The SOCI Act in 2023

Understanding the new compliance regulations for critical industries

What is the SOCI Act?

The Security of Critical Infrastructure Act (SOCI Act) regulates the security and resilience of critical infrastructure in Australia and has recently been amended to include a swathe of new sectors.

Companies affected have been given a six-month window to achieve compliance, ending on August 17, 2023. With this deadline fast approaching, you’ll need to begin actioning the requirements, or you’ll be facing financial penalties for non-compliance.

Key Critical Infrastructure Industries

  • Disability

    As part of the healthcare and medical sector, disability providers are now included under the SOCI Act’s critical infrastructure regulations.


    • Create and maintain a critical infrastructure Risk Management Program (RMP)
    • Register critical assets and report any cybersecurity events
  • Aged Care

    Also part of the healthcare and medical sector, aged care providers are now affected by the SOCI Act’s compliance regulations.


    • Create and maintain a critical infrastructure Risk Management Program (RMP)
    • Register critical assets and report any cybersecurity events
  • Resources

    Under the SOCI Act, a company is considered part of the energy and resources sector if it involves:

    • The production, transmission, distribution, or supply of electricity.
    • The production, processing, transmission, distribution, or supply of gas.
    • The production, processing, transmission, distribution, or supply of liquid fuel.

    So, if your company fits those criteria, then you need to:

    • Register critical assets and report any cybersecurity events
    • Devise a Risk Management Program (RMP)
  • Finance

    Under the SOCI Act, the financial services and markets sector includes companies in:

    • Insurance
    • Banking
    • Superannuation
    • Financial markets
    • Clearing and settlement facilities
    • Derivative trade repositories
    • Financial benchmarks
    • Payment systems
    • Credit facilities

    So, if your company fits those criteria, then you need to:

    • Register critical infrastructure assets
    • Complete mandatory cyber incident reporting
    • Create a Risk Management Plan (RMP)
  • Education

    In the education sector, the SOCI Act affects higher education providers—in other words, universities. A university will be considered a critical education asset if it’s owned or operated by an entity that is registered as an Australian university on the National Register of Higher Education Providers.

    Requirements for critical education assets:

    • Register critical infrastructure assets
    • Complete cyber incident reporting
    • Create a Risk Management Plan (RMP)
  • Utilities

    Under the SOCI Act’s critical infrastructure regulations, utility providers must now:

    • Create and maintain a critical infrastructure Risk Management Program (RMP)
    • Register critical assets and report any cybersecurity events

Does your sector need to conform to the SOCI Act?

  • Communications
  • Data storage or processing
  • Financial services and markets
  • Water and sewerage
  • Energy
  • Health care and medical
  • Higher education and research
  • Food and grocery
  • Transport
  • Space technology
  • Defence

What is your responsibility?

The Bill requires owners of certain assets to “adopt, maintain and comply with” an all-hazards critical infrastructure risk management program. Impacted owners operate across multiple sectors including communications, transport, financial services, defence, higher education, energy, health care, water and sewerage.

According to a breakdown of the new laws by, “all-hazards” includes physical security hazards, natural hazards, cyber and information security hazards, supply chain hazards, and (crucially), personnel hazards.

The Bill requires asset owners to create a risk management program that includes a risk identification process, a risk management process for each material risk to an asset that will minimise or eliminate the risk, and a process for reviewing the program. A Critical Asset Register (CAR) includes people risk: the threat of employees, contractors and other personnel exploiting a physical or IT vulnerability.

Achieve Compliance Without The Paperwork

For highly regulated industries, compliance admin consumes valuable time. Automation is the answer—we’ve got a technology solution that eliminates manual data entry.

How To Comply With The SOCI Act Requirements

  1. Registering Critical Infrastructure Assets

    As a reporting entity, you need to register the operational, ownership, interest, and control information of your critical assets with the government.

  2. Cyber Incident Reporting

    You must report any cyber security incidents and events, both critical and non-critical, via the Australian Cyber Security Centre’s online cyber incident reporting portal.

  3. Create a Risk Management Program (RMP)

    You need to identify potential hazards, then minimise or remove the risk of the hazard occurring, and mitigate the impact if it does happen.

How To Create A Risk Management Program (RMP)

An RMP sounds like a monstrous project, so we’ve broken it down into some clear steps.

Step one: Understand the landscape

What is the context surrounding your individual organisation, within both the sector and the Australian economy? There is no one-size-fits-all RMP, so you need to determine the best methods for your organisation.

Step two: Identify your critical assets

What assets does your organisation need to protect? What is valuable? Which services and components would impact the organisation if they were disrupted or damaged?

Step three: Define threats and hazards

Identify and then analyse the threats and hazards that could harm your critical infrastructure assets. If you’re unsure, check what similar organisations have identified.

Step four: Evaluate risk

Assess the risk of each threat and hazard. How likely is it to occur? If it does, what will the consequences be?

Step five: Implement controls

Determine whether the initial outcome of each risk is manageable or whether more controls are required. Create the necessary controls and then update the risk profile.

Step six: Monitor risk

Risk management needs to be ongoing to manage evolving threats and changing assets and infrastructure. You will need to check the progress and effectiveness, and continually improve your processes.

How We Can Help

  1. Only order what you need

    Prepare a risk management plan

  2. Service your SOCI screening requirements

  3. Provide monitored compliance oversight

  4. Provide supply chain monitored compliance oversight

Real measurable business outcomes you can expect

  • Ongoing proactive workforce compliance management
  • Business process improvements
  • Reduced administration
  • Reduced complexity
  • Successful collaboration across organisations & supply chain
  • Report on exceptions across staff and supply chain
  • Restrict physical access to assets if non-compliant


Experienced & Trusted Compliance Services Provider

Here’s why more than 26,000 businesses trust CVCheck to manage their employee screening

Government Accredited

CVCheck is accredited by the Australian Criminal Intelligence Commission and has been providing police checks since 2007.

Experts in Screening

CVCheck is a founding member of the APAC Council of the Professional Background Screening Association.

Award-Winning Service

Recognised as a leader in Pre-Employment Screening & Psychometric Assessments at the HRD Service Provider Awards.

ISO 27001 Certified

CVCheck is ISO 27001 certified, so you can have complete confidence in how data is handled and managed.

Pursuing Excellence

CVCheck is a member of The RegTech Association and proud to be advocating the adoption of regulatory technology.

Prioritising Data Security

Rest assured that your personal information is kept secure and protected under Australia’s privacy laws.

Need A Compliance Translator?

Avoid sifting through dense legal jargon. We can explain how the SOCI Act changes apply to you and help you meet the requirements.