Australia's critical infrastructure is increasingly under threat

The Security of Critical Infrastructure Act 2018 (SOCI) provides a framework for managing and protecting critical infrastructure.

The amendments to the SOCI Act passed in two tranches: the first in December 2021 and the second in April 2022. Together, these amendments expand the reach of the Act from four to 11 sectors.

  • Are you SOCI-ready?

    Talk to us to get moving in the right direction

Key dates

8 July 2022

grace period ended for mandatory Cyber Incident Reporting

8 October 2022

grace period ended for registering ownership and operational information

17 August 2023

grace period ended for the Critical Infrastructure Risk Management Program (CIRMP) obligation.

30 June 2024 – 28 Sept 2024

First annual report due (must be submitted within 90 days after the end of the financial year)

17 August 2024

end of grace period to achieve cyber security legislation requirements against a recognised framework (AESCSF, NIST, ISO2700X, E8) or ‘an equivalent’

Navigating the SOCI legislation reforms

SOCI Act reforms at a glance

In April 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) expanded the SOCI Act to enforce improved preparedness and resilience. The Security of Critical Infrastructure Act 2022 framework includes these features:

  • a positive security obligation
  • government assistance measures
  • enhanced cyber security obligations.

There’s no cookie-cutter response to these reforms; genuinely delivering on the SOCI intent involves adapting and bringing common concepts and services together in a new way.

Our team has worked hard to develop capabilities that deliver practical advice to help organisations along their SOCI journeys, meeting them where they are.

SLACIP Act 2022

As an expansion of SOCI, the SLACIP Act introduces two new key features into the critical infrastructure framework:

  1. CIRMP: a new obligation for responsible entities to create and maintain a critical infrastructure risk management program.
  2. SoNS: a new framework for enhanced cyber security obligations required for operators of systems of national significance.

What is the CIRMP?

The Critical Infrastructure Risk Management Program (CIRMP) commenced on 17 February 2023. This program requires the responsible entities for relevant critical infrastructure assets to detail their processes or systems to identify hazards and mitigate the potential risks of those hazards. Responsible entities are required to cover all natural hazards and those related to physical, personnel, supply chain, and cyber and information security.

What are the SoNS?

The Systems of National Significance (SoNS) are the subset of critical infrastructure assets that would have disproportionate impacts on our society, economy and security if something were to disrupt operations. The Minister for Home Affairs and Cyber Security announced there are now 168 designated SoNS. The responsible entity for these SoNS is required to better prepare for cyber incidents, identify and fix vulnerabilities, and provide technical information to the government.

Which sectors are affected?

Sectors subject to the enhanced regulatory framework include:



Data Storage


Financial Services

Health & Medical

Space Technology

Grocery & Food

Water & Sewerage



How KPMG can help achieve reslient infrastructure

    KPMG’s approach is grounded in our deep understanding of the reforms’ intent.

    We utilise our vast expertise across relevant sectors and disciplines – legal, risk, cyber, supply chain, asset management, infrastructure and more – to deliver integrated, SOCI-ready advice.

KPMG can:

  • brief your board
  • implement your CIRMP and SOCI uplift program
  • provide advice on your asset security approach, including incident response plans
  • identify and manage cyber risks in relation to your organisation’s infrastructure
  • provide visibility or risks associated with your supply chain and the impact it will have on you, your people and the community
  • inform approaches to market for asset upgrades and refreshes
  • assess your security and physical risk posture and provide actionable strategies to address the fundamentals
  • integrate critical infrastructure requirements into your wider control environment and transformation activities.

Meet the team

Related services and insights

KPMG services, insights and thought leadership related to critical infrastructure.


How does the Privacy Act work alongside the SOCI Act to protect customer data?

The Privacy Act and the Security of Critical Infrastructure (SOCI) Act are both vital pieces of legislation in Australia aimed at safeguarding various aspects of data and security, including customer data. While they serve distinct purposes, they can overlap in some areas to provide comprehensive protection.

The Privacy Act primarily focuses on the privacy of personal information held by organisations. It sets out how organisations should handle, store, and protect personal data. This includes requirements for consent, data breaches, and the rights of individuals to access their data.

The SOCI Act, on the other hand, is primarily concerned with enhancing the resilience and security of critical infrastructure sectors, which may include organisations that hold sensitive customer data. It mandates specific cybersecurity measures and obligations for entities operating in these sectors.

In practice, the Privacy Act and the SOCI Act can work together to ensure robust protection of customer data. Organisations operating in critical infrastructure sectors need to comply with both acts. This means they must not only adhere to the Privacy Act's data protection provisions but also implement the additional cybersecurity measures required by the SOCI Act. By doing so, they can create a more comprehensive security framework to protect customer data from various threats.

How does the SOCI Act seek to uplift security resilience, including cyber, across critical infrastructure sectors?

