The final report on the independent review into the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), conducted by Dr Jill Slay AM, was delivered on 2 February 2026 and was subsequently made public on 25 March 2026 (the Report). The Report points to structural reform of Australia's critical infrastructure regime. The practical question arising from the Report for boards and management is not whether the framework will change, but how quickly they can transition from documentary compliance to demonstrable operational assurance.

At a glance

  • The Report concludes that the SOCI Act has improved board awareness, baseline governance and incident visibility, but that major legislative change is required to address excessive complexity and regulatory duplication and to shift the regime from compliance-driven to outcomes-driven.
  • The formal recommendations focus on harmonisation, stronger enforcement, ASIC-style guidance, emerging-threat uplift, stronger Trusted Information Sharing Network (TISN) capability, and acceptance of proposed Critical Infrastructure Risk Management Program (CIRMP) amendments while the SOCI Act is simplified.
  • Several issues widely discussed in the market - including AI services, hyperscale cloud, content delivery networks, drones, space assets, external assurance and broader sector definitions - have been identified as areas for further examination, to be accompanied by sector-specific guidance.
  • Current SOCI Act obligations continue to apply unless and until the Australian Government responds and legislation changes.


This article summarises the Report and likely practical implications. The Report itself does not reflect an Australian Government response or enacted legislative change.

What the Report recommends

The six formal recommendations, and their practical implication for regulated entities, are set out below.

Recommendation 1 – Remove Commonwealth duplication

Reduce overlap across the Commonwealth framework. The Australian Government should map SOCI requirements against APRA CPS 230 and CPS 234, Privacy Act notification obligations, Protective Security Policy Framework (PSPF) or Defence Industry Security Program (DISP) requirements, telecommunications obligations and other sector-specific regimes with the strategic objective of simplification and consistency. For regulated entities, the priority should be developing an integrated control environment that produces outputs across multiple regulatory frameworks, rather than maintaining a standalone SOCI Act compliance silo.

Recommendation 2 – Move from light-touch compliance to real enforcement

Shift from document-based administration to penalty-backed risk management. This is a direct signal that regulators will increasingly scrutinise whether controls are operating effectively in practice, whether risk treatment decisions are evidence-based, and whether boards can demonstrate the adequacy of their assurance – not merely the existence of a CIRMP.

Recommendation 3 – Issue ASIC-style guidance

Develop worked examples, templates and plain-language guidance. Better regulatory guidance should improve consistency of approach across sectors; however, responsible entities should not await the publication of new templates before testing whether their existing policies, risk registers and incident playbooks are fit for purpose in a crisis.

Recommendation 4 – Co-ordinate response to emerging threats and technologies

Home Affairs should work with the TISN, the Australian Signals Directorate, the Australian Security Intelligence Organisation and other agencies on emerging threats, including AI, quantum risks, physical threat vectors and operational technology cyber risk. Organisations with operational technology, cloud dependencies, AI-enabled systems or complex third-party operating models should already be refreshing asset-level risk assessments and escalation pathways.

Recommendation 5 – Lift TISN capability

Enhance TISN capability through education and information sharing. Expect stronger emphasis on sector co-ordination, threat intelligence sharing, cross-sector exercises and practical uplift tools that help responsible entities move from interpretation to implementation.

Recommendation 6 – Accept CIRMP amendments while simplifying the SOCI Act

Accept the proposed CIRMP amendments in the near term, while moving toward a simpler principles-based SOCI Act supported by rules and thematic handbooks. In practice, this means the current CIRMP consultation process remains immediately relevant, whilst the longer-term legislative architecture may evolve toward a leaner SOCI Act with more flexible subordinate instruments and clearer compliance guidance. See our earlier article on the proposed CIRMP amendments and the current consultation.

