
Compliance | 18 min read

SOCI Act & Cyber Security Act 2024: Document Verification for Critical Infrastructure

SOCI Act, APRA CPS 234, and Cyber Security Act 2024: document verification requirements for Australian critical infrastructure in 2026. Supply chain, personnel records, and incident reporting.

CheckFile Team

European organisations subject to the EU's NIS2 Directive frequently ask whether Australian entities face equivalent obligations. They do, but under a distinctly Australian legislative architecture. The Security of Critical Infrastructure Act 2018 (SOCI Act), as substantially amended in 2021 and 2022, the Cyber Security Act 2024, and the Australian Prudential Regulation Authority's (APRA) Prudential Standard CPS 234 together constitute Australia's critical infrastructure cybersecurity framework. For compliance officers and document management teams inside Australia's eleven regulated sectors, these obligations carry direct and specific implications for how identity documents, personnel records, vendor credentials, and incident reports are handled, verified, and retained.

This article maps those obligations against day-to-day document verification practice and explains the timelines that responsible entities and their boards must meet in 2026.


Australia's critical infrastructure cybersecurity framework in 2026

Australia's critical infrastructure security framework has evolved rapidly since 2018. The original SOCI Act covered four sectors (electricity, gas, water and ports), created the Register of Critical Infrastructure Assets (RCIA), and gave the Minister information-gathering and directions powers. The Security Legislation Amendment (Critical Infrastructure) Act 2021 expanded coverage to eleven sectors, introduced mandatory cyber incident reporting, and created the government assistance measures under which the Australian Signals Directorate (ASD) can intervene during a serious cyber incident. The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 then added the Critical Infrastructure Risk Management Program (CIRMP) obligation and the enhanced cyber security obligations that apply to assets declared systems of national significance.

The Cyber and Infrastructure Security Centre (CISC), operating within the Department of Home Affairs, is the primary regulatory authority under the SOCI Act. The Australian Cyber Security Centre (ACSC), part of ASD, functions as Australia's national Computer Security Incident Response Team (CSIRT) and provides technical guidance through the Essential Eight framework and other advisories.

The eleven sectors captured by the SOCI Act are: communications, data storage and processing, financial services and markets, defence industry, energy, food and grocery, health, higher education and research, space technology, transport, and water and sewerage. Responsible entities, meaning those who own or operate assets designated as critical infrastructure, carry the primary compliance burden.

Alongside the SOCI Act, the Cyber Security Act 2024 received Royal Assent in November 2024. Its mandatory ransomware payment reporting obligation commenced on 30 May 2025, and its minimum cybersecurity standards for smart devices (connectable products) apply from 4 March 2026. For financial sector entities, APRA's Prudential Standard CPS 234 (Information Security) imposes parallel obligations on authorised deposit-taking institutions, insurers, and superannuation trustees, including a requirement to notify APRA within 72 hours of becoming aware of a material information security incident.

Together, these instruments create a layered document compliance landscape that extends well beyond technical controls and into the governance, personnel, and supply chain documentation that responsible entities must maintain, verify, and produce on demand.


SOCI Act: critical infrastructure risk management program documentation

The centrepiece of the post-2022 SOCI Act framework is the Critical Infrastructure Risk Management Program (CIRMP). Every responsible entity subject to the CIRMP rules must adopt, maintain, and annually review a written program that identifies and manages hazards across four dimensions: cyber and information technology, physical and natural, supply chain, and personnel and insider threats.

The annual CIRMP report is a formal governance document. It must be approved by the board (or other governing body), submitted to the Secretary of the Department of Home Affairs within 90 days after the end of the financial year, that is, by 28 September, and must state whether the program was up to date at the end of that year, whether it was varied, and whether any hazard had a significant relevant impact on the asset. This board-level accountability means that document verification practices, including the records that underpin personnel screening, vendor onboarding, and access management, are directly in scope for board oversight and regulatory examination.

From a document management perspective, the CIRMP creates several concrete obligations. The responsible entity must be able to demonstrate, if audited or investigated by CISC, that it has identified critical workers and contractors with access to critical systems, verified their identities and credentials using appropriate documents, assessed insider threat risks, and maintained records supporting each of these activities. A CIRMP that references identity verification processes but cannot produce the underlying documentation is unlikely to satisfy CISC scrutiny.

Responsible entities should also ensure their CIRMP documentation is version-controlled and retained for at least the period of any limitation applicable to regulatory action. CISC has indicated that records supporting CIRMP compliance should be maintained for a minimum of seven years, consistent with broader government record-keeping expectations.


APRA CPS 234: document obligations for financial institutions

For the financial sector, APRA's Prudential Standard CPS 234 sits alongside the SOCI Act and imposes its own document obligations. CPS 234 applies to APRA-regulated entities (authorised deposit-taking institutions, general, life and private health insurers, and RSE licensees, that is, superannuation trustees) and requires each entity to maintain a documented information security policy framework, define information security roles and responsibilities, including the board's, in writing, classify information assets by criticality and sensitivity, and implement controls commensurate with that classification.

The documentation obligations under CPS 234 are not merely administrative formalities. APRA expects entities to be able to produce, on request, their information security policies, evidence of third-party security assessments where information assets are managed by service providers, and records of testing the effectiveness of security controls. Where a third-party provider manages critical or sensitive data, CPS 234 requires the APRA-regulated entity to assess that provider's information security capability and to retain documentation of those assessments.

Incident notification requirements under CPS 234 are particularly demanding. An APRA-regulated entity must notify APRA as soon as possible and no later than 72 hours after becoming aware of an information security incident that materially affected, or had the potential to materially affect, the entity or the interests of depositors, policyholders, beneficiaries or other customers. Separately, the entity must notify APRA within 10 business days of becoming aware of a material information security control weakness that it expects it will not be able to remediate in a timely manner. The notification itself must be documented, and the entity must be able to demonstrate the timeline of its awareness and response. This means that internal records, including system logs, incident tickets, communications, and escalation records, carry evidentiary weight in any post-incident regulatory review.

ASIC has also signalled that cybersecurity and information security governance are active areas of regulatory focus for financial services licensees, independent of APRA's direct supervision. Entities holding an Australian financial services licence (AFSL) should treat document and record-keeping obligations under CPS 234 as a floor, not a ceiling.



Supply chain security: verifying vendor documentation under CISC guidance

Supply chain risk is one of the four hazard categories that the SOCI Act's CIRMP rules require responsible entities to address. CISC guidance published in 2023 and updated in 2025 makes clear that supply chain risk management must be supported by documented vendor verification processes, not merely by contractual representations.

In practice, this means that responsible entities procuring goods or services that touch critical systems must verify the legal existence and identity of their vendors, confirm that key personnel provided by vendors hold appropriate credentials and clearances, and retain records of those verifications throughout the life of the supply relationship and for a defined period after its termination.

For vendor identity verification in Australia, the relevant documents include ASIC company extracts confirming legal registration and current status, the ABN record held on the Australian Business Register (searchable through ABN Lookup) and the ACN allocated by ASIC, and, where applicable, professional licences or certifications held by the vendor organisation. For individuals employed or engaged by vendors, Australian passports, state and territory driver licences, and ImmiCards are the primary identity documents in common use. Where a vendor employs non-citizens in roles that involve access to critical systems, responsible entities should consider whether VEVO (Visa Entitlement Verification Online) checks are appropriate to confirm work entitlements.

The supply chain risk management component of the CIRMP should document the responsible entity's methodology for categorising vendor risk, the types of documents required at each risk tier, the process for verifying those documents, and the cadence of periodic re-verification. Entities that outsource document verification to a third-party platform, such as CheckFile, should ensure that verification records produced by that platform are retained in a format that supports regulatory production. CheckFile supports over 3,200 document types across 32 jurisdictions, enabling responsible entities to verify vendor and personnel documentation from Australian and international sources within a single workflow. See our document compliance guide for a broader overview of how automated verification supports multi-framework compliance programs.

For guidance on building a robust vendor document program from the ground up, see our article on how to build a document compliance program from scratch.


Personnel documentation and access management records

Personnel and insider threat risk is explicitly called out as a CIRMP hazard category. Responsible entities must identify workers โ€” including employees, contractors, and secondees โ€” who have access to critical systems or sensitive data, assess the risk those workers pose, and implement controls to manage that risk.

From a document verification perspective, this translates into an obligation to verify the identity of all such workers using reliable and independent documents, to check that contractors and temporary workers have the legal right to work in Australia, and to retain records of those verifications. For Australian citizens and permanent residents, identity verification is typically conducted using an Australian passport, a state or territory driver licence, or a combination of documents proofed to the standard of an accredited digital ID service (the Digital ID Act 2024 accreditation scheme that succeeded the Trusted Digital Identity Framework, TDIF) or a comparable identity-proofing standard. Where the document details are checked against the issuing agency's records, for example through the Document Verification Service (DVS), the match result should be retained alongside the copy of the document.

Where workers are engaged through labour hire arrangements or managed service providers, the responsible entity retains the obligation to ensure that appropriate identity and background checks have been conducted, even if it relies on the labour hire firm to conduct those checks. The CIRMP documentation should specify what verification the entity requires of labour hire providers and how it confirms those verifications have been performed.

Tax File Number (TFN) records may also be relevant where responsible entities collect tax details from individuals they engage directly, though TFN data is subject to strict protections under the Privacy Act 1988 and the Privacy (Tax File Number) Rule 2015 issued by the Office of the Australian Information Commissioner (OAIC). A TFN is not an identity document and must not be used as one. Responsible entities handling TFN data must comply with the Australian Privacy Principles (APPs) and the TFN Rule, and should ensure that their document retention policies account for the sensitivity of this information.

Access management records, that is, logs of who has been granted access to critical systems, when, and on what authorisation, form part of the evidentiary record that CISC may examine during a regulatory review or investigation. These records should be retained in a tamper-evident form (for example, write-once storage or hash-chained logs whose latest hash is anchored outside the log) and protected against unauthorised modification or deletion.
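One way to make access-management records tamper-evident, shown here as an added illustration rather than CheckFile's code or anything CISC prescribes: each record carries the SHA-256 hash of the record before it, so an interior entry cannot be edited, removed or reordered without breaking every later hash. The event fields, identifiers and timestamps below are constructed for the example.

```python
"""Hash-chained access-management log (added illustration, constructed data).

Each record stores the SHA-256 of the previous record, so editing, deleting or
reordering an interior record changes the hash every later record depends on.
Truncating the tail is NOT detected by the chain alone; anchor the head hash
externally (e.g. in the board pack or a signed timestamp) to catch that.
"""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record

# Constructed sample events: who was granted what access, when, on whose authority.
SAMPLE_EVENTS = [
    {"ts": "2026-02-03T09:14:00+11:00", "subject": "contractor-4412",
     "system": "scada-hmi-02", "action": "grant", "approved_by": "ops-manager-17"},
    {"ts": "2026-02-03T09:20:00+11:00", "subject": "employee-0917",
     "system": "billing-db-prod", "action": "grant", "approved_by": "it-manager-03"},
    {"ts": "2026-02-10T17:02:00+11:00", "subject": "contractor-4412",
     "system": "scada-hmi-02", "action": "revoke", "approved_by": "ops-manager-17"},
]


def _canonical(obj: dict) -> bytes:
    # Deterministic serialisation: key order and spacing must not change the hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_record(chain: list, entry: dict) -> dict:
    """Append an access event, linking it to the hash of the previous record."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev_hash": prev_hash, "entry": dict(entry)}
    record["hash"] = hashlib.sha256(_canonical(record)).hexdigest()
    chain.append(record)
    return record


def build_chain(events: list) -> list:
    """Build a fresh chain from a list of events."""
    chain = []
    for event in events:
        append_record(chain, event)
    return chain


def head_hash(chain: list) -> str:
    """Hash of the latest record; store this outside the log to detect truncation."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain: list):
    """Recompute every hash and check sequence numbers and back-links.

    Returns (True, None) if intact, otherwise (False, index_of_first_bad_record).
    """
    expected_prev = GENESIS
    for i, record in enumerate(chain):
        if record.get("seq") != i or record.get("prev_hash") != expected_prev:
            return False, i  # gap, reorder or broken link
        body = {k: v for k, v in record.items() if k != "hash"}
        if hashlib.sha256(_canonical(body)).hexdigest() != record.get("hash"):
            return False, i  # content edited after the fact
        expected_prev = record["hash"]
    return True, None


if __name__ == "__main__":
    log = build_chain(SAMPLE_EVENTS)
    anchor = head_hash(log)                      # would be stored out-of-band
    print("intact:", verify_chain(log))
    log[1]["entry"]["approved_by"] = "nobody"    # simulate an after-the-fact edit
    print("after edit:", verify_chain(log))
    truncated = build_chain(SAMPLE_EVENTS)[:-1]  # drop the revoke event
    print("truncated chain verifies:", verify_chain(truncated)[0],
          "but head differs from anchor:", head_hash(truncated) != anchor)
```

The chain on its own proves only that the records it contains have not been altered or reordered; dropping the most recent records leaves a perfectly valid shorter chain. That is why the head hash has to be recorded somewhere the log's custodian cannot quietly rewrite, such as the minutes that accompany the annual CIRMP report.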


Incident reporting timelines: CISC, ACSC, APRA, and OAIC

One of the most operationally demanding aspects of the current Australian critical infrastructure framework is the multiplicity of incident reporting timelines. Responsible entities that are both SOCI Act regulated entities and APRA-regulated entities, which is common in the financial services sector, face overlapping obligations to different regulators, each with its own timeline and format.

Under the SOCI Act, a responsible entity must report cyber security incidents to ASD, the "relevant Commonwealth body" for this purpose, within:

  • 12 hours after becoming aware of an incident that has had, or is having, a significant impact on the availability of the critical infrastructure asset (informally a "Category 1" or high-impact incident; the Act itself does not use these labels)
  • 72 hours after becoming aware of an incident that has had, is having, or is likely to have a relevant impact on the asset (informally a "Category 2" or significant-impact incident)

Reports are lodged through the cyber.gov.au reporting portal or by phone to ASD; where the initial report is oral, a written report must follow within 84 hours. Each report must describe the nature of the incident, the systems affected, and the responsible entity's initial response actions. Supporting documentation, such as system logs, incident timelines and forensic summaries, should be prepared in parallel with the notification itself, since ASD or CISC may request additional information at short notice.

Under APRA CPS 234, material information security incidents must be notified to APRA within 72 hours. The CPS 234 materiality test (impact on the entity or the interests of its customers) and the SOCI Act impact thresholds (availability of, or relevant impact on, the asset) are defined differently, so an incident may require APRA notification without meeting the SOCI Act reporting threshold, and vice versa. Compliance teams should document the criteria they apply to each assessment and the reasoning behind each notification decision.

Under the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme, an organisation that has reasonable grounds to believe an eligible data breach has occurred, that is, unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to one or more individuals, must prepare a statement for the OAIC and notify affected individuals as soon as practicable. Where the organisation only suspects a breach, it must carry out a reasonable and expeditious assessment within 30 calendar days of becoming aware of the grounds for suspicion; the 30 days is a deadline for the assessment, not a grace period for notification, and organisations that delay face the risk of regulatory action. The statement must include the organisation's identity and contact details, a description of the breach, the kinds of information involved, and the steps the organisation recommends individuals take in response.

Responsible entities should maintain a documented incident response plan that maps each type of incident to the applicable regulatory reporting obligation, the responsible reporting officer, and the required timeline. That plan should itself be treated as a controlled document subject to version control and periodic review.


NIS2 vs. Australian framework: comparison table

Dimension | EU NIS2 Directive | Australia (SOCI Act + Cyber Security Act 2024 + CPS 234)
--- | --- | ---
Primary legislation | NIS2 Directive (EU) 2022/2555, transposed by member states | Security of Critical Infrastructure Act 2018 (as amended); Cyber Security Act 2024
Regulatory authority | National competent authorities (e.g. BSI in Germany, ANSSI in France) | CISC (Cyber and Infrastructure Security Centre) under Home Affairs
CSIRT / cyber body | National CSIRTs coordinated via ENISA | ACSC (Australian Cyber Security Centre) / ASD, cyber.gov.au
Sectors in scope | 18 sectors (essential + important entities) | 11 sectors under SOCI Act
Incident reporting, severe | 24 hours (early warning); 72 hours (notification); final report within one month | 12 hours (significant impact on availability; informally "Category 1")
Incident reporting, significant | 72 hours | 72 hours (relevant impact; informally "Category 2")
Risk management program | Mandatory; 10 minimum measures including supply chain | CIRMP, mandatory for responsible entities across 4 hazard categories
Board accountability | Management body must approve measures and can be held liable for breaches | Board must approve the annual CIRMP report, submitted by 28 September
Supply chain security | Explicit NIS2 obligation; vendor risk assessment required | CIRMP supply chain hazard category; RCIA supports asset mapping
Financial sector overlay | DORA (Digital Operational Resilience Act) from 17 January 2025 | APRA CPS 234: 72-hour notification; documented security policies
Privacy / data protection | GDPR, Regulation (EU) 2016/679 | Privacy Act 1988 + APPs; NDB scheme, notify OAIC as soon as practicable
Data breach notification body | National supervisory authority (e.g. CNIL in France, AEPD in Spain) | OAIC (Office of the Australian Information Commissioner), oaic.gov.au
Identity documents | National ID cards, EU passports | Australian passport, state/territory driver licence, ImmiCard
Business registration | National company registers | ASIC company extract; ABN/ACN

While NIS2 applies to EU organisations and Australian entities fall outside its jurisdiction when operating domestically, the table above illustrates that the substantive obligations are closely aligned. Australian organisations tendering for EU contracts or operating EU-facing services should treat NIS2 and SOCI Act compliance as complementary rather than competing frameworks.


How CheckFile supports Australian critical infrastructure document compliance

Managing identity, personnel, and vendor documentation across the obligations imposed by the SOCI Act, CPS 234, the Cyber Security Act 2024, and the Privacy Act 1988 is a substantial operational undertaking. Manual verification of Australian passports, state and territory driver licences, ImmiCards, ASIC company extracts, and international documents creates both throughput bottlenecks and consistency risks, particularly in high-volume onboarding contexts or where vendor documentation arrives in multiple formats and languages.

CheckFile provides automated document verification for over 3,200 document types across 32 jurisdictions. For Australian critical infrastructure operators, this means that the identity and credential documents required by the CIRMP personnel and supply chain hazard categories can be verified systematically, with verification records retained in a format suitable for regulatory production. Whether the document in question is an Australian passport, a state-issued driver licence, an ImmiCard for a foreign national contractor, or an ASIC company extract confirming a vendor's registered status, CheckFile's verification engine applies consistent checks and produces an auditable record.

For financial sector entities subject to APRA CPS 234, CheckFile's KYC banking solutions are designed to support the CDD and identity verification obligations that underpin both prudential compliance and AML/CTF requirements under the AML/CTF Act 2006. The platform's security standards have been designed with the data protection requirements of the Privacy Act 1988 and the APPs in mind.

For compliance teams building or reviewing their vendor documentation processes, our guide on third-party risk management provides a practical framework that can be adapted to the SOCI Act's supply chain risk requirements. Pricing information is available at CheckFile pricing.


Frequently Asked Questions

Does the SOCI Act apply to my organisation?

The SOCI Act applies to "responsible entities", meaning organisations that own or operate a "critical infrastructure asset" as defined in the Act and the relevant sector rules. The eleven sectors in scope are: communications, data storage and processing, financial services and markets, defence industry, energy, food and grocery, health, higher education and research, space technology, transport, and water and sewerage. Whether a specific asset falls within the definition depends on the applicable sector rules and, in some cases, whether the asset has been privately declared critical by the Minister. Organisations uncertain about their status should consult CISC directly at cisc.gov.au or seek independent legal advice.

What documents must be retained to demonstrate CIRMP compliance?

There is no exhaustive prescribed list, but responsible entities should maintain: the written CIRMP document itself (including all versions); board minutes or resolutions approving the program; the annual CIRMP report submitted to Home Affairs; evidence of the risk assessments conducted under each of the four hazard categories; identity and credential verification records for critical workers and vendors; access management logs; and incident response documentation. CISC guidance recommends a minimum seven-year retention period for records that support CIRMP compliance.

How does the Cyber Security Act 2024 interact with the SOCI Act?

The Cyber Security Act 2024 complements rather than replaces the SOCI Act. Its main additions are: mandatory reporting of ransomware and cyber extortion payments within 72 hours of making the payment (or becoming aware that one was made on the entity's behalf), lodged with the Department of Home Affairs through the ASD reporting portal and applying to responsible entities for critical infrastructure assets as well as to businesses above the annual turnover threshold set by the rules; minimum cybersecurity standards for connectable products (smart devices) effective from 4 March 2026; a "limited use" obligation that restricts how the National Cyber Security Coordinator and ASD may use information an entity volunteers about an incident; and the Cyber Incident Review Board, which conducts no-fault post-incident reviews of significant cyber incidents. SOCI Act obligations, including the CIRMP, mandatory incident reporting to ASD, and the RCIA, continue to operate in parallel.

What are the penalties for failing to report a cyber incident to CISC within the required timeframe?

The SOCI Act provides for civil penalty orders for failure to comply with mandatory incident reporting obligations. As of 2026, the maximum civil penalty for a body corporate is 250 penalty units per contravention, which at the current penalty unit value of $330 (in force since 7 November 2024 and indexed periodically) equates to $82,500 per contravention. More significantly, a pattern of non-compliance or a failure to report a high-impact incident can attract regulatory scrutiny, use of the government assistance powers, and reputational damage that may be more consequential than the civil penalty itself. Entities in the financial sector may also face separate action from APRA for non-compliance with CPS 234 notification requirements.

How does the Privacy Act 1988 NDB scheme interact with SOCI Act incident reporting?

The two schemes operate independently and have different triggers. SOCI Act reporting to ASD is triggered by a cyber security incident that has a specified impact on a critical infrastructure asset; it is focused on the operational and security impact on the asset. The NDB scheme is triggered by an eligible data breach, that is, unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to one or more affected individuals. A single cyber incident can trigger both: if a ransomware attack on a critical infrastructure asset also results in the exfiltration of customer personal information, the responsible entity must report to ASD (within 12 or 72 hours depending on impact), notify the OAIC and affected individuals under the NDB scheme, and, if it pays the ransom, report the payment under the Cyber Security Act 2024 within 72 hours. Compliance teams should ensure their incident response plans address all of these notification streams simultaneously.


Regulated disclaimer: This article is provided for general informational purposes only and does not constitute legal or compliance advice. Australian organisations should seek independent legal advice regarding their specific obligations under the Security of Critical Infrastructure Act 2018, the Cyber Security Act 2024, APRA Prudential Standard CPS 234, the Privacy Act 1988, and any other applicable legislation. Regulatory frameworks and penalty amounts referenced in this article are subject to change. CheckFile is not a legal or compliance advisory firm.
