Skip to content

Casting a wider net: Expanding the reach of critical infrastructure regulation

Market Insights

Introduction

The Department of Home Affairs has released its consultation paper (Consultation Paper) on the proposed Tranche 2 reforms to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), representing the next stage of the Government’s response to the 2025-26 Independent Review of the SOCI Act.

Where Tranche 1 reforms focused on immediate risk management, incident response and government intervention powers, the Tranche 2 proposals address broader structural issues within the SOCI framework. The Consultation Paper contains proposals intended to reduce regulatory duplication, redefine the categories of regulated critical infrastructure, clarify asset ownership and operational responsibility, and strengthen governance and assurance obligations.

Many of these measures have the potential to significantly expand both the assets and entities captured by the SOCI framework. Organisations operating in data infrastructure, health, energy, telecommunications, transport and research sectors especially should carefully consider the implications of the proposed reforms.

In this article, we discuss the key themes emerging from the Consultation Paper and their likely implications for regulated entities.

Reducing duplication and improving workability

One of the central themes of the Consultation Paper is reducing unnecessary regulatory overlap.

Many organisations that operate critical infrastructure are already subject to multiple Commonwealth, State and Territory regulatory regimes. In some cases, those regimes require organisations to undertake similar risk management, security, reporting or assurance activities to those required under the SOCI framework.

To address this issue, the Government is proposing a new exemptions framework. Under the current regime, exemptions are generally limited and often operate on an ‘all-or-nothing’ basis. The proposed framework would allow the Government to grant more tailored exemptions where another regulatory regime delivers substantially equivalent outcomes.

For example, if an organisation is already required to maintain risk management or security controls under another law, the Government could exempt that organisation from the equivalent SOCI requirement rather than requiring compliance with both regimes. However, the Government may still retain certain SOCI obligations that are considered important from a national security perspective, such as obligations relating to asset visibility, incident notification, assurance or information sharing.

In practical terms, the proposal is intended to reduce duplication and compliance burden without removing the Government’s ability to obtain information about nationally significant assets and risks. If implemented effectively, it could provide a more flexible mechanism for recognising existing compliance obligations while preserving the core objectives of the SOCI framework.

The Consultation Paper also proposes changes designed to simplify the administration of the SOCI regime. This includes reforms to the Register of Critical Infrastructure Assets and annual reporting requirements. Rather than prescribing detailed information requirements in the SOCI Act itself, many of these requirements would instead be dealt with through Rules and approved forms. This would allow reporting requirements to be updated more easily as risks, technologies and sectors evolve, without requiring amendments to the legislation each time a change is needed. For regulated entities, this may lead to a more streamlined and adaptable compliance framework over time.

Expanding and modernising sector coverage

A significant feature of the Consultation Paper is the proposed expansion of the sectors, assets and functions that may be regulated under the SOCI framework. While many of the detailed thresholds and exclusions will be developed through future consultation on the Rules, the proposals indicate a clear intention to modernise SOCI so that it better reflects emerging technologies, contemporary business models and evolving national security risks.

For the technology sector, the Government is proposing a new approach to regulating data storage and processing assets. Where currently data facilities are captured by the SOCI Act depending on the customers they serve, the proposed model would instead assess providers by reference to factors such as facility size, service scale, certification status and government dependency. This could bring a broader range of data centre operators, cloud service providers and managed hosting providers within scope of the SOCI framework.

The Consultation Paper also proposes new asset classes in the space technology sector, covering infrastructure that supports satellite operations, positioning and timing services, earth observation capabilities and space situational awareness. In the health sector, the Government is considering new asset classes for critical blood supply functions, integrated pathology systems and nationally significant laboratory capabilities, together with broader application of risk management obligations to critical hospitals.

Similarly, the proposed energy reforms would expand SOCI’s focus beyond traditional generation and network assets by addressing distributed energy resources such as battery storage systems, virtual power plants and aggregation platforms. The Consultation Paper recognises that systemically significant risk may arise from the coordinated control of distributed assets rather than from individual facilities alone.

The higher education and research sector would also be substantially reformed. The current critical education asset concept would be replaced with a critical research asset framework focused on nationally significant research activities involving sensitive technologies or a defined national security nexus. These reforms could extend SOCI obligations beyond universities to a broader range of public and private research organisations.

Clarifying asset boundaries and responsibility

Another key theme of the Consultation Paper is clarifying what infrastructure is regulated and which entities should be responsible for compliance.

