Insight,

SOCI Act update: Proposal to significantly extend and enhance the enforcement of the SOCI Act

AU | EN
Current site :    AU   |   EN
Australia
Singapore

Tell me in 30 seconds

The Department of Home Affairs (Department) has released the Streamlining and Modernising the Security of Critical Infrastructure Act 2018 Consultation Paper (Consultation Paper) here, proposing a second tranche of reforms to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). The Consultation Paper sets out 21 proposed reforms, grouped according to three objectives:

  • reducing complexity, uncertainty and duplication in the existing framework (Part A);
  • bringing new asset classes within the scope of the SOCI Act, including space technology, hospitals and health infrastructure, distributed energy resources, offshore electricity, freight networks and logistics platforms, and university and research institutions (Part B); and
  • strengthening governance, enforcement and accountability (Part C).

These reforms mark some of the most significant developments in the SOCI framework to date. While framed as ‘streamlining and modernising’ the SOCI Act, in fact they have the effect of extending the SOCI Act to new asset classes, giving government more flexibility to fine tune SOCI obligations through exemption powers and significantly enhancing its enforcement powers.

What now?

Submissions are due by 31 July 2026, with three Town Hall sessions across July to support the consultation.

If your organisation falls within any of the sectors covered (or proposed to be covered) by the SOCI Act, you should:

1. Review the reforms that relate to your sector to see if they change your assessment of the applicability of the SOCI Act to your organisation. This is particularly important if your organisation could fall within the new or amended asset classes – including submarine telecommunications cables, data storage or processing, space technology, distributed energy systems, hospitals and health infrastructure, critical freight and higher education and research.

2. Review your current SOCI compliance governance arrangements against the reforms, noting the significant uplift in effort which will be needed to comply with some of the proposals – such as the requirement for approval by your Board of your CIRMP, the fact that the CIRMP annual report will be admissible evidence in civil penalty proceedings for SOCI Act non-compliance, and the requirement for independent third party assurance of your CIRMP.

3. Assess the impact of the new provisions on your supply chain arrangements, covering both:

  • subcontractors, MSPs and suppliers that are ‘relevant operators’ that supply critical services to you, and
  • related entities that are ‘connected entities’ that provide critical intercompany services to you,

noting that the reforms would impose direct SOCI Act obligations on those entities to assist you to comply with the SOCI Act.

If you consider that the proposed reforms will have a material impact on your organisation, we encourage you to make a submission and provide feedback to the Department. This is your best opportunity to shape the future direction of the reforms.

If you would like to discuss how the proposed reforms may affect your organisation, or if you are considering making a submission, please contact the authors.

From review to reform

Click to expand

Click to expand

The Independent Review of the SOCI Act, conducted by Dr Jill Slay AM between November 2025 and January 2026, set the scene for a new wave of reform. The final report was tabled in Parliament on 24 March 2026. The review found that while the SOCI Act has laid a strong foundation for critical infrastructure security, it requires major legislative change to reduce complexity, simplify its operation and keep pace with emerging threats. Six recommendations were made, all of which the Government has accepted in principle.

The Government released the first tranche of reforms for consultation on 25 March 2026 (see our earlier alerts: SOCI update: Exposure draft enhancements to CIRMP Rules and consultation on proposed amendments to Ministerial Directions Powers and SOCI Act update: Key Cyber Security and Critical Infrastructure Rules have been registered). The enhanced CIRMP Rules have since been made and took effect on 10 June 2026. The legislative amendments to the Ministerial Directions powers are still awaited.

The Streamlining and Modernising the Security of Critical Infrastructure Act 2018 Consultation Paper marks the beginning of Tranche 2. 

Key Insights on the Proposed Reforms

Spotlight on Parts A and B: ‘Simplification’ provisions; expanding and clarifying asset classes

The Consultation Paper proposes significant reforms to the SOCI Act asset framework. While it is framed as ‘modernising and streamlining’ the SOCI Act, it really does have the effect of extending it to a range of new asset classes, significantly strengthening the enforcement and compliance regime, and requiring greater focus on supply chain governance.

