Key dates

    • 8 July 2022: Grace period ended for Mandatory Cyber Incident Reporting
      8 October 2022: Grace period ended for Registering ownership and operational information

Australia's critical infrastructure is increasingly under threat.


Are you on the front-foot? New legislative requirements are in place for owners and operators of critical infrastructure. We can help you navigate your obligations:


Understand exactly where you are now, where you need to be, and what you need to do to get there.


Take action to implement and actively manage your plan.


Keep looking for ways to integrate and strengthen resilience throughout your organisation.

Overview of the new requirements

The enhanced Security of Critical Infrastructure Act (2018) (SOCI) passed in two tranches: the first in December 2021 and the second in April 2022.

Together these amendments expand the reach of the Act from 4 to 11 sectors, and create a framework with the following features:

This comprises:

  • Provision of ownership and operational information to the Register of Critical Infrastructure Assets
  • Mandatory cyber incident reporting obligations within certain timeframes
  • Development, adoption, and maintenance of a Risk Management Program with a particular focus on cyber, physical, personnel and supply chain risks (not yet commenced).

These apply to all critical infrastructure assets, with three distinct elements:

  • Information gathering powers
  • Action directions
  • Intervention powers.

These apply only to designated ‘Systems of National Significance’ that include:

  • Incident Response Planning
  • Cyber Security Exercises
  • Vulnerability Assessments
  • Provision of system information.

Which sectors are affected?

Sectors subject to the enhanced regulatory framework include:



Data Storage


Financial Services

Health & Medical

Space Technology

Grocery & Food

Water & Sewerage



Achieving resilient infrastructure

KPMG has deep knowledge across all of the critical risk domains and sectors. We can help: 

  • Provide foundational support to understand what the changes mean to you.
  • Assess your baseline security and physical risk and provide actionable strategies to address the fundamentals.
  • Identify and manage cyber risks in relation to your organisation's infrastructure.
  • Provide visibility of risks associated with your supply chain and the impact it will have on you, your people and the community.
  • Integrate critical infrastructure requirements into your wider control environment and transformation activities.

Key benefits

KPMG provides four key benefits:


Gain clarity on where to start and how establish core foundational elements so that you can demonstrate that your programme covers the most significant risks facing your most critical assets.


Turn a legislative requirement into an opportunity to realise operational optimisation.


Ongoing assurance that all aspects of threat exposure are considered, including cyber, people and your supply chain.


Beyond compliance, security and resilience in your operations bolsters the trust of your customers, employees and the wider community. 

Related services and insights

KPMG services, insights and thought leadership related to critical infrastructure.

Meet the team

    KPMG knows SOCI inside out. That’s because our team includes leaders who developed the underpinning policy architecture for the reforms while working in Government, as well an experienced core team who have been engaged by the Department of Home Affairs since 2021 to co-design the rules and frameworks to bring the reforms to life.

We are passionate about these reforms, and want to support businesses make the most of the opportunity this provides to really focus on your resilience.

If you want to know more about what the reforms mean to you, and the practical steps you can take to get on the front-foot, please get in touch.

Contact our KPMG professionals below, or use the enquiry form

Enquire now

To understand what the changes mean for you, connect with us today to receive an individual briefing.

Click here