Next evolution of the Security of Critical Infrastructure Act starts to take shape.
Market Insights
Following a recent independent review, the Security of Critical Infrastructure Act 2018 (Cth) (SoCI Act) that provides a structure for managing Australia’s critical infrastructure appears to be set for further evolution.
In 2022, the SoCI Act was overhauled to create a framework for managing risk and establishing government oversight in key infrastructure sectors such as energy, water, transport, communications, and data storage and processing. Operators of critical infrastructure assets in relevant sectors are required to register with the Commonwealth Government, notify the Government of cyber breaches within very strict timelines, maintain compliant Critical Infrastructure Risk Management Programs (CIRMP), and follow certain Government directions. Our summary of the relevant obligations is set out in an article from when these changes commenced. That framework always appeared unlikely to be the final form of the legislation in a developing space, and we now have indications as to the next likely evolution of the SoCI Act.
On 2 February 2026, Dr Jill Slay AM completed her Independent Review (Review) of the amendments to the SoCI Act. The purpose of the Review was to assess whether the SoCI Act is achieving its intended objectives, functioning as intended, and not producing unintended consequences.
In response to the Review, the Department of Home Affairs has released consultation papers on proposed amendments to the SoCI Act (SoCI Amendments, available here) and to the Critical Infrastructure Risk Management Program Rules (CIRMP Amendments, available here) (Consultation Papers). The Consultation Papers propose fairly substantive changes to the SoCI Act and CIRMP Rules to address the recommendations made in the Review.
The Review
According to the Review, the SoCI Act has:
- ‘increased executive and board-level awareness of infrastructure vulnerabilities’;
- ‘established baseline governance frameworks and accountability structures’;
- ‘improved asset visibility and incident reporting mechanisms’;
- ‘created a common language for discussing critical infrastructure risks across sectors’; and
- ‘successfully established Australia as a global leader in critical infrastructure security governance’.
However, despite this, the ‘overarching conclusion [of the Review] is that the SOCI Act requires major legislative change to remove complexity and confusion while becoming more agile and responsive’. This conclusion is based on feedback that the SoCI Act:
- is unclear, duplicates regulatory requirements and enforcement action, and has unclear accountability mechanisms;
- is not equipped to handle emerging threats such as AI, unauthorised drones and space-based service dependencies; and
- focuses too heavily on cybersecurity.
Based on the above, the Review had six recommendations for changes to be made to the SoCI Act to assist in addressing these concerns.
Recommendation 1
Recommendation 1 is that the SoCI Act should be amended to remove all possible Commonwealth regulatory duplication.
This change would be a clear quality of life improvement for entities subject to multiple different regulatory obligations regarding the same asset (for example, notification obligations under both the SoCI Act and the Privacy Act 1988 (Cth)). However, implementing this change may be challenging in a constantly shifting regulatory landscape, as other regulatory obligations continue to change.
Recommendation 2
Recommendation 2 is that the SoCI Act move from a ‘light touch’ compliance approach to a risk-management process with the real enforcement of penalties.
This recommendation is particularly interesting as it shows that the Government is considering modifying how it enforces penalties for SoCI Act non-compliance. It highlights the importance for direct interest holders and responsible entities for critical infrastructure assets of ensuring that they are in compliance with the SoCI Act before any changes to how the legislation is enforced are implemented and the risk of non-compliance increases.
This recommendation is consistent with our general anticipation that the Government is likely to increasingly use existing mechanisms in the SoCI Act to enforce compliance, now that industry has several years of experience with the laws.
Recommendation 3
Recommendation 3 is that ASIC-style regulatory guidelines with examples and templates are developed.
As with recommendation 1, this would be a clear quality of life improvement that would assist entities in meeting SoCI obligations. However, unlike recommendation 1, this is not dependent on potentially shifting regulatory obligations and should be implementable in isolation.
Recommendation 4
Recommendation 4 is that the Department of Home Affairs works with other Commonwealth Departments and organisations to respond to concerns on emerging technologies.
This recommendation seems logical but is unlikely to have any practical effect on SoCI obligations until any such response is formulated.
Recommendation 5
Recommendation 5 is that Trusted Information Sharing Network capability is enhanced through education and information sharing.
Recommendation 6
SoCI Amendments
The SoCI Amendments propose five measures to amend the SoCI Act. These measures go beyond simply addressing the concerns raised in the Review and also touch upon a number of other topics.
Measure 1
Section 32 allows the Government to issue a direction to a reporting entity for, or an operator of, a critical infrastructure asset to do or refrain from doing an act or thing, if satisfied that there is a risk of an act or omission that would be prejudicial to security.
According to the Consultation Paper, the intention behind section 32 is to enable the Government to manage national security risks by providing directions to relevant entities; however, this power is impractical to use due to its procedural and legal requirements.
