May 27, 2026

SOCI Act compliance checklist for Australian responsible entities — mid-2026 edition

A practical SOCI Act compliance checklist for Australian responsible entities — covering CIRMP, asset registration, incident notification, IoT standards, and the 2026 enhanced CIRMP Rules.

If your organisation owns or operates critical infrastructure assets in Australia, this checklist covers the key obligations you need to have in place under the Security of Critical Infrastructure Act 2018 (SOCI Act) as of May 2026. Use it to identify gaps, prioritise actions, and structure your compliance planning.

This is not legal advice. For obligations specific to your organisation, assets, and sector, seek appropriate professional guidance. What this checklist gives you is a practical, plain-English overview of what responsible entities need to be working through right now.

The regulatory context in mid-2026

Before working through the checklist, it's worth understanding where things stand. The SOCI Act has moved through its most significant reform period in 2025–26:

  • August 2024 — CIRMP cybersecurity framework obligation became mandatory
  • November 2024 — ERP Act passed, extending scope to data storage systems and strengthening government powers
  • April 2025 — Telecommunications CIRMP rules commenced under Part 2D
  • May 2025 — Mandatory ransomware payment reporting commenced under the Cyber Security Act 2024
  • January 2026 — First Independent Review of the SOCI Act delivered by Dr Jill Slay AM
  • March 2026 — Minister opened consultation on enhanced Ministerial Directions Powers and an Exposure Draft of enhanced CIRMP Rules — affecting energy, electricity, gas, liquid fuels, water, broadcasting, domain name systems, freight, and other sectors
  • March 2026 — Mandatory IoT security standards took effect for smart devices supplied to critical infrastructure operators

The consultation on the enhanced CIRMP Rules closed on 1 May 2026. Implementation timelines for the reforms were yet to be confirmed at the time of publication, so responsible entities should monitor CISC guidance closely. If you need help understanding how the changes affect your obligations, engage with the ASE Tech SOCI compliance team.

Before you start: confirm your scope

  • Confirm whether your organisation is a "responsible entity" under the SOCI Act — you own or operate an asset meeting the definition of critical infrastructure in one of the 11 regulated sectors
  • Identify which specific assets qualify as critical infrastructure assets under your sector's rules
  • Confirm whether you are the responsible entity, a direct interest holder, or both
  • Review whether the ERP Act (November 2024) brought data storage systems related to your assets into scope
  • If you're in telecommunications, confirm your obligations under Part 2D (in effect April 2025)
  • Review whether the proposed enhanced CIRMP Rules affect your sector and begin gap analysis against the proposed changes

Part 1 — Asset registration

  • All qualifying critical infrastructure assets are registered on the Critical Infrastructure Asset Register maintained by the Department of Home Affairs
  • Registration details are accurate and kept up to date
  • Changes to direct interest holders notified within the required period
  • New assets brought into operation are registered promptly
  • Data storage systems related to critical assets are assessed for registration obligations under the ERP Act

Part 2 — Critical Infrastructure Risk Management Program (CIRMP)

Having a CIRMP in place:

  • CIRMP is documented and covers all four hazard categories: cyber and information security, physical security and natural hazards, personnel security, and supply chain
  • CIRMP has been formally approved by your board or governing body — directors are required to approve the CIRMP and receive regular cyber-risk reporting
  • CIRMP covers all in-scope assets with specific risks identified for each
  • CIRMP governance structure is documented with executive ownership and accountability

Cybersecurity component:

  • A designated cybersecurity framework has been adopted (AESCSF, Essential Eight, NIST CSF, ISO 27001, or approved equivalent)
  • Current maturity level has been assessed against the chosen framework
  • A target maturity level has been defined and is realistic given your risk profile
  • A remediation roadmap exists with clear milestones and ownership
  • For energy sector operators: AESCSF maturity assessment completed and results documented — see our AESCSF guide for detail on what this involves
  • IoT devices supplied to the organisation assessed against mandatory IoT security standards (in effect March 2026)

Physical security and natural hazards:

  • Physical risks to critical assets identified and assessed
  • Controls in place for unauthorised physical access to critical sites
  • Natural hazard risks assessed with mitigating controls documented

Personnel security:

  • Roles with access to critical systems or assets identified
  • Background screening and vetting processes in place for those roles
  • Insider threat controls and monitoring documented
  • Onboarding and offboarding processes include security controls for critical access

