regulatory burden measure by measure, but the reforms do not operate in isolation. Responsible entities face uplift obligations across supply chain cyber assurance, relevant operator arrangements, corporate group cooperation, independent CIRMP assurance and the expanded critical worker framework. Many of these requirements extend deeply into third-party relationships. This will require regulated entities to identify, map, assess and contractually manage suppliers, relevant operators and connected group entities. The aggregate compliance cost, particularly for entities with complex outsourcing arrangements or concentrated supply chains, is likely to be materially higher than any individual measure impact analysis suggests.
  • specific coverage and policy gaps that the Consultation Paper acknowledges but does not resolve, including: (i) assets under construction—pre-operational security requirements for projects under development are not addressed, leaving entities involved in major infrastructure development without clarity on whether SoCI obligations may attach before an asset becomes operational; (ii) the food and grocery sector —the Consultation Paper does not specifically consider any amendments to the sector; and (iii) broader incident reporting—no wholesale redesign of broader incident reporting requirements, which are separate to the cyber security incident definition amendments, is proposed. This is despite the Independent Review's finding that the incident reporting obligations should better address physical, personnel and all-hazards risks.