Recommendation 6(a) – Issues to examine

The Report also identifies a potential reform pipeline. Issues flagged for further examination include asset and sector definitions, register quality and information sharing, incident reporting obligations, self-attestation and the possible introduction of external assurance requirements, high-risk vendors, assets under construction, Systems of National Significance (SoNS) processes, and Ministerial Direction thresholds and CIRMP settings (the latter two of which are currently under consultation). These matters should be treated as likely subjects of future reform, not settled law.

What the Report is signalling beyond the formal recommendations

The issues flagged, and their implication for regulated entities, are set out below.

Future scope questions

The Report records strong stakeholder support for expanding SOCI Act coverage to AI services, hyperscale cloud providers, content delivery networks, drones and space assets. Whilst not a legislative outcome today, organisations that own, operate or rely upon those assets or services should anticipate future inclusion in scope and the assurance questions that would follow.

Board assurance and self-attestation

The Report does not formally recommend mandatory independent assurance. Rather, it identifies external assurance as an issue warranting further examination. Boards should expect increasing scrutiny of self-attestation and a greater emphasis on evidence, testing and specialist assurance in the conduct of that process.

Sector definitions and interdependencies

The Report suggests that some sector and asset-class definitions may no longer reflect operational reality, including in relation to higher education and research, healthcare, food supply, energy transition assets and complex corporate structures. Entities that own or operate mixed assets or shared services models, or that form part of complex corporate structures, should verify whether their current scoping assumptions remain reliable.

Duplication and control rationalisation

Harmonisation is arguably the most significant theme in the Report. If regulatory duplication is reduced over time, entities that invest now in common controls, common evidence sets and integrated governance across cyber, privacy, operational resilience and critical infrastructure will be best positioned to benefit from that rationalisation.

Why this matters now

The Report sits within a broader regulatory policy trend toward operational resilience, more robust consequence management, heightened scrutiny of outsourcing and supply chain risk, and closer attention to business-critical data, data hosting arrangements and third-party dependencies.

For responsible entities, the immediate risk lies in developing artefacts that satisfy technical compliance requirements but cannot withstand board challenge, regulatory scrutiny or the conditions of an actual incident. Many critical infrastructure businesses also operate in environments where business-critical data, incident notification obligations, privileged investigations, offshore support arrangements and complex data flows are central to resilience. Boards should be approaching SOCI, privacy and operational resilience as intersecting governance considerations rather than separate workstreams.

What boards and management should do now

  • Re-map the compliance stack. Identify where SOCI Act obligations overlap and intersect with other regulatory frameworks, and align controls, governance forums, evidence and reporting accordingly.
  • Stress-test the CIRMP (if applicable). Conduct scenario exercises that test decision-making, escalation pathways, third-party co-ordination, information flows and operational recovery - not merely the existence of documented plans.
  • Refresh board assurance. Assess whether current board reporting supports defensible attestations. Consider where independent testing or external assurance would add value.
  • Revisit the hard issues. Re-examine Foreign Ownership, Control and Influence (FOCI) risk, supply chain and outsourcing risk, operational technology security, privileged access, cloud and hosting arrangements, and business-critical data exposures.
  • Prepare for the next wave of reform. Participate in current and future consultations (including the current consultation on the Ministerial Directions powers and CIRMP exposure draft) and the broader SOCI Act reform processes.

Three board questions to ask

  1. Where are we duplicating effort across SOCI Act obligations, privacy, operational resilience and sector-specific regulatory regimes, and what controls can be rationalised now?
  2. If the regulator or the board required evidence of SOCI Act compliance, what could we produce beyond policy documentation?
  3. Which dependencies - including operational technology, cloud, data hosting, outsourced operators, privileged third-party access and FOCI risk - are most likely to drive operational disruption or regulatory scrutiny?

How we can help

  • Board and executive briefings on the Report, the current consultations on Ministerial Directions powers and CIRMP exposure draft, and likely regulatory direction of travel.
  • SOCI compliance uplift and legal rationalisation programs across SOCI, CPS 230 or CPS 234, privacy, PSPF or DISP and other cyber and sector-specific frameworks.