Simuna Infosec
Compliance | 2026-06-20

Australia's SOCI Amendment Act 2024: What Changed and What It Means

The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 significantly strengthened critical infrastructure obligations. Here are the verified facts on what is now in effect.

Australia's critical infrastructure security regime was significantly strengthened by the 2024 amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act). For organisations operating critical infrastructure assets, understanding what actually changed, and what is now in force, is essential. This article confines itself to verified facts.

The Legislative Foundation

The Security of Critical Infrastructure Act 2018 covers eleven critical infrastructure sectors, including energy, water, communications and transport, on the basis that their disruption would significantly affect the social or economic wellbeing of the nation. The Act was substantially amended in 2021 and 2022, and then again in 2024.

The 2024 amendment is the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 — commonly called the ERP Act. It was passed by the Australian Parliament on 25 November 2024 and received assent on 29 November 2024.

What the ERP Act Changed

The ERP Act makes four key changes. It clarifies that the SOCI Act applies to data storage systems that hold business critical data and form part of a primary critical infrastructure asset, so those systems fall within the asset's existing obligations. It consolidates telecommunications security obligations into the SOCI framework, giving critical telecommunications assets the same risk-management footing as other sectors. It empowers the regulator to direct a responsible entity to vary its Critical Infrastructure Risk Management Program where that program has a serious deficiency. And it broadens the government assistance measures beyond cyber security incidents to serious "all-hazards" incidents affecting critical infrastructure, including a power to direct entities to manage the consequences of such an incident.

What Is Now In Effect

Commencement was staged. Schedules 1, 2, 3, 4 and 6 of the ERP Act commenced on 30 November 2024, the day after Royal Assent. Schedule 5, covering critical telecommunications, commenced by proclamation on 4 April 2025. All schedules are therefore now in effect.

For the telecommunications obligations specifically, the Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 commenced on 4 April 2025. For critical telecommunications assets that existed at that date, a six-month transition period applied, so the obligation to adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP) took effect on 4 October 2025.

The Broader Package

The ERP Act does not stand alone. Together with the Cyber Security Act 2024 and the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024, it forms the legislative package delivering the 2023–2030 Australian Cyber Security Strategy. The Cyber Security Act 2024 adds measures including mandatory ransomware payment reporting and a security standard for consumer smart devices, with staged commencement dates running through 2026.

Notably, the statutory review period for the SOCI Act was extended from three years to five years, a signal that the government regards the framework as settled and enduring rather than still in flux.

What This Means for Security Testing

The SOCI Act imposes Positive Security Obligations on most critical infrastructure assets (asset registration, mandatory cyber incident reporting and, for prescribed asset classes, a CIRMP) and Enhanced Cyber Security Obligations on assets declared to be Systems of National Significance. For Systems of National Significance, the enhanced obligations can include undertaking vulnerability assessments, either self-conducted or by a designated assessor, to identify weaknesses for remediation. The overarching intent of the 2024 reforms is to ensure that the controls protecting critical infrastructure work in practice, not just on paper, and the new power to direct an entity to fix a deficient CIRMP means a program that cannot be shown to work is now a regulatory exposure in its own right.

How Simuna Infosec Helps

Our human-led VAPT methodology helps responsible entities demonstrate that their security controls perform against real-world attack techniques, not merely that they exist on paper. We provide the vulnerability assessment capability the SOCI framework increasingly expects, helping critical infrastructure operators identify and remediate exposures before they can be exploited, and produce evidence that a CIRMP's controls are effective when a regulator asks.

*This article reflects publicly available information as of mid-2026. Regulatory details evolve; consult qualified legal counsel for compliance decisions.*