On 25 March 2026 the Cyber and Infrastructure Security Centre opened public consultation on lifting the corporate penalty cap for non-compliance with a Ministerial direction under the Security of Critical Infrastructure Act 2018 from roughly A$412,500 to A$3.3 million, an eight-fold increase that arrived the same quarter Epworth HealthCare disclosed a ransomware event affecting clinical operations. The ERP Act amendments commenced 20 December 2024 had already pulled data storage systems into scope, the Telecommunications Act Part 14 obligations folded into SOCI on 4 April 2025, and ASD's 2024-25 Annual Cyber Threat Report logged 1,200-plus incident responses with a 280 percent surge in DDoS activity. For CISOs at the 11 designated sectors and the managed-service providers they depend on, the tension is real. The Critical Infrastructure Risk Management Program annual board attestation is now sitting alongside a 72-hour ransomware payment report under the Cyber Security Act 2024, a 12-hour critical incident notification window, an OAIC that just won its first Federal Court civil penalty (A$5.8 million against Australian Clinical Labs on 8 October 2025), and APRA's June 2025 board-attested authentication uplift across superannuation. This guide walks through who is in scope, what the four Enhanced Cyber Security Obligations actually demand, how the 2023-2030 Cyber Security Strategy's six shields stack against the day-to-day controls your auditors will test, and which Essential Eight Maturity Level 2 controls satisfy multiple obligations in one go.
The 11 sectors and what counts as a critical infrastructure asset in 2026
Boards keep asking whether their asset is still in scope after the December 2024 amendments. The short answer is that the SOCI Act now reaches further than at any point since it was passed in 2018, and the test is broader than ownership of a physical site. The 11 sectors named in the Act are communications, financial services and markets, data storage or processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage. Within those sectors the Act defines specific categories of "critical infrastructure asset" by reference to ownership, scale and function tests. A "responsible entity" is the operator that has direct control over the asset, while "direct interest holders" (investors or operators able to influence control) also pick up reporting duties under Part 2. The Enhancing Resilience Package (ERP) Act, which commenced 20 December 2024, did three things that materially changed scope. First, it brought data storage systems forming part of a primary critical infrastructure asset under SOCI even when operated by a third party. Second, it broadened "serious incident" beyond cyber to cover physical and natural hazards. Third, it absorbed the security obligations from Telecommunications Act Part 14 with effect from 4 April 2025, meaning carriers and carriage service providers are now regulated under one statute instead of two. If you operate a hyperscaler region serving a Commonwealth client, run a Manila-based contact centre that handles airline customer records (as the 30 June 2025 Qantas Salesforce breach made painfully clear), or hold a SaaS contract that processes patient data for a SOCI healthcare entity, your contract and your control environment now sit inside the Act's perimeter. A scoping exercise that maps every data flow against the Register of Critical Infrastructure Assets is the precondition for everything that follows.
The Critical Infrastructure Risk Management Program and the annual board cycle
The CIRMP is the spine of SOCI compliance, and the annual review cycle is non-negotiable. The situation many entities face in 2026 is that the first wave of CIRMPs adopted in 2023 are now being tested against a threat environment that has moved on, and against CISC's published expectations from the March 2026 consultation papers. Under the Act, responsible entities for relevant critical infrastructure assets must adopt and maintain a written CIRMP that identifies each material risk to the asset, the minimisation or mitigation measures in place, and the framework used. The Risk Management Program Rules recognise frameworks including AS ISO/IEC 27001:2022, the NIST Cybersecurity Framework 2.0, and the Essential Eight Maturity Model at Maturity Level 1, or an equivalent. Cyber and information security hazards must be addressed through one of those frameworks within the timeframe the Rules set. The board attestation must be signed annually and submitted to CISC. The attestation is not a tick-box. It must record that the board is satisfied the CIRMP is up to date, that the asset has complied with the Program, and that any variations during the year were reasonable. Directors are personally exposed where the attestation is misleading, and CISC has used direction notices through 2025 to compel updates where reviews lapsed. The annual review must, at minimum, reassess each material risk against the four hazard vectors (cyber and information security, personnel, supply chain, physical and natural), update mitigations, and document any incidents that exercised the program. We have seen penetration testing and red-team exercise reports become the strongest evidence in the supply chain hazard category because they show, with dates and findings, that the program was tested rather than written. The annual review is also where Essential Eight maturity assessments, third-party audit results and incident retrospectives should be stitched together rather than sitting in separate folders.
The four Enhanced Cyber Security Obligations and what triggers them
The Enhanced Cyber Security Obligations (ECSOs) in Part 2C apply only after the Minister has declared an asset a System of National Significance. The situation in 2026 is that the SoNS register is small but growing, and the obligations are activated selectively rather than as a block. The four obligations, each with a specific trigger and reporting cadence, are:
1. Statutory incident response planning: the responsible entity must adopt, maintain and comply with a written cyber security incident response plan. Activation requires a written notice from the Secretary. The plan must be tested at the cadence specified in the notice.
