SOCI Act 2018
Security of Critical Infrastructure Act 2018 (Cth)
About this Act
The federal Act regulating critical infrastructure. It originally covered only electricity, gas, water and ports; it now spans 11 sectors: communications, data storage and processing, defence, energy, financial services, food and grocery, healthcare, higher education, space technology, transport, and water. Responsible entities (and direct interest holders) must register assets on the Register of Critical Infrastructure Assets, report cyber security incidents to the Australian Signals Directorate (ASD), adopt and maintain a Critical Infrastructure Risk Management Program where the rules switch that obligation on, and, for declared Systems of National Significance, meet enhanced cyber security obligations. The Government also holds 'last resort' assistance powers over critical infrastructure assets.
- Original Royal Assent
- 11 April 2018
- Original commencement
- 11 July 2018
- Administered by
- Department of Home Affairs, through the Cyber and Infrastructure Security Centre (CISC); cyber incident reports go to the Australian Signals Directorate (ASD)
Amendment timeline
Chronological list, oldest to newest. Each entry cites the legislation.gov.au compilation or as-made source and, where available, regulator guidance.
Security Legislation Amendment (Critical Infrastructure) Act 2021
SLACI Act 2021
Royal Assent
2 December 2021
Commencement
Act commenced 3 December 2021. The Register and cyber incident reporting obligations were switched on by rules from 8 April 2022, with grace periods to 8 July 2022 (incident reporting) and 8 October 2022 (Register).
What changed
First major SOCI expansion. Broadened the scope from 4 sectors to 11 (adding communications, data storage and processing, defence, financial services, food and grocery, healthcare, higher education, space technology and transport). Introduced mandatory cyber incident reporting to ASD (12 hours for incidents with a significant impact on availability, 72 hours for other incidents with a relevant impact) and gave the Government 'last resort' government assistance powers: information gathering directions, action directions and intervention requests for ASD to step in. The enhanced cyber security obligations for Systems of National Significance came later, in the 2022 Act.
Who's affected
Responsible entities for assets in 11 critical infrastructure sectors; direct interest holders.
Security Legislation Amendment (Critical Infrastructure Protection) Act 2022
SLACIP Act 2022
Royal Assent
1 April 2022
Commencement
Staged from 2 Apr 2022; RMP obligations 17 Feb 2023
What changed
Introduced the Critical Infrastructure Risk Management Program (CIRMP) obligation under Part 2A of the SOCI Act. Responsible entities must adopt, maintain, comply with and regularly review a written program that identifies material risks across the four hazard domains (cyber and information security, personnel, supply chain, physical security and natural hazards) and, so far as reasonably practicable, minimises or mitigates them. Also added the Systems of National Significance (SoNS) category under Part 2C: the Minister can privately declare an asset a SoNS, after which the Secretary can impose enhanced cyber security obligations by notice (incident response plans, cyber security exercises, vulnerability assessments and access to system information).
Who's affected
Responsible entities for critical infrastructure assets in the financial services, communications, data storage and processing, defence, energy, food and grocery, healthcare, higher education, space technology, transport and water sectors, but Part 2A only bites for the asset classes that the CIRMP Rules switch on (listed under the 2023 Rules entry below). SoNS-declared entities face the enhanced obligations.
Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023
Registered
16 February 2023
Commencement
17 Feb 2023, with a 6-month grace period to 17 Aug 2023 to have a program in place and an 18-month grace period to 17 Aug 2024 to meet the cyber security framework requirement
What changed
Subordinate instrument operationalising the CIRMP obligation. Requires entities to establish and maintain processes to minimise material risks in each of the four hazard domains (cyber and information security, personnel, supply chain, physical security and natural hazards). For the cyber domain the entity must meet a recognised framework within 18 months: Essential Eight Maturity Level 1, AESCSF Security Profile 1, NIST CSF, ISO/IEC 27001:2015, C2M2 Maturity Indicator Level 1, or an equivalent framework. The board must approve an annual report to the Secretary within 90 days after the end of each financial year.
Who's affected
Critical broadcasting, domain name, data storage and processing, financial market infrastructure, food and grocery, hospital, freight infrastructure, freight services, public transport, liquid fuel, energy market operator, electricity, gas, water and sewerage entities.
