Publication date: 23 Apr 2026

Simpler framework, stronger ministerial power: Proposed changes to the Security of Critical Infrastructure regime

By Morgan Lane, Katherine Jones, Andrew Newell and Max Lee

The Australian Government has proposed reforms to the Security of Critical Infrastructure Act to expand the Minister's direction powers and to impose stronger risk management obligations on High Risk Assets. The changes point to closer regulatory oversight, substantially higher penalties, and expanded cyber security, governance and supply chain requirements.


In brief

The Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) provides the Australian Government with visibility on who owns and controls critical infrastructure in Australia, assurance as to how risk to its functionality is being managed and intervention options where the failure of infrastructure would have national and damaging consequences.

Following an independent review of the SOCI Act by Dr Jill Slay AM, and with recent global crises sharpening the focus on security, in March 2026 the Federal Minister for Home Affairs (Minister) announced proposed reforms to that Act. The announcement was accompanied by an exposure draft of proposed changes aimed at strengthening the "critical infrastructure risk management program" (CIRMP) rules made under the SOCI Act (Exposure Draft).

The announcement stated the Government’s intention to:

  1. amend the Minister’s directions power under Part 3 of the SOCI Act; and

  2. introduce greater risk management requirements for certain high-risk critical infrastructure asset classes.

Part 1 - Proposed amendments to the SOCI Act

Proposed enhancements to ministerial powers

The Government proposes to strengthen the Minister’s power to give directions under the SOCI Act, to allow for faster and more robust responses to critical infrastructure risks, particularly in urgent situations.

Currently, section 32 of the SOCI Act empowers the Minister to issue a direction to a reporting entity for a critical infrastructure asset if "there is a risk of an act or omission that would be prejudicial to security".[1] Before doing so, the Minister must have been given an Adverse Security Assessment (ASA) by ASIO in respect of the entity[2] (ASA Requirement) and must be satisfied that no existing regulatory system could address the risk (Regulatory Exhaustion Requirement).

The key proposed changes to this power are:

  1. To replace the ASA Requirement with a requirement that the Minister obtain and consider tailored ASIO advice.[3]

  2. To relax the Regulatory Exhaustion Requirement, replacing it with a requirement that the Minister be satisfied that no less intrusive mechanism, and no existing regulatory mechanism, would address the risk more effectively.

  3. To give the Minister the power to impose conditions on an entity that faces persistent governance risks (for example, role-based security vetting, access controls, changes to audit obligations and uplifts to cyber security).

  4. To allow the Minister to address systemic vendor risks across entities or sectors by giving a direction to multiple entities at once, for example to stop using certain products, isolate particular technologies, restrict procurement or apply specified controls.[4]

  5. To allow an entity to delay disclosure of a cyber security incident where disclosure would threaten Australia's national security or public safety.

Notes

[1] See Australian Security Intelligence Organisation Act 1979 (Cth).
[2] See SOCI Act s 32(3)(c).
[3] See Australian Government Department of Home Affairs, Proposed amendments to enhance the Critical Infrastructure Risk Management Program Rules (CIRMP Rules) (Consultation Paper, 2026).
[4] See Australian Government Department of Home Affairs, Proposed amendments to the Ministerial Directions Powers in Part 3 of the Security of Critical Infrastructure Act 2018 (Consultation Paper, 2026) 14.

Proposed increases to penalties

The amendments also propose an increase in penalties.

Currently, under Part 3 of the SOCI Act, non-compliance with a ministerial direction carries a maximum penalty of 250 penalty units ($82,500) for an individual and 1,250 penalty units ($412,500) for a body corporate. The proposed changes would raise the maximum to 2,000 penalty units ($660,000) for an individual and 10,000 penalty units ($3,300,000) for a body corporate. (Dollar figures are calculated at the current Commonwealth penalty unit value of $330.)

Part 2 - Proposed amendments to the CIRMP Rules

Enhanced CIRMP Rules for responsible entities

A "responsible entity" is the person or body that owns, operates, uses or is otherwise legally designated as responsible for a critical infrastructure asset. A responsible entity must adopt, maintain and comply with a CIRMP: a written program that identifies hazards to its critical infrastructure assets and sets out how the entity will minimise or eliminate the material risk of those hazards.

