The Australian Government's Security of Critical Infrastructure (SOCI) Act, originally enacted in 2018 and substantially expanded by the SLACIP Act in 2022, carries significant implications for UK businesses operating in Australia — particularly those in critical infrastructure sectors. With the expanded scope covering 11 sectors and 22 asset classes, and the Cyber and Infrastructure Security Centre (CISC) actively auditing responsible entities, UK businesses must understand and comply with these requirements or face regulatory consequences.

For organisations already adhering to the NIST Cybersecurity Framework (NIST CSF) 2.0, integrating SOCI Act requirements can appear daunting. However, the two frameworks align on core security outcomes, and our consultants have found that organisations with a strong NIST CSF foundation are well positioned to meet SOCI obligations — provided they address the specific areas where Australian requirements diverge from US and UK norms.

UK businesses operating in Australia should also understand the role of the Australian Cyber Security Centre's (ACSC) Essential Eight mitigation strategies. Unlike NIST CSF 2.0's outcome-based approach, the Essential Eight provides a specific, prioritised set of technical controls that organisations must implement to protect against cyber threats. Organisations that already operate a mature security programme under NIST CSF will typically find the Essential Eight achievable, but the mapping between frameworks must be documented and evidenced.

What the SOCI Act requires in practice

The SOCI Act is legislation aimed at protecting Australia's critical infrastructure from cyber threats and physical security hazards. It requires organisations in specified sectors to implement specific cybersecurity measures, report incidents on defined timelines, and maintain a documented risk management programme. The Act also establishes a framework for the Australian government to respond to cybersecurity incidents and provides for information sharing between government agencies and industry partners.

The three-tier obligation structure is central to compliance. Every responsible entity must register its critical infrastructure assets with CISC, maintain a Critical Infrastructure Risk Management Program (CIRMP) covering cyber, personnel, supply chain, and physical hazards, and report cyber security incidents to the ACSC within 12 hours (critical) or 72 hours (other reportable incidents). Entities designated Systems of National Significance face enhanced obligations including mandatory cyber security exercises and vulnerability assessments.

For UK businesses, the CIRMP requirement is the most substantial operational lift. The programme must be documented, board-approved, and attested to annually. The cyber security component must align with an accepted framework — NIST CSF, ISO/IEC 27001, the Australian Energy Sector Cyber Security Framework (AESCSF), or Essential Eight at Maturity Level 1 — and the scope must explicitly cover the Australian asset.

Why SOCI Act compliance matters now

The CIRMP requirements commenced in phases, with the cyber security framework obligation becoming mandatory in August 2024. Annual board attestations are now in cycle, and CISC has confirmed it is actively conducting compliance assessments. The Cyber Security Act 2024, passed in late 2024, introduced further obligations including ransomware payment reporting for larger entities and expanded powers over data storage systems.

UK businesses should also be aware that the SOCI Act is not the only Australian cybersecurity regulation to consider. The Privacy Act 1988, the Notifiable Data Breaches scheme, and the forthcoming Cyber Security Act amendments all create overlapping obligations. A compliance programme that addresses SOCI in isolation will leave gaps.

Our consultants regularly see UK firms discover SOCI obligations only after a contract is signed and the Australian asset is operational — at which point retrofitting CIRMP compliance is significantly more expensive than designing it in from the start. The most cost-effective approach is to assess SOCI applicability during the pre-contract due diligence phase.

Aligning NIST CSF 2.0 with SOCI Act requirements

NIST CSF 2.0, released in February 2024, retained the framework's five core functions (Identify, Protect, Detect, Respond, Recover) and added a sixth, "Govern", that maps well to SOCI's governance requirements. The framework's outcome-based structure allows organisations to demonstrate how their existing controls satisfy SOCI obligations.

Our consultants use the following mapping approach:

  • Govern (GV): Maps to the CIRMP governance and board oversight requirements. Document how organisational context, risk management strategy, and oversight mechanisms satisfy SOCI's governance expectations.
  • Identify (ID): Maps to asset classification, risk assessment, and supply chain requirements. This is where you document the Australian operational context and identify critical assets.
  • Protect (PR): Maps to the Essential Eight technical controls and SOCI's safeguard requirements. Identity management, access control, and data security controls from NIST CSF directly address these.
  • Detect (DE): Maps to the continuous monitoring and incident detection expectations under SOCI and the ACSC's reporting framework.
  • Respond (RS) and Recover (RC): Map to the incident response and business continuity components of the CIRMP, including the 12/72-hour reporting timelines.

Organisations using NIST CSF 2.0 should document this mapping explicitly in their CIRMP. The ACSC and CISC accept NIST CSF as an equivalent framework, but they expect evidence that the framework has been implemented, not just selected.

Practical implementation steps for UK businesses

Implementing SOCI Act requirements alongside NIST CSF 2.0 requires a structured approach. Our consultants recommend starting with a risk assessment to identify your Australian critical assets and the potential cyber threats they face. This forms the foundation of your CIRMP and the systems of national significance analysis.

Next, map your existing NIST CSF 2.0 controls to the SOCI obligation tiers. Identify gaps where Australian-specific requirements — particularly around personnel security, physical hazards, and supply chain — are not addressed by your existing NIST CSF implementation.

Third, establish an incident response process that specifically addresses the ACSC's 12-hour and 72-hour reporting windows. Most UK firms' existing incident response plans are designed around UK GDPR's 72-hour breach notification timeframe — the 12-hour SOCI clock for critical incidents is materially tighter and requires a dedicated escalation pathway.
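One way to make the 12-hour and 72-hour windows operational, and to rehearse them in the tabletop exercises the article recommends, is a small deadline tracker that starts the clock from the moment the entity became aware of the incident and reports the deadline in both Sydney and London time, so that the UK incident manager and the Australian subsidiary read the same deadline. The following is an added Python example written for this article; it is not code from the original post or from Pyralink. The warn and escalate thresholds (a third and a sixth of the window remaining), the `status_after` rehearsal helper and the sample incidents are assumptions. Which incidents count as "critical" is a determination the article does not define, so the classification is an input rather than something the code decides.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Reporting windows as stated in the article: 12 hours for critical cyber
# incidents, 72 hours for other reportable incidents, counted from awareness.
REPORTING_WINDOWS = {
    "critical": timedelta(hours=12),
    "other": timedelta(hours=72),
}

# Assumed escalation tiers (not from the article): warn when a third of the
# window remains, escalate to the board-level contact when a sixth remains.
AU_TZ = ZoneInfo("Australia/Sydney")
UK_TZ = ZoneInfo("Europe/London")


@dataclass(frozen=True)
class Incident:
    ref: str
    classification: str  # "critical" or "other"; a judgement made by the responder
    aware_at: datetime   # when the entity became aware; must be timezone-aware


def reporting_deadline(inc: Incident) -> datetime:
    """Return the UTC deadline for notifying the ACSC."""
    if inc.aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; naive times hide DST errors")
    window = REPORTING_WINDOWS[inc.classification]
    return inc.aware_at.astimezone(timezone.utc) + window


def status(inc: Incident, now: datetime) -> dict:
    """Classify where the incident sits against its reporting clock."""
    deadline = reporting_deadline(inc)
    window = REPORTING_WINDOWS[inc.classification]
    remaining = deadline - now.astimezone(timezone.utc)
    if remaining <= timedelta(0):
        state = "OVERDUE"
    elif remaining <= window // 6:
        state = "ESCALATE"
    elif remaining <= window // 3:
        state = "WARN"
    else:
        state = "ON_TRACK"
    return {
        "ref": inc.ref,
        "state": state,
        "hours_remaining": round(remaining.total_seconds() / 3600, 2),
        "deadline_utc": deadline.isoformat(),
        "deadline_sydney": deadline.astimezone(AU_TZ).isoformat(),
        "deadline_london": deadline.astimezone(UK_TZ).isoformat(),
    }


def status_after(inc: Incident, hours_elapsed: float) -> dict:
    """Tabletop helper: the status as it would read N hours after awareness."""
    return status(inc, inc.aware_at + timedelta(hours=hours_elapsed))


# Constructed sample incidents: awareness at 17:30 London time on a January
# evening (GMT), i.e. 04:30 the next morning in Sydney (AEDT, UTC+11).
SAMPLE_CRITICAL = Incident(
    ref="INC-EXAMPLE-001",
    classification="critical",
    aware_at=datetime(2025, 1, 15, 17, 30, tzinfo=UK_TZ),
)
SAMPLE_OTHER = Incident(
    ref="INC-EXAMPLE-002",
    classification="other",
    aware_at=datetime(2025, 1, 15, 17, 30, tzinfo=UK_TZ),
)

if __name__ == "__main__":
    for hours in (0, 9, 11, 12.5):
        print(hours, status_after(SAMPLE_CRITICAL, hours))
    print(status_after(SAMPLE_OTHER, 0))
```

The point of the rehearsal helper is the gap the article describes: a plan built around a 72-hour GDPR clock gives a responder until the Saturday for an incident noticed on a Wednesday evening, whereas the critical-incident deadline here lands at 05:30 the next morning London time, before most UK escalation chains have convened.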

Finally, implement the Essential Eight technical controls that are not already covered by your NIST CSF controls. Application patching, macro restriction, and user application hardening are areas where organisations running a high-level NIST CSF implementation may have gaps compared to the Essential Eight's specific technical requirements.

Common mistakes and how to avoid them

The most common mistake our consultants see is failing to conduct a thorough asset classification that considers the full 22 asset classes. This results in organisations implementing controls that are not tailored to their specific asset types — either missing requirements entirely or over-investing in controls that do not apply.

The second mistake is treating the CIRMP as a one-time documentation exercise. The CIRMP must be a living programme with evidence of testing, review, and board oversight. A document written in 2024 and never revisited will not survive a CISC compliance assessment in 2026.

The third mistake is failing to involve the Australian subsidiary's local directors in the compliance programme. Personal attestation responsibility rests with them, and they cannot delegate this to the UK group CISO. Our consultants recommend establishing a local compliance committee with clear reporting lines to the UK board.

Frequently asked questions about SOCI Act and NIST CSF alignment

Can NIST CSF 2.0 be used as a CIRMP framework?

Yes, NIST CSF is listed as one of the accepted cyber security frameworks under the SOCI Act's CIRMP requirements. You must evidence that the framework has been implemented across the four CIRMP hazard categories (cyber, personnel, supply chain, and physical) and that the Australian asset falls within scope.

Does the Essential Eight replace NIST CSF for SOCI compliance?

No. The Essential Eight is a separate accepted framework under the SOCI Act, not a replacement. Organisations already operating NIST CSF do not need to switch to Essential Eight, though the ACSC encourages implementing Essential Eight controls as complementary technical measures. The key requirement is that your chosen framework is implemented effectively and documented within your CIRMP.

What happens if we miss the 12-hour incident reporting deadline?

Missing the 12-hour notification window for critical cyber incidents carries potential civil penalty exposure under the SOCI Act. The ACSC also uses incident reports to coordinate sector-wide responses, so late notification can affect broader critical infrastructure resilience. Our team recommends practising the 12-hour clock through tabletop exercises before an actual incident occurs.

How Pyralink helps

Pyralink Innovation Ltd is a UK cybersecurity firm that helps businesses navigate complex extraterritorial cybersecurity regulations including the SOCI Act. Our consultants have expertise in implementing NIST CSF 2.0, the Essential Eight, and the CIRMP framework. We provide fractional vCISO services, ISO 27001 support, compliance programme management, and cybersecurity consulting for UK businesses with Australian operations.

Our team conducts the asset classification analysis, CIRMP design and documentation, framework mapping (NIST CSF, Essential Eight, or ISO 27001 to SOCI Act requirements), and board attestation preparation that UK firms need to satisfy CISC expectations without duplicating their existing compliance investments.
