Looking to streamline your TPRM? Join our Product Deep Dive Webinar with live Q&A!
Register Now
Blog
Resources
Blog
Breaches
eBooks, reports, & more
Events
News
Compliance and Regulations
Categories
Attack Surface Management
Company News
Compliance and Regulations
Cybersecurity
Data Breaches
DevOps
Human Cyber Risk
Risks and Vulnerabilities
Third-Party Risk Management
Vendor Risk Management
SOCI Act Explained: Compliance Rules & Requirements
Last updated
December 2, 2025
{x} minute read

SOCI Act Explained: Compliance Rules & Requirements

Get a demo
Free trial
Download the PDF guide
Free trial
Written by
Leah Sadoian
Content Writer
Leah is an experienced cybersecurity writer. Her work is read by leaders in security, tech, education, healthcare, and government.
Reviewed by
Cindy Ruan
Lead GRC specialist
Cindy combines degrees in Computer Science and Law with expertise in GRC, and she has presented her insights at the Australian Cyber Conference.
Table of contents

The Security of Critical Infrastructure (SOCI) Act is one of Australia’s key regulations designed to protect essential services from cyber and physical threats. As cyberattacks become more frequent and sophisticated, the SOCI Act continues to evolve, introducing new measures to safeguard critical infrastructure assets like energy, communications, and healthcare.

This blog explores the SOCI Act, its key components, recent amendments, and annual reporting requirements. This guide aims to help the general public and responsible entities understand the SOCI ACT's importance and how it impacts organizations operating in Australia’s critical infrastructure sectors.

Enhance your organization’s risk management program with UpGuard Breach Risk >

What is the SOCI Act?

The Security of Critical Infrastructure (SOCI) Act is an Australian regulation designed to protect key sectors like energy, water, and transport from cyber threats and cybersecurity incidents. The Act mandates enhanced security protocols, risk management, and incident reporting to ensure national resilience and safeguard essential services.

The SOCI Act explained

The SOCI Act is part of the Australian government’s broader efforts to protect its essential services from cyber threats and physical disruptions. First introduced as The Security of Critical Infrastructure Act 2018, the Act was expanded in following years to promote a stronger critical infrastructure risk management program.

The SOCI Act was implemented due to the increasing risk of disruptions to critical infrastructure sectors, whether from cyberattacks, natural disasters, or other threats. These sectors include energy market operators, healthcare, communication service providers, water and sewerage systems, and financial services—making their protection a national security priority. Other sectors include higher education and research, space technology, and the defence industry.

The growing reliance on digital systems is rapidly increasing cybersecurity risks, and critical infrastructure sectors must enhance their risk management and national preparedness. Organizations can use the SOCI Act as a regulatory framework to reduce vulnerabilities and uplift crisis response times by focusing on risk management, incident reporting, and government assistance mitigation.

The SOCI Act applies to any organization responsible for Australia’s critical infrastructure, specifically 22 asset classes across 11 industries. Compliance is mandatory for both public and private sector organizations.

SOCI Act compliance rules & requirements

The SOCI Act places significant obligations on entities that manage or operate systems of national significance in Australia, ensuring they take proactive steps to manage and mitigate risks. Compliance with the SOCI Act requires organizations to meet several key responsibilities designed to safeguard essential services. The main rules and requirements under the Act include:

