SOCI reforms | FAQs | Key dates | How KPMG can help | SOCI videosGet in touch

Critical infrastructure protection explained

The Security of Critical Infrastructure Act 2018 (SOCI Act) is a framework for managing critical infrastructure security in Australia.

Designed to uplift Australia’s critical infrastructure protection, successive changes to the SOCI Act put requirements on responsible entities across 11 critical sectors.

Drawing on experience across legal, risk, cyber, supply chain, asset management and infrastructure, KPMG offers comprehensive support to help you navigate the interconnected complexities of SOCI compliance, stay on top of evolving risks, and strengthen your organisation’s security and resilience culture.


  • SOCI Act: What happens next?

    SOCI Act obligations don't end with your annual report submission. Learn more about ongoing compliance obligations.

Contact us

SOCI Act: insights and facts

Critical infrastructure cyber security, risk management and government assistance measures

Between the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI) that came into effect in December 2021, and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP) that came into effect in April 2022, the Australian Government has expanded the SOCI Act to promote improved preparedness and resilience of critical infrastructure assets in Australia. 

The  SOCI framework includes: 

  • Positive Security Obligations (PSO) 
  • Government assistance measures 
  • Enhanced Cyber Security Obligations (ECSO)

With requirements differing across sectors and entities, there is no cookie-cutter approach to SOCI compliance. Genuinely delivering on the SOCI Act’s intent involves adapting and bringing common concepts and services together in a new way. 

Drawing on our experience and cross-sector capabilities, we provide practical advice to help organisations along their SOCI journeys, meeting them where they are.

Find out more about SOCI Act requirements and obligations in our FAQs and via our video explainers.

FAQs: SOCI Act 2018

What is the purpose of SOCI?

SOCI aims to ensure critical infrastructure assets and services across 11 sectors are protected and resilient to disruptions that would severely impact Australia’s society, economy, and security. The SOCI Act reflects how important critical infrastructure is to Australia, the potential for cascading consequences, and the public’s expectation that the government will be able to respond to emergencies.

What sectors does the SOCI Act apply to?

SOCI applies to 22 asset classes across 11 sectors of the economy:

  • communications
  • data storage and processing
  • defence industry
  • higher education and research
  • energy
  • financial services and markets
  • food and grocery
  • healthcare and medical
  • space technology
  • transport
  • water and sewerage.

Not all obligations have been ‘switched on’ for every sector, so it is important to make sure you check the relevant obligations for your asset class.

What does the SOCI Act do?

The SOCI Act is  aimed at bolstering security, particularly cyber security, across 11 critical infrastructure sectors in Australia. It does this through a framework with the following components:

Positive Security Obligations (PSO)

  • Register of Critical Infrastructure Assets
  • Mandatory Cyber Incident Reporting
  • Critical Infrastructure Risk Management Program

Government assistance measures

  • Information gathering directions
  • Action directions
  • Intervention request

Enhanced Cyber Security Obligations (ECSO) for Systems of National Significance

  • Incident Response Plans
  • Cyber Security Exercises
  • Vulnerability Assessments
  • Provision of System Information

What is a CIRMP?

Under the SOCI Positive Security Obligation, responsible entities in 13 asset classes from page 2 of: CISC Fact Sheet – Overview of SOCI Obligations (PDF 560KB) must have a Critical Infrastructure Risk Management Program (CIRMP) that outlines and maintains their processes and systems to identify hazards and mitigate potential risks. A CIRMP needs to take an ‘all hazards’ approach across 4 key vectors: physical security and natural hazards; personnel hazards; supply chain hazards; and cyber security and information security hazards.

What are the penalties for non-compliance with SOCI?

Non-compliance with critical infrastructure security legislation can result in legal proceedings, significant penalties and reputational damage.

Failing to comply can expose responsible entities to cyber security incidents with major impacts on their organisation and national security.

I missed the CIRMP Annual Report deadline. What do I do?

There is no legal basis to be granted an extension for submission of the CIRMP 28 September 2024 Annual Report deadline. However, the Cyber and Infrastructure Security Centre (CISC) has strongly encouraged any entities that won’t be compliant to engage with them directly. The CISC is particularly interested in understanding any barriers or roadblocks, and what your plan for compliance looks like. Contact KPMG if you would like to discuss your situation.

How do I submit my CIRMP annual report?

Your CIRMP Annual Report must be submitted via the approved form available on the CISC website. Responsible Entities must complete the form within 90 days of the end of the financial year – ie: 28 September 2024. The Annual Report must be approved by your Entity’s board, council or other governing body. KPMG can provide support with this process.

SOCI Act: Key compliance dates


Earlier

Grace periods have ended for reporting cyber incidents, registering ownership and operational information and meeting CIRMP obligations. These are now mandatory.

17 August 2024

Conclusion of the grace period for achieving cyber security requirements against a recognised framework (AESCSF, NIST, ISO 2700X, E8) or equivalent.

28 September 2024

The first annual report was due (within 90 days of 30 June 2024).

How KPMG can help you achieve resilient infrastructure

Understand

Monitor your obligations and
master the basics

  • Assess your cyber maturity and identify risk scenarios
  • Provide actionable strategies to address the fundamentals
  • Brief your board
  • Establish annual reporting processes

Act

Uplift to meet SOCI requirements

  • Implement, review and/or update your CIRMP
  • Provide advice on your approach
  • Build incident response and asset upgrade plans
  • Assess your security and physical risk posture and
  • Meet SoNS requirements

Transform

Leverage critical infrastructure protection

  • Embed a security culture across your organisation
  • Integrate critical infrastructure requirements into your wider control environment and transformation activities
  • Use SOCI alignment for a competitive edge


  • Are you an operator of critical infrastructure?

    Download our factsheet to explore six facts about SOCI.

Download PDF now

Watch: SOCI Act video explainer


Meet KPMG's SOCI Act specialists

KPMG’s SOCI team includes leaders who helped to shape and drive the SOCI reforms.

Gregory Miller blog posts
Gregory Miller
Partner, Cyber Security – Critical Infrastructure & Government Lead
KPMG Australia
Profile | | Phone
Gavin Rosettenstein blog posts
Gavin Rosettenstein
Partner, Third Party Risk Management
KPMG Australia
Profile | | Phone
Stefanie Cordina blog posts
Stefanie Cordina
Director, Technology Risk & Cyber Security
KPMG Australia
Profile | | Phone

With our firsthand knowledge of the SOCI Act and its intent, we can help responsible entities across critical infrastructure sectors meet their obligations.