Australia consults industry on reforms that would give authorities faster powers during critical infrastructure attacks


Australia’s Cyber and Infrastructure Security Centre (CISC) has begun industry consultation on a proposed package of targeted reforms aimed at strengthening the Ministerial Directions powers under the Security of Critical Infrastructure Act 2018 (SOCI Act), as part of a broader effort to sharpen government response capabilities during serious cyber incidents. The measures are designed to ensure authorities can act more decisively when critical infrastructure assets face threats that could trigger cascading disruptions across sectors and materially impact national security, economic stability, or essential services.

The proposed changes come amid a worsening threat environment, where disruptions to interconnected infrastructure systems can rapidly escalate beyond a single sector. Under the SOCI framework, the government already holds powers to intervene in extreme scenarios where operators are unable or unwilling to respond effectively, including directing actions or requesting assistance from national cyber agencies. The consultation signals a push to refine these mechanisms, balancing stronger intervention authority with proportionality and industry engagement as risks to critical infrastructure continue to evolve. 

Australia is considering targeted amendments to Section 32 of the SOCI Act to improve clarity, operability and timeliness, while preserving existing safeguards. To support clarity, coherence and implementation, the government will work closely with the Office of Parliamentary Counsel (OPC) on the most appropriate legislative design for these reforms. 

Following an independent review, the SOCI Act 2018 has been reaffirmed as a cornerstone of Australia’s approach to protecting nationally significant assets, while being flagged for targeted reform. Delivered on Jan. 31 this year by Jill Slay, the review found the SOCI Act has materially strengthened national security and resilience, embedding a risk-based regulatory framework and improving coordination between government and industry. At the same time, it warns that an increasingly interconnected and complex threat landscape, coupled with the rise of new critical sectors and technologies, demands continuous refinement of the framework.

The review’s recommendations focus on cutting complexity and improving the Act’s agility and responsiveness, with a clear emphasis on legislative updates. In response, the Department of Home Affairs is advancing an initial tranche of reforms, including proposed amendments to the Ministerial Directions powers under Part 3 of the SOCI Act, alongside an exposure draft to strengthen the Critical Infrastructure Risk Management Program (CIRMP) Rules.

Australia is seeking industry views on a potential package of five targeted measures to enhance the Ministerial Directions Powers under Part 3. These measures aim to provide greater flexibility and precision in managing serious national security risks to critical infrastructure, while maintaining clear safeguards and accountability. They also respond to previous feedback from industry, including through submissions received on Developing Horizon 2 of the 2023–2030 Australian Cyber Security Strategy and the Independent Review of the SOCI Act, calling for greater clarity on how and when a direction may be used, and what procedural safeguards will apply.

The proposed reforms would introduce graduated intervention options to better manage serious national security threats to critical infrastructure before they escalate, including risks linked to foreign ownership, control or influence, malicious cyber pre-positioning, and vulnerabilities in vendor supply chains. They would also embed clearer statutory guardrails, requiring the Minister to weigh a broader set of factors before issuing a direction, including economic, commercial and social impacts, while continuing to pursue good-faith engagement with affected entities. 

Alongside this, the reforms would strengthen cross-government consultation, expanding engagement with Commonwealth ministers while maintaining mandatory consultation with states and territories, and preserving judicial oversight. The intent is to ensure decisions face deeper scrutiny, remain proportionate and commercially workable, and are exercised only after exhaustive consideration in the national interest.

These refinements aim to ensure the government can intervene decisively when required, while providing clearer expectations for responsible entities and maintaining a framework that is legally robust, operationally practical, and aligned with Australia’s national security interests. They reflect the need to act on credible intelligence to address extreme and persistent risks that cannot be managed through regulatory mechanisms alone. The reforms are intended to ensure Australia’s critical infrastructure remains resilient in an era of accelerating geostrategic competition.

“Our intent is to ensure that each measure’s policy objectives can be achieved, whether through targeted amendments to the existing section 32 directions power or through the creation of new, specific heads of power,” the document detailed. “We do not hold a fixed preference on the drafting pathway, provided the final design delivers clear authorities, robust safeguards, and a framework that is easily understood by industry and government alike.” 

For consultation purposes, measures are described separately to draw out the distinct issues they address and to invite specific, granular feedback. This structure does not pre‑judge how the powers will ultimately be drafted. Instead, it reflects the government’s commitment to ensuring that the legislative framework supports transparent, proportionate and defensible decision‑making, with powers that are appropriately calibrated to the different types of risks they are intended to manage. 

