Announcement dates
10 December 2020
10 February 2022
16 February 2023
21 February 2023
23 March 2026
Links to announcements
https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6657
https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6833
https://www.legislation.gov.au/F2023L00112/asmade/text
https://minister.homeaffairs.gov.au/ClareONeil/Pages/world-leading-protection-australias-critical-infrastructure.aspx
https://www.aph.gov.au/Parliamentary_Business/Tabled_Documents/15638
Critical infrastructure is essential for Australia’s social and economic prosperity, national security and defence, and facilitating the provision of essential services across Australia. However, risks to Australia’s critical infrastructure have evolved in recent years. These risks are inherently complex and reflect factors including increased cyber connectivity and greater participation in, and reliance on, global supply chains to support the provision of essential services. The increased threat environment requires a regulatory environment that is proportionate to the potential damage caused by the disruption of one or many critical infrastructure assets.
Regulatory reforms to protect critical infrastructure and systems of national significance were enacted through several amendments and rules made under the Security of Critical Infrastructure Act 2018 (SOCI Act).
- The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SLACI Bill) was first introduced to Parliament on 10 December 2020 and sought to amend the SOCI Act to include more sectors with positive security obligations. As part of positive security obligations, the SLACI Bill also sought to introduce compliance with an all-hazards Risk Management Program for particular critical infrastructure assets. The regulatory impact of the SLACI Bill’s positive security obligations were considered in a 2020 Impact Analysis, with further information provided in a subsequent Addendum for Critical Telecommunications Assets.
- Following a review by the Parliamentary Joint Committee on Intelligence and Security, the SLACI Bill was split into two Bills: the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (SLACI Bill 2021, now an Act), and the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2021 (SLACIP Bill, also now an Act). The SLACIP Bill included the positive security obligation requiring operators of 13 critical infrastructure asset classes to develop and maintain a Risk Management Program, to be implemented by the making of subordinate regulation.
- In 2023, the Government finalised the (then) Risk Management Program framework as a part of the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (registered on 16 February 2023). An obligation to produce and comply with a critical infrastructure risk management program (CIRMP) for asset classes listed in the Rules commenced 17 February 2023 and was supported by further Impact Analysis for the making of those rules.
Holistically, these regulatory reforms had a Post-Implementation Review requirement initially due 5 years after implementation (February 2028). The Australian Centre for Evaluation agreed the Post Implementation Review requirement could be acquitted earlier as part of a broader legislated review of the SOCI Act.
An Independent Review of the Security of Critical Infrastructure Act 2018 (SOCI Act) was conducted by Dr. Jill Slay over the period of November 2025 – January 2026. The review assessed whether the SOCI Act is achieving its intended objectives, functioning as intended, and is not producing unintended consequences. The review examined the SOCI Act's operation through comprehensive stakeholder engagement including 50 written public submissions, surveys from 89 respondents, interactive roundtables with over 600 participants, federal government department submissions, and international legislative comparisons.
Assessment comments
Since 1 July 2023, responsibility for Australian Government evaluation processes rests with the Australian Centre for Evaluation (ACE). ACE’s assessment of the PIR is that it contains an adequate level of analysis to inform the decision-maker on the efficiency and effectiveness of the regulation. As per the Government’s Policy Impact Analysis requirements, publication is required on the Department of the Prime Minister and Cabinet’s website