2. Cyber security exercises: the Secretary may require the entity to undertake a cyber security exercise to test capability against all-hazards or specific scenarios. Independent observation, evaluation reports and remediation plans are mandatory outputs.
3. Vulnerability assessments: the Secretary may direct a vulnerability assessment, conducted either by the entity, an external assessor or ASD itself, against named systems. Findings must be reported back within the specified period.
4. System information: the most contentious obligation, requiring the entity to give system information, including periodic reports and event-based reports, to ASD. In some cases the entity must install ASD-approved software on its systems.
Triggers tend to follow incidents or sector-wide intelligence. After the credential-stuffing wave on superannuation funds in 2024-25, after the Salesforce supply-chain campaign that hit Qantas and 700-plus global organisations in mid-2025, and after the ongoing AZURITE activity against engineering workstations, CISC and ASD have used ECSOs to mandate testing where voluntary uplift was judged insufficient. A live attack simulation program addresses obligations two and three at once, and a continuously monitored 24x7 SOC provides the telemetry that obligation four assumes you already collect.
Mandatory cyber incident reporting: the 12-hour and 72-hour clocks
Part 2B of the SOCI Act sets the dual reporting clocks that catch every responsible entity, not just SoNS. The situation through 2025 was that several responsible entities missed the 12-hour window because they confused the Cyber Security Act 2024 ransomware report with the SOCI critical incident report. They are different obligations with different recipients and different triggers. A critical cyber security incident, one that has had, is having or is likely to have a significant impact on the availability of the asset, must be notified to ASD within 12 hours of the responsible entity becoming aware. Other cyber security incidents that have had or are having a relevant impact must be reported within 72 hours. Layered on top, from 30 May 2025, the Cyber Security Act 2024 requires reporting entities (annual turnover above A$3 million, or any SOCI responsible entity) to report ransomware or cyber extortion payments to ASD via ACSC within 72 hours of making the payment or becoming aware that a related party made it. Failure to report attracts a civil penalty of 60 penalty units, currently around A$19,800. The limited-use protections in the Cyber Security Act constrain how voluntarily shared information can be used by Commonwealth bodies, but the carve-outs for proceedings under other Acts mean disclosures may still surface in OAIC penalty matters. The Notifiable Data Breaches scheme adds a third clock. APP entities must assess a suspected eligible breach within 30 days and notify the OAIC and affected individuals "as soon as practicable" if eligible. In Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224, Halley J treated delayed assessment (A$800,000) and delayed NDB notification (A$800,000) as separate contraventions on top of the underlying APP 11.1 failure (A$4.2 million). The total of A$5.8 million plus A$400,000 in costs was the first Federal Court civil penalty under the Privacy Act 1988 and the strongest signal yet that breach-response failures are now penalised independently of the breach.
The 2023-2030 Cyber Security Strategy and its six shields
The 2023-2030 Australian Cyber Security Strategy is the policy frame around which most of the legislative changes from late 2024 onward have been built. Boards need it on a slide because directors increasingly ask which shield a given control sits behind, and because budget submissions are landing better when they cite the Strategy's three horizons. The six shields, summarised:
Shield 1, Strong businesses and citizens: cyber awareness, support to small business, identity verification reform, and ransomware reporting (operationalised through the Cyber Security Act 2024).
Shield 2, Safe technology: smart device security standards, software supply chain assurance, and the Voluntary AI Safety Standard, with the October 2025 Guidance for AI Adoption now sitting alongside it.
Shield 3, World-class threat sharing and blocking: real-time threat blocking, public-private intelligence sharing, and the limited-use protections introduced under the Cyber Security Act 2024 to encourage voluntary disclosure to ASD.
Shield 4, Protected critical infrastructure: the SOCI Act regime, including ERP Act amendments, telco integration, the Cyber Incident Review Board operational since 30 May 2025, and the proposed penalty uplifts under consultation since 25 March 2026.
Shield 5, Sovereign capabilities: domestic cyber workforce, professional standards, and onshore industry capability.
Shield 6, Resilient region and global leadership: Pacific support, international cooperation, and norm-setting in cyber and AI governance.
Horizon 1 (2023-25) focused on plugging the gaps the Optus and Medibank incidents exposed. Horizon 2 (2026-28) is about scaling the regulatory machinery, including the next SOCI consultation outcomes and any landing of Tranche 2 Privacy Act reforms. Horizon 3 (2029-30) targets sovereign capability. Aligning your CIRMP narrative to the relevant shield helps Boards see why the spend is happening this year and not in two years' time.
