As the 2025 financial year continues, businesses must stay aware of each Security of Critical Infrastructure Act (SOCI Act) compliance deadline as it arises. The initial grace periods have passed, and if your organisation owns, operates, or has direct interests in critical infrastructure assets, you are now subject to the requirements of the current SOCI Act regulations.
SOCI Act Grace Periods Have Now Passed
The most recent deadline, on 17 August 2024, was effectively the red line, with Part 2A of the SOCI Act requiring responsible organisations to adopt and maintain a critical infrastructure risk management program (CIRMP) and comply with the necessary framework.
The Cyber and Infrastructure Security Centre (CISC) has recently implemented audits for responsible businesses. Any cases of egregious noncompliance carry a fine (CISC, 2024) ranging from $44,000 upwards (Leggat, 2024), with a corporation potentially being liable to pay up to five times this amount (Parliament of Australia, 2023).
The Next Compliance Deadline Approaches
September 28 is the upcoming deadline affecting businesses under the SOCI Act, as you must deliver your first annual CIRMP report to the Department of Home Affairs before this date. The CIRMP reports are due within 90 days of the conclusion of the 2023-24 financial year, between 30 June and 28 September, and this requirement signals the beginning of the reporting phase of the new Act.
The annual report is essentially an inward look at your business’s security practices, assessing the maturity and efficacy of risk mitigation measures (Maydanov, 2024). The report must:
- State truthfully if your CIRMP was up to date at the end of the financial year
- Outline any hazards that impacted your business during the year, identifying the specific hazard, evaluating how effective the CIRMP was at addressing or mitigating the impact on the business’s asset, and outlining if this incident caused a variation to the CIRMP (Lim et al., 2024)
- Be approved by the business’s board or relevant governing body
While this final step may be straightforward, it carries a critical weight: your business will need to have all relevant and up-to-date information, and you should be aware of the obligations that you’re now operating under.
Changes to the CIRMP Report Requirements
In a series of trial audits for responsible entities, the Cyber and Infrastructure Security Centre (CISC) found that while many businesses had the relevant processes and documents on hand, they had not been packaged into an annual report format (CISC, 2024).
As the governing body, CISC understand the obligation that these businesses are under, and in a welcome move, have made it clear that there is no need to rewrite or deconstruct this information to create a new report. Rather, businesses can meet their CIRMP annual report obligation by creating an overarching report document that references these processes and documents. The documents themselves are not required either, although there is the caveat that they must be available if requested (CISC, 2024).
In further positive news, CISC have also made it easier to lodge CIRMP reports. They have created an online portal with a simple form, providing a series of questions and prompts that allow the user to upload their report document in a more streamlined way.
Remain Compliant With Your SOCI Act Obligations
While new legislation and looming compliance milestones can feel demanding, the SOCI Act has been designed as a flexible framework for managing and protecting Australia’s critical infrastructure (Weber, 2024). When responsible businesses boost their resilience, it contributes to improving the security of the entire country.
For more information on how to manage your compliance requirements, get in touch with the expert team at Kinatico.
References:
Cyber and Infrastructure Security Centre. (2024, March 6). SOCI Compliance Regulatory Posture 2024 and beyond [Press release]. https://www.cisc.gov.au/news-media/archive/article?itemId=1176
Cyber and Infrastructure Security Centre (CISC). (2024, June 28). SOCI Compliance – CIRMP Annual Report and Cyber Security Frameworks: How to be compliant & what to do if you won’t be [Press release]. https://www.cisc.gov.au/news-media/archive/article?itemId=1220
Leggat, H. (2024, May 27). Critical Infrastructure Compliance Deadlines. ICTLC Australia. https://www.ictlc.com/critical-infrastructure-compliance-deadlines/?lang=en
Lim, C., Eow, I., and Beh, J. (2024, March 15). SOCI roadmap – Where are we at now, and what’s coming up next? King & Wood Mallesons. https://www.kwm.com/au/en/insights/latest-thinking/soci-roadmap-where-are-we-at-now-and-whats-coming-up-next.html
Maydanov, M. (2024, February 20). The SOCI Act: Key Compliance Dates in 2024. Fivecast. https://www.fivecast.com/blog/the-soci-act-key-compliance-dates-in-2024/
Noggin. (2024, June 21). Major Deadlines for SoCI Act Compliance Loom. https://www.noggin.io/blog/major-deadlines-for-soci-act-compliance-loom
Parliament of Australia. (2023, August 22). Economics References Committee - 22/08/2023 – Influence of international digital platforms – Parliamentary Inquiry Spoken Question on Notice (Hansard). https://www.aph.gov.au/DocumentStore.ashx?id=d1dc8ea7-6eca-4247-9afd-5cb7c0a80d10#
Weber, K. (2024, May 3). Dept Home Affairs continues building out the SOCI Act. Digital Nation. https://www.digitalnationaus.com.au/news/dept-home-affairs-continues-building-out-the-soci-act-607659