Key Compliance Dates Under the Security of Critical Infrastructure Act 2018

Written By Lisa Malone

Attention stakeholders in critical infrastructure sectors - the compliance deadline under The Security of Critical Infrastructure Act 2018 (SOCI Act) is now in place!

As of 17 August 2024, clear and rigorous cybersecurity standards now apply under the SOCI Act to owners and operators in key sectors such as energy, health care, communications, water and transport. Under the Act’s reporting obligations, relevant entities are also required to submit their first annual report by 28 September 2024.

Notably, service providers may now be considered critical infrastructure assets due to their commercial relationship with entities covered by this framework, so it is essential to include appropriate clauses in commercial contracts to ensure entities are meeting their requirements.

Importantly, there are differing requirements across sectors and entities and no “one-size fits all” approach to SOCI compliance, so bespoke advice and guidance is needed.

Key new requirements under the SOCI Act

  • Identify + Register Critical Assets | Owners and operators in specific industries have an ongoing obligation to identify and register critical infrastructure assets, which include assets in sectors such as electricity, gas, water, and ports. This registration requirement helps the government to maintain a comprehensive understanding of the ownership and operational arrangements of critical infrastructure assets, including interdependencies of assets

  • Reporting Obligations | Entities must comply with reporting requirements, including notifying the relevant government bodies about any changes in ownership, operational control, or significant cyber security incidents affecting the infrastructure. The first annual report is due within 90 days of 30 June 2024.

  • Critical Infrastructure Risk Management Program (CIRMP) | Responsible sectors must implement a robust critical infrastructure risk management program tailored to address specified categories of threats, including physical security and cyber threats. This involves regular risk assessments, developing mitigation strategies and ensuring that all employees are aware of their roles in maintaining security.

  • Enhanced Cyber Security Obligations (ECSO) | Certain entities must adhere to enhanced cyber security obligations. These may include providing detailed information about network design and security practices as well as cooperating with government-led cyber security exercises and vulnerability assessments.

  • Positive Security Obligations (PSO) | These obligations mandate that owners and operators of critical infrastructure take proactive steps to protect their assets. This includes developing and maintaining security plans, conducting regular training, and ensuring physical and personnel security measures are in place.

  • Incident Response and Recovery | These obligations require establishment and maintenance of a robust incident response and recovery plan, which will ensure quick action in the event of a security breach, compliance with mandatory notification timeframes, minimising disruption and facilitating a swift return to normal operations.

If you still have reservations about the adequacy of your cybersecurity risk management obligations and programs or need assistance with your inaugural annual report , reach out urgently to our commercial lawyers via [email protected] to ensure you do not fall foul of the significant penalties and reputational damage that could now result from non-compliance.

Key Dates

17 August 2024 | Conclusion of the grace period for achieving compliance with cyber and information security framework requirements

28 September 2024 | First annual report is due

Lisa Malone
Previous

Law Squared Elevates In-House Expertise with Strategic Senior Hires 
Next

Importance of Document Localisation for UK Market Entry