Cyber Security Legislation Package 2024
Cyber Security Act 2024 + Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 + Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024
Royal Assent
29 November 2024
Commencement
Staged: most SOCI amendments, including the data storage system clarification, from 30 November 2024 (the day after Royal Assent); telecommunications security provisions later by proclamation; ransomware payment reporting from 30 May 2025 under the Cyber Security (Ransomware Payment Reporting) Rules 2025
What changed
The legislative package under the 2023-2030 Australian Cyber Security Strategy. The Cyber Security Act 2024 made ransomware payment reporting mandatory for reporting business entities (within 72 hours of making a payment, or of becoming aware that one was made on the entity's behalf), gave the National Cyber Security Coordinator a legislated 'limited use' obligation on information voluntarily shared during a cyber incident (the companion Intelligence Services amendment gives ASD the equivalent), established the Cyber Incident Review Board and enabled mandatory security standards for smart devices. The ERP Act clarified that data storage systems holding business critical data form part of the critical infrastructure asset, extended government assistance measures beyond cyber to all-hazards incidents, let the Secretary direct an entity to fix a seriously deficient CIRMP, and consolidated telecommunications security obligations into the SOCI Act.
Who's affected
Reporting business entities under the Cyber Security Act: any business with annual turnover above the $3M threshold set by the rules, and responsible entities for SOCI critical infrastructure assets regardless of turnover. Responsible entities under SOCI for assets that include data storage systems; telecommunications carriers and carriage service providers.
What's coming next
Home Affairs has consulted on expanding SoNS declarations in the financial services and data sectors. A 2026 SOCI biennial review is in flight examining whether further sectors (advanced manufacturing, agriculture) should be brought in, and whether the CIRMP cyber-framework grace period should be tightened. Watch for new Cyber Security Rules under the Cyber Security Act 2024 on incident-response data sharing.
Why this matters now
Mandatory 12/72-hour cyber incident reporting applies to responsible entities for critical infrastructure assets across all 11 sectors, which takes in many large listed and private companies that do not think of themselves as 'critical infrastructure'. The CIRMP regime requires a board-approved annual report; the Part 2A obligations to adopt, comply with and review the program are civil penalty provisions of up to 200 penalty units each. The 2024 ransomware payment reporting obligation applies to any business above the $3M turnover threshold, not just SOCI entities, a much wider footprint than most boards realise.
Frequently asked
Which sectors are caught by SOCI now?
11: communications, data storage and processing, defence, energy, financial services, food and grocery, healthcare and medical, higher education and research, space technology, transport, and water and sewerage. Each has sector-specific 'critical asset' definitions and thresholds in the SOCI Act and its Rules.
What's the difference between 12-hour and 72-hour reporting?
12 hours: a cyber security incident that has had, or is having, a significant impact on the availability of the asset (s 30BC). 72 hours: a cyber security incident that has had, is having, or is likely to have a relevant impact on the asset (s 30BD), the broader category that also covers confidentiality and integrity impacts. Both are reported to ASD; an oral report within the deadline is acceptable, but a written record must follow within 84 hours of the oral report.
When must we adopt a recognised cyber framework?
18 months from the CIRMP Rules commencement, so by 17 August 2024 for entities that were responsible entities when the Rules commenced. An entity that becomes a responsible entity later has 18 months from that date. The recognised frameworks are Essential Eight ML1, AESCSF SP-1, NIST CSF, ISO/IEC 27001:2015, C2M2 MIL-1, or an equivalent framework.
Do small businesses have to report ransomware payments?
Generally no: the 72-hour ransomware payment reporting obligation under the Cyber Security Act 2024 applies to businesses with annual turnover above the $3M threshold. The exception is a responsible entity for a SOCI critical infrastructure asset, which must report regardless of turnover. Smaller entities are encouraged to report voluntarily through ReportCyber.
Who signs off on the CIRMP annual attestation?
The entity's board, council or other governing body must approve an annual report given to the Secretary of Home Affairs (or the relevant Commonwealth regulator) within 90 days after the end of each financial year. The report states whether the program was up to date, whether any hazard had a significant relevant impact on the asset and how the program was varied in response, and attests that the entity has complied with and reviewed the program and applied its recognised cyber framework. Failing to give the report is a Part 2A civil penalty provision; a knowingly false or misleading statement in it carries criminal exposure under the Criminal Code.
Rules Mate summarises and links to legislation.gov.au and regulator guidance. We do not republish statutory text. Every date in this timeline has been verified against the Federal Register of Legislation as at 6 June 2026. Always verify against the live source before acting. Compliance tools, not legal advice. Consult a qualified professional.