https://www.aph.gov.au/Parliamentary_Business/Tabled_Documents/15638

An independent review of Australia’s Security of Critical Infrastructure (SoCI) Act has delivered a damning verdict, finding that the legislation is widely perceived as ineffective and failing to deliver meaningful security improvements. The review found that penalties under the Act are viewed as a “cost of doing business” rather than a genuine driver of security upgrades, with the word “toothless” described as a pervasive sentiment across the industry. Consultations also revealed that operators found the Act “confusing”, “complex”, and “complicated” — signs that its core purpose was being lost amid an over-emphasis on paperwork and administrative compliance.

The review concluded that the current framework has produced documentation rather than demonstrable security outcomes. It recommended that SoCI shift from a light-touch, documentation-focused compliance model to a penalty-based risk management approach with real enforcement consequences. It also raised a deeper cultural concern, noting that many stakeholders deeply involved in SoCI compliance lacked an emotional connection to the goal of protecting Australian infrastructure, with meaningful exceptions found only among those with defence and intelligence backgrounds.

The review called on the government to fully restructure the SoCI Act, removing duplication with other regulatory obligations and drafting it in a way that won’t require constant amendment as technology and geopolitical threats evolve. It also found broad support for expanding the Act’s coverage to include AI services, content delivery networks, hyperscale cloud providers, space assets, and drone detection capabilities. The review warned that anything short of a complete overhaul would be naïve given the current landscape of geopolitical and all-hazard threats facing Australia’s critical infrastructure.