The Consultation Paper proposes to address this by amending the existing directions power in section 32 of the SoCI Act to make this power easier to use.
Measure 2
The Consultation Paper raises concerns about the Government’s lack of ability to impose conditions or otherwise impose ongoing governance controls as the directions power in section 32 is not appropriate for this use.
The Consultation Paper proposes to address this by introducing a new power for the Minister to impose targeted, fit-for-purpose conditions on reporting entities where ownership, control, or governance arrangements create a material risk to national security that cannot be sufficiently mitigated through existing regulatory obligations or voluntary measures.
Measure 3
The Consultation Paper raises concerns around the use of high-risk vendors by critical infrastructure assets, especially in relation to vendors subject to foreign laws that allow extrajudicial direction, who have opaque ownership or governance structures, or who are based in high-risk jurisdictions for coercion or interference.
The Consultation Paper proposes introducing a new power for the Minister to make directions where a specific vendor, or its products, equipment, services or technologies, presents a material risk to national security.
Measure 4
The Consultation Paper raises concerns that continuous disclosure requirements owed by some organisations, such as listed companies, may pose a security risk by undermining coordinated responses, revealing vulnerabilities, or heightening systemic risks. The Consultation Paper proposes to address this issue by introducing a new power, in either the SoCI Act or the Corporations Act 2001 (Cth), to allow the Government to exempt entities from disclosure obligations when such a risk is present.
Measure 5
The final measure proposed in the Consultation Paper is to increase the civil penalty for non-compliance with a Ministerial direction under Part 3 of the SoCI Act to 2,000 penalty units. This amounts to $660,000 for a company, a significant increase on the current maximum penalty of $82,500.
CIRMP Amendments
Under the Critical Infrastructure Risk Management Program Rules (Rules), many categories of critical infrastructure assets are required to have a formal Critical Infrastructure Risk Management Program (CIRMP) in place. This CIRMP needs to outline the steps being taken by the responsible entity for the asset to address particular risks.
The CIRMP Amendments propose a number of changes to the way in which a CIRMP would need to address all-hazards risks, cyber and information security hazards, supply chain hazards, and personnel hazards.
Specifically, the CIRMP Amendments propose:
- enabling the government to specify risk advice that affected responsible entities must consider and, to the extent that it poses a material risk to the availability or function of their asset, minimise or eliminate as far as reasonably practical;
- requiring responsible entities to consider foreign ownership, control, and influence risks as part of their CIRMP, including in relation to the foreign ownership, control and influence of their vendors;
- requiring entities in certain asset classes (such as electricity or gas assets) to comply with higher cyber security standards and to have a greater level of maturity under their chosen cyber maturity framework;
- obligating responsible entities to outline in their CIRMP how they have implemented the greatest practical level of segregation between the critical systems and internet-connected or otherwise less secure components;
- ensuring that responsible entities outline how they are using phishing-resistant MFA in their CIRMP;
- requiring responsible entities to establish and maintain a process or system to map their supply chain for major suppliers and critical systems across their physical and cyber supply chains;
- obligating responsible entities to establish and maintain a personnel security plan for their organisation;
- mandating identification of all critical workers and requiring all onshore critical workers to undergo an AusCheck background check as part of pre-employment screening unless they hold Negative Vetting 1 or above; and
- requiring responsible entities to identify the risks associated with offshore critical workers and outline in their CIRMP how they are managing these risks.
These changes would be significant, given that the existing CIRMP Rules largely leave infrastructure operators with a degree of autonomy to work out how best to address relevant risks, whereas the new requirements would be much more prescriptive in a number of respects.
If these proposed measures are implemented, they will impose additional obligations on responsible entities in creating and managing their CIRMP. Given that these changes to the CIRMP Rules would not need to be passed by Parliament, we anticipate that they are likely to materialise sooner than the proposed amendments to the SoCI Act itself.
Takeaways
The key takeaway from the Review and the Consultation Papers is that they show an awareness of the complexity and difficulties associated with the SoCI Act and an appetite for addressing these concerns. While some of the changes proposed to the legislation itself may assist in simplifying the implementation of SoCI Act requirements and reducing regulatory duplication, the changes to the CIRMP Rules may require significant uplift by critical asset operators if they are yet to meaningfully grapple with risk management.
One of the other key takeaways from the Review and the Consultation Paper is that they highlight an awareness that enforcement measures may need to be improved. This emphasises the importance for entities to ensure that they are in compliance with SoCI obligations as soon as possible to reduce the risk of being subject to enforcement action.
HWLE has extensive experience in advising businesses regarding critical infrastructure assets. If you are concerned about meeting your SoCI obligations, please contact us for further information on how we can assist you.
This article was written by Daniel Kiley, Partner and Maximilian Soulsby, Associate.