Business Insight

Your Board, Their Rules: Inside SOCI's Proposed Ministerial Powers

By Clare Doneley and Rachael Falk

15 April 2026

Share Share
Print
Red swirls
Share
Print

    What you need to know

    • The Department of Home Affairs has released a Consultation Paper proposing reforms to the Ministerial directions powers under the Security of Critical Infrastructure Act 2018 (SOCI Act), which would significantly expand the Minister's ability to direct that actions be taken by impacted organisations in order to manage national security risks across critical infrastructure.

    The five proposed measures are:

    1. Amendments to the existing directions power under section 32 of the SOCI Act, including removing the requirement for a formal Adverse Security Assessment from ASIO and lowering the "regulatory exhaustion" threshold;
    2. New power to impose governance and control conditions, such as mandating security-cleared directors;
    3. New power to restrict high-risk vendors, products or technologies;
    4. New power to delay continuous disclosure obligations during high-risk cyber incidents; and
    5. Increased civil penalties: up to 2,000 penalty units for individuals and 10,000 for corporations.
    • If passed, these reforms would enable faster and more focused Government intervention in the governance, technology and supply chain arrangements of critical infrastructure entities.

    What you need to do

    • If these changes come into effect, they may have a significant impact on organisations that are caught by the SOCI Act. Those organisations should consider how the proposed amendments may affect their operations, including board and key management appointments, governance and risk management frameworks, supplier relationships, and procurement decisions, and assess what steps they need to take to prepare for these changes but also what steps they could take now to mitigate some of these risks.

    Proposed amendments to Ministerial directions powers under the SOCI Act

    As the threat landscape in Australia and globally becomes more dynamic and threat actors are increasingly targeting critical infrastructure for strategic advantage, disruption, control and theft of data, this has resulted in several proposed amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act).1

    The Department of Home Affairs (the Department) has released a public consultation paper proposing targeted reforms to the Ministerial directions powers in Part 3 of the SOCI Act. These reforms would significantly expand the Minister's power to direct and manage national security risks across Australia’s critical infrastructure ecosystem. If passed, these directions powers would mean critical infrastructure providers would, if directed by the Minister to do so, have to make significant changes, in some cases to board appointments, procurement decisions and management of these assets. It also means that boards will need to ensure they pay close attention to a broader range of risks that could present a national security risk to not just their organisation but also broader public safety implications.

    If you operate, manage, support, or supply critical infrastructure assets, these proposals are directly relevant to your board and your leadership teams.

    The proposed changes aim to ensure the Government can act earlier, more precisely and consistently, in the face of a more dynamic and diverse threat environment, in circumstances where the Government's view is that its existing powers are not agile and precise enough to respond effectively.

    The consultation paper proposes five measures.

    Measure 1: Amendments to the existing directions power under section 32 of the SOCI Act

    Under the current framework, the Minister may direct a reporting entity or operator of a critical infrastructure asset to take, or refrain from taking, certain actions where there is a risk that is prejudicial to security.

    However, the Government has identified two preconditions which have hindered application of this power in practice:

    • the requirement for the Minister to receive an Adverse Security Assessment (ASA) from ASIO before giving a direction; and
    • the requirement that no other regulatory system could instead be used to eliminate or reduce the risk.

    To improve flexibility and speed, particularly in time sensitive situations, the Government proposes to replace the requirement to obtain an ASA from ASIO, with a more practical and flexible obligation for the Minister to obtain and consider tailored ASIO advice. This is intended to preserve the need to receive intelligence input while avoiding the delays associated with the formal ASA process.

    To address the second condition, the Government also proposes to amend the “regulatory exhaustion” requirement. Instead of being barred from acting if another regulatory system could be used to address the risk, the Minister would instead need to consider a lower threshold question of whether other mechanisms could address the risk more effectively.

    In both cases, the Minister would still need to be satisfied that a direction is reasonably necessary and proportionate before issuing a direction.

    Why is this change important?

    This amendment will make it easier for Government to exercise the directions power. With the increased focus on foreign ownership, control or influence (FOCI) risk, query if an "easier" process will result in Government exercising this power where it has national security concerns.

    Measure 2: New conditions power to address governance and control risks

    The second measure would introduce a new power that would allow the Minister to impose targeted conditions on reporting entities where governance or control arrangements create a material national security risk that cannot be mitigated through existing obligations or voluntary measures. Conditions could include security vetting requirements for particular roles, voting exclusions for decisions affecting security, role based restrictions on access to sensitive systems, minimum numbers of independent, Australian security cleared directors, mandatory requirements for cyber security baselines, and auditing and reporting obligations.

    This measure is designed to address situations where governance structures in critical infrastructure create pathways for coercion, interference, or compromise that elevate national security risk.2 'Vulnerabilities could arise in individuals who are in positions of trust to have access to or can influence decision making processes, sensitive information, in a way that could materially weaken the security and resilience of the critical infrastructure asset.'

    Any conditions imposed would be tailored to the identified risk, time bound, and subject to periodic review.

    Why is this change important?

    If the Minister were to exercise this power, boards, of critical infrastructure entities will have to remove some board and senior roles and replace them with security vetted individuals. Some of these conditions feel similar to what we sometimes see raised as part of the FIRB approval process (which has been expanding its remit over time, with input from the Department of Home Affairs and other agencies) to impose data and security related controls as part of a FIRB approval.

