
SOCI Act: Does Critical Infrastructure Security Law Apply to Your Business?

Illustration of Australian critical infrastructure sectors connected by a supply chain to a small business, representing SOCI Act obligations

The SOCI Act directly captures owners and operators of designated critical infrastructure assets across 11 sectors. Most small and mid-sized Melbourne businesses are not caught. But if you supply, manage IT for, or sit in the supply chain of one of these entities, its obligations can land on your desk regardless.

That gap — between “the law doesn’t name me” and “I’m still on the hook” — is where most of the confusion sits. Here is who is actually captured, what they have to do, and how to tell whether any of it touches your business.

What the SOCI Act actually is

The Security of Critical Infrastructure Act 2018 (Cth) is Commonwealth legislation administered by the Department of Home Affairs through the Cyber and Infrastructure Security Centre (CISC). When it first passed it covered four sectors and did little more than require an asset register for electricity, gas, water and ports.

Two rounds of amendments changed that dramatically. The Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI) expanded the regime to 11 sectors and introduced mandatory cyber incident reporting and government assistance powers. The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP) added the Risk Management Program obligation and enhanced cyber security obligations for assets declared “systems of national significance”.

So the SOCI Act today means the 2018 Act as amended by those packages — the expanded version that now reaches businesses that never thought of themselves as critical infrastructure.

The 11 critical infrastructure sectors

The amended Act defines 11 sectors. If your organisation owns or operates an asset inside one of these, you are potentially in scope.

  • Communications
  • Financial services and markets
  • Data storage or processing
  • Defence industry
  • Higher education and research
  • Energy
  • Food and grocery
  • Health care and medical
  • Space technology
  • Transport
  • Water and sewerage

Being in a sector is not the same as being captured. The Act bites on specific critical infrastructure assets defined by rules and thresholds within each sector. A small clinic in Camberwell sits within “health care and medical”, but the obligations attach to large hospitals and designated systems, not every GP practice. The sector tells you to keep reading; the asset thresholds tell you whether you are actually in.

The three core obligations

For captured entities, the Act imposes a tiered set of duties. Three are worth understanding in plain terms.

The asset register

Responsible entities must provide ownership and operational information about their assets to the Register of Critical Infrastructure Assets, held by the CISC: who controls the asset, who has access, and where interest or control sits offshore. The register is not public. It exists so government has visibility of who runs the country’s important infrastructure.

The Risk Management Program

This is the heart of the SLACIP amendments. Captured entities must adopt, maintain and comply with a Critical Infrastructure Risk Management Program (CIRMP) that identifies and manages hazards across four domains: cyber and information security, personnel, supply chain, and physical and natural hazards. Boards must approve it, and entities submit an annual report confirming the program is current and signed off at board level.

For the cyber and information security domain, the CIRMP Rules require the entity to adopt and comply with a recognised framework: the Essential Eight at Maturity Level One, ISO/IEC 27001, the NIST Cybersecurity Framework, or an equivalent standard. This is where security posture stops being a nice-to-have and becomes a documented, board-signed legal obligation.

Mandatory cyber incident reporting

Captured entities must report cyber security incidents to the Australian Signals Directorate (ASD), in practice through the Australian Cyber Security Centre, which coordinates with the CISC. There are two clocks, and the difference matters:

Incident type | Reporting deadline | Method
Critical incident (significant impact on the availability of the asset, and so on the essential service it delivers) | Within 12 hours of becoming aware | Oral report accepted; a written record must follow within 84 hours of an oral report
Other incident (relevant impact on the asset: availability, integrity, reliability or confidentiality) | Within 72 hours of becoming aware | Oral or written report; a written record must follow within 48 hours of an oral report

Twelve hours is a brutal window if you have not planned for it. A captured entity needs an incident response process that can detect, triage and report inside half a day — overnight, on a weekend, during a holiday. That is operational maturity, not a policy in a drawer, which is why our managed detection and response work exists.

Be honest: most Melbourne SMEs are not directly captured

This gets glossed over by anyone trying to sell you compliance product. The vast majority of small and mid-sized businesses in Melbourne are not responsible entities under the SOCI Act. A 25-person law firm in the CBD, a manufacturer in Dandenong, a logistics operator in Footscray — these are not critical infrastructure assets, and the asset register, CIRMP and 12-hour reporting clock do not apply to them directly.