The Security of Critical Infrastructure (SOCI) Act is a pivotal piece of legislation in Australia aimed at bolstering security resilience, particularly in the realm of cyber security, across various critical infrastructure sectors. It does this in several key ways:

  1. Mandatory reporting and compliance: The SOCI Act mandates that entities operating in critical infrastructure sectors must report significant cyber security incidents to the Australian Cyber Security Centre (ACSC). This ensures that potential threats are promptly identified and addressed.
  2. Cyber security obligations:The Act establishes specific cyber security obligations that organizsations within these sectors must adhere to. This includes implementing robust security measures, conducting risk assessments, and adhering to cyber security guidelines issued by the government.
  3. Government collaboration: The SOCI Act encourages collaboration between government agencies and critical infrastructure operators. This partnership facilitates the sharing of threat intelligence and best practices, helping organisations stay ahead of evolving cyber threats.
  4. Protection of essential services: The Act includes provisions for penalties in case of non-compliance, incentivising organisations to take cyber security seriously.
  5. Penalties for non-compliance: The Act includes provisions for penalties in case of non-compliance, incentivising organisations to take cyber security seriously.

In summary, the SOCI Act seeks to uplift security resilience, especially in the cyber realm, by imposing mandatory reporting and compliance requirements, specifying cyber security obligations, fostering collaboration, and ultimately protecting critical infrastructure and essential services.

What are the specific cyber security obligations involved with critical infrastructure under the SOCI Act?

The Security of Critical Infrastructure (SOCI) Act in Australia imposes specific cyber security obligations on organisations operating within critical infrastructure sectors. These obligations are designed to enhance the cyber security resilience of critical infrastructure entities and mitigate cyber threats. While the exact requirements may evolve over time, as of the last knowledge update in September 2021, here are some of the key cyber security obligations typically associated with the SOCI Act:

  • Incident reporting: Critical infrastructure entities are required to promptly report cyber security incidents to the Australian Cyber Security Centre (ACSC). This includes providing details of any significant cyber incidents that may have an impact on the availability, integrity, or confidentiality of their systems or services.
  • Risk management and assessment: Entities must conduct regular risk assessments to identify and understand their cyber security risks. This includes assessing potential vulnerabilities and threats to critical infrastructure assets.
  • Compliance with government standards: Critical infrastructure organisations are expected to comply with government-issued cyber security guidelines and standards. These may include specific controls and practices aimed at securing critical systems.
  • Security measures: Implementing robust cyber security measures is essential. This includes measures like network segmentation, access controls, intrusion detection systems, and encryption to protect sensitive data and critical systems.
  • Security audits and testing: Entities may be required to undergo cyber security audits and testing to assess their compliance with cyber security obligations and to identify vulnerabilities.
  • Information sharing: Critical infrastructure operators are encouraged to actively participate in information sharing and threat intelligence initiatives with government agencies and industry peers. Sharing information on cyber security threats and incidents can help the entire sector remain vigilant against emerging threats.
  • Cyber security training and awareness: Organisations should invest in training and awareness programs for their employees to ensure that they are knowledgeable about cyber security best practices and can recognise potential threats.
  • Supply chain security: Ensuring the security of the supply chain is crucial. Organisations may be required to assess and mitigate cyber security risks associated with their suppliers and third-party vendors.
  • Business continuity and recovery planning: Critical infrastructure entities must have robust business continuity and disaster recovery plans in place to ensure that essential services can be maintained or restored in the event of a cyber incident.
  • Penetration testing: Regular penetration testing and vulnerability assessments are often mandated to identify weaknesses in systems and networks.

It’s important to note that the specific cyber security obligations and requirements under the SOCI Act may vary depending on the sector and the criticality of the infrastructure. Additionally, regulations and guidelines may have evolved since September 2021, so it’s essential to refer to the latest government publications and seek legal or regulatory advice to ensure compliance with current obligations under the SOCI Act.

Why should I engage KPMG to help me with SOCI Act reforms?

EEngaging KPMG for assistance with Security of Critical Infrastructure (SOCI) Act reforms is a strategic decision with several compelling reasons:

  • Expertise and experience: KPMG is renowned for its expertise and experience in the field of SOCI Act reforms. The team includes leaders who played a pivotal role in developing the SOCI reforms, giving them an intimate understanding of the legislation’s intricacies.
  • Comprehensive support: KPMG offers comprehensive support to navigate the complexities of SOCI Act compliance. They can provide guidance on understanding and meeting your specific obligations under the Act.
  • Market recognition: KPMG’s reputation as leaders in the SOCI field demonstrates their commitment to staying at the forefront of regulatory changes and cyber security best practices. This can provide you with a competitive edge in compliance and security.
  • Wide-reaching network KPMG’s extensive network allows them to work with regulated entities across the country and various critical infrastructure sectors. This broad perspective ensures that you receive tailored solutions that align with your sector’s unique requirements.
  • Proven track record KPMG’s track record of assisting organisations with SOCI Act compliance speaks to their effectiveness in helping clients meet their obligations while enhancing security resilience.

In summary, engaging KPMG for SOCI Act reforms provides access to a team of experts with deep knowledge, experience, and a proven track record in the field. This partnership can help ensure that your organisation not only complies with regulatory requirements but also strengthens its overall security posture.