  • Positive Security Obligations (PSO): Organizations are required to implement risk management programs that cover both cyber and physical security. These programs must identify potential vulnerabilities, minimise risks, and ensure the security and resilience of critical infrastructure.
  • Mandatory cyber incident reporting: Organizations must report any cyber incident that significantly impacts the operation of critical infrastructure to the Australian Cyber Security Centre (ACSC) within 12 hours of becoming aware of it. The incident reporting system is designed to help the government track, assess, and respond to major threats in realtime.
  • Government assistance measures: In cases of severe cyber threats or attacks, the SOCI Act grants the government powers to intervene and assist organizations in managing the crisis. This may involve directing the providers to take specific actions to mitigate the threat or, in extreme cases, allowing the government to step in and take control of certain aspects of the response.
  • Risk Management Program (RMP) requirements: Critical infrastructure entities must establish and maintain comprehensive risk management programs. These programs should outline the organization’s approach to identifying, assessing, and addressing risks that may compromise their operations. Management plans must also be reviewed annually and updated as necessary to reflect emerging risks.
  • Critical infrastructure risk assessments: Organizations are required to conduct regular vulnerability assessments of their critical assets, which are reported to the Cyber and Infrastructure Security Centre (CISC). This requirement ensures that organizations stay ahead of potential threats and adapt their strategies to deal with new risks, such as advances in cyber threats or changes in geopolitical dynamics.

Failure to comply with these requirements can result in significant penalties, including fines or enforcement actions. Understanding these compliance requirements is crucial for organizations to effectively navigate the obligations set by the SOCI Act. However, the regulatory landscape has evolved since the Act’s introduction, leading to recent amendments that further strengthen Australia’s critical infrastructure protections.

SOCI Act amendments

Since its introduction, the SOCI Act has undergone several amendments to adapt to the evolving threat landscape and better protect Australia’s critical infrastructure. The rise in cyberattacks and increasingly sophisticated information security hazards has made it necessary to enhance the scope and depth of the Act’s security measures. Each amendment was introduced to address emerging material risks and refine how organizations safeguard their operations.

Together, these amendments reflect a proactive approach to protecting critical infrastructure in an increasingly complex and interconnected world. Each update has strengthened the SOCI Act, ensuring that Australia remains resilient in the face of ever-evolving cyber and physical threats.

SOCI Act 2021

In 2021, the Australian Department of Home Affairs introduced The Security Legislation Amendment (Critical Infrastructure) Act, which significantly expanded the original SOCI Act. This amendment broadened the definition of “critical infrastructure” to include sectors like education, communications, financial services, and data storage.

Key changes in this amendment included:

  • Expanded Positive Security Obligations (PSO): The amendment required a wider range of entities to adopt the PSOs, ensuring a consistent approach to managing risks across more sectors.
  • Mandatory incident reporting: The 2021 changes formalized the requirement for organizations to report significant cyber incidents within 12 hours, creating clearer guidelines for incident response plans and government intervention.
  • Government assistance measures: The amendment introduced powers allowing the government to intervene in the event of a major cyberattack or crisis, enabling them to direct or assist organizations in responding to and mitigating threats.

This amendment was critical in recognizing that the risks faced by essential services extended far beyond the Act's original scope, especially with the growing interdependence of digital infrastructure.

SOCI Act 2022

In 2022, further amendments enhanced regulatory oversight and ensured that entities were not only implementing but maintaining robust security measures. Specifically, The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 introduced the following key measures:

  • Critical Infrastructure Risk Management Program Requirements: Organizations must implement comprehensive risk management programs that address both physical and cyber threats. These programs should identify key assets, assess vulnerabilities, and regularly update measures to mitigate risks, ensuring ongoing security and resilience.
  • Enhanced cybersecurity obligations framework: Entities adhere to stricter cybersecurity measures, including mandatory cyber incident reporting, regular vulnerability assessments, and collaboration with government bodies to ensure rapid response to significant threats and cyberattacks.

The reforms in the SLACIP Act aim to establish risk management, preparedness, prevention, and resilience as standard practices for the owners and operators of critical infrastructure assets. The goal is to enhance information exchange between industry and government to develop a more comprehensive understanding of threats. These reforms will provide Australians with the reassurance that our essential services are resilient and well-protected.

SOCI Act 2023

The 2023 amendments to the SOCI Act introduced significant new obligations, particularly focusing on enhancing risk management programs across critical infrastructure sectors.