The obligations are deliberately aimed at scale and national consequence: major energy networks, large hospitals, designated data centres, financial market operators, telecommunications carriers, significant ports and rail. If a cyber attack on you would disrupt an essential service for a meaningful slice of the population, you are the target of this law. If it would mostly hurt you and your customers, you almost certainly are not directly captured. Anyone telling a 30-person SME it must file a Risk Management Program because of the SOCI Act is either confused or selling something.

Why it still matters to SMEs: the supply chain flow-down

Direct capture is not the only way SOCI obligations reach you. The Risk Management Program explicitly requires captured entities to manage supply chain hazards — a legal duty to assess and control the security risk posed by their vendors, contractors and IT providers.

So the obligation flows downhill through contracts. A captured hospital cannot meet its CIRMP duty unless it can demonstrate its suppliers are secure, so it pushes security requirements into procurement and supplier agreements. If you sell software, provide IT support, host data, supply equipment or deliver professional services to a captured entity, you will increasingly be asked to prove your security posture as a condition of doing business.

We see this constantly. A professional services firm in Hawthorn that works for a captured energy operator suddenly receives a security questionnaire demanding evidence of multi-factor authentication, patching cadence, access controls and an incident response plan — Essential Eight territory. The firm is not captured by the SOCI Act, but its client is, and the client’s obligation has become the firm’s commercial reality.

This is the honest reason SMEs should care. Not because the regulator is coming for you, but because your captured customers are. Losing a contract because you cannot answer a supplier security assessment is a far more immediate risk than any enforcement action. Aligning to the Essential Eight is the most efficient way to be ready, and it is the same framework the captured entities are pointed to.

How do I know if any of this applies to me?

A practical test, in order:

  1. Are you in one of the 11 sectors? If not, the SOCI Act does not directly apply, though you may still face flow-down obligations if you supply someone who is.
  2. Do you own or operate a defined critical infrastructure asset? Each sector has thresholds — capacity, customer numbers, designation by the Minister. Most SMEs fall well under them. The CISC publishes the authoritative guidance on which assets are caught.
  3. Have you been notified? Responsible entities are generally aware they are captured; the framework is not a hidden trap. If no regulator or rule has identified you as one, you very likely are not.
  4. Do your contracts impose security obligations? This is the one that catches SMEs. Read your supplier agreements and any new security schedules from larger clients — that is where SOCI reaches you in practice.

If you are genuinely unsure whether you are captured, that is a legal question worth getting right. Where we add value is the technical side: building the controls and evidence that either satisfy a direct CIRMP obligation or answer the supplier assessments flowing down from your captured clients. Our virtual CIO engagements often start here — turning a vague “our client wants us to be secure” into a concrete, costed plan.

What TechAssist does about it

We are a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma. That on-shore, around-the-clock capability matters here, because the 12-hour reporting clock does not respect business hours. For captured entities, we build the cyber domain of a Risk Management Program: Essential Eight uplift, documented controls, monitoring, and an incident response process that can actually meet a 12-hour deadline. For the far larger group of SMEs facing flow-down pressure, we get your posture to where supplier questionnaires become a formality rather than a fire drill. Either way it is real engineering, not a compliance binder, and it sits inside our standard cybersecurity services.

Frequently asked questions

Does the SOCI Act apply to small businesses?

Almost never directly. The Act captures owners and operators of defined critical infrastructure assets, which are large-scale and nationally significant. A typical Melbourne SME is not a responsible entity. The real exposure is indirect — security obligations flowing down through contracts from captured customers.

What are the SOCI Act reporting timeframes?

Captured entities must report a critical cyber incident with significant impact within 12 hours of becoming aware, and an incident with relevant impact within 72 hours. Reports go to the Australian Signals Directorate via the Australian Cyber Security Centre.

What is a Risk Management Program under the SOCI Act?

The CIRMP, introduced by the 2022 SLACIP amendments, requires captured entities to identify and manage hazards across cyber, personnel, supply chain and physical domains, have the board approve it, and report annually that it is current.

I supply a captured entity. What will they ask me for?

Typically evidence of multi-factor authentication, patching, access controls, backup and recovery, logging, and an incident response plan — broadly the Essential Eight. Getting these in place and documented is the most efficient way to keep those contracts.

The short version

The SOCI Act is real and serious, and mostly not aimed at you if you run a Melbourne SME. What is aimed at you is the security pressure your captured customers are now legally required to push down their supply chains. The smart move is not to panic about direct capture, but to get your security posture to a standard that satisfies both your clients and your own risk. For a straight answer on where you sit, talk to us.

