On 25 March 2026, the Minister for Home Affairs opened consultation on two significant reforms to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act):

  1. Proposed amendments to the Ministerial Directions Powers under Part 3 of the SOCI Act.
  2. An Exposure Draft of the enhanced Critical Infrastructure Risk Management Program (CIRMP) Rules.

The proposed amendments aim to strengthen the government’s ability to manage national security risks to critical infrastructure and to introduce more prescriptive obligations for designated high-risk critical infrastructure asset classes across cyber, supply chain, personnel and physical security. Written submissions must be provided by 1 May 2026.

The key proposals are summarised below.

Consultation 1: Amendments to Part 3 Ministerial Directions Powers

These proposals strengthen the Minister's ability to manage national security risks to critical infrastructure through five targeted measures:

  • Amended directions powers – replacing the requirement for an adverse security assessment from the Australian Security Intelligence Organisation (ASIO) with an obligation to obtain tailored ASIO advice, and recalibrating the 'regulatory exhaustion' requirement.
  • New conditions power – enabling the Minister to impose targeted conditions (such as access controls, vetting requirements, or audit obligations) where ownership, control or governance arrangements create material national security risks.
  • Delayed continuous disclosure – leveraging ASIC’s existing exemption powers or a new directions power under the SOCI Act to delay disclosure obligations under the Corporations Act where disclosure of high-risk cyber incidents could compromise national security.
  • New vendor-risk direction power – allowing coordinated action where a specific vendor or its products, equipment, services or technologies present systemic supply chain vulnerabilities, including directions to cease use, isolate technologies or implement procurement restraints.
  • Increased civil penalties – maximum penalties for non-compliance with ministerial directions would increase from $412,500 to $3.3 million for corporations.

For a detailed summary, see ‘Proposed amendments to Ministerial Directions Powers’ below.

Consultation 2: Exposure Draft of the enhanced CIRMP Rules

The Exposure Draft introduces more prescriptive obligations for responsible entities of designated high-risk critical infrastructure assets, covering the energy, communications, water and sewerage, and transport sectors.

Key requirements include:

  • Cyber and information security – mandatory uplift to Maturity Level 2 under a recognised framework (Essential Eight, ISO 27001, NIST CSF 2.0, C2M2 or AESCSF), implementation of phishing-resistant MFA, and network segregation ensuring critical systems can operate independently for at least three months.
  • Supply chain – mapping of major suppliers and critical systems, with vendor assessments addressing foreign ownership, control or influence (FOCI) risks, sanctions exposure and supplier access to critical assets.
  • Personnel security – mandatory AusCheck background checks for critical workers (repeated every five years), with documented risk mitigations for offshore workers and ongoing monitoring of personnel suitability, including insider threat risks.
  • Physical security – centralised management of physical security addressing site characteristics, critical components, sensitive areas and access controls, integrated with cyber, personnel and supply chain risk management.

Compliance timelines are staggered: 6 months for FOCI and all-hazards requirements; 18 months for personnel, supply chain and physical security; and 24 months for cyber maturity uplift, MFA and AusCheck implementation.

For a detailed summary, see ‘Exposure Draft of enhancements to CIRMP Rules’ below.

Actions for boards and management

Affected entities should engage with the consultations by providing feedback and submissions by 1 May 2026. The Department will hold townhalls and engage through the Trusted Information Sharing Network. There are a number of areas where proactive engagement with the consultations may be warranted for your organisation.

How we can help

Our Cyber Security and Critical Infrastructure team can assist with SOCI compliance reviews, board briefings, consultation submissions, updates to internal policies and processes, and alignment with broader cyber and privacy frameworks.

If you would like to discuss how these changes affect your organisation, please get in touch. Early preparation is the most effective kind.

See our previous articles on the Telecommunications assets and the SOCI Act, Cyber Security Legislative Package, the CIRMP Rules and uplift of the SOCI Act.

Proposed amendments to Ministerial Directions Powers

Following previous consultations on developing Horizon 2 of the 2023-2030 Australian Cyber Security Strategy and the Independent Review of the SOCI Act, the Government is seeking to introduce five targeted measures aimed at providing the Minister greater flexibility and precision in managing serious national security risks to critical infrastructure, each highlighted below.

Measure 1: Amendments to existing section 32 Ministerial Directions Powers

Currently, the Minister may issue directions to a reporting entity, or operator, of a critical infrastructure asset to manage risks that are ‘prejudicial to security’, subject to certain pre-conditions. To improve flexibility and speed of application in time-sensitive situations, the Government proposes to replace an existing requirement for the Minister to receive an adverse security assessment (ASA) from the Australian Security Intelligence Organisation (ASIO), with a more flexible obligation to obtain, and follow, tailored advice from ASIO.

