The SOCI Act: likely changes that you should know about.

  • Writer: Phil Blythe
  • Feb 11
  • 4 min read
Australia's Department of Home Affairs has opened a consultation on enhanced CIRMP Rules (Critical Infrastructure Risk Management Plans). 

And if you operate critical infrastructure—or supply to those who do—the next three weeks matter. The proposed changes would represent the most significant tightening of critical infrastructure security obligations since SOCI was enacted. This is not a routine regulatory update. It is a recalibration driven by intelligence assessments that concluded the current baseline is insufficient for the threat environment Australia now faces. The consultation paper does not mince words about what prompted this.

ASIO's Director-General Mike Burgess has stated publicly that nation state actors are "increasingly mapping and targeting critical infrastructure." The ASD's ACSC reported that 13% of cyber incidents last year came from critical infrastructure entities—and the figure is climbing. Volt Typhoon and Salt Typhoon, Chinese state-sponsored groups, have been caught pre-positioning in US critical infrastructure with the apparent intent to disrupt during a future crisis. But the paper goes further than cyber. It references the recent discovery of undeclared communication equipment in foreign-manufactured solar inverters deployed across US energy infrastructure—equipment capable of remotely altering inverter settings, destabilising grids, and triggering blackouts. The same inverters, the paper notes, are deployed across Australia's residential and commercial renewable energy sector.

Who Is In Scope

The enhanced rules would apply to a defined set of high-risk asset classes: energy (electricity, gas, liquid fuels, market operators), water and sewerage, broadcasting, domain name systems, and freight transport. If your organisation falls into one of these categories, you are in scope. Notably, banking, insurance, defence industry, aviation, and ports are carved out—not because they are less important, but because they already face equivalent obligations under APRA, DISP, or transport security legislation. The proposals are designed to close the gap for sectors that have operated under the existing CIRMP baseline, which the government now considers inadequate.

What Is Changing

Four domains of change deserve attention.

General cybersecurity uplift.

The headline is a mandatory move from Maturity Level 1 to Maturity Level 2 of your chosen framework—whether that's the Essential Eight, AESCSF, NIST CSF, or ISO 27001. For organisations that have treated Level 1 as a ceiling rather than a floor, this will require substantive investment. Beyond framework maturity, the proposals mandate critical systems network segregation—your operational technology and critical components must be architecturally separated from IT networks to the point where they can be isolated for three months while maintaining operations. Phishing-resistant MFA becomes mandatory for all sensitive system access. And a new category of "cyber material risks" would require explicit consideration of offshore remote access to OT systems, emerging technology threats (AI, quantum), and legacy systems that cannot be patched.

Supply chain obligations.

These would sharpen considerably. Entities would need to map their supply chains for critical suppliers and systems, identify vulnerabilities, and document redundancy plans. More pointed is the "vendors of concern" provision—a requirement to assess suppliers for foreign ownership, control, and influence (FOCI) risks and either mitigate or document why alternatives are not feasible. The government is not naive about market realities; the paper acknowledges that diversification is sometimes impossible. But it wants responsible entities to demonstrate they have considered the risk and implemented compensating controls. This is where the consultation paper's example of Chinese solar inverters carries weight—you may not be able to avoid certain suppliers, but you can no longer pretend the risk does not exist.

Personnel security.

This moves from general principle to specific obligation. The proposals would require formal personnel security plans, mandatory AusCheck background checks for all "critical workers" (with revalidation every five years), and explicit consideration of insider threat as a material risk. The $324.8 million figure cited in the consultation—the estimated cost of a single insider threat incident involving state or state-sponsored actors—gives context to why government is pushing here. This will affect not just direct employees but contractors and managed service providers with privileged access.

Specified risk advice.

Perhaps the most strategically interesting proposal. This would allow the Department to formally designate certain government advisories—potentially including PSPF directions—as material that CIRMP entities must consider. The example given is the PSPF Direction 001-2025, which required Australian Government entities to remove DeepSeek products due to security concerns. Under the proposed mechanism, such a direction could be "specified" for critical infrastructure, meaning you would not be required to comply, but you would be required to formally assess the risk and document your response. This is a clever regulatory design: it creates a channel for government to communicate intelligence-driven concerns to industry without mandating specific outcomes, while ensuring boards cannot claim ignorance.

Beyond Asset Owners

Who should be paying attention beyond the asset owners themselves? Managed service providers with critical infrastructure clients. OEMs and vendors selling into these sectors—especially those with FOCI exposure. Consultancies and system integrators who will be asked to help clients meet the 30 June 2028 compliance deadline. And boards of directors who will be attesting annually that their CIRMPs are current and compliant. The personal accountability element of SOCI has always been there; these proposals raise the bar for what "compliant" means.

What This Means for Leaders

Three observations for leaders navigating this. 

First, the two-year runway to 30 June 2028 is not as generous as it appears. Achieving Maturity Level 2, implementing network segregation, and standing up a vendor assessment program are multi-year efforts in most organisations. Starting in 2027 means failing in 2028. 

Second, the consultation is genuine—the Department explicitly states this will not be the only consultation, and feedback will shape the final design. If you have concerns about feasibility, cost, or unintended consequences, now is the time to articulate them.

Third, the proposals reflect a fundamental shift in how government views critical infrastructure security: from a baseline hygiene requirement to a domain of active national security concern. The language about state-sponsored actors, espionage costs, and strategic pre-positioning is not rhetorical. It is the intelligence community's assessment, translated into regulatory form. The CIRMP consultation closes 13 February 2026. If you operate critical infrastructure in Australia, or support those who do, read the paper. Assess what compliance would require. And decide whether you want to shape the rules or simply receive them.