The proposed reforms recognise that critical infrastructure is often operated through complex ownership, outsourcing and service delivery arrangements that do not fit neatly within traditional concepts of ownership and control. As a result, the Consultation Paper seeks to align SOCI obligations more closely with the entities and functions that are most important to the operation and resilience of critical infrastructure assets.

For example, in the telecommunications sector, the Government proposes a broader, function-based approach to submarine cable systems that would extend beyond the physical cable itself to include associated infrastructure such as landing stations, power systems and network management functions. This is intended to better reflect modern operating models involving consortia, special purpose vehicles and shared infrastructure arrangements.

Similarly, the freight proposals would expand SOCI coverage beyond traditional freight assets to include nationally significant logistics nodes, distribution facilities and supply-chain chokepoints where disruption could have broader economic or national resilience consequences.

The Consultation Paper also proposes significant reform of the Systems of National Significance (SoNS) framework. The existing focus on cyber incident response planning would be replaced with a broader resilience model centred on business continuity, recovery and restoration of critical services. The reforms are intended to simplify the SoNS regime, reduce duplication with equivalent frameworks and place greater emphasis on demonstrating practical resilience outcomes for nationally significant assets.

Strengthening governance and accountability

The Consultation Paper proposes a significant increase in governance, assurance and accountability obligations across the SOCI framework.

One of the most significant reforms is the introduction of mandatory independent assurance of Critical Infrastructure Risk Management Programs (CIRMPs). Rather than relying primarily on self-assessment, responsible entities would be required to obtain periodic independent reviews of whether their risk management programs are appropriately designed, implemented and operating effectively. This is likely to increase governance expectations and compliance costs for regulated entities.

The Consultation Paper also recognises that critical infrastructure is often operated by entities other than the asset owner. To address this, the Government proposes new obligations for ‘relevant operators’, such as managed service providers, outsourced operators and other entities that exercise material operational control over critical infrastructure assets or critical functions. In addition, entities within the same corporate group may be required to cooperate where they perform security-critical functions on which the responsible entity relies.

Taken together, these reforms could extend aspects of the SOCI framework beyond traditional asset owners and place greater responsibility on service providers, operators and related entities that play a significant role in the operation and security of critical infrastructure.

The Consultation Paper also proposes a range of supporting governance reforms, including enhanced supply-chain cyber security assurance requirements, stronger CIRMP review and oversight obligations, and updated concepts of critical workers and critical components. These measures reflect an increasing focus on organisational resilience, supply-chain risk management and demonstrable security outcomes.

Consultation process

The Consultation Paper is open for consultation until 31 July 2026. While the paper outlines the broad direction of the reforms, many of the most significant details, including thresholds, exclusions and implementation settings, will be developed through future amendments to the Rules. As a result, stakeholder feedback at this stage is likely to have a significant influence on the eventual scope and operation of the regime. Organisations that may be affected by the reforms should therefore consider participating in the consultation process to help ensure the final framework is workable, proportionate and aligned with existing regulatory obligations.

Next steps

The Consultation Paper signals a significant evolution of Australia’s critical infrastructure regulatory framework.

While many of the proposals are intended to reduce duplication and improve regulatory clarity, they would also expand the scope of the SOCI framework into new sectors and introduce more robust governance and assurance obligations for affected entities. In particular, the proposed reforms could extend regulatory obligations beyond traditional asset owners to operators, service providers, corporate group entities and organisations undertaking research activities of national significance.

With submissions due by 31 July 2026, for organisations operating in the data infrastructure, health, energy, telecommunications, transport and research sectors, the consultation process presents an important opportunity to influence the thresholds, exclusions and implementation mechanisms that will ultimately determine the practical reach of the reforms.

HWLE Lawyers’ IP and IT team has extensive experience advising clients on SOCI compliance, cyber security governance and critical infrastructure regulation. If you would like to understand how the proposed reforms may affect your organisation, please contact us to discuss how we can assist.

This article was written by Daniel Kiley, Partner, Ashlee Broadbent, Associate, and Max Soulsby, Associate.

Important Disclaimer: The material contained in this publication is of general nature only and is based on the law as of the date of publication. It is not, nor is intended to be legal advice. If you wish to take any action based on the content of this publication we recommend that you seek professional advice.

Subscribe for publications + events

HWLE regularly publishes articles and newsletters to keep our clients up to date on the latest legal developments and what this means for your business. To receive these updates via email, please complete the subscription form and indicate which areas of law you would like to receive information on.

* indicates required fields

This field is for validation purposes and should be left unchanged.
Interests **
This field is hidden when viewing the form
Email preferences*
What type of content would you like to receive from us?