SOCI Act mandatory cyber incident reporting — the 12 and 72-hour clocks

When responsible entities for critical infrastructure assets must report cyber security incidents under Part 2B of the SOCI Act.

Rules Mate Editorial · Published 1 June 2026 · 2 min read

What Part 2B requires

Part 2B of the Security of Critical Infrastructure Act 2018 (Cth) establishes mandatory cyber incident reporting obligations. The responsible entity for a critical infrastructure asset must report certain cyber security incidents to the Australian Signals Directorate (ASD). In practice, reports are lodged with the Australian Cyber Security Centre (ACSC), which sits within ASD.

These reporting obligations are not universal. They apply only to critical infrastructure assets for which Part 2B has been 'switched on' (activated) under the SOCI Act, and reporting is triggered only when the prescribed impact thresholds are met.

Part 2B reporting is separate from the voluntary incident reporting arrangements introduced under the Cyber Security Act 2024 (Cth); lodging a voluntary report does not discharge a Part 2B obligation.

The 12-hour clock — significant impact

If a cyber security incident has a 'significant impact' on the availability of an asset, the responsible entity must report it within 12 hours of becoming aware of the incident.

The initial report may be made verbally. If it is, a written report must follow within 84 hours.

'Significant impact' is defined in section 12N of the SOCI Act, and that definition determines whether the accelerated 12-hour obligation applies.

The 72-hour clock — relevant impact

Where a cyber security incident has a 'relevant impact' on the asset, the responsible entity must report it within 72 hours of becoming aware of the incident. These reports must be made in writing.

'Relevant impact' is the threshold that engages the 72-hour timeframe. It covers incidents affecting the availability, integrity, reliability, or confidentiality of the asset.

'Relevant impact' is defined in section 12M of the SOCI Act, and that definition determines whether the 72-hour obligation is engaged.

Penalties

Failure to comply with the mandatory cyber incident reporting obligations in the Security of Critical Infrastructure Act (SOCI Act) is a civil penalty contravention: organisations and individuals who fail to report as required may face financial penalties.

The maximum civil penalty for an individual who contravenes the reporting obligations is 50 penalty units. For a body corporate (such as a company), the maximum civil penalty is 250 penalty units. The value of a penalty unit is determined separately and is subject to change.

While enforcement action is possible, ASD generally prioritises cooperation and remediation over enforcement for genuine first-time reporters. Reports made in compliance with the SOCI Act are protected under the Act's regime and are not admissible in civil proceedings against the reporter.

Frequently asked

Does SOCI reporting replace NDB reporting?

No. SOCI Part 2B reporting and Notifiable Data Breaches reporting under the Privacy Act are independent. A single incident can trigger both, with different deadlines and recipients.

Do I have to report to ASD if I don't know the cause yet?

Yes. The 12 and 72-hour clocks run from awareness of the incident, not from completion of root-cause analysis. An initial report should state what is known at the time and be supplemented as further facts are confirmed.
