Tell me in 30 seconds
The Department of Home Affairs (Department) has released the Streamlining and Modernising the Security of Critical Infrastructure Act 2018 Consultation Paper (Consultation Paper) here, proposing a second tranche of reforms to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). The Consultation Paper sets out 21 proposed reforms, grouped according to three objectives:
- reducing complexity, uncertainty and duplication in the existing framework (Part A);
- bringing new asset classes within the scope of the SOCI Act, including space technology, hospitals and health infrastructure, distributed energy resources, offshore electricity, freight networks and logistics platforms, and university and research institutions (Part B); and
- strengthening governance, enforcement and accountability (Part C).
These reforms mark some of the most significant developments in the SOCI framework to date. While framed as ‘streamlining and modernising’ the SOCI Act, in fact they have the effect of extending the SOCI Act to new asset classes, giving government more flexibility to fine tune SOCI obligations through exemption powers and significantly enhancing its enforcement powers.
What now?
Submissions are due by 31 July 2026, with three Town Hall sessions across July to support the consultation.
If your organisation falls within any of the sectors covered (or proposed to be covered) by the SOCI Act, you should:
1. Review the reforms that relate to your sector to see if they change your assessment of the applicability of the SOCI Act to your organisation. This is particularly important if your organisation could fall within the new or amended asset classes – including submarine telecommunications cables, data storage or processing, space technology, distributed energy systems, hospitals and health infrastructure, critical freight and higher education and research.
2. Review your current SOCI compliance governance arrangements against the reforms, noting the significant uplift in effort which will be needed to comply with some of the proposals – such as the requirement for approval by your Board of your CIRMP, the fact that the CIRMP annual report will be admissible evidence in civil penalty proceedings for SOCI Act non-compliance, and the requirement for independent third party assurance of your CIRMP.
3. Assess the impact of the new provisions on your supply chain arrangements, covering both:
- subcontractors, MSPs and suppliers that are ‘relevant operators’ that supply critical services to you, and
- related entities that are ‘connected entities’ that provide critical intercompany services to you,
noting that the reforms would impose direct SOCI Act obligations on those entities to assist you to comply with the SOCI Act.
If you consider that the proposed reforms will have a material impact on your organisation, we encourage you to make a submission and provide feedback to the Department. This is your best opportunity to shape the future direction of the reforms.
If you would like to discuss how the proposed reforms may affect your organisation, or if you are considering making a submission, please contact the authors.
From review to reform
Click to expand
The Independent Review of the SOCI Act, conducted by Dr Jill Slay AM between November 2025 and January 2026, set the scene for a new wave of reform. The final report was tabled in Parliament on 24 March 2026. The review found that while the SOCI Act has laid a strong foundation for critical infrastructure security, it requires major legislative change to reduce complexity, simplify its operation and keep pace with emerging threats. Six recommendations were made, all of which the Government has accepted in principle.
The Government released the first tranche of reforms for consultation on 25 March 2026 (see our earlier alerts: SOCI update: Exposure draft enhancements to CIRMP Rules and consultation on proposed amendments to Ministerial Directions Powers and SOCI Act update: Key Cyber Security and Critical Infrastructure Rules have been registered). The enhanced CIRMP Rules have since been made and took effect on 10 June 2026. The legislative amendments to the Ministerial Directions powers are still awaited.
The Streamlining and Modernising the Security of Critical Infrastructure Act 2018 Consultation Paper marks the beginning of Tranche 2.
Key Insights on the Proposed Reforms
Spotlight on Parts A and B: ‘Simplification’ provisions; expanding and clarifying asset classes
The Consultation Paper proposes significant reforms to the SOCI Act asset framework. While it is framed as ‘modernising and streamlining’ the SOCI Act, it really does have the effect of extending it to a range of new asset classes, significantly strengthening the enforcement and compliance regime, and requiring greater focus on supply chain governance.
Part A sets out a number of clarification and simplification provisions relating to things such as updating registrations, providing more flexibility to the CISC on specifying the form and content for CIRMP annual reporting, tweaking the definition of cyber security incident to cover incidents relating to AI and automated systems and amending the obligations imposed on systems of national significance (SONS).
Importantly, Part A also ‘clarifies’ uncertain asset boundaries. The ‘clarification’ would extend the SOCI Act to submarine telecommunications cables and associated infrastructure, whether or not owned or operated by a carrier or carriage service provider. It also redefines the data storage or processing assets that will be captured by the SOCI Act. In each of these cases it attempts to deal with ownership and control arising through consortium ownership structures and modern operational arrangements.