Part A sets out a number of clarification and simplification provisions relating to things such as updating registrations, providing more flexibility to the CISC on specifying the form and content for CIRMP annual reporting, tweaking the definition of cyber security incident to cover incidents relating to AI and automated systems and amending the obligations imposed on systems of national significance (SONS).

Importantly, Part A also ‘clarifies’ uncertain asset boundaries. The ‘clarification’ would extend the SOCI Act to submarine telecommunications cables and associated infrastructure, whether or not owned or operated by a carrier or carriage service provider. It also redefines the data storage or processing assets that will be captured by the SOCI Act. In each of these cases it attempts to deal with ownership and control arising through consortium ownership structures and modern operational arrangements.

Part B ‘modernises’ sector and asset coverage. While no new sectors are added, there are asset classes which are either brought within scope of the SOCI Act for the first time (space technology) or are significantly changed with the effect that a whole range of new critical assets would be caught by the SOCI Act (hospitals and health infrastructure, distributed energy resources, offshore electricity assets, critical freight, and higher education and research).

Interestingly, some of the asset class redefinitions would have the impact of capturing software platforms and providers (for example, in relation to distributed energy systems or critical freight). While these platforms may be important to support the operation of critical infrastructure assets, it seems strange for a software platform or a related service itself to be designated as a critical infrastructure asset without this designation being somehow linked to the principal asset that it supports. This would also be a major change for the providers of those services, who, while they play a role in supporting operators of critical infrastructure, may not themselves currently have the infrastructure and processes to comply with the SOCI legislation.

The diagram below provides a snapshot of the proposed amendments to the asset classes and definitions:

Click to expand

Click to expand

Some of the key expansions and clarifications, and the entities most likely to be affected by these changes, are summarised in the table in Annexure 1, together with our key insights on each of the proposed reforms. A summary of all of the reforms is set out on page 9 of the Consultation Paper.

Spotlight on other Key Reforms: Part C Governance, Assurance and Accountability

Beyond the expansion of sectors and asset classes, the Consultation Paper proposes significant reforms relating to SOCI Act governance. In short, these reforms focus on increasing the enforceability of the SOCI Act and increasing assurance that responsible entities are actually complying with their SOCI Act obligations. We highlight some of the key proposals from Part C in Annexure 2.

Jump to your relevant section:

Annexure 1 – Key reforms

Proposal
The Problem Statement
The Proposed Solution
Key Insights

Part A: Clarifying Existing Boundaries

Measure 7: Submarine Telecommunications Cables and Associated Infrastructure

The current critical telecommunications asset framework is drafted in a way which creates uncertainty, particularly as it:

  • does not clearly reflect how modern submarine telecommunications cable systems are owned and operated. It assumes that the infrastructure is owned by carriers or carriage service providers, which makes it difficult to apply the framework where important physical or operational functions sit with entities that are not carriers or carriage service providers.
  • focuses on the cable on or beneath the seabed, but does not clearly identify which shore-end, landing, terminal, power, network-management or supporting operational components should be treated as part of the cable system, including where facilities are shared or components are physically separated; and
  • identifies interests based on ownership, but in practice parties may hold significant commercial interests in a cable system (such as indefeasible rights of use, consortium rights or long-term capacity arrangements) that confer substantive influence, exclusivity or dependency without constituting ownership. These interests fall outside the current framework.

Refine the critical telecommunications asset framework so nationally significant submarine telecommunications cable systems with an Australian landing are captured by reference to their operational components and responsible entities.

