In December 2025, the Department of Home Affairs opened a public consultation on proposed changes to Australia’s Critical Infrastructure Risk Management Program (CIRMP) rules under the Security of Critical Infrastructure (SOCI) Act. The changes focus on lifting cyber risk requirements for nine high-risk asset classes, including electricity, gas, liquid fuel, water, broadcasting, domain names and freight.
The intent of the CIRMP is to increase security, reliability, and compliance of mission-critical services and keep up with the evolving cyber threat landscape. From Protectera’s point of view, it represents a growing expectation for organisations to manage cyber risk in a consistent and formalised manner throughout their operations as well as during an incident.
What’s Changing
High-risk asset classes in focus
The proposed rules apply to sectors considered critical to Australia’s economy and community. As a result, organisations that own or operate these assets are anticipated to develop a more formal and structured process for identifying and managing cyber risk with greater clarity and defined roles under the CIRMP Framework.
Stronger governance under the SOCI Act
Cyber risk governance will be more clearly enforced under the SOCI Act. Boards and senior leaders will be expected to understand their organisation’s cyber risks and how those risks are being managed. In Protectera’s experience, this means cyber risk can no longer sit solely with IT teams — it must be visible at the executive and board level.
Alignment with national cyber policy
The proposed amendments are consistent with the Australian Cyber Security Strategy 2023-2030, which places significant emphasis on the need to protect critical infrastructure, and reinforce the need for organisations to prepare for cyber incidents so that they can recover rapidly after a disruption.
Cost and operational impact
The government has acknowledged that these changes will involve additional cost and effort for organisations. Industry feedback is being sought on these impacts. Protectera sees early planning as key; organisations that review their cyber risk programs now are likely to manage compliance more effectively and avoid rushed, reactive changes later.
Consultation and Next Steps
Submissions open until February 2026
Written submissions are open until 13 February 2026. Asset owners, operators and suppliers are encouraged to provide feedback on how the proposed rules may affect their operations.
Online briefings available
The Department of Home Affairs will run virtual town halls on 12 December 2025 and 27 January 2026 to explain the proposals. Recordings will be available after each session.
What This Means for Organisations
For CISOs, IT leaders and executives, the message is clear: stronger cyber risk oversight is coming. Organisations providing essential services should review their current cyber risk management programs, including risk assessments, incident response plans and recovery processes.
There is also a clear expectation of board involvement. Based on what we see at Protectera, organisations that involve leadership early and clearly document responsibilities are better placed to meet regulatory requirements and respond to incidents when they occur.
Clear communication across business units and with third-party providers will also be important, particularly where suppliers play a role in delivering critical services.
How Protectera Can Help
At Protectera, we support boards and executives in meeting cyber risk and compliance obligations under the SOCI Act. If you want to understand how the proposed CIRMP changes may affect your organisation, speak with our team. Call us on 02 7227 5428 or book a consultation. Don't forget to follow us on LinkedIn as well.
