AESCSF SP-2 by June 2028: Why 25 Months Is Not as Much Time as It Sounds
Consultation on the Exposure Draft of enhanced Critical Infrastructure Risk Management Program (CIRMP) Rules under the SOCI Act has just closed. The headline change for the energy sector — and for several other designated high-risk asset classes — is a proposed lift of cyber security maturity to AESCSF Security Profile 2 across all 11 domains by 30 June 2028. Most affected entities sit at SP-1 today, and the approaches that worked for SP-1 will not work for SP-2.
The Security of Critical Infrastructure Act 2018 (SOCI Act) has been the legislative backbone of Australia's critical-infrastructure protection regime since the major 2021–2022 reforms. For responsible entities in the energy sector, the cyber security side of the obligation is evidenced primarily through the Australian Energy Sector Cyber Security Framework (AESCSF) — an AEMO-maintained maturity model with 11 domains, scored at Maturity Indicator Levels (MIL) 0 through 3, and bundled into three Security Profiles (SP-1, SP-2, SP-3).
Until now, the practical baseline has been AESCSF Security Profile 1. Responsible entities have demonstrated SP-1 maturity through their CIRMP and attested annually. The bar has been broadly fit for purpose: a meaningful uplift on what came before, but achievable through a once-a-year consultant-led assurance cycle.
The Department of Home Affairs has now closed consultation on a proposed Exposure Draft that would change that. The headline cyber security obligation — for designated high-risk asset classes including most of the energy sector — is Maturity Indicator Level 2 across all 11 AESCSF domains by 30 June 2028, with attestation due in the July–September 2028 attestation period.
That gives affected entities around 25 months from today. This piece explains what is being proposed, where the proposal currently sits in the legislative process, who is affected, why the SP-1 to SP-2 jump is qualitatively harder than the timeline suggests, and what a credible 25-month plan looks like.
The Rules have not yet been made. The Exposure Draft is under consideration by the Department of Home Affairs following the close of submissions on 1 May 2026. The substance of the cyber uplift, however, is widely expected to proceed substantially as drafted — and responsible entities should not wait for the Rules to be made before beginning the gap analysis and remediation horizon planning required to meet the proposed deadline.
Where the Proposal Currently Sits
The pathway from the December 2025 consultation paper to today's Exposure Draft has been compressed by Australian standards, reflecting the geopolitical context and the recommendations of Dr Jill Slay AM's Independent Review of the SOCI Act.
- 9 December 2025: Initial Consultation Paper released. Department of Home Affairs published the Consultation Paper on enhancements to the CIRMP Rules, identifying high-risk asset classes and proposing uplift to MIL-2 / SP-2 maturity.
- 31 January 2026: Independent Review of the SOCI Act delivered. Dr Jill Slay AM's review accepted the proposed CIRMP amendments while recommending broader simplification toward a principles-based SOCI Act. Recommendation 2 called for a shift from "light touch" compliance to penalty-based risk management with real enforcement.
- 13 February 2026: Initial submissions closed. Over 60 submissions received from approximately 1,900 stakeholders. Submissions were broadly supportive but raised significant concerns about implementation timeframes and costs.
- 25 March 2026: Exposure Draft released. Minister for Home Affairs opened consultation on the Exposure Draft of the enhanced CIRMP Rules plus proposed amendments to Ministerial Directions Powers under Part 3 of the SOCI Act.
- 8 April 2026: Department town hall on the Exposure Draft. Virtual session summarising feedback from the initial consultation period and how it informed the Exposure Draft.
- 1 May 2026: Submissions on the Exposure Draft closed. Concurrent consultations on the enhanced CIRMP Rules and the Ministerial Directions Powers closed. Department now considering submissions.
- Expected H2 2026: Rules made. Industry expectation is that the enhanced CIRMP Rules will be made in the second half of 2026, with the substance broadly intact.
- 30 June 2028: Proposed compliance date. Specific risk obligations, including cyber framework uplift to MIL-2 across the 11 domains, take effect. All-hazard obligations have a separate 6-month timeline from rule commencement.
- July–September 2028: First attestation against enhanced obligations. Annual board-approved CIRMP attestation period during which responsible entities must attest to compliance with the new bar.
What Is Being Proposed
The Exposure Draft proposes a substantial expansion of CIRMP obligations for designated high-risk asset classes. Several of the proposed obligations are significant, but the one most likely to drive multi-year programme work is the cyber security uplift.
Cyber Security Obligations
- Maturity Indicator Level 2 across all 11 domains of an appropriate cyber maturity framework. For energy sector responsible entities, the appropriate framework is AESCSF. For other entities, equivalent frameworks (such as C2M2) may be used; where the chosen framework does not contain maturity levels, the CIRMP must outline how the cyber programme is made equivalent to MIL-2.
- Network segregation between critical systems and connected components — the greatest practical level of segregation between asset critical systems and other (less secure) connected components by 30 June 2028.
- Multi-factor authentication on critical systems.
- Additional cyber-specific obligations covering vulnerability management practices and other operational areas.
All-Hazards and Other Obligations
- Specified risk advice obligation — responsible entities must respond to specified risk advice issued by the Department from time to time (12 months from the date of advice).
- Foreign Ownership, Control and Influence (FOCI) risk management across all aspects of the asset — including supply chain (6 months from rule commencement).
- Personnel security uplift — additional obligations on personnel security controls.
- Supply chain risk management uplift — particularly around critical vendor risk and dependencies.
This article focuses on the cyber security uplift to SP-2, since the multi-year remediation horizon for cyber maturity is the longest single thread in the work.
Who Is Affected
The Consultation Paper identifies the following asset classes as designated high-risk and therefore subject to the enhanced rules:
- Energy market operator (AEMO)
- Electricity
- Gas
- Liquid fuel
- Broadcasting
- Domain name systems
- Water and sewerage
- Freight services
- Freight infrastructure
Critical aviation and ports assets — already subject to equivalent obligations under the Aviation Transport Security Act 2004 and the Maritime Transport and Offshore Facilities Security Act 2003 — are not duplicated under the enhanced CIRMP Rules but face equivalent industry-specific all-hazards regimes.
Other asset classes already subject to existing CIRMP Rules — including healthcare, food and grocery, financial services market infrastructure, and data storage and processing — continue under the existing baseline requirements unless and until they are added to the designated high-risk list.
If you are a responsible entity for one of the high-risk asset classes above, the enhanced CIRMP Rules will apply to you in full once made. If you are a responsible entity for any other CIRMP asset class, the existing rules continue to apply — but the Department has signalled that the high-risk list is reviewed and may expand, and the direction of policy is clearly toward stricter cyber maturity expectations across the regime.
Why SP-1 to SP-2 Is Not Linear
The phrase "SP-1 to SP-2" sounds like a single step. In practice, each additional MIL point in the AESCSF model typically costs more effort than the last — and the SP-1 to SP-2 transition is the point at which the bar moves from "documented" to "operating effectively". Six factors compound the difficulty.
1. Operating effectiveness, not just design effectiveness
At SP-1, an entity can largely demonstrate that controls are designed appropriately — that policies exist, that processes are documented, and that responsibilities are assigned. SP-2 requires evidence that controls are actually working: tested, measured, and producing the outcomes the design intends. Operating effectiveness testing is qualitatively different from a documentation review. It typically requires sampled execution evidence over a defined assurance period, control walk-throughs, and re-performance testing of key control activities. Most consultant-led annual cycles cover operating effectiveness on only a sample of key controls each year. SP-2 expectation is closer to "all key controls covered annually".
2. Cross-domain consistency
SP-2 requires MIL-2 across all 11 AESCSF domains, not just the strongest ones. Many entities have uneven maturity profiles — strong on Risk Management or Workforce Management, weaker on Threat & Vulnerability Management or Supply Chain & External Dependencies Management. The weakest domain governs the Security Profile result, so the work to clear SP-2 is the work to lift the weakest domain to MIL-2, not the work to incrementally improve the strongest one. This shifts how remediation must be prioritised.
3. Stricter evidence standards
What passed evidentiary review at SP-1 will not pass at SP-2. SP-2 expects documented procedures backed by execution records — not just policy statements. Risk registers must be live, not annual. Asset inventories must be current, not last-quarter. Vulnerability findings must be tracked with closure evidence, not just opened. The increase in evidentiary rigour drives a substantial increase in the time and effort required to demonstrate compliance.
4. Programmatic, not project
MIL-2 means the entity has a programme doing the thing repeatedly — measured, reviewed, and improved — not a one-off project that delivered the artefact. This is structurally different from SP-1 compliance. An entity cannot reach SP-2 with a one-time uplift project; it must reach SP-2 with an operating cadence. That cadence has to be established before the deadline, not after it.
5. OT scope expansion
For energy sector entities, the cyber maturity obligation explicitly covers the operational technology (OT) environment. AESCSF was designed for OT-heavy environments. Achieving MIL-2 in domains like Asset, Change & Configuration Management and Threat & Vulnerability Management — within OT — requires capability that many responsible entities do not yet have. OT change windows are constrained, system lifetimes are long, and patching is materially harder than in IT environments. None of these realities relax the obligation.
6. Most responsible entities sit at SP-1 today
Public commentary and industry indications since the December 2025 consultation paper suggest that SP-1 has been the operational baseline for the bulk of energy responsible entities to date. Anecdotal evidence from the town halls and from professional services commentary points to a relatively narrow tail of entities already operating at or near SP-2, and a much larger middle band that will need to undertake material uplift to meet the proposed deadline.
The 25-Month Sprint, in Numbers
From today (May 2026) to 30 June 2028 is approximately 25 months. The maths is unflattering.
- 25 months from May 2026 to the proposed 30 June 2028 compliance deadline.
- 11 AESCSF domains, all of which must clear MIL-2 — not just the strongest ones.
- ~2 assessment cycles remain before the deadline under a typical annual consultant cycle (10–11 months from engagement to action).
- $660k per day is the maximum daily civil penalty for CIRMP non-compliance.
Two assessment cycles is not enough. After cycle one finishes, the gap analysis lands and remediation begins; before remediation can complete, the deadline arrives. There is no time for a third cycle to verify that remediation worked. There is no time for a regression to be detected and corrected. There is no time to demonstrate the trajectory of improvement that a regulator will look for if a cyber incident occurs in the meantime.
This is before you subtract Q4 holidays, competing programmes, organisational change, and constrained OT change windows. Realistic execution time across 25 calendar months is closer to 18 working months — across 11 domains, at a qualitatively higher bar than today.
Why the Annual Consultant Cycle Will Not Deliver
The annual consultant-led AESCSF assessment cycle has served the sector reasonably well at SP-1. It struggles at SP-2 for four structural reasons.
The cycle is too slow
From the start of engagement to agreed remediation actions, a typical annual cycle runs 10 to 11 months: scoping, evidence collection, assessment, draft report, internal review, final report, management response, agreed actions. By the time the report is signed off and remediation can begin, most of the compliance year has elapsed. With only two such cycles available before the deadline, there is negligible time for remediation to land before the second cycle begins.
Operating effectiveness is undersampled
Annual cycles typically test design effectiveness on 100% of key controls but operating effectiveness on a sample — often 25%, sometimes less. At SP-1 this was tolerable. At SP-2, where operating effectiveness is the centre of the obligation, sample-based testing leaves substantial undetected risk in the residual 75%. A control that has not been tested in the assurance period may have regressed, and the assessment cannot say.
No visibility between assessments
Once a cycle closes, there is typically no further compliance-grade assurance until the next cycle starts. If a control regresses six weeks after the assessment, the regression can run for 10 to 11 months before it is detected. For SOCI obligations enforced through a board-approved annual report, this creates a year-long blind window between attestations.
Volume becomes overwhelming
Larger responsible entities operate dozens of sites and asset classes. Across 11 domains and multiple sites, the volume of raw assessment data accumulates faster than it can be consolidated. Without risk-prioritised aggregation, the assessment becomes a reporting exercise — collating evidence, generating findings, and writing reports — rather than a tool that surfaces the systemic gaps worth remediating first.
What the Regulator Will Actually Examine
The regulator's most consequential scrutiny does not happen at the annual attestation. It happens after a cyber incident.
If a responsible entity experiences a significant cyber incident between now and the deadline — or after — the regulator (the Australian Energy Regulator in cooperation with AEMO for energy assets, with input from ASD and the National Cyber Security Coordinator) will examine four questions:
- Was maturity being actively improved? Not "did the year-end snapshot look acceptable" — was there a credible trajectory of improvement against the proposed SP-2 bar?
- Was the assurance approach adequate? Did the entity have visibility into its own posture between annual snapshots, or was it operating in a year-long blind window?
- Did the board have visibility? Did the board see cyber posture quarterly, or only at the annual report? Did directors discharge their duty of oversight?
- Was the trajectory of improvement credible? If the entity was at SP-1 today and at SP-1 at incident time, what evidence is there that SP-2 by June 2028 was achievable on the chosen plan?
A year-end snapshot does not answer any of these questions. A quarterly cadence with structured evidence, ongoing operating effectiveness testing, and board-level visibility does.
The honest read on credible intent: continuing the current annual approach while hoping to reach SP-2 by June 2028 is, increasingly, the weaker regulator signal. Acknowledging that the trajectory will not get there on the current cadence — and adapting the approach to a more frequent cycle with better visibility — is itself evidence of credible intent. Boards and audit committees should expect their assurance approach to be questioned, not just their compliance result.
What a Credible 25-Month Plan Looks Like
There is no single right answer to the SP-2 challenge — entities differ in starting maturity, asset profile, OT constraint, and resourcing. But the elements of a credible plan are increasingly clear.
1. A current SP-2 gap analysis, not just an SP-1 snapshot
Most entities have a recent SP-1 result and a sense of where they sit against it. Far fewer have a structured analysis of where they sit against MIL-2 in each of the 11 domains. The gap analysis is the foundation; without it, the next 25 months cannot be planned.
2. A remediation horizon, not a remediation list
A list of remediation actions is not a plan. A plan answers: what can realistically be moved by Q3 2027, by Q1 2028, by the deadline; what is blocked by OT change windows or vendor dependencies; what programme governance is needed to keep movement on track. The horizon shapes capital and headcount decisions that need to be made this financial year.
3. A quarterly assurance cadence
Two cycles before the deadline is not enough; eight is. Replacing the annual consultant cycle with quarterly self-assessment — on the same SOCI cadence — delivers four times the assessment frequency, full operating effectiveness coverage annually, and detection of control regression within roughly 13 weeks rather than 12 months. It also produces the structured quarterly evidence trail that demonstrates credible intent.
4. Board reporting on the SOCI cadence
The annual board-approved CIRMP report remains an obligation, but director duty and post-incident regulator scrutiny increasingly call for quarterly cyber posture visibility — not a single snapshot. Boards should see trajectory, trend, and rate of progress against SP-2 every quarter, not retrospectively at year end.
5. Systemic gap identification across sites and domains
Many compliance gaps appear at multiple sites in slightly different forms. The highest-leverage remediation is the one that closes the same gap at every site at once — fixing the policy, the platform, or the standard at the source rather than 50 times in 50 places. This requires aggregated cross-site analysis, not per-site reporting.
6. Document the journey, not just the destination
The trajectory is the evidence. Quarterly assessment results, board reports, remediation closure records, and the rate of MIL improvement across the 11 domains together form the artefact a regulator will examine post-incident. A responsible entity that can show "we were here at Q3 2026, here at Q1 2027, here at Q3 2027, on plan for the deadline" is in a materially stronger position than one that has only the year-end attestation.
Current State vs Target State
The shape of the change can be summarised on the dimensions that matter most to compliance and governance.
| Dimension | Current SP-1 approach | SP-2-ready approach |
|---|---|---|
| Assessment cadence | Annual consultant-led | Quarterly self-assessment, supported by tooling |
| Operating effectiveness testing | Sample of key controls each year | All key controls tested annually (25% per quarter) |
| Control regression detection window | Up to 12 months | Within ~13 weeks |
| Remediation time per year | ~0 weeks usable inside the compliance year | ~40 weeks usable inside the year |
| SP-2 progress visibility | Annual snapshot — cannot tell if on track | Quarterly trend by domain and site |
| Board reporting frequency | 1 per year (after ~9 months elapsed) | 4 per year (on the SOCI cadence) |
| Regulator post-incident position | "We were compliant at last assessment" | "Here is the trajectory of improvement" |
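A small planning model, added here as an example and not tooling from AEMO, the Department or the author: it applies the weakest-domain rule from "Why SP-1 to SP-2 Is Not Linear", surfaces the cross-site systemic themes from plan element 5, and builds the 25%-per-quarter operating-effectiveness rotation from the table above. The domain abbreviations, the site scores and the control names are constructed sample data, and the assumption that SP-2 simply means MIL-2 in every domain follows the page's own simplification.

```python
from collections import Counter

TARGET_MIL = 2  # the proposed SP-2 bar on this page: MIL-2 in every domain

# Domain labels used by this example (assumed abbreviations; check them against
# the current AESCSF domain list before reusing). Five are named on the page.
DOMAINS = ("RM", "ACM", "IAM", "TVM", "SA", "ISC", "IR", "SCM", "WM", "CPM", "APM")

# Constructed per-site scores for three hypothetical sites; not real results.
SITE_SCORES = {
    "Site A": {"RM": 2, "ACM": 1, "IAM": 2, "TVM": 1, "SA": 2, "ISC": 2,
               "IR": 2, "SCM": 1, "WM": 3, "CPM": 2, "APM": 2},
    "Site B": {"RM": 2, "ACM": 1, "IAM": 2, "TVM": 1, "SA": 1, "ISC": 2,
               "IR": 2, "SCM": 2, "WM": 2, "CPM": 2, "APM": 2},
    "Site C": {"RM": 3, "ACM": 2, "IAM": 2, "TVM": 1, "SA": 2, "ISC": 2,
               "IR": 2, "SCM": 1, "WM": 2, "CPM": 2, "APM": 2},
}


def _validate(scores):
    # An unassessed domain is rejected rather than silently treated as passing:
    # a Security Profile claim needs evidence in all 11 domains.
    missing = [d for d in DOMAINS if d not in scores]
    if missing:
        raise ValueError(f"unassessed domains: {missing}")


def governing_mil(scores):
    """Weakest-domain rule as the page states it: the lowest domain MIL governs."""
    _validate(scores)
    return min(scores[d] for d in DOMAINS)


def meets_sp2(scores):
    return governing_mil(scores) >= TARGET_MIL


def domain_gaps(scores, target=TARGET_MIL):
    """MIL points still needed, for each domain below the target."""
    _validate(scores)
    return {d: target - scores[d] for d in DOMAINS if scores[d] < target}


def systemic_themes(site_scores, target=TARGET_MIL, min_sites=2):
    """Domains below target at min_sites or more sites, most widespread first.
    These are the gaps worth closing once at the source (policy, platform or
    standard) instead of separately at every site."""
    counts = Counter(d for s in site_scores.values() for d in domain_gaps(s, target))
    themes = [(d, n) for d, n in counts.items() if n >= min_sites]
    return sorted(themes, key=lambda t: (-t[1], t[0]))


def quarterly_rotation(controls, quarters=4):
    """Round-robin the key controls across the year so each one receives
    operating-effectiveness testing once annually (about 25% per quarter)."""
    rotation = [[] for _ in range(quarters)]
    for i, control in enumerate(controls):
        rotation[i % quarters].append(control)
    return rotation


def rotation_is_complete(rotation, controls):
    """True when every key control is tested exactly once in the cycle."""
    tested = [c for quarter in rotation for c in quarter]
    return sorted(tested) == sorted(controls) and len(tested) == len(set(tested))


if __name__ == "__main__":
    for site, scores in SITE_SCORES.items():
        print(site, "governing MIL", governing_mil(scores), "gaps", domain_gaps(scores))
    print("systemic themes:", systemic_themes(SITE_SCORES))
    key_controls = [f"KC-{i:02d}" for i in range(1, 11)]  # constructed control ids
    for q, batch in enumerate(quarterly_rotation(key_controls), start=1):
        print(f"Q{q}:", batch)
```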
What to Do This Quarter
Three things are worth doing in the next 90 days regardless of how the final Rules read.
- Confirm scope. Verify whether your asset class is on the designated high-risk list in the Consultation Paper and Exposure Draft. If you operate across multiple asset classes, confirm which obligations apply to which assets.
- Commission an SP-2 gap analysis. Not another SP-1 reassessment — a gap analysis specifically against MIL-2 across the 11 AESCSF domains, structured to support a 25-month remediation horizon. Identify the weakest domains; those will govern your Security Profile result.
- Brief the board. The deadline, the gap, and the proposed remediation horizon should be on the board's agenda this quarter — not next year. Set the expectation that cyber posture will move from an annual report to a quarterly view, and explain why that matters for director duty and post-incident regulator scrutiny.
Three things are worth doing in the next two quarters.
- Establish the quarterly cadence. Run a first quarterly assessment as a baseline, even if the formal infrastructure is still being put in place. The exercise itself reveals what the cadence needs to support.
- Identify systemic remediation themes. Look across sites and domains for the gaps that recur. Those are the highest-leverage things to fix first.
- Engage with peers via TISN. The Trusted Information Sharing Network sector groups have already begun structured conversations about the SP-2 challenge. Peer benchmarking is one of the few ways to calibrate "what good looks like" before the regulator does it for you.
The Bottom Line
The proposed lift to AESCSF SP-2 by 30 June 2028 is a substantial regulatory uplift on a compressed timeline. The qualitative jump from SP-1 to SP-2 — operating effectiveness, cross-domain consistency, stricter evidence, programmatic execution, OT scope — is harder than the surface description suggests. The default annual consultant cycle does not have the cadence, coverage, or visibility to deliver across an OT-heavy 11-domain portfolio in 25 months. And the regulator's most consequential scrutiny is not the year-end attestation; it is the post-incident question of whether maturity was actively being improved.
Responsible entities that begin gap analysis and cadence redesign now — before the Rules are formally made — give themselves the runway and the evidence trail required to land at SP-2 on time, and to defend the journey if an incident occurs along the way. Those that wait for the Rules to be made may find that the work was always going to take 25 months, and they have already spent six of them.
Frequently Asked Questions
When is the AESCSF SP-2 deadline?
The Exposure Draft of the enhanced CIRMP Rules proposes 30 June 2028 as the compliance date for cyber framework uplift — Maturity Indicator Level 2 across all 11 domains of an appropriate framework, which for energy responsible entities is AESCSF. Attestation falls in the July–September 2028 attestation period. The Rules have not yet been made, but the deadline is widely expected to proceed substantially as drafted.
Which asset classes does the proposed CIRMP uplift apply to?
The consultation paper lists the energy market operator, electricity, gas, liquid fuel, broadcasting, domain name systems, water and sewerage, freight services, and freight infrastructure as designated high-risk asset classes subject to the enhanced rules. Critical aviation and ports assets are covered by equivalent obligations under the Aviation Transport Security Act and the Maritime Transport and Offshore Facilities Security Act. Other asset classes that already have a CIRMP continue under existing baseline obligations.
What is the maximum SOCI penalty for non-compliance?
Civil penalties for CIRMP non-compliance can reach a maximum of $660,000 per day. Separately, the proposed amendments to Ministerial Directions Powers would lift the penalty for non-compliance with a ministerial direction to $660,000 for individuals and $3.3 million for corporations. Real-world enforcement is also shaped by regulator scrutiny following any cyber incident, where the question is whether maturity was being actively improved — not whether a year-end snapshot looked good.
What is the difference between AESCSF SP-1 and SP-2?
AESCSF Security Profiles bundle Maturity Indicator Level (MIL) targets across the framework's 11 domains. SP-1 reflects baseline practices appropriate for lower-criticality entities. SP-2 is targeted at higher-criticality energy entities and requires MIL-2 across all 11 domains — meaning documented, repeatable practices that are actively measured and improved, not just designed. The qualitative jump is in evidence standards, operating effectiveness testing (controls actually work), and cross-domain consistency. Each additional MIL point typically costs more effort than the last.
Has the SOCI Enhanced CIRMP Rule been made yet?
No. As of May 2026, the Exposure Draft of the enhanced CIRMP Rules is under consideration by the Department of Home Affairs following the close of consultation on 1 May 2026. Submissions on the earlier Consultation Paper (9 December 2025 to 13 February 2026) and the Exposure Draft (25 March 2026 to 1 May 2026) are being analysed. The Rules are expected to be made in the second half of 2026, with the 30 June 2028 compliance date substantially intact. Responsible entities should not wait for the Rules to be made before beginning uplift work.
Can a small or mid-sized energy responsible entity realistically achieve SP-2 in the proposed timeframe?
Achievability depends less on size and more on starting position, OT change-window constraints, and whether the entity has a continuous assurance cadence in place. A responsible entity sitting at SP-1 today, running annual consultant-led assurance cycles, and facing the typical 10–11 months from engagement to agreed actions, will struggle to fit two full assessment cycles into the 25-month window. A quarterly self-assessment cadence with structured remediation and board reporting gives substantially more execution time and a defensible trajectory of improvement — which is what the regulator is expected to examine post-incident.
See Where You Stand Against AESCSF SP-2
The CyberAssure AESCSF v2 Maturity Assessment evaluates your cyber posture across all 11 AESCSF domains with Security Profile targeting for SP-1, SP-2 and SP-3 — generating AEMO-ready Word and Excel reports, a structured gap register, and a prioritised remediation roadmap built to the SOCI cadence.