The SOCI Enhanced CIRMP Rules Are Now Law
What critical infrastructure operators must do now

From exposure draft to law

The path here has been quick by Australian standards. A consultation paper landed in December 2025, an exposure draft followed in March 2026, and submissions closed on 1 May 2026. On 4 June 2026 the Minister for Home Affairs and Cyber Security, Tony Burke, made the rules, and they were registered on the Federal Register of Legislation on 9 June 2026 as F2026L00701. They commence the day after registration, are made under section 61 of the Security of Critical Infrastructure Act 2018, and amend the 2023 CIRMP Rules (LIN 23/006).

The headline is simple: the obligations we covered as "proposed" in our earlier piece on the AESCSF SP-2 deadline are now binding law. What changes for responsible entities is not the direction of travel but the certainty — and the start of the statutory grace-period clock.

Who the enhanced requirements apply to

The enhanced requirements apply to responsible entities for nine designated asset classes:

• Critical electricity assets
• Critical energy market operator assets
• Critical gas assets
• Critical liquid fuel assets
• Critical water assets
• Critical broadcasting assets
• Critical domain name system assets
• Critical freight infrastructure assets
• Critical freight services assets

Entities for these assets must comply with both the existing baseline CIRMP requirements and the new enhanced requirements. Where the two conflict, the enhanced requirement prevails. Asset classes outside this list continue under their existing baseline CIRMP obligations.

What the enhanced requirements actually are

The rules insert new obligations across every hazard category in the CIRMP. In plain terms:

• Additional material risks (s 6A). Account for foreign ownership, control or influence (FOCI), offshore or remote access to critical components and business-critical data, and any impairment that could prejudice national security or Australia's social and economic stability.
• Cyber and information security (s 8A). Timely patching; retiring or mitigating legacy and end-of-life technology; managing the risks of new and emerging technology; and — critically — complying with a recognised cyber framework at a set maturity (see the table below).
• Credential compromise (s 8B). If your chosen framework does not already mandate it, you must implement phishing-resistant multi-factor authentication.
• Lateral movement (s 8C). Controls to stop an attacker moving between systems to reach critical systems.
• Personnel (s 9A). Enhanced personnel security, including provision for relevant security clearances and managing FOCI in key roles.
• Supply chain (s 10A). Enhanced supply-chain risk management for critical components and providers.
• Physical and natural hazards (s 11A). Enhanced physical security and natural-hazard resilience — including critical systems able to keep operating for at least three months while other systems are restored.

The cyber framework you must meet

Section 8A requires a process or system in your CIRMP to comply with one of the following frameworks, as in force from time to time, and to meet any stated condition:

Framework	Condition	Best fit
AS ISO/IEC 27001:2023	Comply with the standard	Organisations with an ISMS programme
ASD Essential Eight Maturity Model	Maturity Level 2	ACSC-aligned baselines
NIST Cybersecurity Framework 2.0	Comply with the framework	Globally benchmarked programmes
C2M2 v2.1 (US Dept of Energy)	Maturity Indicator Level 2	Energy entities using the US model
2023 AESCSF Framework Core (AEMO)	Security Profile 2	Australian energy responsible entities

An entity may instead use an equivalent framework that achieves an equivalent level of security and meets the relevant condition. For energy responsible entities, the AESCSF route at Security Profile 2 is the natural fit — it is the framework AEMO already maintains, the one most energy entities attest against today, and the one named explicitly in the rules.

The deadlines: 12 and 24 months

The rules commence the day after registration — 10 June 2026 — and then run two grace periods before the new obligations bite:

• ~ June 2027 · 12 months

  First-tranche requirements

  Additional material risks (s 6A), the patching, legacy and emerging-technology measures (s 8A(2)), and the first personnel measures (s 9A(2)).

• ~ June 2028 · 24 months

  Framework, SP-2 and the remaining hazards

  The cyber framework / AESCSF SP-2 obligation (s 8A), credential compromise and phishing-resistant MFA (s 8B), lateral movement (s 8C), the remaining personnel measures (s 9A), supply chain (s 10A), and physical and natural hazards (s 11A).

For assets that become critical infrastructure after commencement, the same 12 and 24-month clocks run from the date the asset first becomes a CI asset. For energy responsible entities the SP-2 framework obligation aligns to the AESCSF annual attestation cycle, which places the practical deadline around 30 June 2028.

What to do now

The rules are made, the dates are fixed, and the regulator's post-incident question will be whether maturity was being actively improved — not whether a year-end snapshot looked good. A credible response over the next 12 months:

• Confirm your framework. For energy, that is almost certainly AESCSF at Security Profile 2; for others, choose from the s 8A table and check whether it already mandates phishing-resistant MFA.
• Run a baseline gap analysis against the target maturity now, so you know the true distance from where you sit today.
• Build a remediation horizon that fits OT change windows — the framework obligation is 24 months away, but operational technology rarely moves quickly.
• Adopt a repeatable cadence. A quarterly self-assessment with structured remediation and board reporting demonstrates a defensible trajectory and gives far more execution time than an annual consultant cycle.