Multi-regulator obligations on one event
Cyber Security & SOCI hub
A single cyber incident can fire 4+ separate regulator clocks: SOCI (Home Affairs), CPS 234 (APRA), NDB (OAIC), and ASIC reportable situations. Plus the Essential Eight baseline and the Australian Cyber Security Strategy 2023-2030. Here's the map.
Australian cyber obligations don't sit with one regulator — they're spread across the Security of Critical Infrastructure Act 2018 (SOCI), the Privacy Act's Notifiable Data Breaches scheme, APRA's CPS 234 (Information Security) and CPS 230 (Operational Risk), the ASIC reportable situations regime for AFS and credit licensees, and the Australian Signals Directorate's Essential Eight maturity model.
When a cyber incident hits, you don't get to choose which clock starts — multiple regulators expect notification within different timeframes (SOCI critical-incident notification within hours; CPS 234 within 72 hours; NDB assessment within 30 days, notification as soon as practicable; ASIC reportable situations within 30 days).
The tools and articles below cover the prevention layer (Essential Eight, CPS 230, CPS 234) and the response layer (the multi-regulator notification map). Run the Compliance Fingerprint for a personalised list of which cyber obligations apply to your specific business.
FAQ
Which regulators get notified after a cyber incident?
It depends on what you do. If you're a SOCI responsible entity, Home Affairs (Cyber and Infrastructure Security Centre). If you're APRA-regulated, APRA under CPS 234 (within 72 hours of a material information-security incident). If personal information is involved and you're an APP entity, the OAIC under the NDB scheme. If you hold an AFS or credit licence, ASIC under the reportable situations regime. The cyber incident notification tool maps every clock that fires for your profile.
What is the Essential Eight?
The Australian Signals Directorate's baseline set of eight mitigation strategies. Maturity levels run ML0 (significant weaknesses) to ML3 (defends against adaptive adversaries). Your overall maturity is the lowest of the eight. Government contractors are often required to demonstrate ML2 under Right Fit For Risk.
How is CPS 234 different from CPS 230?
CPS 234 (in force since 2019) is APRA's information-security standard. CPS 230 (in force for ADIs and insurers from 1 July 2025, and for RSE licensees from 1 July 2026) is the broader operational-risk standard, which treats cyber as one component of overall operational resilience.
What is SOCI?
The Security of Critical Infrastructure Act 2018 imposes positive cyber-security and risk-management obligations on responsible entities for assets across 11 critical-infrastructure sectors. Material cyber incidents must be notified to the Cyber and Infrastructure Security Centre within tight timeframes.
How long do I have to notify a Notifiable Data Breach?
Up to 30 calendar days to assess whether a suspected breach is an eligible data breach. Once confirmed eligible, you must notify the OAIC and affected individuals as soon as practicable. Track both clocks with the NDB notification timer.
What is a reportable situation under RG 78?
AFS and credit licensees must report certain breaches (including deemed-significant breaches) to ASIC within 30 days. Failure to report is itself a contravention. See our reportable situations explainer.