Under this proposed model:

  • The responsible entity would be the owner or operator of the relevant component or function, regardless of whether that entity is a carrier or carriage service provider.
  • The asset boundary would extend to associated shore-end, landing, terminal, power and network-management components where they form part of the operational cable system. Co-located but unrelated infrastructure would not be captured merely because of proximity.
  • The direct interest holder concept would be updated so that indefeasible rights of uses (IRUs), long-term capacity leases and consortium rights are capable of treatment as direct interests where they confer substantive influence, exclusivity or dependency. Ordinary wholesale or customer capacity arrangements would not be treated as direct interests merely because they involve use of cable capacity.
  • The reform is likely to capture additional entities that are not carriers or carriage service providers, but who own or operate components of nationally significant submarine cable systems, particularly consortium members and operators of landing stations or shore-end facilities.
  • It is not clear at this stage what a ‘nationally significant submarine cable system’ is, and whether these will be specifically identified, or be identified by reference to a range of criteria to be set out in the Rules.
  • As the reform will operate within the existing telecommunications asset class, it will extend the telecommunications SOCI obligations to persons who own or operate components of nationally significant submarine cable systems. Presumably this will include the obligations to have a CIRMP and comply with the Telecommunications Risk Management Rules here.
  • Given that consortium ownership is the industry norm, a single cable system will typically have multiple responsible entities, each accountable for its own component. While coordination risks are intended to be managed through each entity's CIRMP, the effectiveness of this approach depends on alignment across owners who may have very different risk appetites and governance arrangements.

Measure 8: Data storage or processing

  • The current definition of "critical data storage or processing asset" no longer provides a clear, self-assessable basis for identifying nationally significant data storage or processing facilities and services. It identifies assets by reference to information that may sit with the customer rather than the provider.
  • This makes self-assessment difficult for providers and can produce inconsistent outcomes.

Replace the current customer driven capture model in section 12F with a multi-pathway framework for data storage and processing assets.

  • Facility-based capture would apply where a data centre meets a prescribed rated IT load threshold. The proposed starting point for consultation is 1 MW of rated IT load.
  • Service-based capture is not materially changed under the proposals, but would have Australian-facing scale thresholds by reference to Australian revenue, customer numbers, data volume, employee headcount or a combination. This pathway remains complex and difficult to interpret.
  • Certification based capture would apply based on an objective certification held by the provider (such as the Commonwealth HCF certification)
  • A fourth limited reserve Ministerial designation pathway would apply for exceptional cases of government dependency not captured by the other pathways.
  • Facility Threshold: It is estimated that the 1MW rated load would capture approximately 100 of the 162 operational data centres in Australia, meaning the majority of the commercial data centre market would be brought within scope.
  • SaaS and enterprise software: The application of the data storage or processing definition to SaaS or other enterprise software service providers has always been problematic, particularly where there is an element of storage or processing involved in most of those services.
  • The service-based capture is not intended to depend on whether the provider operates the underlying physical infrastructure, calling into question how widely this will capture and be enforced against offshore providers.

Part B: Adding New Sectors and Asset Classes

Measure 9: Space Technology

  • The SOCI Act identifies a space technology sector, but no operative asset classes have been prescribed. As a result, no space-related assets are currently regulated under SOCI.
  • Some space-related infrastructure may be captured incidentally under other asset classes, such as telecommunications or data storage, but that can create uncertainty about which obligations apply.

Introduce four initial asset classes for the space technology sector:

  • ground segment infrastructure,
  • positioning, navigation and timing (PNT) support infrastructure services,
  • earth observation data infrastructure and
  • space situational awareness infrastructure.


  • The framework would focus on terrestrial systems in Australia, with the Rules prescribing the specific assets and thresholds within each class.
  • The responsible entity for these assets will be their owner or operator. If ownership, operation and control are split, the responsible entity would be the entity best placed to manage the security and resilience risk.
  • A limited reserved pathway is also being considered for Australian-registered, Australian-licensed or Australian-supervised satellites and other orbital assets.
  • These changes would move the space technology sector from a placeholder in the SOCI Act to an operative regulated sector.
  • The proposal would make space technology an operative SOCI sector, but it is unclear whether the new space asset classes would also be subject to CIRMP obligations or only to baseline SOCI obligations such as registration and reporting.