The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023 (Cth) (CIRMP Rules) were made by the Minister under the rule-making power in section 61 of the SOCI Act.

The Exposure Draft proposes amendments to the CIRMP Rules introducing "enhanced CIRMP requirements", which would go beyond the existing "baseline CIRMP requirements". The enhanced CIRMP requirements would apply only to high-risk critical infrastructure assets in sectors such as energy, communications, water and transport (High Risk Assets).

Summary of key proposed changes to the CIRMP Rules

Under the Exposure Draft, a responsible entity for a High Risk Asset would be required to do the following (the proposed section of the CIRMP Rules is shown in brackets).

Consider all hazards (proposed s 6A)

  consider:

  1. any impairment of the High Risk Asset's functions that could prejudice the social stability, economic stability, national security or defence of Australia; and

  2. the potential compromise or impairment of the functions of the High Risk Asset as a result of, or in connection with, Foreign Ownership, Control or Influence (FOCI).

Cyber and information security risks (proposed s 8A)

  1. minimise the risks associated with (a) updating software, hardware, legacy systems and security systems, (b) deploying advanced, novel and emerging technology, and (c) offshore remote access to operational technology;

  2. meet at least maturity level 2 under a recognised cyber security framework (the Exposure Draft lists ISO 27001, the Essential Eight, NIST CSF 2.0, C2M2 and AESCSF); and

  3. implement phishing-resistant multi-factor authentication controls. In the sense used by the ACSC and NIST, this means authenticators that are cryptographically bound to the service being accessed, such as FIDO2/WebAuthn security keys or PKI-based smart cards, rather than SMS codes, one-time passcodes or push approvals, all of which can be captured or relayed by a phishing proxy.

Personnel security (proposed s 9A)

  maintain a process or system which minimises or eliminates the risk of:

  1. "unauthorised or unsupervised access to critical systems";

  2. "compromise and misuse of credentials" by critical workers; and

  3. access by non-critical workers.

Supply chain risk (proposed s 10A)

  1. map major suppliers and critical systems across the physical and cyber supply chains to identify vulnerabilities;

  2. "identify the maximum tolerable outage for the critical infrastructure asset or any of its critical systems, components, major suppliers or providers"; and

  3. set out the system used to assess the risks presented by any major supplier, including (a) exposure to FOCI and legal requirements, (b) sanctions or jurisdictional constraints, (c) the degree of access to, or control over, the High Risk Asset that the supplier has, and (d) any steps taken to "minimise or eliminate" the impact of the hazard.

Physical and natural hazards (proposed s 11A)

  "centrally manage physical security and natural hazards" and, where practical, "minimise or eliminate the risk", taking into account how cyber incidents, personnel risks or supply chain disruptions could have physical consequences.

  This would involve the entity documenting, among other things, the "location, ownership, and nature of the site" and the "sensitive areas" that hold critical business data, systems and components.

What SOCI Act businesses should be thinking about now

Consultation on both the proposed reforms to the ministerial directions power and the Exposure Draft closes on 1 May 2026. Recordings of the Department's "town hall" presentation and discussion sessions have been published. Entities planning to respond to both proposals should note that a separate submission is required for each.

Although the reforms remain subject to consultation and have not yet been made, the direction of policy is clear. Businesses that own, operate or support critical infrastructure can prepare now by:

  1. assessing whether any of their assets would be a High Risk Asset under the proposed section 4A(1) in the Exposure Draft;

  2. mapping their supply chains and identifying FOCI;

  3. reviewing their cyber security systems and policies;

  4. reviewing personnel security controls;

  5. reviewing their governance arrangements; and

  6. conducting gap analysis against the Exposure Draft, particularly in relation to cyber security.

Conclusion 

For further information relating to the SOCI Act, please contact the Technology & Data team. 

This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. Colin Biggers & Paisley, Australia 2026