Part B ‘modernises’ sector and asset coverage. While no new sectors are added, there are asset classes which are either brought within scope of the SOCI Act for the first time (space technology) or are significantly changed with the effect that a whole range of new critical assets would be caught by the SOCI Act (hospitals and health infrastructure, distributed energy resources, offshore electricity assets, critical freight, and higher education and research).
Interestingly, some of the asset class redefinitions would have the impact of capturing software platforms and providers (for example, in relation to distributed energy systems or critical freight). While these platforms may be important to support the operation of critical infrastructure assets, it seems strange for a software platform or a related service itself to be designated as a critical infrastructure asset without this designation being somehow linked to the principal asset that it supports. This would also be a major change for the providers of those services, who, while they play a role in supporting operators of critical infrastructure, may not themselves currently have the infrastructure and processes to comply with the SOCI legislation.
The diagram below provides a snapshot of the proposed amendments to the asset classes and definitions:
Click to expand
Some of the key expansions and clarifications, and the entities most likely to be affected by these changes, are summarised in the table in Annexure 1, together with our key insights on each of the proposed reforms. A summary of all of the reforms is set out on page 9 of the Consultation Paper.
Spotlight on other Key Reforms: Part C Governance, Assurance and Accountability
Beyond the expansion of sectors and asset classes, the Consultation Paper proposes significant reforms relating to SOCI Act governance. In short, these reforms focus on increasing the enforceability of the SOCI Act and increasing assurance that responsible entities are actually complying with their SOCI Act obligations. We highlight some of the key proposals from Part C in Annexure 2.
Jump to your relevant section:
- Measure 7: Submarine Telecommunications Cables and Associated Infrastructure
- Measure 8: Data storage or processing
- Measure 9: Space Technology
- Measure 10: Health Care and Medical Sector
- Measure 11: Distributed Energy Resources
- Measure 12: Offshore Electricity Assets
- Measure 13: Critical Freight
- Measure 14: Higher Education and Research
- Measure 15: CIRMP Governance and Assurance
- Measure 17: Operations, Maintenance and Managed Service Providers
- Measure 18: Corporate Group Cooperation
- Measure 19: Supply Chain Cyber Security Assurance
- Measure 21: Critical Workers and Critical Components
Annexure 1 – Key reforms
|
Proposal
|
The Problem Statement
|
The Proposed Solution
|
Key Insights
|
|
Part A: Clarifying Existing Boundaries |
|||
|
The current critical telecommunications asset framework is drafted in a way which creates uncertainty, particularly as it:
|
Refine the critical telecommunications asset framework so nationally significant submarine telecommunications cable systems with an Australian landing are captured by reference to their operational components and responsible entities. Under this proposed model:
|
|
|
|
Replace the current customer driven capture model in section 12F with a multi-pathway framework for data storage and processing assets.
|
|
|
|
Part B: Adding New Sectors and Asset Classes |
|||
|
Introduce four initial asset classes for the space technology sector:
|
|
|
|
The current SOCI framework only captures part of the health care and medical sector. In particular there are coverage gaps for:
|
Apply CIRMP obligations more consistently to critical hospitals, and introduce new asset classes for nationally significant health and medical functions.
|
|
|
|
|
|
|
|
Disapply the geographic limitation for critical electricity assets in Commonwealth offshore areas.
|
|
|
|
The current freight framework is narrow, geographically constrained and difficult to apply to modern freight and supply-chain operations. This is problematic because:
|
Broaden and refine the freight framework.
|
|
|
|
Replace the current critical education asset class with a critical research asset class.
|
|
|
Annexure 2 – Governance reforms
|
Theme
|
The Problem Statement
|
The Proposed Solution
|
Key Insights
|
|
The Consultation Paper identifies the following 3 key issues with the current CIRMP framework:
|
Strengthen the CIRMP framework by improving the enforcement, governance and assurance setting
|
|
|
|
Introduce a 'relevant operator' concept for entities exercising material practical control over a critical infrastructure asset or critical function.
|
|
|
|
Impose a limited statutory cooperation duty on connected entities within corporate groups where the responsible entity has a material CIRMP dependency on the connected entity. Connected entities would be required to:
|
|
|
|
Establish a structured cyber assurance framework for major suppliers, operating within the existing CIRMP. Under this model:
|
|
|
|
Replace the consequence based definition with an access-based and authority-based model determined by role, access or authority.
|
|




