Security of Critical Infrastructure: proposed changes to Critical Infrastructure Risk Management Program and enhanced Ministerial Powers

Following an independent review into the Security of Critical Infrastructure Act 2018 (SOCI Act) conducted by Dr Jill Slay AM (the Review), the Department of Home Affairs (the Department) has released the first in a series of proposed changes aimed at implementing a comprehensive legislative restructure that will impact how relevant assets are managed.  

The Review determined that while the SOCI Act had achieved a strong foundation for protecting Australia’s critical infrastructure assets, the Act’s ‘current complexity, regulatory overlap, weak enforcement posture, and gaps in addressing emerging threats’ required a comprehensive legislative restructure. 

In response, the Department accepted all six of the Review’s recommendations in principle, proposing to respond in two tranches. The first tranche of initiatives is targeted in part at addressing recommendation 6 of the Review and includes:

  • proposed amendments to the Ministerial Directions Powers in Part 3 of the SOCI Act; and
  • an Exposure Draft of proposed enhancements to the Critical Infrastructure Risk Management Program (CIRMP) rules.

In addition to enhancing the Minister’s powers to deal with security concerns more effectively, the consultation papers propose an enhanced set of CIRMP rules targeting several sectors of critical importance to Australian infrastructure and the broader economy. These changes will be accompanied by a second tranche of amendments at a later stage, which will seek to adopt the remaining recommendations. Further amendments are likely to include an expansion of the assets and sectors currently covered by the SOCI Act, the adoption of stricter penalties for non-compliance, and enhanced guidelines to address areas of emerging risk. 

With the consultation period now concluded, organisations should begin considering how the proposed CIRMP rule changes will impact how relevant assets are managed. In this Insight, we detail the relevant sectors affected and outline the proposed enhanced obligations for those seeking regulatory certainty in the SOCI Act’s evolving framework.  

Relevant sectors impacted by the CIRMP rule changes

The proposed enhancements to the CIRMP rules contained in the first tranche of initiatives are intended to apply only to a subset of ‘high-risk’ asset classes, all of which are already required to develop and maintain a CIRMP under Part 2A of the SOCI Act. These are:

  • critical broadcasting assets;
  • critical domain name systems;
  • critical electricity assets;
  • critical energy market operator assets;
  • critical freight infrastructure assets;
  • critical freight services assets;
  • critical gas assets;
  • critical liquid fuel assets; and
  • critical water assets.

The consultation paper considered these asset classes to be high-risk because their ongoing availability underpins other critical infrastructure sectors and the broader economy. The sectors were also chosen in part on the basis of intelligence assessments provided by the National Intelligence Community.

The initial consultation paper on the enhanced CIRMP obligations was delivered whilst the Review was being conducted. The Review recommended the amendments be accepted, noting that they would increase board and executive accountability for security outcomes by deepening the SOCI Act’s obligations under Part 2A. The Review broadly identified some challenges in implementing the new requirements, including shortages in specialist skills and a need to support smaller operators with limited internal security capabilities.  

Proposed enhancements to the CIRMP rules 

We have set out a summary of the proposed additional measures and relevant compliance timelines below. 

All hazard measures

Measure: Enhanced requirements
Summary of proposed changes: Responsible entities must consider any impairment to their asset's functions which could prejudice the social and economic stability, national security or defence of Australia.
Compliance timeline: Within 6 months of commencement.

Measure: Foreign ownership, control and influence (FOCI)
Summary of proposed changes: Responsible entities must consider and mitigate or eliminate the potential risk of compromise or impairment of their asset's functions arising from or in connection with FOCI. This includes risks from foreign-owned vendors, suppliers, managed service providers, components, systems or software.
Compliance timeline: Within 6 months of commencement.

Cyber and information security hazard measures

Measure: Cyber security framework uplift
Summary of proposed changes: Responsible entities must comply with maturity level 2 (or equivalent) of a recognised cyber maturity framework, such as C2M2, AESCSF, AS ISO/IEC 27001:2023, the Essential Eight or NIST CSF 2.0. This is up from the current obligation to comply with maturity level 1.
Compliance timeline: Within 24 months of commencement.

Measure: Critical systems network protection
Summary of proposed changes: Responsible entities must identify their critical systems in their CIRMP. They must also identify how they have implemented the greatest practical level of segregation between their asset’s critical systems and other components whose compromise could result in a compromise of those systems.
Compliance timeline: Within 24 months of commencement. Note: a documented plan within the CIRMP will be required detailing how compliance will be accomplished leading up to the attestation period.

Measure: Multi-factor authentication (MFA)
Summary of proposed changes: Responsible entities must implement phishing-resistant MFA to authenticate users to their organisation’s internet-facing networks, privileged and unprivileged users of critical systems, and remote access to networks and systems. They must centrally log and review both successful and unsuccessful authentication attempts.
Compliance timeline: Within 24 months of commencement. Note: a documented plan within the CIRMP will be required detailing how compliance will be accomplished leading up to the attestation period.

Measure: Enhancing cyber material risks
Summary of proposed changes: The introduction of cyber and information hazard specific risks which a responsible entity will need to minimise or eliminate. These will include material risks arising from the deployment of advanced and emerging technology (including AI and quantum computing), offshore remote access to operational technology and business-critical data, and the failure to replace unsupported or end-of-life software, hardware and systems.
Compliance timeline: Within 18 months of commencement.

