The SOCI Act Deadline is Here: A Guide to the Critical Infrastructure Bill in 2023
The reliability and consistency of essential services have a significant impact on the security of Australia’s economy and society.
With critical infrastructure becoming more interconnected and interdependent, the risk of geopolitical tensions and cyber security incidents has become a pressing national security concern. Organisations and governments are under intense pressure to create and maintain trust around data.
In response to these threats, the Security of Critical Infrastructure Act 2018 (SOCI Act) was passed by the Federal Government to increase the security standards among key industries. Since then, the SOCI Act has undergone numerous revisions and amendments to include more industries and obligations.
However, now that the registration deadline and grace period have well and truly passed, it’s essential that businesses have a comprehensive understanding of the requirements and obligations that apply.
That’s why we’ve constructed this guide to shed some light on what the SOCI Act means for your business or organisation in 2023.
What is the SOCI Act 2018?
In July 2018, the Security of Critical Infrastructure Act 2018 introduced a mandatory framework for security compliance relevant to all critical infrastructure sectors and assets.
These measures were introduced as a part of Australia’s Cyber Security Strategy 2020 which included major critical infrastructure reforms, aimed at improving its protection and resilience.
The first stage of the critical infrastructure reforms came into effect on 2 December 2021 as part of the Security Legislation Amendment Critical Infrastructure Act (SLACI Act). The second stage came into effect on 2 April 2022 as part of the Security Legislation Amendment Critical Infrastructure Protection Act (SLACIP Act), which expanded the sectors and assets covered under the security legislation.
Timeline of the SOCI Act.
A brief overview of the reforms, events and deadlines regarding the SOCI Act can be seen below:
Data Storage and Processing: Why Data Centres are Key to National SOCI Compliance.
The SOCI Act specifically seeks to protect the interconnected data networks of the Australian economy as ultimately, data storage and processing are one of the most important critical infrastructure assets to keep secure.
This is because the data centre ecosystem is subtle yet complex. Data centres are the most tangible link in a much larger picture: an extended chain of interconnected responsibilities that spans most, if not all, of the affected sectors.
Moreover, with a myriad of modern businesses electing to operate in the cloud and most organisations now running hybrid workplaces, physical IT infrastructure is often the first point of access for anyone seeking to disrupt operations or steal data. No matter how distributed the workload, all roads lead back to data centres.
This is why the SOCI Act is especially relevant to data centres. As one of the most important cogs in a delicately balanced machine, it is imperative that data centre operations comply with these new obligations.
Why Does the Critical Infrastructure Act Matter to Your Business in 2023?
The Critical Infrastructure Act directly affects many Australian businesses, but in particular, any organisations operating as part of the 11 critical infrastructure sectors will have to ensure SOCI compliance.
Although the list of assets and sectors required to comply with each obligation differs, it is important to note that organisations affiliated with these sectors and assets may also be affected.
Who is Impacted by the SOCI Act?
People and organisations that are impacted by the SOCI Act can be broken down into two main groups and two subgroups:
Main Group
- Responsible Entities
- Direct Interest Holders
Their definitions and key responsibilities are noted below as per the information provided by the Critical Infrastructure Centre.
Responsible entities are defined as the body that owns, is licensed to operate, or is otherwise responsible for the critical infrastructure asset.
It is worth noting, however, that the term has sector-specific meanings. For instance:
- Critical Electricity Asset or Critical Gas Asset: The entity that holds the licence, approval or authorisation to operate the asset and provide the service that is delivered by the asset
- Critical Water Asset: The water utility that holds the licence, approval or authorisation under the law of the Australian Government (or State/Territory) to provide the service that is delivered by the asset
- Critical Port: The port operator (as per the Maritime Transport and Offshore Facilities Security Act 2003)
Direct interest holders are described as an entity that either:
- Together with any associates of the entity, holds an interest of at least 10 per cent in the asset (including the interests held jointly with one or more other entities), or
- Holds an interest in the asset that puts them in a position to directly or indirectly influence or control the asset.
Expanded Sectors and Assets Coverage
The reforms passed as part of the SLACI and SLACIP Acts expanded the scope of entities bound by the legislation, which now covers 11 sectors and 22 types of assets.
Critical infrastructure sectors and the critical infrastructure assets that pertain to them now include:
| Critical Infrastructure Sector | Critical Infrastructure Asset |
| --- | --- |
| Communications | Telecommunications, Broadcasting, Domain Name Systems |
| Data Storage and Processing | Data Storage and Processing Facilities/Technology |
| Defence Industry | Defence |
| Energy | Electricity, Gas, Energy Market Operators, Liquid Fuels |
| Financial Services | Banking, Superannuation, Insurance, Financial Markets Infrastructure, Payment Services |
| Food and Grocery | Food and Grocery |
| Health and Medical | Hospitals |
| Higher Education and Research | Education |
| Space Technology | Space Technology |
| Transport | Ports, Freight Infrastructure, Freight and Logistics Services, Public Transport, Aviation |
| Water and Sewerage | Water and Sewerage Facilities |
An Overview of Key Obligations.
The key obligations laid out by the SOCI Act comprise three positive security obligations, together with a set of enhanced cyber security obligations.
The positive security obligations listed in the act are as follows:
- Register of Critical Assets
- Mandatory Cyber Security Incident Reporting/Notification of Cyber Security Events
- Risk Management Program
Notification of Cyber Security Incidents.