Measure 10: Health Care and Medical Sector

The current SOCI framework only captures part of the health care and medical sector. In particular there are coverage gaps for:

  • systemically significant health and medical functions, include pathology networks, blood and blood product supply, and other concentrated health functions where disruption could affect patient safety, emergency care, public health response and confidence in the health system.
  • key cyber, personnel, supply chain and governance controls that are often managed at the network or corporate-operator level, meaning that applying CIRMP obligations only to a subset of designated hospitals can create unnecessary complexity.

Apply CIRMP obligations more consistently to critical hospitals, and introduce new asset classes for nationally significant health and medical functions.

  • The proposed asset classes would including critical pathology assets, critical blood and plasma assets and other prescribed critical health and medical assets.
  • Rules level thresholds would be developed following further consultation, and duplication with existing health, accreditation, therapeutic goods, biosecurity and laboratory frameworks would be managed through the proposed exemptions framework.
  • The proposal would also align CIRMP obligations more consistently across all critical hospitals, addressing the current split between hospitals captured under SOCI and the subset subject to CIRMP obligations.
  • Under the proposed reform, all critical hospitals would be subject to a CIRMP obligation, not just those on the current list of designated hospitals. If your hospital meets the critical hospital definition but has not previously been subject to CIRMP obligations, you should begin assessing your readiness for risk management, reporting and governance requirements.
  • Operators of large pathology networks, blood and plasma services and other concentrated health functions should assess whether they may be captured and consider how their existing regulatory arrangements could support an exemption or reduced compliance burden. 

Measure 11: Distributed Energy Resources

  • The current electricity framework is designed around centralised, site-based generation and does not clearly capture electricity-system significance arising from distributed energy resources, including storage, controllable demand, demand-response capability, or the coordinated operation of many smaller assets through aggregation, orchestration or dispatch platforms.
  • This leaves virtual power plants, DER aggregation and software-enabled control models uncertain under the existing framework.
  • Update the critical electricity asset to include distributed generation, distributed storage, controllable demand or demand-response capable assets, and aggregation, orchestration or dispatch platforms.
  • Rules-level thresholds would be developed using metrics such as nameplate capacity, dispatchable capacity or aggregated portfolio size.
  • Household or behind-the-meter batteries would generally only be relevant where aggregated as part of an in-scope portfolio.
  • Software and services providers (including VPP operators, DER aggregation and demand-response aggregation platforms) would be caught where they have substantive operational, dispatch or orchestration control.
  • DER aggregators, VPP operators and large-scale storage operators should assess whether their portfolios could meet the proposed thresholds.
  • Feedback is sought on whether metering infrastructure should also be caught by the SOCI Act obligations. Metering providers should consider this carefully and make submissions where appropriate.
  • Despite multiple touchpoints across the DER value chain, only a single responsible entity would be designated for each DER asset, with the Rules and guidance to determine how the responsible entity is identified. We hope this guidance will be extended across the asset class, not just to DER as it has been a great source of uncertainty to date.

Measure 12: Offshore Electricity Assets

  • The SOCI Act currently limits capture by reference to asset location.
  • This means electricity infrastructure located beyond the territorial sea, such as offshore wind farms, can fall outside the SOCI framework even where it is regulated under Commonwealth offshore legislation and would otherwise meet the critical electricity asset threshold.

Disapply the geographic limitation for critical electricity assets in Commonwealth offshore areas.

  • Offshore electricity infrastructure would be assessed against the ordinary critical electricity asset thresholds. 
  • The proposal is technology-neutral and could apply to offshore wind, subsea cables, offshore substations and other enabling infrastructure. 
  • This is a targeted reform to remove a location-based gap. It would not change the underlying criticality test, and the affected population is likely to be small and already subject to a dedicated Commonwealth licensing framework.

Measure 13: Critical Freight

The current freight framework is narrow, geographically constrained and difficult to apply to modern freight and supply-chain operations. This is problematic because:

  • nationally significant freight infrastructure, such as intermodal terminals, automated container terminals or critical cold-chain facilities, or freight management platforms and control systems are not clearly captured;
  • the current asset boundary, framed around the 'network' used by a freight business, makes it difficult to distinguish between an entity's own systems and the public infrastructure it relies on.

