The Australian federal government’s Department of Home Affairs has released a consultation paper introducing a platform of five reforms to the Security of Critical Infrastructure Act 2018, or SOCI Act.
The paper outlines proposed reforms to the ministerial directions powers under the act, a key legislative framework designed to protect critical infrastructure from national security threats such as cyber attacks, espionage, and sabotage.
The reforms are part of a broader 2026 review aimed at improving the act’s flexibility, clarity, and responsiveness to an increasingly complex and rapidly evolving threat environment.
The SOCI Act allows the Minister for Home Affairs to issue directions to critical infrastructure entities in serious situations, typically as a “last resort” when other regulatory mechanisms are insufficient.
The review found, however, that while the framework is effective overall, the current directions can be complex, unclear in scope, and not sufficiently adaptable to modern and emerging risks.
The consultation paper proposes a package of five targeted reforms to enhance how these powers operate. The reforms seek to strike a balance between enabling swift government intervention during crises and maintaining industry confidence and accountability.
A key proposal is to clarify the threshold for issuing a direction, including when a situation qualifies as a serious national security risk. This aims to give infrastructure operators greater certainty about when government intervention may occur. Closely related is a proposal to better define the scope of directions, ensuring they are tailored to specific risks and do not extend unnecessarily into broader business operations.
Another major reform area focuses on procedural safeguards and transparency. The paper proposes clearer requirements for consultation with affected entities where feasible, as well as stronger documentation and oversight of decisions. This is intended to ensure that directions are used only when genuinely necessary and that their use can be scrutinised.
The reforms also aim to improve operational flexibility, allowing directions to be used more effectively across a wider range of scenarios, including complex, multi-sector incidents. As critical infrastructure systems become more interconnected, risks are less likely to be isolated to a single asset or sector, necessitating more agile intervention tools.
Importantly, the paper acknowledges industry concerns about the potential burden and impact of directions. It emphasises that powers should remain a measure of last resort, used only when no other regulatory or cooperative options are sufficient.
The consultation seeks feedback on how to minimise compliance costs, avoid duplication with existing regulations, and ensure that entities are not subject to conflicting obligations.
Disclosure delays and vendor restrictions
Digging a little deeper, one of the key aspects of the proposed reforms is delaying continuous disclosure requirements under the act.
“Currently, there is no mechanism used by the Australian Securities and Investments Commission (ASIC) or available to the government to temporarily delay disclosure solely to prevent broader harm. The government is considering a limited, time-bound power to delay an entity’s disclosure obligations under the Corporations Act 2001,” the consultation paper said.
“The intent is not to shield entities from commercial impacts, but to prevent disclosure from compromising national security, including significant flow-on impacts across the economy. Similar powers exist internationally, including in the United States.”
The government is also proposing restrictions on products, vendors, and services that it considers to pose a “high risk” to Australian entities and operators.
“The government is considering a vendor-risk direction power to enable coordinated action where a specific vendor or its products, equipment, services or technologies presents a material risk to national security,” the paper said.
“This power would ensure systemic supply chain vulnerabilities can be managed consistently across affected critical infrastructure entities and sectors.”
Arguably the most controversial element of the paper, however, is its provision for increased civil penalties where entities are found to be non-compliant with a ministerial direction.
“The government is seeking views on increasing the maximum civil penalty for non-compliance with a ministerial direction under Part 3 to 2,000 penalty units, aligning it with the enforcement framework already operating in Part 2D of the SOCI Act for carriers and carriage service providers,” the government said.
“Restoring an effective and balanced deterrence regime across asset classes ensures that all entities are sufficiently motivated to comply. Importantly, the courts’ discretion to calibrate penalties to the misconduct’s magnitude and circumstances is preserved. This change would be accompanied by guidance to industry on expectations for compliance with directions and would apply prospectively.”
You can read the full consultation paper here.
David Hollingworth