AI That Works for Heavy Industry logo
← Back to the map

Who Must Comply · SOCI Act stream

Owners / operators of defined CI assets

Updated 15 Oct 2025

SOCI obligations attach to the responsible entity for a defined critical infrastructure asset — not to a whole sector. Whether you're caught depends on the asset class definition and any quantitative threshold.

Key obligations

  • Register the asset with the CISC.
  • Maintain a CIRMP if in a high-risk class.
  • Comply with cyber incident reporting (12 / 72-hour windows).
  • Notify the CISC of changes in direct interest holders (≥10%).

Key dates

  • OngoingRegistration and incident reporting are continuous.
  • AnnualCIRMP report due each financial year.

Who is affected

  • Responsible entities for the 22 defined CI asset classes.
  • Direct interest holders ≥10%.
  • Operational service providers materially involved in running the asset.

Source documents

Information is general in nature and not legal advice. Always confirm with the source documents and your own legal counsel.