Supply chain hazard measures

Measure: Supply chain vulnerability mapping
Summary of proposed changes: Responsible entities must establish and maintain a process to map their supply chain for major suppliers and critical systems, identify vulnerabilities and risks, and implement mitigation measures. This includes supplier diversification and redundancy planning.
Compliance timeline: Within 18 months of commencement. Note: a documented plan within the CIRMP will be required detailing how compliance will be accomplished leading up to the attestation period.

Measure: Vendor assessment (vendors of concern)
Summary of proposed changes: Responsible entities must develop and maintain a process to assess and mitigate the risks associated with existing or proposed major suppliers. This process must consider any legislative requirements to which the supplier is subject, restrictions or sanctions in the supplier's jurisdiction, and the access, influence and control the supplier has over the asset.
Compliance timeline: Within 18 months of commencement. Note: a documented plan within the CIRMP will be required detailing how compliance will be accomplished leading up to the attestation period.

Personnel security hazard measures

Measure: Personnel security plan
Summary of proposed changes: Responsible entities must establish and maintain a personnel security plan. This must incorporate processes to minimise or eliminate risks associated with unauthorised or unsupervised access to critical systems, the compromise and misuse of credentials and privileged access, and access to the asset by persons other than critical workers.
Compliance timeline: Within 18 months of commencement. Note: a documented plan within the CIRMP will be required detailing how compliance will be accomplished leading up to the attestation period.

Measure: Strengthened background checking
Summary of proposed changes: All onshore and offshore critical workers must undergo an AusCheck background check (or hold an AGSVA Negative Vetting 1 clearance), with revalidation at minimum every five years. Offshore critical workers unable to obtain an intelligence-based check must have their associated risks identified and mitigated in the CIRMP.
Compliance timeline: Within 24 months of commencement. Note: a documented plan within the CIRMP will be required detailing how compliance will be accomplished leading up to the attestation period.

Measure: Mapping of onshore and offshore critical workers
Summary of proposed changes: Responsible entities must establish and maintain a process to assess the suitability of any onshore or offshore critical worker that has access to critical systems. This will include proactively monitoring, identifying and acting to address any developments that may affect the suitability of an onshore or offshore critical worker.
Compliance timeline: Within 24 months of commencement.

Physical and natural hazard measures

Measure: Enhanced requirements
Summary of proposed changes: Responsible entities must centrally manage physical security and natural hazards. This includes outlining the location and nature of the site where the asset is located, identifying physical critical components and sensitive areas, and implementing physical access controls, surveillance and security alarm systems for critical systems and components. The responsible entity must also mitigate associated risks where practicable to do so.
Compliance timeline: Within 18 months of commencement.

Possible further amendments to come in tranche 2 

As mentioned above, the Department will soon propose further amendments in line with the remaining recommendations contained in the Review. These amendments will likely include a shift to a penalty-based risk management process with a greater focus on enforcement. The adjustment comes as the Review proposes broad changes to enhance the SOCI Act’s ability to respond to emerging technologies and associated threats. Recommendations in the Review include creating a power for the Department to ban dangerous technologies or suppliers. The recommendations recognise the need for the Department to work with other agencies to respond to concerns on emerging technologies (including AI, quantum, physical threat vectors and the role of Operational Technology Cybersecurity). Finally, the Review suggests introducing a requirement for qualified independent experts (such as chartered cyber engineers) to provide external assurances on the organisation’s risk management program.  

The Review also recommends broadening the definition of critical infrastructure in a variety of ways. Recommendation 6(a) suggests expanding the definition to capture new assets and sectors, as well as modifying existing classes to extend the SOCI Act’s current coverage. Suggested changes include covering ‘corporate groups’ (though it is not clear from the Review what is intended to be covered by this proposal), adding space assets to the SOCI Act’s coverage (given its importance to the supply of communications services), and expanding the healthcare and food supply chain protections by adding additional methods of approach.  

The Review specifically calls for consideration to be given to a new definition of the higher education and research sector. The proposed change aims to capture all forms of Higher Education research and institutions such as CSIRO, NHMRC and other medical research, co-operative research centres and projects and Defence-funded research carried out in universities. The proposed amendment comes after the Review concluded that current university foreign interference guidelines are ‘static’ and applied inconsistently, representing a deficiency in an area that faces foreign interference risks around research security. 

Further changes may also be made to the CIRMP rules, with the Review recommending that amendments work towards the simplification and rationalisation of the SOCI Act’s framework to develop a ‘new simpler principles-based SOCI Act.’ 

Next steps in implementing critical infrastructure changes

The consultation period on the proposed amendments closed on 1 May 2026, with the Department now reviewing submissions and determining next steps. While the Exposure Draft is still subject to change, responsible entities for the affected ‘high-risk’ asset classes should review their existing CIRMP and consider what systems or procedures may need to change to meet the new obligations. Specifically, entities should:

  • identify and segregate critical systems;
  • consider any required uplifts to their cyber security measures, including compliance with relevant frameworks and the implementation of MFA;
  • ensure appropriate physical security measures and access controls are in place for critical systems;
  • review their supply chains and consider any risks from major suppliers, including lack of diversification and FOCI;
  • review current personnel security measures; and
  • consider whether key supplier contracts require uplifting to ensure compliance with the proposed CIRMP requirements (for example, obligations on vendor personnel to undergo relevant background checks or achieve security clearances).

Authors

James North

Head of Technology, Media and Telecommunications

Justin Gay

Special Counsel

Jack Matthews

Senior Associate


Tags

Technology, Media and Telecommunications; Cyber Security; Construction, Major Projects and Infrastructure; Government

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.
