= Security of Critical Infrastructure Act 2018 =

Infobox
- Short Title: Security of Critical Infrastructure Act 2018
- Legislature: Parliament of Australia
- Long Title: An Act to create a framework for managing risks to national security relating to critical infrastructure, and for related purposes
- Citation: Act No. 29 of 2018
- Royal Assent: 11 April 2018
- Date Commenced: 11 July 2018
- Administered By: Department of Home Affairs

The Security of Critical Infrastructure Act 2018 (SOCI 2018) establishes a national framework to identify, manage and reduce national security risks to Australia's critical infrastructure. It covers assets across 11 industries and provides for an asset register, risk-management programs, incident reporting and ministerial directions.

== History ==
The Act received royal assent on 11 April 2018 and commenced on 11 July 2018. Parliament later expanded the framework in two tranches: the Security Legislation Amendment (Critical Infrastructure) Act 2021 and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022. The 2022 advisory report of the Parliamentary Joint Committee on Intelligence and Security examined the Bill and recommended refinements adopted by government.

The Act has been amended several times. In 2024 it was amended by the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (SOCI Amendment Act). Together with the Cyber Security Act 2024 and the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024, this provides a comprehensive package of measures intended to protect Australian infrastructure, with a strategy up to 2030. Among other changes, these amendments explicitly included data storage, not merely operational infrastructure, as one of the protected resources.

== Scope ==
The framework applies to assets designated under the Act and rules across multiple industries. Positive security obligations and enhanced cyber obligations can be applied to specified assets, including those declared systems of national significance.

The SOCI Act applies to the following 11 sectors:
- Communications
- Financial services and markets
- Data storage or processing
- Defence industry
- Higher education and research
- Energy
- Food and grocery
- Healthcare and medical
- Space technology
- Transport
- Water and sewerage

== Provisions ==
The Act's main aspects are:
; Positive obligations:
 Organizations are required to take proactive preventive measures.
; Asset register:
 Assets deemed to be critical infrastructure must be notified to the central register of such assets. The affected industry sectors are specified, and their 'switch on' dates are notified on a sector-by-sector basis.
; Mandatory incident reporting:
 Any cyber incident that significantly impacts operations must be reported within 72 hours, or within 12 hours for critical events. This includes outages, attacks and threatened attacks, including ransomware.
; Government assistance:
 The Act grants government the power to assist in a crisis, to direct a particular course of action, or to intervene and take charge of it.
; Risk management:
 Risks must be formally assessed on a regular basis, and a risk management program must be put in place to mitigate them. These assessments must be reported to the government's Cyber and Infrastructure Security Centre (CISC).

Failure to comply can attract significant penalties, including fines or enforcement actions.

== Administration and enforcement ==
The Cyber and Infrastructure Security Centre within the Department of Home Affairs administers the regime, including compliance, incident reporting and engagement with industry. Sectoral coordination occurs with other regulators where relevant; for example, a memorandum of understanding sets out cooperation with the Reserve Bank of Australia for payments systems. Independent scrutiny has included a performance audit by the Australian National Audit Office on administration and regulation of critical infrastructure protection policy.