  • Supply chain security: Organizations now need to identify major suppliers and evaluate potential risks that could affect their operations. Entities also need to assess personnel risks and ensure that workers with access to critical components are properly vetted for suitability.
  • Critical Infrastructure Risk Management Program (CIRMP) Rules: The CIRMP Rules require organizations to adopt a written risk management program that addresses a range of hazards, including cybersecurity, supply chain vulnerabilities, personnel risks, and physical security threats.

CRIMP must be reviewed regularly and kept up-to-date. Organizations had a grace period until August 2024 to fully implement a mandatory cybersecurity framework as part of these broader risk management obligations. CIRMP outlines several framework options required for compliance, including the Australian Signals Director’s Essential Eight framework, NIST CSF, ISO 2700, AESCSF Framework Core, and others.

SOCI Act Annual Report

One critical compliance requirement under the SOCI Act is the submission of an annual report by organizations operating in Australia’s critical infrastructure sectors. Entities must prepare and submit these reports in accordance with Australia’s financial year and regulatory guidelines.

The SOCI Act Annual Report serves as a comprehensive review of an organization’s efforts to comply with the Positive Security Obligations (PSO), maintain the security of its operations, and reduce the relevant impact of any incidents. These reports must detail the risk management measures in place, any significant incidents that occurred during the year, and how the organization responded to those incidents. Additionally, organizations are required to include updates on how they are addressing new or emerging risks, such as implementing cybersecurity exercises or evaluating their supply chains.

The purpose of these reports is twofold: first, to provide transparency to regulators about the security status of critical infrastructure sectors, and second, to ensure that organizations are continuously reviewing and improving their security posture. By submitting an annual report, entities demonstrate their commitment to national security and their readiness to respond to threats, both physical and cyber in nature.

The deadline for the 2023-2024 reporting year was September 28th, 2024. However, if your organization missed this date, there’s still an opportunity to engage with the Cyber and Infrastructure Security Centre (CISC). CISC encourages any non-compliant entities to reach out and discuss any challenges they’ve faced in the compliance process. The CISC is particularly interested in understanding potential obstacles and reviewing your plan for achieving compliance.

How UpGuard helps organizations achieve SOCI compliance in 2025

The SOCI Act requires entities to implement robust cybersecurity measures to protect Australia’s critical infrastructure. UpGuard BreachSight is the premier external attack surface management tool (EASM), integrating critical features in a user-friendly platform that enhances your organization’s security posture.

BreachSight helps you understand the risks impacting your external security posture and ensures your assets are constantly monitored and protected. View your organization’s cybersecurity at a glance and communicate internally about risks, vulnerabilities, or current security incidents. Other features include:

Related posts

Learn more about the latest issues in cybersecurity.
Compliance and Regulations

NIST compliance in 2025: A complete implementation guide

NIST compliance ensures alignment with leading cybersecurity frameworks. Explore how the NIST standards can safeguard sensitive data and manage third-party
Edward Kost
Edward Kost
December 2, 2025
Compliance and Regulations

Introducing UpGuard’s DPDP Act Security Questionnaire

Discover the latest addition to UpGuard's industry-leading Questionnaire Library and learn how to achieve comprehensive DPDP compliance.
Nicholas Sollitto
Nicholas Sollitto
November 18, 2024
Compliance and Regulations

From NIS to NIS2: What Your Organization Needs to Know

Understanding the transition from NIS to NIS2 is crucial for protecting your organization. Explore the key changes and compliance steps in this blog.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

How to Prepare for a Cyber Essentials Plus Audit

Learn more about the Cyber Essentials Plus independent assessment process, and steps your organization can take to prepare.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

PSPF 001-2024: Safeguarding GovTech from Foreign Influence

Explore Australia’s new PSPF Direction, including key components and strategies to help government entities prevent foreign influence over tech assets.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

GDPR's Influence on Indian Data Protection Practices

Explore the impact of the GDPR on India's cyber regulations, comparing pre-GDPR and post-GDPR data protection laws.
Leah Sadoian
Leah Sadoian
July 10, 2025
All posts