Additionally, the Government proposes to re-calibrate the ‘regulatory exhaustion’ requirement, so that the Minister must consider whether other regulatory mechanisms could more effectively address the risk, rather than being required to be satisfied that no existing regulatory system could be used. A direction must still be reasonably necessary, and reasonable steps must be taken to negotiate in good faith with the entity, before the direction can be issued.

Measure 2: New conditions power

A new measure is being proposed that enables the Minister to impose targeted, fit-for-purpose conditions on reporting entities where ownership, control, or governance arrangements create a material risk to national security. Conditions that may be imposed are contemplated to range from role-based access controls and security vetting requirements to targeted voting exclusions, requirements for Australian security-cleared directors, requirements to uplift security baselines, and potential audit obligations.

Any conditions imposed would be tailored, time-bound and constrained to the minimum necessary to mitigate an identified risk. Certain pre-conditions (similar to those mentioned in Measure 1) must also be met before a condition direction is issued. This new measure is intended to complement (and not duplicate) the existing framework for foreign investment in the Foreign Acquisitions and Takeovers Act 1975 (Cth), and directions will be subject to periodic reviews.

Measure 3: New vendor-risk direction power

The Government proposes a new directions power to enable coordinated action where a specific vendor (or its products, equipment, services or technologies) presents a material risk to national security. Aimed at addressing systemic supply chain vulnerabilities, the power would allow the Minister to issue directions to responsible entities (individually or by class) where a vendor or technology dependency creates a material national security risk. Examples of directions include ceasing use of specified products or services, isolating identified technologies, implementing procurement restraints, or implementing compensating controls. Before issuing a direction, the Minister would be required to consider whether the direction is necessary (including whether there is a material risk that is prejudicial to national security), as well as its social, economic and availability implications.

Measure 4: Delay to continuous disclosure requirements

This measure proposes a limited, time-bound power to delay an entity’s disclosure obligations under the Corporations Act 2001 (Cth) (Corporations Act), where public disclosure of high-risk cyber security incidents would risk compromising national security (for instance, undermine coordinated responses, reveal vulnerabilities, or heighten systemic risks). The Government is seeking input on whether to:

  • Option 1: Leverage ASIC’s existing exemption power under section 111AT of the Corporations Act to exempt entities from disclosure obligations in the event of a high-risk cyber incident, for a specific timeframe; or
  • Option 2: Insert a new directions power under the SOCI Act to allow the Minister to delay disclosure of a cyber security incident for a prescribed period.

Measure 5: Increased civil penalties

The Government proposes to increase the maximum civil penalty for non-compliance with a Ministerial direction under Part 3 from 250 penalty units (or 1250 penalty units for corporations) to 2000 penalty units (or 10,000 penalty units for corporations), aligning it with the enforcement framework under Part 2D of the SOCI Act for carriers and carriage service providers. At today’s penalty unit rate of $330 per unit, this increases the potential exposure for corporations for non-compliance from $412,500 to $3.3 million.

Exposure Draft of enhancements to CIRMP Rules

The Exposure Draft follows consultation on an Enhancing the CIRMP Rules Consultation Paper (9 December 2025 to 13 February 2026), during which the Department received over 60 submissions and engaged over 1,900 stakeholders. Submissions were broadly supportive but raised concerns about implementation timeframes and costs. The Exposure Draft contains amendments made in response to that feedback, while maintaining a principles-based approach with the ‘as far as reasonably practicable’ standard applying across all hazard categories.

Applicable asset classes

The enhanced requirements apply only to responsible entities of designated high-risk asset classes. Other asset classes subject to existing CIRMP Rules (or equivalent frameworks such as the Telecommunications Security and Risk Management Program) continue under current baseline requirements.

Asset classes subject to the proposed enhanced CIRMP Rules (sector and critical asset class):

Energy

  • Critical energy market operator asset.
  • Critical electricity asset.
  • Critical gas asset.
  • Critical liquid fuel asset.

Communications

  • Critical broadcasting asset.
  • Critical domain name system.

Water and sewerage

  • Critical water asset.

Transport

  • Critical freight services asset.
  • Critical freight infrastructure asset.

