Looking to streamline your TPRM? Join our Product Deep Dive Webinar with live Q&A!
Register Now
Blog
Resources
Blog
Breaches
eBooks, reports, & more
Events
News
Compliance and Regulations
Categories
Attack Surface Management
Company News
Compliance and Regulations
Cybersecurity
Data Breaches
DevOps
Human Cyber Risk
Risks and Vulnerabilities
Third-Party Risk Management
Vendor Risk Management
SLACIP: How to Comply
Last updated
December 2, 2025
{x} minute read

SLACIP: How to Comply

Download the PDF guide
Free trial
Written by
Edward Kost
Senior Cybersecurity Writer
Edward is a cyber writer with a mechanical engineering background. His work has been referenced by academic institutions and government bodies.
Reviewed by
Cindy Ruan
Lead GRC specialist
Cindy combines degrees in Computer Science and Law with expertise in GRC, and she has presented her insights at the Australian Cyber Conference.
Table of contents

On March 31, 2022, the Security Legislation Amendment Critical Infrastructure Protection Act 2022, also known as SLACIP, was passed by the Australian Parliament. The SLACIP Act aims to build upon the SOCI Act framework to improve the security of Australia’s critical infrastructures.

To learn how the SOCI Act reforms will affect you and for guidance on how to comply with its new risk management requirements, read on.

What is the SLACIP Act?

The SLACIP Act modifies the SOCI Act to introduce security risk management and cyber threat resilience as mandatory requirements for critical infrastructure entities. 

The SLACIP Act aims to improve information exchange between critical infrastructure industries and the government to keep the Australian government informed of emerging threats to national security.

The SLACIP Act aims to give Australians increased peace of mind about the safety of the nation’s essential services.

The SLACIP Act was developed to address the intersection of two significant trends - Australia's increasing dependency on digital solutions and the increasing sophistication of cyberattacks.

What’s the Difference Between the SLACIP Act and the SOCI Act 

The SLACIP Act modifies the SOCI Act by introducing a new obligation and a new framework.

  • Entities responsible for critical infrastructures are now obligated to create and maintain a risk management program.
  • Operators of Systems of National Significance (SoNS) - entities responsible for Australia’s most important critical infrastructure assets - must comply with a new framework with enhanced cyber security standards.

The SLACIP Act centralizes critical infrastructure security guidelines into one legislation to address the interconnected nature of all SoNS.

Who is Responsible for Complying with the SLACIP Act?

Responsibility for compliance will sit with either the Responsible Entity or Direct Interest Holders of critical infrastructures.

What is a Responsible Entity?

A Responsible Entity includes anybody with ultimate operational responsibility for a critical infrastructure asset.

What is a Direct Interest Holder?

A Direct Interest Holder is either:

  • Any entity holding direct or joint interest of at least 10% in a critical infrastructure asset
  • Any entity that holds a critical infrastructure asset interest and is in a position of direct or indirect influence over the control of an asset

The SLACIP Act Risk Management Plan

The Risk Management Program introduced in the SLACIP Act requires responsible entities to comply with a risk management program designed to identify and mitigate all material risks to critical infrastructure assets as much as reasonably practicable.

A material risk includes risks threatening the availability, integrity, reliability, or confidentiality of critical infrastructure assets. 

Under SLACIP, the following categories of critical infrastructure assets are subject to SLACIP’s risk management plan rules:

  • Critical broadcasting assets
  • Critical domain name system
  • Critical data storage or processing assets
  • Critical hospitals
  • Critical energy market operator assets
  • Critical water assets
  • Critical electricity assets
  • Critical gas assets
  • Critical liquid fuel assets
  • Critical financial market infrastructure assets that are specified payment systems operator assets

The design of a risk management program must meet the following obligations:

1. Identify all Material Risks

Responsible entities need to follow an All-Hazards approach when identifying potential threats to their critical infrastructure assets' availability, reliability, and confidentiality.

An All-Hazards approach considers the events and processes impacting preparedness for all emergencies and disasters, both natural and human-made.

The SLACIP Act expects responsible entities to focus on four primary categories of hazard vectors:

  • Physical and Natural - Any physical and natural risks to critical infrastructure asset functionality, such as a thunderstorm disrupting physical access to a control room.
  • Cyber and Information Security - Any cyber threats to the digital ecosystem of a critical infrastructure asset. 
  • Personnel - Any risk of an insider threat within a critical infrastructure workforce.
  • Supply Chain - Any risk of supply chain disruption impacting critical infrastructure operations.

2. Continuously Reduce Security Risk Exposure

Responsible entities need to develop strategies for minimizing the security risks increasing critical infrastructure asset vulnerability to material risks. Risk management efforts should be both proactive and ongoing.

A proactive and ongoing risk management strategy aims to discover and address security risks before cybercriminals exploit them.

3. Minimize the Impacts of all Security Incidents

The security incidents that bypass boundary security controls must be contained and swiftly addressed to minimize impacts on business operations. SLACIP requires entities to have robust processes for reducing the effects of realized incidents and processes for rapid recovery following an incident.

These requirements can be met in an updated and frequently tested incident response plan.

4. Establish Risk Oversight Arrangements

Entities bound to the SLACIP must establish risk management oversight arrangements with their relevant Commonwealth regulators. Regulators will evaluate and test an implemented risk management program to assess SLACIP compliance. 

