Australia's Security of Critical Infrastructure Act has been through its most significant set of changes since its original 2018 enactment. If you're a responsible entity under the SOCI Act, the regulatory landscape you're operating in today looks quite different from even 18 months ago.
Here's a plain-English summary of what's changed, what it means for your organisation, and what you should be doing about it.
The Enhanced Response and Prevention (ERP) Act — November 2024
The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 — known as the ERP Act — passed in November 2024 and came into force in December 2024. It represents the most substantive expansion of SOCI obligations to date.
Key changes under the ERP Act
Data storage systems brought into scope
One of the most significant changes is the extension of CIRMP obligations to data storage systems related to critical assets. If your organisation stores or processes data connected to a critical infrastructure asset — even if you're not the primary owner or operator of that asset — you may now have direct SOCI obligations. This has significant implications for cloud providers, data centres, and managed service providers serving regulated sectors.
Clarified responsibilities for responsible entities
The ERP Act clarifies who bears notification obligations in complex asset ownership structures. Previously, both direct interest holders and responsible entities had overlapping notification duties. Under the amended framework, notification responsibility sits clearly with the responsible entity — reducing duplication but increasing accountability at the operator level.
Strengthened government intervention powers
The government's ability to intervene in critical infrastructure incidents has been expanded. In situations of significant risk, the Australian Signals Directorate (ASD) can be directed to provide assistance to — or operate systems on behalf of — a responsible entity. This is a meaningful shift from advisory to operational involvement.
Telecommunications rules — April 2025
The Telecommunications Security and Risk Management Program (TSRMP) Rules came into effect on 4 April 2025, bringing telecommunications carriers formally into the CIRMP framework under a new Part 2D of the SOCI Act.
Previously, telecommunications security obligations sat under the Telecommunications Act 1997. The April 2025 changes consolidate these into SOCI, meaning:
- Carriers must now implement a Critical Infrastructure Risk Management Program that covers their carrier assets
- Notification obligations have been updated — responsible entities bear the duty of notifying relevant regulators
- Telecommunications operators face the same annual reporting requirements as other SOCI-regulated sectors
If you operate in the telecoms sector and haven't yet reviewed your CIRMP obligations under the new Part 2D, this is an urgent priority.
Ransomware payment reporting — May 2025
From 30 May 2025, mandatory ransomware payment reporting commenced for all SOCI entities under the Cyber Security Act 2024. Organisations with annual turnover above $3 million that make a ransomware payment must report it to the Australian Signals Directorate.
This requirement exists alongside — not instead of — your existing SOCI incident notification obligations. A ransomware attack affecting a critical infrastructure asset triggers both reporting streams simultaneously.
What's coming next
The regulatory reform cycle isn't finished. Two further changes are on the near-term horizon:
- March 2026 — Mandatory IoT security standards take effect for smart devices supplied to critical infrastructure operators. If your OT environment includes connected devices, these standards will affect your procurement and configuration requirements.
- Ongoing — The CISC's audit program is maturing. The 2024–25 audit cycle has now been completed and findings have been shared with audited entities. The 2025–26 program is underway, and the scope is expected to broaden.
What responsible entities should be doing now
Given the pace of change, here's a practical checklist for SOCI-regulated organisations:
Review your CIRMP scope immediately. The ERP Act's data storage provisions and the telecoms rules may have brought new assets into scope. If you haven't revisited your asset register since mid-2024, do so now.
Check your incident notification procedures. The ERP Act clarified notification duties — make sure your internal escalation and reporting processes reflect the current framework, not the pre-November 2024 version.
Prepare for ransomware reporting. If you don't already have a ransomware response plan that includes regulatory notification, build one. The $3 million turnover threshold is low enough to capture most responsible entities.
Assess your IoT and OT environment. The March 2026 IoT standards deadline is closer than it looks. If you have operational technology infrastructure, now is the time to begin assessing which devices will be affected and what remediation looks like.
Engage with the audit process proactively. If you haven't been selected for a CISC audit yet, that doesn't mean you won't be. The evidence you'd need to demonstrate compliance — documented CIRMP, board approval, framework alignment, incident records — should be maintained continuously, not assembled in response to an audit notification.
How ASE Tech can help
Keeping pace with evolving SOCI obligations while running critical infrastructure is genuinely difficult. The legislative changes outlined above require not just policy updates but changes to technology controls, vendor management, and board governance.
ASE Tech works with Australian critical infrastructure operators to implement the security controls that underpin SOCI compliance — from identity and access management and continuous vulnerability scanning to SIEM and OT security. We help organisations understand where they sit against the current framework and build a practical roadmap to close the gaps.
Book a SOCI compliance assessment with our team to understand where your obligations stand today.