Broaden and refine the freight framework.

  • The proposed reforms would broaden the freight perimeter so the Act sets out broader classes of freight-related assets that may be captured where nationally significant, including freight nodes, intermodal interfaces, distribution points, logistics platforms, nationally significant technology platforms and discrete chokepoints, as well as intrastate dependencies.
  • The freight-services asset boundary would be clarified so it refers to the entity's own freight systems, facilities and operational capabilities rather than public infrastructure. Connected transport systems (for example port access, rail marshalling) would also be capable of capture where they materially affect freight operations.
  • Potential inclusion of a targeted connected transport systems pathway to include systems such as traffic management centres, electronic tolling systems and adaptive traffic control systems. It remains undecided whether to address this within the freight framework or a distinct asset concept.
  • If implemented, the reforms would give clearer coverage to nationally significant freight infrastructure, logistics hubs and freight management systems. Duplication with transport security, port and aviation frameworks would be managed through the proposed exemptions framework.
  • Feedback is sought on whether targeted connected transport systems should be caught. These are systems used to monitor, control or manage traffic or transport operations at significant scale (traffic management centres, smart motorway control systems, electronic tolling systems etc). Providers of these systems should consider this carefully and make submissions where appropriate.
  • We question whether suppliers of software platforms or services to freight providers should be captured as separate responsible entities, particularly where they are not directly connected to an asset.

Measure 14: Higher Education and Research

  • The current critical education asset class is limited to university-owned or university-operated assets and relies on a "program of research" that is "critical to" another sector, defence or national security.
  • This means equivalent nationally significant research conducted by non-university entities (for example public research bodies, cooperative research structures) is not captured and sustained research functions, secure data environments and collaborative structures do not fit the current model.
  • The 'critical to' test can be difficult to apply consistently because there is no clear statutory method for determining whether research is critical to another infrastructure sector, defence, or national security.
  • The framework's reliance on university ownership also creates gaps where research of genuine national significance is conducted through other institutional arrangements.

Replace the current critical education asset class with a critical research asset class.

  • The responsible entity would be the entity with governance, operational or management control of the organised research function. Where research is conducted through a consortium, joint venture, collaborative centre, shared facility or security data environment, a test of primary responsibility would apply.
  • Research would be captured under the new asset class if it is considered an organised research function, within a prescribed research field under a prescribed national security nexus pathway. Of these potential pathways, the broadest and most problematic is research that involves technology, goods, software, technical data or know how subject to a prescribed export control, sanctions, defence trade or comparable national security control framework..
  • The asset class is not limited to universities and could apply where equivalent research is conducted by another research entity
  • Ordinary teaching, individual researchers, isolated grants and ordinary commercial research would remain outside scope.
  • If implemented, the reform would decouple critical research from the university-ownership model and provide a more targeted basis for capture. Some universities currently captured may fall outside scope if their research does not meet the cumulative model, while some non-university research entities may come into scope for the first time.
  • The scope of the pathway raises questions about whether it could inadvertently capture startups or private enterprise researching or developing emerging dual use technologies (such as quantum technology) that may be subject to export controls but are not the intended target of the regime.

Annexure 2 – Governance reforms

Theme
The Problem Statement
The Proposed Solution
Key Insights

Measure 15: CIRMP Governance and Assurance

The Consultation Paper identifies the following 3 key issues with the current CIRMP framework:

  • Admissibility of Annual compliance reports: current admissibility restrictions prevent annual reports from being relied on in civil penalty proceedings, creating a disconnect between the reporting mechanism and the enforcement framework;
  • Governance of the CIRMP: the SOCI Act requires CIRMPs to be reviewed "regularly" and kept "up to date", but these concepts are vague and are not clearly tied to board or senior management oversight. This can cause the CIRMP to operate as a compliance document rather than a practical risk management tool; and
  • CIRMP Assurance: the current regime relies heavily on self-assessment and governing-body attestation, with limited independent evidence that the CIRMP is effective in practice.

