Lander & Rogers logo
1 Insights

SOCI Act 2026 reforms: what responsible entities for critical infrastructure assets need to know

SOCI Act 2026 reforms: what responsible entities for critical infrastructure assets need to know

On 3 July 2026, the Department of Home Affairs released a consultation paper on the second tranche of proposed amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). The reforms respond to the Independent Review of the SOCI Act delivered by Dr Jill Slay AM in January 2026, and are intended to reduce complexity, enhance accountability and modernize the legislative framework.

For entities that are currently "responsibility entities" under the SOCI Act, the proposed changes are significant. While a number of the proposed reforms build on changes introduced in June 2026 through the Security of Critical Infrastructure Legislation Amendment (Enhanced Critical Infrastructure Risk Management Program) Rules 2026, the amendments and clarifications go beyond CIRMP requirements - including increased civil penalties and strengthened governance requirements.

The consultation period closes on 31 July 2026.

Key takeaways

The consultation paper recommends 21 measures be implemented. Current and prospective responsible entities should be aware of the following key changes:

  • Classes of critical infrastructure assets would be expanded. New and refined critical infrastructure assets would include space industry assets, health assets, energy assets, and research assets.
  • Stronger governance and mandatory independent assurance of CIRMPs. The reforms would require board or senior-manager involvement in development of CIRMPs, review of CIRMPs at least every 24 months, and periodic independent assurance of CIRMP design, implementation and effectiveness.
  • New obligations in relation to third-party operational dependencies. Responsible entities would be required to identify and register "relevant operators" who have operational influence over critical infrastructure assets or critical functions supporting those assets, maintain appropriate contractual arrangements with them, and address operational dependency risks through their CIRMP.
  • Clearer and more prescriptive supply chain cyber security expectations. Responsible entities would be expected to assess and manage cyber risks from major suppliers through cyber-specific due diligence, contractual or equivalent measures. Amendments would allow for supplier certification and accreditation schemes to be developed to assist in cyber security due diligence.
  • Management of equivalent regulatory regimes will be simplified. A new exemptions framework and streamlined annual reporting would reduce duplication for entities subject to overlapping regimes.
  • Civil penalties for core risk management duties would increase from 200 to 500 penalty units. These increased penalties would apply in relation to obligations to establish, maintain, comply with, review and update CIRMPs.

Key themes

Expanded asset classes

As part of modernising the legislation and ensuring that the regime is appropriately targeted, the consultation paper proposes to expand and refine the classes of critical infrastructure assets to which the SOCI Act applies.

The proposed changes include:

establishing new asset classes:

  • in the space sector, including ground segment infrastructure and positioning, navigation and timing support infrastructure;
  • for critical blood supply functions, critical pathology systems and specialized laboratory capabilities;
  • for critical research assets which go beyond assets owned by universities.

clarifying or expanding existing asset categories to include:

  • modern energy infrastructure such as distributed energy resources and virtual power plants;
  • offshore electricity infrastructure such as offshore wind turbines; and
  • further freight assets including distribution facilities, cold chain facilities and logistics platforms.

Strengthened governance, assurance and accountability requirements

The most consequential changes for existing responsible entities fall under governance and assurance. The reforms would require the responsible entity's governing body or, in some cases, a senior manager approve the establishment, review, update and variation of the CIRMP (in addition to existing obligations for the entity's governing body to approve annual CIRMP reports). Further, the reforms clarify review timeframes, requiring that CIRMPs be reviewed at least every 24 months and earlier where specified events occur, including significant cyber incidents, material changes to the operating environment, relevant risk information communicated by the Department of Home Affairs, or findings from audits, exercises or vulnerability assessments.

In a significant change, responsible entities would be required to obtain periodic independent assurance that CIRMPs are appropriately designed, implemented and operating effectively. The base assurance cycle would be at least every three years, with more frequent review for higher-risk entities or in elevated threat environments. Assurance reports would be provided to both the responsible entity and CISC. Where material deficiencies are identified, the responsible entity would be required to prepare a remediation plan.

The consultation proposes an increase of maximum civil penalties for breaches of core preventative and assurance obligations (including obligations to have and comply with a CIRMP) from 200 to 500 penalty units.

Managing dependencies on third-parties suppliers

The consultation proposes that responsible entities would be subject to new obligations to identify and manage their dependencies on third-party suppliers. Under the "relevant operator" framework, a responsible entity would be required to identify third parties that the responsible entity has an operational dependency on. A supplier will be relevant operator where:

  • it has the ability to operate, configure, maintain, disable, restore, materially alter or materially influence the operation, availability, integrity or security of the asset or a critical function; and
  • the responsible entity depends on the exercise of that control for the continued operation, availability, integrity or security of the asset.

Responsible entities would then be required to provide information about relevant operators to CISC, and maintain appropriate contractual, governance or operational arrangements with each relevant operator to support the responsible entity's compliance, incident response, oversight, assurance, testing and remediation. The responsible entity's CIRMP would also need to address risks arising from the entity's dependency on the relevant operator, including risks to continuity if the operator fails, withdraws or is compromised.

A limited safe harbour from the obligation to maintain appropriate contractual, governance or operational arrangements is proposed where a responsible entity makes a written request for necessary arrangements, the relevant operator refuses or provides inadequate terms, and the responsible entity implements a documented mitigation plan and discloses reliance on the safe harbour through annual reporting.

The reforms also envisage that relevant operators will be subject to direct obligations, explored in our article here.

Management of supply chain cyber security risks

Measures proposed in the consultation paper would clarify and strengthen CIRMP expectations for supply chain cyber security management. Responsible entities would be required to assess cyber risks in relation to "major suppliers" whose products, services, access or role are material to the asset, and to implement contractual or equivalent measures to manage these risks at contract entry, renewal or material variation.

Responsible entities would also need to consider cyber risks in relation to material subcontractors of major suppliers, although they would not be required to assess or contract directly with every supplier in the chain.

The concept of a major supplier which is currently used in the CIRMP rules is separate to, and broader than, the concept of a relevant operator.

The measures also contemplate establishment of a framework for certification or accreditation of suppliers' cyber security measures. This process is intended to assist responsible entities in conducting cyber risk due diligence.

Reduced complexity and regulatory overlap

Not all changes increase the regulatory burden. A new consolidated exemptions framework would provide targeted relief from certain SOCI obligations where another regulatory framework delivers substantially equivalent or stronger outcomes. The regime may provide exemptions for entities also regulated under regimes including APRA CPS 230 and CPS 234, transport security legislation, and the Protective Security Policy Framework.

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.