Where APRA CPS 234, CPS 230 and FAR meet SOCI
Financial services responsible entities are now answering to two parallel regulators. The situation is that APRA wrote to all RSE licensee Board chairs in June 2025 demanding board-attested authentication uplift by 31 August 2025 after the credential-stuffing attacks on AustralianSuper, Rest, Insignia and UniSuper, and that letter is operationally indistinguishable from a SOCI direction notice from CISC. Prudential Standard CPS 234 requires APRA-regulated entities (ADIs, insurers, RSE licensees) to maintain information security capability commensurate with the threats faced, test controls regularly, and notify APRA of material information security incidents within 72 hours. Material control weaknesses must be reported "as soon as possible" under paragraph 36. CPS 230, which replaced the outsourcing standard from 1 July 2025, adds a board-approved operational risk profile, identification of critical operations, service-provider risk management with formal agreements, and business continuity testing. The Financial Accountability Regime makes named Accountable Persons (typically the CRO, CIO or CISO depending on the entity's accountability map) personally liable for information security and operational risk failures. After APRA imposed a A$250 million additional operational risk capital charge on Medibank in 2023 and licence conditions on Cbus and United Super in 2024-25, the enforcement signal is clear. For a SOCI-regulated bank or super fund the practical compression is this: a single material control weakness in MFA can trigger a CPS 234 paragraph 36 notification to APRA, a SOCI 72-hour incident report to ASD if exploited, an NDB assessment, and a board attestation issue at the next CIRMP review. A coordinated VAPT program that produces evidence acceptable to both regulators reduces the duplicate reporting burden and tightens the audit trail FAR Accountable Persons now demand.
The Essential Eight, ISM and reasonable steps in 2026
The Essential Eight has moved from a Commonwealth baseline to the de facto benchmark for "reasonable steps" under APP 11.1. The Federal Court in the ACL case treated the Essential Eight as a relevant reference point in calibrating what reasonable steps require, and CISC has signalled the same expectation in CIRMP consultation papers. The eight mitigation strategies are application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Maturity Level 2 has been mandatory for non-corporate Commonwealth entities under the Protective Security Policy Framework since July 2022. The November 2023 update tightened two controls in particular: ML2 now requires phishing-resistant MFA (FIDO2 security keys, passkeys or Windows Hello for Business) for high-value data and privileged actions, and centralised event log collection with protection against tampering. ML3 extends phishing-resistant MFA further and demands tighter patch cadences for internet-facing services with exploitable vulnerabilities. The ASD Information Security Manual provides the underlying control set referenced by both the Essential Eight and the PSPF. ISM controls are organised against the cybersecurity risk management framework (govern, identify, protect, detect, respond, recover), aligning with both NIST CSF 2.0 and ISO/IEC 27001:2022. A single ISM-aligned control library can therefore satisfy SOCI CIRMP framework selection, Essential Eight reporting to Commonwealth clients, and CPS 234 evidence requirements. The practical play in 2026 is to stand up phishing-resistant MFA across all administrative and high-risk user activities, centralise event logging into a SIEM that the SOC actually monitors, run a quarterly Essential Eight maturity assessment, and tie the output into both the annual CIRMP attestation and the privacy program's reasonable-steps file. The same evidence then supports OAIC defensive positioning under APP 11.1, the statutory tort that commenced 10 June 2025, and any class-action filing of the type Slater & Gordon and Maurice Blackburn are now bringing.
What to do next: a 2026 readiness path
The question this guide opened with is what an Australian responsible entity should actually do in the next four quarters. The honest answer is that the heavy lifting is in evidence and integration, not new policy documents. A pragmatic 12-month sequence:
Q1: Re-scope assets against the ERP Act amendments. Confirm whether any data storage system, BPO or SaaS provider has come into the SOCI perimeter post-20 December 2024. Update the Register of CI Assets and refresh direct interest holder records.
Q2: Run a CIRMP gap assessment against the chosen framework (ISO/IEC 27001:2022, NIST CSF 2.0, Essential Eight ML1 or equivalent). Test the incident response plan against the 12-hour SOCI critical incident clock, the 72-hour Cyber Security Act ransomware clock, the 72-hour APRA CPS 234 clock (if regulated), and the 30-day NDB assessment window.
Q3: Commission a third-party penetration test and a red-team exercise that exercises the supply-chain hazard category. Close findings before the board attestation cycle. Map Essential Eight ML2 controls against APP 11.1 reasonable-steps documentation.
Q4: Complete the annual CIRMP review, sign the board attestation, file the privacy policy ADM transparency update ahead of the 10 December 2026 commencement, and rehearse the Cyber Incident Review Board cooperation playbook.
For Australian responsible entities and the managed-service supply chain behind them, Certbar Security operates as a CERT-In empanelled VAPT, 24x7 SOC and compliance partner delivered from India. The practical value for Australian boards is threefold: cost-effective offshore delivery against the Essential Eight, ISM, ISO/IEC 27001:2022 and NIST CSF 2.0 control libraries; SOC monitoring that covers the overnight Australian Eastern hours without on-call rotation fatigue; and audit evidence packaged in formats CISC, APRA and OAIC counterparties accept. AI risk assessment support is available for entities preparing for the 10 December 2026 ADM transparency commencement and the still-open question of mandatory AI guardrails. The penalties have moved from theoretical to real (A$5.8 million for ACL, A$250 million capital charge for Medibank, civil penalty proceedings against Optus pleaded per affected individual). The reporting clocks are short. The board attestation is personal. Treat 2026 as the year the SOCI Act stopped being a compliance document and started being the operating system for Australian critical infrastructure security.
Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.