In 2018, amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act) introduced some of the most significant reforms aimed at protecting Australia’s critical infrastructure sectors and assets.
This high-level summary provides a simple overview to help demystify the regime’s complexities.
Key takeaways
- The SOCI Act and associated rules are designed to manage security risks relating to Australia’s critical infrastructure, including by:
  - empowering the Australian Government to exercise information gathering, direction and intervention powers in respect of 11 “critical infrastructure sectors”;1
  - imposing reporting and risk management obligations in respect of 22 “critical infrastructure asset” classes; and
  - imposing enhanced cyber security obligations on assets designated as “systems of national significance”.
- Despite recent reform, assessing whether and how the regime applies to an organisation can still be complex. The legislation covers a broad range of assets, and obligations extend to various participants in the supply chain, including “responsible entities”, “reporting entities”, “direct interest holders”, “managed service providers” and “operators”.
- Many Australian corporates are now grappling with multiple regulatory regimes and regulators, in addition to the SOCI Act.
- In this high-level overview, we seek to demystify the regime’s key obligations and powers, and the impacted entities, sectors and assets. We look to simplify the regime, acknowledging that complexity exists below the surface and will invariably require a case-by-case assessment.
Latest reforms
In November 2024, the SOCI Amendment (Enhancement Response and Prevention) Act 2024 introduced several changes to the SOCI Act, intended to address gaps in the regulatory framework and enhance the government’s ability to respond to a wide range of incidents.
The changes include:
- clarifying that the SOCI Act applies to data storage systems that form part of a primary critical infrastructure asset;
- broadening the government assistance powers to all types of incidents (beyond cyber);
- empowering the regulator to compel a responsible entity to vary its “risk management program”;
- expanding the ability to share “protected information”;2 and
- bringing telecommunications security obligations out of the ‘Telecommunications Sector Security Reforms’ (TSSR) regime under Part 14 of the Telecommunications Act 1997 (Cth) and under the SOCI Act.
The amendments will take effect on 30 May 2025 (unless proclaimed sooner) and, in the case of the telecommunications sector reforms, no later than 30 November 2025.
For further information, please contact:
Cameron Whittfield, Partner, Herbert Smith Freehills
cameron.whittfield@hsf.com