Supply chain:

  • Critical third-party suppliers and contractors identified
  • Supply chain risk assessments documented for critical suppliers
  • Contracts with critical suppliers include appropriate security obligations
  • Process exists to review supply chain risk assessments when suppliers change

Part 3 — CIRMP annual reporting

  • CIRMP Annual Report submitted to the Department of Home Affairs within the required window — 1 July to 28 September following end of financial year
  • Annual report approved by the board before submission
  • Report confirms whether the CIRMP was up to date at the end of the financial year
  • Report describes any hazards that materially affected your assets during the year
  • Report describes how the CIRMP responded to those hazards
  • Report confirms whether the CIRMP was updated in response
  • Records of previous annual reports retained
  • Begin preparing the 2025–26 Annual Report now — the September 2026 deadline is approaching

Part 4 — Incident notification obligations

  • Incident notification process documented and understood by the relevant team
  • Threshold for a "notifiable" incident defined — staff trained to recognise it
  • Notification can be completed within required timeframes: 12 hours for serious incidents, 72 hours for other notifiable incidents
  • Log of incidents and notifications maintained
  • Ransomware payment reporting: mandatory reporting process in place under the Cyber Security Act 2024 for organisations with annual turnover above $3 million (in effect May 2025)
  • Post-incident review process exists to update the CIRMP if needed
  • Enhanced government intervention powers (ERP Act) understood — ASD can be directed to operate systems in serious incidents

Part 5 — Telecommunications-specific obligations

If your organisation is a telecommunications carrier or carriage service provider:

  • Obligations under Part 2D of the SOCI Act reviewed (in effect April 2025)
  • Carrier assets assessed for inclusion in your CIRMP
  • Telecommunications Security and Risk Management Program (TSRMP) rules reviewed and incorporated
  • Notification obligations specific to the telecoms sector mapped to your incident response process

Part 6 — IoT security standards (March 2026)

  • Smart devices supplied to your organisation assessed against the mandatory IoT security standards (in effect 4 March 2026 under the Cyber Security Act 2024)
  • Procurement processes updated to require IoT security compliance from suppliers
  • Existing IoT devices in your OT or corporate environments inventoried and assessed
  • Non-compliant devices identified and remediation plan in place

Part 7 — Preparing for the enhanced CIRMP Rules

The proposed enhanced CIRMP Rules (consultation closed May 2026) are expected to introduce more specific requirements for a number of sectors. While implementation details are pending, responsible entities should be preparing now:

  • Review the Exposure Draft of enhanced CIRMP Rules relevant to your sector
  • Conduct a gap analysis against the proposed changes
  • Engage legal and compliance advisors to understand implementation obligations once rules are finalised
  • Review board reporting and governance structures — enhanced director obligations are proposed

Part 8 — Ongoing governance

  • CIRMP reviewed at least annually — not just at reporting time
  • Changes to infrastructure, operations, or regulatory environment trigger a CIRMP review
  • Board receives regular reporting on cybersecurity posture and CIRMP status — quarterly is the expectation for director-level cyber-risk updates
  • Staff with CIRMP responsibilities receive appropriate training
  • Organisation monitors CISC guidance and regulatory updates — the pace of change in 2026 makes this essential

Where to focus first

If you're finding significant gaps, the priority order is:

1. Asset registration and scope confirmation — confirm whether the ERP Act or proposed enhanced CIRMP Rules have changed your scope.

2. CIRMP existence and board approval — if you don't have a documented, board-approved CIRMP, this is your most urgent action. CISC is auditing now.

3. Cybersecurity framework adoption and maturity evidence — choose your framework, get assessed, and document evidence that controls are actually operating — not just written down.

4. Ransomware payment reporting readiness — if your turnover exceeds $3 million, you need a process in place now.

5. IoT security standards — if you have smart devices in your environment, assess compliance against the March 2026 standards.

6. Enhanced CIRMP Rules preparation — begin your gap analysis now rather than waiting for final implementation guidance.

For organisations that need support, ASE Tech's SOCI compliance services cover gap assessment, CIRMP implementation, cybersecurity framework alignment, and audit preparation. Our cybersecurity team can help you build the underlying security controls a credible CIRMP requires. Contact us to discuss your current position.