The regulatory stack

Policy and investment case.

The regulatory stack is widening. The CIRMP cycle is the forcing function. The buyer's pain is real, recurring and budgeted. Every product claim attaches to a named obligation in the regulatory stack.

SOCI Act 2018 plus the ERP amendment

s.30AC and the CIRMP Rules 2023 set the obligation. Part 2B sets the incident reporting clock. The Security of Critical Infrastructure Amendment (Enhanced Response and Prevention) Act 2024 (the ERP amendment) added Schedule 1 for data centres, expanded all-hazards direction powers, and gave the regulator a written direction power against a deficient program. The March 2026 CIRMP enhancements consultation tightens the cyber and information security hazard further.

Cyber Security Strategy 2023 to 2030, Horizon 2

Horizon 2 (2026 to 2028) is the operational scaling phase. Essential Eight Maturity Level 2 as the all-industry baseline and ML3 for systems of national significance. Sovereign cyber capability framed as economic resilience, not Defence acquisition.

Cyber Security Act 2024

Mandatory ransomware payment reporting from a proclamation date in the first half of 2025 (verify against legislation.gov.au at publish time) stacks on top of SOCI Part 2B (12 hours for critical, 72 hours for other) and APRA CPS 234. The obligation surface is widening, not narrowing. The engine's reporting modules are being built to cover both clocks.

Citations verified against legislation.gov.au on 2026-05-23.

See the threat and maturity evidence on /research.

Ready to look inside

See cirmp AI run on a real CIRMP cycle.

Three minutes inside the demo. A live walkthrough on request. You will see what the next CIRMP attestation looks like when it writes itself.