Strengthen the CIRMP framework by improving the enforcement, governance and assurance setting

  • Admissibility of Annual compliance reports: Remove admissibility restrictions on annual compliance reports where the report is relevant to serious or repeated non-compliance, or are otherwise materially false, misleading or incomplete.  
  • Governance of the CIRMP: the governing body or in specified circumstances, the nominated senior manager would become responsible for approving the establishment, review, update and variation of the CIRMP and ongoing risk management under it.
  • Strengthen CIRMP review and currency obligations with clearer triggers (for example material changes to operations, supply chains, risk information, or assurance findings).
  • The Paper also proposes adding in criteria to assist bodies in assessing when they need to review their CIRMP (at least once every 24 months or upon an event-based trigger) and criteria around when a CIRMP is not up to date.
  • Assurance: Responsible entities would also be required to obtain periodic independent assurance of the design, implementation, appropriateness and operational effectiveness of their CIRMP. The base review cycle would be at least once every three years.
  • This represents a significant shift from a compliance approach to an enforcement approach. The CIRMP Annual Report would no longer be non-admissible and could be used in civil penalty proceedings for failure to comply.  
  • This moves well away from the philosophy in the Explanatory Memorandum to the SOCI Act, where the non-admissibility provision was justified on the basis that it would increase openness and transparency.
  • Governing bodies would effectively be required to take a much more significant and active role in relation to the establishment, review, update and variation of a CIRMP. This is a material step-up from the current SOCI obligation to approve the CIRMP Annual Report.

Measure 17: Operations, Maintenance and Managed Service Providers

  • Critical operational functions are often performed by outsourced operators, MSPs, OEMs or platform administrators exercising material practical control without being the responsible entity.
  • The current framework does not deal consistently with these third parties or provide a clear basis for cooperation.  This creates a gap between accountability and practical control.

Introduce a 'relevant operator' concept for entities exercising material practical control over a critical infrastructure asset or critical function.

  • Under this model, a person would be a relevant operator where they have both practical operational authority and material operational dependency over the asset.
  • Relevant operators would be subject to limited direct duties proportionate to their role. (including to avoid materially compromising the asset.)
  • Relevant operators would be subject to specific SOCI Act obligations such as targeted registration, a set of limited direct duties to cooperate, notify and to avoid materially compromising the asset.
  • They would also have a duty to notify the responsible entity of events, change or circumstances that could materially affect the operation, availability, integrity or security of the asset.
  • The concept is broad and could catch a wide range of service providers given the test is whether the responsible entity relies on the service provider for continued operation, availability, integrity or security of the asset or critical function. For example, this could capture SaaS software providers or providers of one aspect of an organisation’s security (such as a SIEM, SOC, or identity service provider).
  • Relevant operators would now be subject to direct obligations under the SOCI Act, which is a significant change to the scope of the Act and could increase their liability to responsible entities arising out of an incident, for example if they are found to have breached their direct obligations under the SOCI Act in connection with an incident.

Measure 18: Corporate Group Cooperation

  • The current framework does not account for the fact that functions material to CIRMP compliance (for example group-wide IT, security operations, workforce screening, procurement) are often controlled by a parent company or shared services entity, not the responsible entity. 
  • This means that the responsible entity may be legally accountable for CIRMP compliance, despite the fact that they are unable to compel cooperation from the group entity holding practical control.

Impose a limited statutory cooperation duty on connected entities within corporate groups where the responsible entity has a material CIRMP dependency on the connected entity.  

