SOCI Act explained: Compliance rules and requirements

February 20, 2026

Australia’s Security of Critical Infrastructure Act 2018, commonly known as the SOCI Act, establishes mandatory cybersecurity, risk management, and reporting obligations for organizations operating critical infrastructure. Since its introduction, the Act has expanded significantly, reshaping how regulated entities approach cyber risk, governance, and operational resilience.


For CISOs, compliance leaders, and security teams, SOCI is more than just a legal requirement. It is a framework that demands continuous visibility into risk across IT, OT, and increasingly complex digital environments. In practice, that includes application-layer risk – the security of the web applications and APIs that now underpin essential service delivery and access to business-critical data.

Key takeaways

  • The SOCI Act establishes mandatory cybersecurity, governance, and reporting obligations for critical infrastructure entities across multiple Australian sectors.
  • Responsible entities must register assets, implement and maintain a Critical Infrastructure Risk Management Program (CIRMP) where applicable, and meet strict cyber incident reporting timelines.
  • CIRMP requirements extend beyond cyber to include personnel, supply chain, and physical security risks, requiring a coordinated and continuously updated risk management approach aligned to recognized frameworks.
  • Compliance depends on timely detection, clear risk prioritization, executive oversight, and defensible governance processes.
  • Invicti’s unified application security platform, which stands apart for its proof-based, DAST-first verification and posture management, can support SOCI readiness by helping teams find, validate, and prioritize real, exploitable risk across applications and APIs.

What is the SOCI Act and why was it introduced?

The Security of Critical Infrastructure Act 2018 is Australia’s primary legislative framework for managing risks to essential services and systems. It was introduced to protect critical infrastructure from cyber threats, foreign interference, physical disruption, and other national security risks.

Originally focused on electricity, gas, water, and maritime ports, the Act has since expanded through several amendments (notably in 2021, 2022, and 2024) to cover 22 asset classes across multiple sectors. These reforms introduced mandatory cyber incident reporting, Critical Infrastructure Risk Management Programs, enhanced cybersecurity obligations for certain high-impact assets, and broader government assistance powers.

The rationale is straightforward. Disruption in one critical sector such as energy or communications can cascade across healthcare, finance, transport, and public safety. As digital systems underpin more essential services, cybersecurity has become a core resilience requirement rather than a technical afterthought.

Who must comply with the SOCI Act?

The SOCI Act applies to “responsible entities” for designated critical infrastructure assets. A responsible entity is typically the organization that owns or operates the asset. Covered sectors currently include:

  • Electricity and gas
  • Water and sewerage
  • Maritime ports
  • Communications
  • Data storage and processing
  • Financial services and markets
  • Healthcare and medical
  • Higher education and research
  • Transport
  • Defence industry
  • Space technology
  • Food and grocery

The Act also recognizes “direct interest holders” and, in some circumstances, third-party operators with operational control over critical assets. This means compliance obligations may extend beyond asset owners to include managed service providers and infrastructure partners.

For security and compliance teams, determining whether an asset qualifies – and who holds responsibility – is a foundational step in SOCI readiness.

What assets are covered under the SOCI Act?

A “critical infrastructure asset” under SOCI is defined by sector-specific rules and thresholds. These assets typically support the delivery of essential services or the functioning of key supply chains.

The 2024 amendments clarified that data storage and processing systems holding business-critical data may be deemed part of a primary critical infrastructure asset. This legislative expansion followed major breach events and reflects the reality that digital platforms, customer data systems, and application environments are integral to essential service delivery.

For many regulated entities, those data environments are reached through application and API pathways, making application security a practical part of protecting the asset.

Accurate asset classification is essential because it determines:

  • Registration obligations
  • CIRMP requirements
  • Incident reporting thresholds
  • Potential enhanced cybersecurity obligations

For many organizations, asset visibility is the first operational challenge. Distributed applications, APIs, cloud workloads, and hybrid infrastructure can expand the attack surface beyond what traditional inventories capture.

What are the core SOCI Act compliance requirements?

At a high level, SOCI compliance includes four primary obligation areas:

  1. Asset registration: Responsible entities must register critical infrastructure assets with the relevant government authority.
  2. Cybersecurity incident reporting: Entities must report certain cyber incidents within defined timeframes.
  3. Risk management program adoption: Applicable entities must establish and maintain a written Critical Infrastructure Risk Management Program (CIRMP).
  4. Government assistance measures: In serious incidents, the government may exercise step-in or direction powers to manage risks to national security.

Importantly, these are all ongoing obligations, so compliance is not achieved through a one-time assessment but through continuous risk governance and operational oversight.

What is a Critical Infrastructure Risk Management Program (CIRMP)?

The Critical Infrastructure Risk Management Program (CIRMP) is the centerpiece of SOCI compliance for many entities. CIRMP requirements apply to 13 prescribed asset classes under the SOCI framework, while certain sectors such as telecommunications operate under separate risk management programs.

A CIRMP is a documented, board-approved framework that identifies and manages material risks to critical infrastructure assets. It must be regularly reviewed and updated to reflect changes in the threat landscape, asset configuration, and business operations. CIRMP rules require responsible entities to address at least four hazard categories, namely cyber and information security risks, personnel risks, supply chain risks, and physical security risks (discussed in detail below).

From August 2024, entities subject to CIRMP must align their cyber risk management approach with one of five recognized frameworks: the Essential Eight, NIST Cybersecurity Framework, C2M2, ISO 27001, or the Australian Energy Sector Cyber Security Framework.

Responsible entities must review their CIRMP at least every 12 months and after any material change to the asset or risk environment. An annual report on the effectiveness of the CIRMP must be provided to the board and submitted within 90 days of the end of the entity’s financial year.

CIRMP is not intended to be a static compliance document. It formalizes a continuous risk management approach that aligns cybersecurity, operational resilience, and executive oversight.

What cybersecurity risks must CIRMP address?

CIRMP rules require responsible entities to address at least four hazard categories:

  1. Cyber and information security risks: Threats such as unauthorized access, exploitation of software vulnerabilities, ransomware, and data compromise. This includes exploitation paths that commonly start with web applications and APIs, such as injection, broken access control, and authentication weaknesses.
  2. Personnel risks: Insider threats, inadequate background checks, or insufficient security awareness.
  3. Supply chain risks: Vulnerabilities introduced through third-party vendors, service providers, or technology suppliers.
  4. Physical security risks: Unauthorized physical access, sabotage, or environmental disruption.

From a cybersecurity perspective, CIRMP expectations align with the need for continuous vulnerability identification, timely remediation of exploitable weaknesses, assurance that exposed applications and APIs are monitored and assessed, and executive reporting on risk posture.

In practice, this means organizations need clear visibility into the vulnerabilities that are actually reachable and exploitable in their running environments, not just theoretical weaknesses in source code.

What are SOCI Act cyber incident reporting obligations?

The SOCI Act imposes strict cyber incident reporting requirements to the Australian Cyber Security Centre (ACSC). There are two primary categories:

  • Critical cyber incidents must be reported within 12 hours of becoming aware of the incident.
  • Other cyber incidents must be reported within 72 hours of becoming aware of the incident.

A “critical” cyber incident generally involves significant impact on asset availability, integrity, or confidentiality. Organizations must also provide ongoing updates if requested.

Effective incident reporting depends on timely detection. Without visibility into live systems and exposed applications, identifying qualifying incidents within the required timeframe can be difficult.

What penalties apply for SOCI Act non-compliance?

Non-compliance with SOCI obligations can result in significant civil penalties, including fines of up to $330,000 AUD per day for certain CIRMP breaches, as well as regulatory directions and potential government intervention in serious cases.

Regulators may also issue directions to review or remediate deficiencies in a CIRMP. Given the potential operational and reputational consequences, compliance should be treated as a core governance issue rather than a technical checklist.

For critical infrastructure operators, maintaining compliance is directly tied to the ability to continue operating without regulatory disruption.

How does the SOCI Act affect vulnerability management and security testing?

SOCI does not mandate specific security tools. However, its requirements strongly reinforce certain operational capabilities.

To support CIRMP and incident reporting obligations, organizations should be able to:

  • Continuously identify vulnerabilities in externally exposed systems
  • Assess exploitability and business impact
  • Prioritize remediation based on real risk
  • Document risk treatment decisions for governance and audit purposes

For SOCI purposes, it’s not enough to know a vulnerability exists somewhere in the estate. Teams also need to know whether it is reachable in production, whether it is exploitable, and which assets it affects, so that remediation decisions and risk acceptance are defensible in CIRMP governance and annual reporting.

Modern critical infrastructure environments rely heavily on web applications and APIs to deliver services. These components often form a substantial part of the attack surface. Runtime visibility into these systems, including the ability to validate whether vulnerabilities are actually exploitable, helps security teams focus remediation on material risks.

This is where Invicti fits in: as a unified application security platform that correlates findings across testing signals and uses a DAST-first, proof-based verification layer to help teams focus on issues that are demonstrably exploitable in running applications and APIs. By testing running applications and correlating findings across multiple testing methods, organizations gain a much clearer insight into which weaknesses represent genuine exposure.

How organizations can prepare for SOCI Act compliance (step-by-step guide)

  1. Identify regulated assets: Conduct a detailed assessment to determine which systems qualify as critical infrastructure assets.
  2. Register assets: Ensure timely and accurate registration with the relevant authority.
  3. Determine whether CIRMP applies to your asset class: Confirm whether your asset falls within the 13 prescribed asset classes subject to CIRMP obligations.
  4. Align to a recognized cybersecurity framework: Adopt and document alignment with one of the five approved frameworks where required.
  5. Implement continuous vulnerability management: Maintain ongoing discovery and testing of applications, APIs, and supporting systems to identify exploitable weaknesses and produce evidence that supports CIRMP risk decisions and board reporting.
  6. Define incident response and reporting workflows: Align detection, escalation, and ACSC reporting processes with 12-hour and 72-hour timelines.
  7. Establish annual governance review processes: Ensure board review, annual reporting within 90 days of financial year end, and reassessment following material changes.
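As an added example (not code from the original article or from the Invicti platform), a small Python tracker that encodes the SOCI deadlines from the steps above: the 12-hour and 72-hour ACSC reporting windows measured from when the entity becomes aware of an incident, and the 90-day CIRMP annual report deadline after financial year end. The incident ids, timestamps, financial year end and fixed AEST offset are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional

# SOCI windows: reporting counts from when the entity becomes aware; annual report is 90 days.
REPORTING_WINDOWS = {"critical": timedelta(hours=12), "other": timedelta(hours=72)}
ANNUAL_REPORT_DAYS = 90
AEST = timezone(timedelta(hours=10))  # fixed offset used for the constructed samples

@dataclass
class CyberIncident:
    ident: str                  # constructed internal ticket id
    aware_at: datetime          # timezone-aware: when the entity became aware
    critical: bool              # significant impact on availability/integrity/confidentiality
    reported_at: Optional[datetime] = None  # when the ACSC report was lodged, if at all

def reporting_deadline(inc: CyberIncident) -> datetime:
    """Latest time the ACSC report may be lodged for this incident."""
    return inc.aware_at + REPORTING_WINDOWS["critical" if inc.critical else "other"]

def reporting_status(inc: CyberIncident, now: datetime) -> str:
    """'on_time'/'late' once a report is lodged; 'open'/'overdue' while it is not."""
    deadline = reporting_deadline(inc)
    if inc.reported_at is not None:
        return "on_time" if inc.reported_at <= deadline else "late"
    return "overdue" if now > deadline else "open"

def overdue_incidents(incidents, now: datetime) -> list:
    """Idents whose reporting window has lapsed with no report lodged."""
    return [i.ident for i in incidents if reporting_status(i, now) == "overdue"]

def annual_report_due(financial_year_end: date) -> date:
    """CIRMP annual report deadline: 90 days after the entity's financial year end."""
    return financial_year_end + timedelta(days=ANNUAL_REPORT_DAYS)

# Constructed sample incidents for a fictional operator; all times are AEST.
SAMPLE_INCIDENTS = [
    CyberIncident("INC-001", datetime(2026, 2, 20, 3, 0, tzinfo=AEST), True,
                  datetime(2026, 2, 20, 11, 0, tzinfo=AEST)),  # critical, lodged after 8 h
    CyberIncident("INC-002", datetime(2026, 2, 19, 20, 0, tzinfo=AEST), True,
                  datetime(2026, 2, 20, 10, 0, tzinfo=AEST)),  # critical, lodged after 14 h
    CyberIncident("INC-003", datetime(2026, 2, 18, 9, 0, tzinfo=AEST), False),  # not yet lodged
    CyberIncident("INC-004", datetime(2026, 2, 15, 9, 0, tzinfo=AEST), False),  # not yet lodged
]
NOW = datetime(2026, 2, 20, 12, 0, tzinfo=AEST)
FY_END = date(2025, 6, 30)  # constructed: 30 June financial year end

def status_summary(incidents=SAMPLE_INCIDENTS, now=NOW) -> dict:
    """Per-incident reporting status, as a governance dashboard would show it."""
    return {i.ident: reporting_status(i, now) for i in incidents}

if __name__ == "__main__":
    for ident, status in status_summary().items():
        print(ident, status)
    print("CIRMP annual report due:", annual_report_due(FY_END))
```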

In addition, automation and centralized visibility across application assets can greatly simplify documentation, reporting, and executive oversight, particularly in large or distributed environments.

How does SOCI compliance compare to other cybersecurity regulations?

SOCI shares common themes with many recognized international security frameworks, including:

  • NIS2: Essential entity resilience and incident reporting in the European Union
  • DORA: Operational resilience in the EU financial sector
  • Cyber Resilience Act (CRA): Product security obligations within the EU
  • ISO 27001: Risk-based information security management framework

What distinguishes SOCI is its sector-specific focus on critical infrastructure and its formalized CIRMP requirement covering multiple hazard categories beyond cyber alone.

Organizations operating globally may find that a unified, risk-based security governance model supported by continuous technical validation helps align SOCI obligations with other regulatory frameworks.

Conclusion: SOCI compliance requires continuous risk visibility

The SOCI Act establishes a clear expectation: critical infrastructure operators must understand, manage, and report on risks to essential systems in a continuous and structured way. Because essential services increasingly run through internet-facing software, SOCI cyber risk management often comes down to how well you govern and reduce application and API exposure over time.

CIRMP formalizes this expectation, requiring governance, hazard identification, annual review, and board-level oversight across cyber, personnel, supply chain, and physical domains. For cybersecurity teams, this translates into a practical need for real-time insight into exposed applications, APIs, and supporting infrastructure.

A comprehensive application security platform can help transform compliance from a documentation exercise into an operational capability. By combining continuous testing, centralized visibility, and risk-based prioritization, organizations can strengthen both their regulatory posture and their real-world resilience.

To see how unified application security testing and risk management can support SOCI readiness in complex environments, request a demo to explore how the Invicti platform brings runtime validation and centralized AppSec visibility together in practice.

Frequently asked questions

FAQs about SOCI Act compliance

What does the SOCI Act stand for?

SOCI stands for the Security of Critical Infrastructure Act 2018, Australia’s legislative framework for protecting essential infrastructure from security threats.

Who is required to comply with SOCI?

Responsible entities for designated critical infrastructure assets, including operators in sectors such as energy, communications, finance, healthcare, higher education, defence, and space technology, must comply with relevant obligations.

What is a CIRMP and when is it mandatory?

A Critical Infrastructure Risk Management Program (CIRMP) is a documented framework for identifying and managing risks to critical infrastructure assets within an organization. It is mandatory for 13 prescribed asset classes under SOCI rules.

How quickly must SOCI cyber incidents be reported?

Critical cyber incidents must be reported within 12 hours. Other cyber incidents must be reported within 72 hours.

Does SOCI apply to software and digital service providers?

In certain cases, yes. Data storage and processing systems that support critical infrastructure, particularly those holding business-critical data, may fall within scope, and third-party operators may have compliance obligations depending on their role.

What happens if an organization fails SOCI compliance?

Organizations may face substantial civil penalties, regulatory directions, and potential government intervention in severe cases.

How can vulnerability scanning support SOCI obligations?

Continuous vulnerability scanning, particularly when combined with validation of exploitability in running systems, helps organizations identify material risks, prioritize remediation, and demonstrate active risk management under CIRMP.