Summary of proposed changes

  • All-hazards: responsible entities are required to consider all material risks to the security of critical infrastructure assets, including risks arising from the impairment of asset functions that could prejudice Australia's social or economic stability, national security or defence, as well as risks associated with FOCI. Following consultation, the Department moved away from a prescriptive ‘specified risk advice’ measure in favour of a principles-based approach, while retaining the requirement that material risks must still be assessed and addressed by responsible entities.
  • Cyber and information security: Responsible entities must:
    • uplift to Maturity Level 2 (or equivalent) under a recognised framework (Essential Eight, ISO 27001, NIST CSF 2.0, C2M2 or AESCSF);
    • as far as is reasonably practicable:
      • implement phishing-resistant MFA with central logging. Where MFA cannot be implemented due to legacy system limitations, alternative mitigations are permitted;
      • implement network segregation and operational independence between critical systems and other networks, and ensure critical systems can remain operational for at least three months when other networks are impacted and are being restored; and
    • specifically address in the CIRMP new material risks, including legacy and unsupported systems, emerging technology (its use both by the organisation and also against it) and offshore remote access to operational technology control systems or business-critical data.
  • Supply chain: entities must map major suppliers and critical systems across physical and cyber supply chains, identifying vulnerabilities, maximum tolerable outages and mitigation measures. Vendor assessments must address FOCI risks, sanctions exposure, supplier access and control over critical assets. The Department confirmed it does not intend to whitelist or blacklist specific vendors; entities must assess risks and mitigate as far as reasonably practicable.
  • Personnel security: AusCheck background checks will be mandatory for onshore critical workers with access to critical systems (unless they hold NV1 or higher clearance). No foreign check is considered equivalent to AusCheck and offshore workers require documented risk mitigations. Background checks must be repeated every five years. Following consultation, the proposed provisions now include a new requirement for ongoing monitoring of personnel suitability, including insider threat risks.
  • Physical security: entities must centrally manage physical security with attention to cross-cutting risks from cyber, personnel and supply chain hazards. The CIRMP must address site characteristics, physical critical components, sensitive areas and access controls including surveillance systems. The Department confirmed it will not mandate a particular standard or format for the physical security plan.

We note that the proposed enhanced CIRMP requirements, particularly the supply chain aspects noted above, align in part with concepts under APRA’s Prudential Standard CPS 230 (Operational Risk Management). We have advised on CPS 230 for a number of years and have a suite of clauses for use in third party contracts which help organisations manage compliance with these types of requirements.

Timelines

The Exposure Draft provides staggered grace periods from commencement:

  • 6 months: FOCI and All-hazards material risk requirements.
  • 18 months: personnel access management, supply chain mapping and physical security.
  • 24 months: cyber maturity uplift (extended from originally proposed 18 months), network protection, phishing-resistant MFA and personnel background checking (AusCheck).

The Department is also considering introducing an additional reporting requirement that would require responsible entities to provide updates on implementation of the enhanced CIRMP obligations as part of their annual reporting under section 30AG of the SOCI Act.

Actions for boards and management

We expect limited changes to be made to the current draft, given previous consultation has already occurred on the enhanced CIRMP Rules. While entities should engage in the open consultation (as applicable), we suggest Boards begin preparing by taking the following steps:

  • Confirm scope: validate which assets fall within high-risk categories to calibrate compliance obligations. In particular, the proposed definition of “critical system” is worthy of attention. At its broadest, it includes all systems or components the compromise of which may have a “relevant impact” on the asset. Given the need for operational segregation of critical systems and specific enhanced cyber resilience measures contemplated above, we recommend you consider how this may impact you.
  • Commission gap analysis: assess current state against cyber maturity (Maturity Level 2), critical systems segregation, phishing-resistant MFA (or alternative mitigations for legacy systems), and identity/access management for networks that connect to critical systems in particular.
  • Assess FOCI exposure: undertake structured assessment across enterprise and supply chain as a priority given the 6-month compliance window.
  • Map supply chains: identify major suppliers, critical systems, vulnerabilities, maximum tolerable outages and concentration risks. We conducted a tabletop exercise with the Centre for Cybersecurity Policy and Law and the Australian Government (along with leading tech vendors) to explore and address IT concentration risk (you can access the report here). The learnings and recommendations from this report are directly relevant to the new supply chain hazard measures contemplated above. Please reach out if you would like to discuss in more detail.
  • Uplift personnel security: plan for AusCheck implementation, address offshore worker risks with documented mitigations, and develop a personnel security plan covering insider threat and ongoing suitability monitoring.
  • Develop physical security plan: address site characteristics, critical components, sensitive areas and access controls; integrate with cyber, personnel and supply chain risk management.
  • Establish governance: boards should establish oversight structures with milestone tracking aligned to grace periods (noting the extended 24-month cyber timeframe).