BISTEC IT Services

Glossary

SOCI Act

Also: SOCI · Security of Critical Infrastructure Act

The Australian statute regulating critical infrastructure cybersecurity — covers eleven sectors including financial services, healthcare, energy, communications and data storage.

Last reviewed May 2026

The Security of Critical Infrastructure Act 2018 (SOCI Act) is the principal Australian statute regulating cybersecurity of critical infrastructure. It was significantly expanded by amendments in 2021 and 2022 to cover eleven sectors: communications, financial services and markets, data storage or processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage.

The substantive obligations include registration of responsible entities for declared critical infrastructure assets, a Critical Infrastructure Risk Management Program (CIRMP) covering cyber, personnel, physical and supply-chain hazards, mandatory incident reporting to the Australian Cyber Security Centre, and government assistance powers including step-in rights in serious cyber incidents.

Mid-market firms in covered sectors may have SOCI obligations even where they do not consider themselves 'critical infrastructure' in everyday terms. Data centres above certain thresholds, hospital-care providers above bed thresholds, and financial-market participants of various sizes can all fall in scope. Threshold analysis is the first step.