The SOCI Act introduced mandatory cyber security incident reporting in an attempt to protect the integrity of Australia’s essential services.
This means that responsible entities for applicable critical infrastructure assets are now required to report all cyber security incidents to the Government, to aid the development of an aggregated threat picture and a comprehensive understanding of cyber security risks.
The SOCI Act defines a cyber security incident as unauthorised access to data or impairment of infrastructure. These incidents are classified into two levels of concern:
- Critical cyber security incidents: have had, or are having, a significant impact on the critical asset’s ability to deliver services. These must be reported within 12 hours of detection.
- Other cyber security incidents: have had, or are having, a relevant impact on the critical asset’s availability, reliability or integrity. These must be reported within 72 hours of detection.
Sectors and assets required to comply with the notification of cyber security incidents obligation include:
| Critical Infrastructure Sector | Critical Infrastructure Asset |
| --- | --- |
| Communications | Broadcasting, Domain Name Systems |
| Data Storage and Processing | Data Storage and Processing Facilities/Technology |
| Energy | Electricity, Gas, Energy Market Operators, Liquid Fuels |
| Financial Services | Banking, Superannuation, Insurance, Financial Markets Infrastructure, Payment Services |
| Food and Grocery | Food and Grocery |
| Health and Medical | Hospitals |
| Higher Education and Research | Education |
| Transport | Ports, Freight Infrastructure, Freight and Logistics Services, Public Transport, Aviation |
| Water and Sewerage | Water and Sewerage Facilities |
Register of Critical Infrastructure Assets.
The responsible entity for a critical infrastructure asset must provide operational information (who and what the asset serves) and contact details, and a direct interest holder of the asset must provide interest and control information, to the Secretary of the Department of Home Affairs for inclusion in the Register of Critical Infrastructure Assets.
This obligation to give information is ongoing. If the provided operational, interest or control information becomes inaccurate or incomplete, the responsible entity or direct interest holder must notify the Secretary of the notifiable event and correct or complete that information.
Since the obligation was fully instated on 8 October 2022, failure to register assets in 2023 will result in a civil penalty of $11,100 per case.
Sectors and assets required to comply with the Register of Critical Infrastructure Assets obligation include:
| Critical Infrastructure Sector | Critical Infrastructure Asset |
| --- | --- |
| Communications | Broadcasting, Domain Name Systems |
| Data Storage and Processing | Data Storage and Processing Facilities/Technology |
| Energy | Electricity, Gas, Energy Market Operators, Liquid Fuels |
| Financial Services | Payment Services |
| Food and Grocery | Food and Grocery |
| Health and Medical | Hospitals |
| Transport | Ports, Freight Infrastructure, Freight and Logistics Services, Public Transport |
Risk Management Program.
The risk management program requires responsible entities for critical infrastructure assets to adopt, maintain and comply with a structured risk management plan.
This also entails regularly scheduled reviews of the plan, along with the responsibility of ensuring that the program is always up to date. Although the risk management program is still being finalised following the initial industry consultation process, it is intended to uplift core security practices. The framework may cover:
- Cyber
- Physical
- Personnel
- Supply Chain
A draft explanation of the risk management program can be found on the Department of Home Affairs’ website.
Sectors and assets required to comply with the risk management program obligation include:
| Critical Infrastructure Sector | Critical Infrastructure Asset |
| --- | --- |
| Communications | Broadcasting, Domain Name Systems |
| Data Storage and Processing | Data Storage and Processing Facilities/Technology |
| Energy | Electricity, Gas, Energy Market Operators, Liquid Fuels |
| Financial Services | Payment Services |
| Food and Grocery | Food and Grocery |
| Health and Medical | Hospitals |
| Transport | Freight Infrastructure, Freight and Logistics Services |
| Water and Sewerage | Water and Sewerage Facilities |
Government Assistance for Incident Response.
Mandatory assistance is considered a last resort when dealing with cyber incidents of national significance.
If an important critical infrastructure asset experiences a serious cyber attack and the responsible entity is unable to respond effectively even after following the key measures, the Government will step in to provide assistance.
Government intervention is reserved for the most serious cases, as it requires approval from the Prime Minister and the Defence Minister.
What Does the SOCI Act Mean for Multinationals Expanding to Australia?
Recent adjustments to data sovereignty laws and concerns for national security across the world have made understanding compliance requirements crucial for global enterprises.
With the introduction of an enhanced regulatory framework, businesses expanding to the Australian market will need to check if they are included within the list of impacted entities to ensure smooth operations.
Not all requirements in the SOCI Act may be relevant to your business; however, it is imperative for organisations entering Australia to identify whether they fall within the SOCI Act and to gauge whether additional responsibilities may apply in future.
Make Sure Your Infrastructure is SOCI-Compliant with Macquarie Data Centres.
At Macquarie Data Centres, we’ve built our entire model around customer centricity, which is why we always seek to conform to all security and compliance measures essential for the safe hosting of data.
Furthermore, with 42% of Australian Federal Government operations entrusting their critical IT infrastructure to us, you can feel confident that our colocation solutions are built to protect and secure your essential operations.
Macquarie Data Centres: Sovereign and Secure Sydney North Zone Data Centres.
Strategically positioned in the heart of the Sydney North Zone, our Macquarie Park Data Centre Campus has been delivering custom colocation solutions for over a decade.
As a pioneer in the Australian data centre industry, our sovereign and secure facilities are built for scale and adaptable enough to provide the ideal environment for your business needs.