SLACIP Annual Reporting Requirements

Entities need to submit an annual report summarizing the yearly efforts of their risk management program to their relevant Commonwealth regulator or the Secretary of the Department of Home Affairs.

Before submission, reports must be approved by the entity’s board, council, or other governing body.

Annual SLACIP reports must be submitted within 90 days after the end of the financial year.

To learn more about the proposed Risk Management Program Rules, refer to this draft policy document.

Systems of National Significance and the SLACIP Act

The SLACIP act includes a regime specifically focused on Australia’s most critical infrastructure assets to prevent catastrophic disruptions following a nation-state cyberattack. These entities have been grouped into a separate category known as Systems of National Significance (SoNS).

What are Systems of National Significance?

Systems of National Significance (SoNs) include any critical infrastructure entities that:

  • Are crucial to Australia’s operations
  • Have multiple dependencies across different sectors
  • Could potentially cause cascading disruptions to other connected critical infrastructure assets in a cyberattack.

The criticality of Systems of National Significance makes these entities highly vulnerable to sophisticated nation-state attacks. By enforcing improved cyber resilience across all of Australia’s SoNS, the SLACIP Act will significantly reduce the nation’s potential of falling victim to a catastrophic nation-state cyberattack.

Which Critical Infrastructure Entities are Classified as SoNS?

Only critical infrastructure assets of national significance are classified as a SoNS asset. Only a small subset of the nation's critical infrastructure assets are grouped in this category.

Two primary factors are considered when determining whether an asset is of national significance:

  • Does the asset have interdependencies with other critical infrastructure assets?
  • Would the asset’s compromise significantly impact Australia's national security, defense, or social/economic stability? 

SoNS Obligations Under the SLACIP Act

In addition to all of the obligations outlined for critical infrastructure assets under the SLACIP Act, SoNS must also comply with Enhanced Cyber Security Obligations (ECSO).

ESCO requirements may include the following:

1. The Development of a Cyber Security Incident Response Plan

An incident response plan is a written document detailing how a critical infrastructure entity will respond to different cyber security incidents. After completion, the incident response plan must be submitted to the Secretary of the Department of Home Affairs.

2. Cyber Security Exercises

SoNS may be required to undertake cyber security exercises to test cyberattack readiness against specific threats. These exercises will involve a simulation of a cyber incident and may require observance by Department officers or designated officers from the Australian Cyber Security Centre (ACSC).

3. Security Assessments

SoNS may be required to complete vulnerability assessments evaluating the security postures of all critical infrastructure systems.

Under the SLACIP Act, these assessments may be designated to the ACSC by the Department.

4. Provision of System Information 

SoNs may be required to supply system information to the ACSC under the request of the Secretary of the Department.

There are two different system information reporting tiers based on reporting frequency:

  • Periodic reporting of system information 
  • Event-based reporting of system information

ESCO may also require SoNS to:

  • Register their critical infrastructure assets
  • Submit cyber security incident reports
  • Implement risk management programs

For more information on SoNS obligations under the SLACIP Act, refer to the Systems of National Significance fact sheet.

SLACIP Act Compliance with UpGuard

UpGuard monitors the entire attack surface of security vulnerabilities facilitating data breaches and system compromise.

By extending security vulnerability detection to the third, and even fourth-party attack surface, UpGuard is the perfect solution for SLACIP-bound entities tracking security posture improvements across their entire IT ecosystem. 

Here are just some of the UpGuard features that could support SLACIP compliance:

  • Vulnerabilities scanning to identify material risks internally and across the vendor network.
  • A managed Third-Party Risk Program for scaling material risk mitigation and uplifting core security practices.
  • Data leak detection extending to the third-party attack surface to minimize security risk exposure.
  • One-click executive reporting to help address risk oversight arrangements.
  • Vulnerability assessments based on popular cybersecurity frameworks, including the Essential Eight.
  • Multiple subsidiary tracking to monitor security postures of all SoNS and interconnected critical asset entities

To learn more about how UpGuard can help you comply with the SLACIP Act, click here to request a free demo of the platform now.

Related posts

Learn more about the latest issues in cybersecurity.
Compliance and Regulations

NIST compliance in 2025: A complete implementation guide

NIST compliance ensures alignment with leading cybersecurity frameworks. Explore how the NIST standards can safeguard sensitive data and manage third-party
Edward Kost
Edward Kost
December 2, 2025
Compliance and Regulations

Introducing UpGuard’s DPDP Act Security Questionnaire

Discover the latest addition to UpGuard's industry-leading Questionnaire Library and learn how to achieve comprehensive DPDP compliance.
Nicholas Sollitto
Nicholas Sollitto
November 18, 2024
Compliance and Regulations

From NIS to NIS2: What Your Organization Needs to Know

Understanding the transition from NIS to NIS2 is crucial for protecting your organization. Explore the key changes and compliance steps in this blog.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

How to Prepare for a Cyber Essentials Plus Audit

Learn more about the Cyber Essentials Plus independent assessment process, and steps your organization can take to prepare.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

PSPF 001-2024: Safeguarding GovTech from Foreign Influence

Explore Australia’s new PSPF Direction, including key components and strategies to help government entities prevent foreign influence over tech assets.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

GDPR's Influence on Indian Data Protection Practices

Explore the impact of the GDPR on India's cyber regulations, comparing pre-GDPR and post-GDPR data protection laws.
Leah Sadoian
Leah Sadoian
July 10, 2025
All posts