Skip to main content

Timeline

The Security of Critical Infrastructure Act 2018 (SOCI Act) establishes a regulatory framework to protect assets vital to Australia's national security, economy, and wellbeing across 11 sectors. It commenced 11 July 2018, administered by the Cyber and Infrastructure Security Centre (CISC).

Major Amendments

Rapid expansions since 2021 address cyber threats and resilience.

Year Amending Act Key Changes
2021 Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act) Expands to 11 sectors; introduces register of assets, risk management programs (RMPs), mandatory cyber incident reporting, government assistance powers.
2022 Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) Adds Systems of National Significance (SoNS) designation; enhanced cyber obligations (ECSOs) for SoNS; positive security obligations (PSOs).
2024 Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (SOCI Amendment Act) Includes data storage as CI; all-hazards government assistance; harms-based protected info sharing; risk management directions for deficiencies; integrates telecom security (TSSR); reduces direct interest holder burdens. Schedules commence Dec 2024–May 2025.

Timeline of Progression

  • Jul 2018: Original SOCI Act targets physical security for 5 sectors (energy, etc.).

  • Dec 2021: SLACI expands scope, adds PSOs/RMPs, incident reporting.

  • Apr 2022: SLACIP introduces SoNS/ECSOs.

  • Nov 2024: SOCI Amendment Act passed; Royal Assent, parts from 20 Dec 2024 (e.g., data storage), Schedule 5 telecom Apr 2025.

  • 2025: Rules registered (e.g., Cyber Security Rules); full effects by mid-2025.

  • Feb 2026: No further amendments; ongoing compliance via CISC.

Related Legislation

Integrates with cyber/privacy frameworks.

  • Cyber Security Act 2024: Ransomware reporting, IoT standards, NCSC info-sharing (package with SOCI Amendment).

  • Telecommunications Act 1997 (Part 14, transitioned): Telecom security reforms now in SOCI.

  • Privacy Act 1988: Data breach notifications for CI data.

  • Australian Prudential Regulation Authority Act 1998: Financial sector overlaps.

These updates reflect escalating threats, shifting from physical to cyber/all-hazards focus.

Back to top