Connected entities would be required to:

  • provide assistance to the responsible entity to maintain, comply with and review its CIRMP;
  • notify the responsible entity of circumstances that could materially affect asset security or ability to manage CIRMP risks; and
  • not take or fail to take action that the connected entity knows or ought to reasonably know would materially prevent or undermine the responsible entity’s CIRMP compliance
  • Corporate groups which have established centralised security, IT or procurement functions are most likely to be affected.
  • These centralised entities would now be subject to direct obligations under the SOCI Act, which again is a significant extension of the scope of the Act. It may also be significant from an intragroup arrangements perspective, supplementing contractual and operational arrangements with a statutory overlay.
  • Foreign-incorporated connected entities could be caught by the duty, although practical enforcement against offshore entities with limited Australian presence may be difficult.

Measure 19: Supply Chain Cyber Security Assurance

  • The CIRMP framework requires responsible entities to manage supply chain hazards, but does not clearly explain what entities should do to assess cyber risks from major suppliers, including risks from supplied products, embedded security measures, and supplier practices such as patching, vulnerability management and privileged access controls.
  • Entities and suppliers may also repeat bespoke assessments in different formats, creating duplication. 

Establish a structured cyber assurance framework for major suppliers, operating within the existing CIRMP.

Under this model:

  • Responsible entities would assess cyber risks from major suppliers and address those risks through contractual or equivalent measures, applied prospectively at commercial touchpoints such as contract entry, renewal or material variation.
  • Where measures cannot reasonably be obtained, responsible entities would document exceptions in their CIRMP, including the residual risk, alternative controls and review timeline.
  • Recognised cyber security certification or accreditation could be relied on as evidence of supplier cyber maturity, where it is current, relevant and appropriately scoped.
  • The framework would also require consideration of material sub-tier dependencies, though there would be no requirement to identify, assess or contract directly with every supplier in the chain.
  • Suppliers would not become directly regulated under SOCI. Responsible entities would manage supplier cyber assurance through governance, procurement, contracting, risk management and review.
  • This specifically sets out cyber risk assessment as an assurance activity (in addition to the existing all hazards requirement that CIRMPs are currently required to address).
  • The framework would require risk assessment of both direct major suppliers and material sub-tier dependencies, with risk management implemented through contractual or equivalent measures. Departures from those measures would need to be documented as exceptions in the CIRMP.
  • The reforms note that there is no need to identify, assess or contract directly with every supplier in a chain. But would there be a need to do so for some of them?

Measure 21: Critical Workers and Critical Components

  • The current critical worker definition relies on consequence-based judgments and links to the critical component concept, creating circularity. 
  • This produces uncertainty about which workers are critical and can result in under- or over-identification.  The lack of a clear, objective threshold makes consistent application difficult. 

Replace the consequence based definition with an access-based and authority-based model determined by role, access or authority.

  • A worker will be classified as a critical worker where they hold security-sensitive access, operational authority, access to a critical component, or a prescribed role
  • The critical component definition would be retained and refined to support the revised critical worker concept.
  • The concept would apply to personnel of responsible entities, relevant operators, connected entities and managed service providers. 
  • The rules would prescribe different obligations for different classes of critical workers.
  • The clearer definition is expected to reduce uncertainty over time, although initial reassessment would fall most heavily on entities with large or distributed workforces and complex access-control environments.
  • What access, authority or information holdings will trigger critical worker status remains to be settled through Rules consultation. Entities should monitor this closely as it will determine the practical scope of the obligation.
Latest Thinking
Insight
The past four months tested something that is difficult to assess in stable conditions: whether organisations operating across Asia have genuine capability, or whether they have presence and assumed it would be enough. The Hormuz disruption exposed that gap - not universally, but unevenly, and in ways that had less to do with resources or intent, than with what had already been built.

09 July 2026

Insight
In this digest we provide a summary of key judgments and proceedings against company directors in Australian courts and tribunals in 2025.

09 July 2026

Insight
Following the passage of the domestic capital gains tax reforms announced in this year’s Federal Budget, the Treasury Laws Amendment (Strengthening Accountability for Tax Adviser Misconduct and Other Measures) Bill 2026 (the Bill) was introduced into Parliament on 2 July 2026.

08 July 2026