    However, FIRB only has a role to play when it is assessing new investments or in some changes of control / ownership, meaning not all critical infrastructure assets will be caught by the FIRB approval process. This new power addresses the gap by giving the Minister a direct and ongoing power to impose controls that it considers critical to managing national security risk. This is important given some of these risks may intensify after an acquisition has been completed and would therefore fall outside the scope of any initial FIRB review. Critical infrastructure owners will need to pay attention to who they place into governance and sensitive roles and be prepared to expect some level of scrutiny from Home Affairs about these appointments and any mitigating controls.

    Measure 3: New vendor, product and technology restrictions

    The Government is also proposing a new power to address systemic supply chain vulnerabilities. This measure would allow the Minister to issue directions to responsible entities, either individually or by class, where a particular vendor, product, service or technology presents a material national security risk.

    This proposed power is aimed at situations where vendors, their products or services present a material risk to national security, either because they are subject to high-risk foreign laws or opaque ownership structures that can introduce security risks.

    Directions could require:

    • ceasing use of specified products or services
    • isolating or segmenting high risk technologies
    • refraining from future procurement
    • implementing compensating controls (segmentation, enhanced logging, code integrity assurance, supplier assurance, independent verification)

    However, before issuing a direction, the Minister would be required to consider the necessity of the direction, the economic and social impacts, and operational and availability implications.

    Why is this change important?

    This power, if exercised, could have a significant impact on critical infrastructure entities and longer term procurement decisions. Organisations from the board down should be aware of this new power in the context of the suppliers and technology that they currently use and procurements that they are proposing to run.

    Organisations should assess their entire supply chain for a wide range of vulnerabilities and risk – and be looking beyond the immediate contractor or tenderer to understand what other entities are involved, where they are based and where they are procuring their inputs from. It is far better to understand these risks and identify how they can be managed and mitigated, instead of spending a lot of money implementing new solutions that the Minister can then direct to be removed (presumably at your cost).

    Measure 4: Power to delay continuous disclosure obligations in high risk cyber incidents

    The fourth measure responds to concerns that immediate public disclosure of certain cyber incidents could compromise national security by revealing vulnerabilities, disrupting remediation efforts, or heightening systemic risks.

    Under the current framework, there is no mechanism to temporarily delay disclosure for national security reasons.

    The two options under consideration, and on which the Government is seeking consultation, are:

    • Option 1: Use of ASIC’s existing exemption power under section 111AT of the Corporations Act to temporarily exempt entities from disclosure obligations in the event of high risk cyber incidents.
    • Option 2: Insert a new SOCI Act directions power which would enable the Minister to delay disclosure for a prescribed period.

    Under either option, the threshold would be whether disclosure would threaten national security or public safety.

    Why is this change important?

    Organisations tend to disclose to the market even if they are unsure of whether a cyber incident would meet the continuous disclosure obligations, so there will continue to be a tension between wanting to be open with the market and be transparent about actions taken to remove the threat actor and to signal that remediation activity has commenced. It will be interesting to see whether this measure makes any practical difference.

    In our experience, the existence of a cyber incident usually becomes public through means other than mandatory reporting (systems offline, customers unable to access key or related services or media reporting). However, this measure may alleviate some of the time pressure to make decisions about whether a mandatory report needs to be made at the start of an incident when the facts surrounding it are still in a state of flux. Importantly, the discussion paper notes that this measure is 'not to shield entities from commercial impacts.'

    Measure 5: Increased civil penalties for non compliance

    Finally, the Government proposes to increase the maximum civil penalty for non compliance with a Ministerial direction under Part 3 from:

    • 250 penalty units to 2,000 penalty units for individuals; and 
    • 1,250 penalty units to 10,000 penalty units for corporations.

    What this means for organisations that own, manage or operate critical infrastructure assets

    These proposed reforms represent a significant uplift in the Commonwealth’s ability to intervene in the governance, technology and supply chain arrangements of organisations across the critical infrastructure sector with even more focus on national security and resilience.

    Organisations should expect:

    1. Greater scrutiny of governance, access and decision making;
    2. Increased focus on supply chain and technology risk;
    3. Faster and more assertive Government intervention; and
    4. Higher compliance expectations and penalties for failing to comply.

    Next steps

    Although these measures remain subject to consultation, they provide a clear indication of the direction of future regulatory reform. When combined with the findings of the Independent Review of the SOCI Act, we expect to see a lot of regulatory change for SOCI regulated entities this year.

    We encourage organisations, from the board down, to start considering how the proposed amendments may affect their board and key management appointments, operations, governance and risk management frameworks, key supplier relationships, long and short term procurement decisions and to assess what steps may be required to prepare for closer management of these risks.

    1. Department of Home Affairs, Consultation Paper, Proposed amendments to enhance the Critical Infrastructure Risk Management Program Rules (CIRMP Rules) page 2
    2. Department of Home Affairs, Public Consultation SOCI Act Ministerial Reforms, page 9

    Other author: Lakhveer Kaur, Graduate

    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    Ashurst Australia (ABN 75 304 286 095) is a general partnership constituted under the laws of the Australian Capital Territory.

    Ashurst Risk Advisory Pty Ltd is a proprietary company registered in Australia and trading under ABN 74 996 309 133.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com.

    This material is current as at 15 April 2026 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.

    Key Contacts