Source of Law / Policy · SOCI Act stream
SOCI Act 2018 + CIRMP
Regulator: Home Affairs / CISC · Legislation
LIVE · Updated 15 Oct 2025
The Security of Critical Infrastructure Act 2018 (SOCI) regulates 22 defined classes of critical infrastructure asset. Responsible entities for high-risk classes must maintain a Critical Infrastructure Risk Management Program (CIRMP) addressing four hazard vectors: cyber & information security, personnel, supply chain, and physical & natural hazards. AI deployed in operational technology (OT) is now treated as a material change requiring CIRMP coverage.
Key obligations
- Confirm whether each asset crosses the SOCI definition and threshold (e.g. ≥30 MW electricity generation).
- Establish, maintain, review and comply with a written CIRMP.
- Treat new AI in OT as a material risk — update the CIRMP, run hazard analysis across all four vectors.
- Submit annual CIRMP reports approved by the board (or equivalent) to the CISC.
- Notify cyber incidents within statutory timeframes (12 / 72 hours depending on impact).
Key dates
- Aug 2023: CIRMP Rules took effect — 12-month grace period began.
- 17 Aug 2024: Full CIRMP compliance (including cyber framework adoption) required.
- Ongoing: Annual board-approved report due each financial year.
Who is affected
- Responsible entities for the 22 defined CI asset classes — energy, water, comms, data storage, transport, food & grocery, defence, finance, healthcare, higher ed.
- Direct interest holders (≥10% interest) and certain operational service providers.
- Asset thresholds matter — sub-threshold assets are not caught.
