A UK-headquartered firm winning a contract with an Australian energy retailer, telecoms operator, or healthcare provider inherits more than commercial obligations. It inherits direct regulatory exposure under the Security of Critical Infrastructure Act 2018 (SOCI Act), amended substantially by the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 — known in Canberra as the SLACIP Act. The Cyber and Infrastructure Security Centre (CISC), sitting within Australia's Department of Home Affairs, now actively audits responsible entities, and enforcement has moved past the warning-letter stage.
The problem we see repeatedly: UK boards assume their UK GDPR and NIS Regulations 2018 controls map cleanly to Australian obligations. They do not. SOCI imposes a distinct risk management programme, mandatory incident reporting windows, and — for entities designated as Systems of National Significance — enhanced cyber security obligations including statutory information-gathering and intervention powers that have no UK equivalent.
If your group operates a data centre, financial services platform, hospital, telco, water utility, food distribution network, or energy asset in Australia, this post is for you.
What the SOCI Act actually covers
The SOCI Act regulates 11 sectors and 22 asset classes, dramatically expanded from the original four-sector scope. The current regime captures: communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage. Any UK firm providing services into these sectors should assess whether its Australian operations fall within scope.
Three obligation tiers sit on top of asset classification:
- Register of Critical Infrastructure Assets: responsible entities must provide operational and ownership information to CISC. This includes details of foreign ownership, which directly captures UK parent structures.
- Mandatory cyber incident reporting: critical incidents within 12 hours, other reportable incidents within 72 hours, made to the Australian Cyber Security Centre (ACSC). The clock starts from the responsible entity's awareness — not from when the UK security operations centre picks up the ticket.
- Critical Infrastructure Risk Management Program (CIRMP): a written, board-approved programme covering cyber, personnel, supply chain, and physical hazards, with annual attestation to the relevant Commonwealth minister.
Entities declared Systems of National Significance (SoNS) face additional enhanced cyber security obligations under Part 2C, including required cyber security exercises, vulnerability assessments, and system information provision. The enhanced obligations give the Australian government powers that go meaningfully beyond what UK regulations currently provide.
Why this matters now for UK firms with AU operations
The CIRMP rules took effect on 17 February 2023, with the cyber security framework requirement (entities must adopt one of: AESCSF, Essential Eight Maturity Level 1, NIST CSF, ISO/IEC 27001, or an equivalent) commencing 17 August 2024. Annual board attestations are now in cycle. CISC has confirmed publicly it is conducting compliance assessments and has issued formal information-gathering notices to entities it believes are not meeting their obligations.
The Cyber Security Legislative Package 2024, which received Royal Assent in late 2024, introduced the Cyber Security Act 2024 alongside further SOCI amendments — including expanded government powers over data storage systems holding "business critical data" and clarified ransomware payment reporting obligations for larger entities. These additions widen the net further for UK firms operating in Australia.
For UK groups, three jurisdictional traps recur:
- Foreign ownership disclosures under the Register obligations capture UK parent structures. Incomplete declarations carry civil penalties that can be substantial, and CISC has shown willingness to investigate corporate group structures.
- The 12-hour reporting clock starts at the responsible entity's awareness — not when the UK SOC triages the ticket at 09:00 GMT. This has direct implications for how UK firms structure their 24/7 incident response capability.
- Australian directors of the local subsidiary carry personal attestation responsibility for the CIRMP. UK group CISO sign-off does not discharge this. Directors who sign off on a CIRMP without adequate evidence of implementation face personal liability.
Practical implementation steps
For UK firms with material Australian operations, our consultants work through a defined sequence:
- Asset classification confirmation. Map every Australian operation against the 22 asset class definitions in the SOCI Rules. A UK SaaS provider hosting Australian customer data on AWS Sydney may qualify as a critical data storage or processing asset if the customer is itself a responsible entity. The analysis must consider not just what your firm owns, but who your customers serve.
- CIRMP design with cyber framework selection. If the group already runs ISO/IEC 27001:2022, extend the ISMS scope statement to cover the Australian asset and document the SOCI-specific hazard categories (cyber, personnel, supply chain, physical/natural). Do not retrofit Essential Eight if 27001 already operates — pick one and evidence it properly. Auditors look for consistent application, not framework maximalism.
- Incident response playbook split. Build a separate Australian incident pathway with ACSC notification templates, the 12/72-hour clocks hard-coded, and a named local incident officer appointed and trained. Run a tabletop within 90 days of implementation that specifically tests the 12-hour notification window.
- Board attestation pipeline. Schedule the annual attestation 60 days before deadline. The board needs evidence packs, not assurances. Build a board pack template that includes the CIRMP status, asset register currency, incident history, and testing outcomes.
- Supply chain risk register. SOCI explicitly requires hazard treatment for supply chain. Document each material supplier with access to the critical asset, including UK group functions providing shared services such as IT, HR, and finance platforms.
Common mistakes we see
The recurring failures in our SOCI readiness reviews fall into a predictable pattern. Treating SOCI as a paperwork exercise remains the most common. CISC officers ask for evidence of testing, not just policy. A CIRMP without a tabletop record, and without evidence that the board reviewed it, is a finding waiting to happen.
Assuming Cyber Essentials Plus or ISO/IEC 27001 alone satisfies the cyber framework requirement without scope mapping is another frequent error. The Australian asset must be inside the certified scope, and the certificate must be current at attestation date. A UK-wide ISO 27001 certificate that excludes the Australian subsidiary does not help.
Missing the ransomware payment reporting obligation under the Cyber Security Act 2024 for entities meeting the turnover threshold — a separate reporting stream from SOCI incident notification — creates additional compliance risk that UK firms often overlook.
Perhaps most critically, letting the UK SOC own Australian incident response without a local escalation path is a design flaw that undermines the entire compliance posture. The 12-hour clock does not pause for UK business hours, and ACSC expects to deal with a named local contact, not a London-based duty manager.
Frequently asked questions about SOCI Act compliance for UK firms
Does a UK firm need to register if we only have a small Australian office?
The registration obligation depends on whether your Australian operations meet the asset threshold definitions, not on the size of your office. Any UK firm providing services classified as critical infrastructure assets — including data storage and processing or financial services — should conduct a classification assessment. Our team recommends erring on the side of registration if there is any doubt, as late registration carries civil penalty exposure.
Can we use our existing ISO 27001 certification to satisfy the CIRMP cyber framework requirement?
Yes, ISO 27001 is one of the accepted frameworks, provided the Australian asset falls within the certified scope and the certificate remains current at each attestation date. UK firms should extend their ISMS scope statement to explicitly include the Australian operation and ensure the internal audit programme covers it.
What are the penalties for non-compliance?
Non-compliance with SOCI Act obligations can result in substantial civil penalties. CISC also has information-gathering powers and can issue directions to responsible entities. For Systems of National Significance, the government has additional intervention powers. Our consultants advise treating SOCI compliance with the same rigour as UK regulatory obligations.
How Pyralink helps
Pyralink Innovation Ltd advises UK-headquartered groups on extraterritorial cyber regulation. Led by Michael Adedeji (CISM, CISA, CC, MSc Data Science), our team builds CIRMP frameworks that align with existing UK ISMS investment — extending ISO/IEC 27001:2022 controls into the Australian operational context rather than running parallel programmes.
Our service lines cover asset classification, CIRMP design and documentation, incident response pathway design with ACSC notification templates, board attestation preparation, and supply chain risk register development. We carry £5M professional indemnity insurance and work under UK jurisdiction.
If your group has Australian operations that may fall within SOCI's scope, our team can conduct a preliminary classification assessment and gap analysis: