Lander & Rogers logo
1 Insights

SOCI Act 2026 reforms: what managed service providers and IT contractors need to know about proposed "Relevant Operator" obligations

SOCI Act 2026 reforms: what managed service providers and IT contractors need to know about proposed "Relevant Operator" obligations

On 3 July 2026, the Department of Home Affairs released a consultation paper on the second tranche of proposed amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). The reforms respond to the Independent Review of the SOCI Act delivered by Dr Jill Slay AM in January 2026, which found that the Act requires ongoing refinement as the threat environment evolves.

The tranche two amendments propose to introduce a new concept of a "relevant operator" that would, for the first time, impose direct obligations on service providers who exercise practical control over critical infrastructure assets or functions, systems or services on which critical infrastructure assets depend. Providers of key software systems, asset maintenance and outsourced business processes are likely to be captured.

The consultation period closes on 31 July 2026.

Key Takeaways

Service providers who deliver operational, maintenance, configuration, restoration or platform services to responsible entities for critical infrastructure assets should be aware that under the proposed reforms:

  • You may be classified as a "relevant operator" based on what you do, not what your contract says. If your organisation can operate, configure, maintain, disable, restore or materially influence the operation, availability, integrity or security of a client's critical infrastructure asset or a critical function, system or service on which the asset materially depends, you may fall within scope.
  • Relevant operators would face directly enforceable statutory duties. These include duties to register with CISC as a relevant operator, cooperate with the responsible entity in relation to its SOCI compliance, notify the responsible entity of events or changes that could materially affect the asset, and not to take or omit to take action that would materially compromise the asset.
  • Breach of these duties would attract civil penalties enforceable directly against the service provider.
  • Clients may require additional cyber security assurance and contractual protection. Responsible entities will be required to ensure contracts with relevant operators include appropriate provisions, including in relation to compliance, incident response and access to information. Further, under enhancements to the CIRMP requirements responsible entities will be required to implement contractual or equivalent measures to manage cyber security risks with all major suppliers, not only relevant operators.

Service providers whose customers include responsible entities for critical infrastructure should consider making a submission before consultation closes on 31 July 2026.

Implications for service providers

The "Relevant Operator" Concept

The introduction of the concept of a "relevant operator" is intended to address the in many cases, services provided by third parties have the ability to directly affect the operation, availability, integrity and security of critical infrastructure assets.

The proposed concept of "relevant operator" would turn on two elements: practical operational authority and material operational dependency. A person would be a relevant operator where:

  • it has the ability to operate, configure, maintain, disable, restore, materially alter or materially influence the operation, availability, integrity or security of the asset or a critical function; and
  • the responsible entity depends on the exercise of that control for the continued operation, availability, integrity or security of the asset.

Importantly, the concept would be assessed by what the entity can do in practice, not by its contractual label.

The concept of a "critical function" does not currently exist in the SOCI Act and is not defined in the consultation. It is clear, however, that the effect is that service providers do not need to have operational influence over the critical infrastructure asset as a whole to be captured.

Examples of service providers who may be considered relevant operators include physical asset maintenance providers, physical and IT security providers, managed service providers, and providers of key software systems the failure of which may affect the operation, availability, integrity or security of the underlying asset.

Excluded services

The provision of professional advice, monitoring-only services, minor maintenance, emergency support, commodity inputs, general-purpose infrastructure, software support, equipment or ordinary subcontracted services will not be sufficient to render a provider a relevant operator. The authority of an entity to take action which may affect the underlying critical infrastructure asset will be key to delineating between relevant operators and other service providers.

Direct Obligations

Relevant operators would be required to register with CISC, with both the responsible entity and relevant operator having independent obligations to provide information about their role in relation to the critical infrastructure asset.

The consultation paper proposes that relevant operators should be subject to the following obligations:

  • a duty to cooperate and support the responsible entity's compliance with Part 2A, including by providing reasonable access to information, systems and personnel for risk management, assurance, incident response or remediation;
  • an obligation to notify the responsible entity, without unreasonable delay, of events, changes or circumstances within the operator's knowledge that could materially affect the asset. This may overlap with existing notification requirements under the Privacy Act 1988 (Cth) in relation to notifiable data breaches;
  • an obligation not to materially compromise the security, integrity, availability or operation of the asset.

Consequences of breach

Breaches of a relevant operator's obligations would attract civil penalties under the SOCI Act.

Contractual Implications

As well as the direct obligations on relevant operators, responsible entities would have a new obligation to maintain appropriate contractual, governance or operational arrangements with relevant operators to support compliance, incident response, access to information, oversight, assurance, testing and remediation.

If implemented, service providers can expect responsible entities to seek new contractual commitments including in relation to cooperation, incident notification, audit and information-sharing. It appears from the consultation that these obligations may apply to existing contracts, requiring responsible entities to seek amendments to ongoing arrangements. A limited safe harbour mechanism is proposed for responsible entities that are unable to agree appropriate contractual provisions with relevant operators.

Supply Chain Cyber Security Assurance

Alongside the introduction of relevant operators, the consultation proposes amendments to CIRMP requirements in relation to cyber security assurance of major suppliers. Responsible entities would be expected to assess supplier cyber security practices of suppliers whose products or services are material to the security, availability, integrity, reliability or operation of the critical infrastructure asset (not limited to relevant operators) and implement contractual or equivalent measures to address cyber security risk at contract entry, renewal or material variation. Again, this requirement would likely lead to more prescriptive cyber security requirements being sought in supplier contracts.

The consultation paper also flags the possible introduction of a cyber security certification scheme to allow suppliers to be certified or accredited as meeting criteria relevant to the SOCI Act.

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.