The government detailed that a central change would replace the current requirement for a formal adverse security assessment with a more flexible obligation for the Minister to obtain and consider advice from the Australian Security Intelligence Organisation (ASIO). This shift reflects practical experience that the existing security assessment framework under Part IV of the ASIO Act can slow decision-making in time-sensitive scenarios.

The intent is not to dilute intelligence input, but to ensure threat advice is timely and fit for purpose, enabling proportionate and defensible action. The legal threshold remains unchanged. The Minister must still be satisfied that a material risk exists and that any direction is necessary and proportionate, with decisions continuing to be subject to judicial review and statutory safeguards.

The reforms would also introduce a limited carve-out from the prescribed administrative action framework by amending the ASIO Act to allow ASIO to provide tailored advice outside the formal security assessment process for directions issued to legal entities, aligning the framework with existing arrangements under the Foreign Acquisitions and Takeovers Act 1975. Where directions apply directly to individuals, however, formal security assessments would still be required to preserve notice, review rights and procedural fairness protections. In all cases, ASIO advice would remain a central input into the Minister’s broader national interest assessment.

Finally, the government is seeking to recalibrate the ‘regulatory exhaustion’ requirement so the Minister must consider whether other regulatory tools could more effectively address a risk, rather than being constrained to exhaust all alternatives before issuing a direction. This adjustment is intended to remove procedural bottlenecks while maintaining a disciplined, accountable approach to intervention.

The government identified that the Minister would continue to be able to issue a direction only if satisfied that the direction is reasonably necessary for the purposes of managing the risk, and that reasonable steps have been taken to negotiate with the entity in good faith to achieve the outcome of eliminating or reducing the risk without a direction being given. The additional considerations set out in subsection 32(4) of the SOCI Act and the requirements to consult with the affected entity set out in section 33 would remain unchanged beyond any necessary consequential amendments.

The proposed measure would also expand consultation requirements to ensure that relevant Commonwealth Ministers and agencies for an affected industry sector must be consulted before any Part 3 power is used. Existing State and Territory consultation requirements would also be retained. 

The government also proposed a new power allowing the Minister to impose targeted conditions on critical infrastructure entities where ownership, control, or governance structures pose a material national security risk that existing rules or voluntary measures cannot address.

These conditions would be tailored, proportionate, and used only as a last resort. Depending on the risk, they could include tighter access and personnel controls, restrictions on sensitive decision-making, strengthened board governance, mandatory cybersecurity baselines, and stricter incident response requirements. The proposal also emphasizes greater transparency, with obligations for disclosure, independent audits, and ongoing oversight to ensure accountability and sustained risk mitigation.

The Australian government is also considering a vendor-risk direction power to enable coordinated action where a specific vendor, or its products, equipment, services or technologies, presents a material national security risk. The aim is to address systemic supply chain vulnerabilities consistently across critical infrastructure sectors.

Under the proposal, the Minister would be able to issue targeted, risk-based directions to responsible entities, either individually or by class, where reliance on a vendor or technology creates a material risk. This would support coordinated and orderly removal, restriction or remediation of affected products and services, or the introduction of compensating security controls where immediate removal is not practical. The framework would also require consideration of reasonable transition timeframes to limit operational disruption and contractual impacts.

The proposed power aligns with comparable mechanisms, including those under the Protective Security Policy Framework and the Telecommunications (Security) Act 2021, enabling similar forms of direction against high-risk vendors and technologies.

The government is also seeking views on increasing the maximum civil penalty for non-compliance with a Ministerial direction under Part 3 to 2,000 penalty units, aligning it with the enforcement framework already operating in Part 2D of the SOCI Act for carriers and carriage service providers. 

Restoring an effective and balanced deterrence regime across asset classes ensures that all entities are sufficiently motivated to comply. Importantly, the courts’ discretion to calibrate penalties to the misconduct’s magnitude and circumstances is preserved. This change would be accompanied by guidance to industry on expectations for compliance with directions and would apply prospectively. Existing enforcement tools such as civil penalty proceedings, enforceable undertakings, and injunctions would remain available, ensuring proportionate and graduated responses to non-compliance.

Last August, CISC sought expressions of interest from highly motivated individuals who would be keen to undertake a voluntary role as a member of the Resilience Expert Advisory Group. The Trusted Information Sharing Network’s (TISN) Resilience Expert Advisory Group (REAG) promotes organisational resilience in support of Australian critical infrastructure owners and operators. The initiative focuses on giving advice, guidance, and tools to mature security and resilience approaches.
