
SOCI Act compliance for Victorian critical infrastructure


TL;DR

  • Australia's first mandatory Critical Infrastructure Risk Management Program (CIRMP) reporting period under the Security of Critical Infrastructure (SOCI) Act has now closed.

  • In Victoria, operators face a second layer of obligations under the Emergency Management (Critical Infrastructure Resilience) Regulations 2025, which came into force in June 2025.

  • April 2026 is the moment to mature your risk program — or risk falling behind as regulators move from awareness to enforcement.

  • 6clicks gives Australian critical infrastructure operators a single platform to manage both federal SOCI Act and state EMV obligations, with pre-built CIRMP templates, multi-framework control mapping, and sovereign-ready AI. 

If your organisation is a critical infrastructure operator in Victoria, April 2026 marks a turning point. The first mandatory CIRMP annual reporting period under the Security of Critical Infrastructure (SOCI) Act 2018 has closed. Victoria's new Emergency Management (Critical Infrastructure Resilience) Regulations 2025 have been in force since June 2025. And regulators are shifting from education to enforcement. The question now is not whether you have a risk management program — it is whether it will hold up to scrutiny. 

Why April 2026 is a critical moment for SOCI Act compliance

Australia's critical infrastructure compliance landscape has moved faster in the past 18 months than in the preceding decade. Three converging changes define the current environment for Victorian operators:

1. The first CIRMP annual reporting period has closed. Under the SOCI Act, responsible entities were required to adopt a written Critical Infrastructure Risk Management Program (CIRMP) by 18 August 2024. The 2024–2025 financial year was the first period requiring a formal annual compliance report to the Cyber and Infrastructure Security Centre (CISC). Organisations that are still building out their programs in 2026 are already in catch-up mode.

2. Business-critical data came into scope in April 2025. From 4 April 2025, the CIRMP Rules were expanded to include protection obligations for business-critical data and secondary data storage systems. This materially expands the risk surface that responsible entities must document and manage.

3. Victoria enacted new state-level regulations in 2025. The Emergency Management (Critical Infrastructure Resilience) Regulations 2025 came into force on 29 June 2025, updating Victoria's framework under the Emergency Management Act 2013. Victorian operators now face dual reporting obligations — federal (SOCI Act / CISC) and state (EMV) — with different regulators, terminology, and cadences.

For organisations still relying on spreadsheets or siloed tools to manage these obligations, the compliance gap is growing.

Join us at the sovereign AI roundtable in Melbourne on 23 April 2026 — part of the Ready for Sovereignty roadshow — to benchmark your SOCI Act compliance posture and explore how sovereign AI can accelerate your GRC program. Register now.

What Victorian critical infrastructure operators must have in place right now

The SOCI Act's CIRMP requires responsible entities to maintain a written, board-endorsed risk program that identifies material risks and, as far as reasonably practicable, minimises or eliminates them. Five hazard categories must be addressed:

  1. Cybersecurity and information security — malicious interference with systems, networks, and data
  2. Physical security — protecting assets and facilities from unauthorised access or physical damage
  3. Supply chain security — identifying critical suppliers and managing third-party risk
  4. Personnel security — vetting workers with access to critical systems and assets
  5. Business continuity — maintaining service delivery during and after an incident, including data recovery

From April 2025, business-critical data and secondary data storage systems must also be explicitly addressed within the CIRMP.

What the Victorian EMV framework adds

Victoria's Emergency Management (Critical Infrastructure Resilience) Regulations 2025 require operators in eight critical infrastructure sectors — energy, water, transport, health, communications, food, finance, and emergency services — to maintain sector resilience plans aligned to an all-hazards approach. Emergency Management Victoria (EMV) published its Critical Infrastructure All Sectors Resilience Report 2025 to benchmark resilience maturity across these sectors and identify systemic gaps.

Key additional requirements under the Victorian framework include:

  • Explicit mapping of sector interdependencies — operators must understand how their assets depend on, and affect, other sectors
  • All-hazards planning that goes beyond cyber threats to include natural hazards, climate risk, and cascading failures
  • Coordination with EMV and the Emergency Management Commissioner, in addition to CISC at the federal level

For most Victorian operators, the two frameworks are complementary. But managing them efficiently requires a structured approach that avoids duplicating effort across two separate compliance regimes.


The three compliance gaps regulators are looking for in 2026

Based on CISC guidance and EMV's 2025 sector assessment, the most common maturity gaps in 2026 are:

1. Incomplete asset and dependency registers

Many organisations have documented their primary critical assets but have not mapped third-party suppliers, secondary data systems, or cross-sector dependencies. Both the SOCI Act (supply chain and data obligations) and Victorian EMV regulations (interdependency mapping) require this.

2. Controls that are documented but not evidenced

Having a CIRMP on paper is not sufficient. Regulators expect evidence that controls are operating effectively — including background check records, incident response test outcomes, and supplier assessments. The shift from documentation to evidence is the defining compliance challenge in 2026.

3. Fragmented reporting across federal and state obligations

Organisations managing SOCI Act CIRMP reporting separately from Victorian EMV sector reporting are generating duplicated effort and inconsistent narratives. Auditors and regulators are increasingly looking for a single, coherent picture of an organisation's risk posture.


Sovereign AI and the emerging risk frontier for critical infrastructure

In 2026, artificial intelligence (AI) is introducing a new category of risk for critical infrastructure operators that existing CIRMP frameworks were not designed to address. AI systems embedded in operational technology, data processing, and decision-making introduce risks around data provenance, algorithmic integrity, and supply chain exposure.

Sovereign AI — AI systems that are hosted, operated, and governed within Australian jurisdiction — is increasingly a procurement and security requirement for government and critical infrastructure operators. The rationale is straightforward: if an AI system processes sensitive operational or risk data, that data must not be exposed to foreign jurisdictions.

This issue is the focus of the sovereign AI Melbourne roundtable on 23 April 2026, part of the Ready for Sovereignty roadshow. CISOs, risk managers, and compliance leaders from Victorian critical infrastructure sectors will examine how AI adoption intersects with SOCI Act obligations, data sovereignty requirements, and emerging AI governance frameworks. The Melbourne roundtable is one of four events across Canberra, Melbourne, Sydney, and Brisbane this April — targeted at Australian enterprise and public sector organisations navigating exactly these challenges.


How 6clicks helps Victorian operators meet SOCI Act and EMV obligations in 2026

6clicks is built for the compliance complexity that Victorian critical infrastructure operators face in 2026 — multiple frameworks, dual regulators, growing evidence requirements, and AI governance on the horizon. Rather than managing SOCI Act CIRMP obligations and Victorian EMV requirements in separate tools, 6clicks consolidates everything into a single, audit-ready platform.

What 6clicks delivers for SOCI Act compliance:

  • Pre-built CIRMP templates aligned to CISC guidance — structured to cover all five hazard categories and business-critical data obligations, reducing setup time significantly
  • Multi-framework control mapping — a single control can be mapped simultaneously to the SOCI Act CIRMP Rules, the Information Security Manual (ISM), ISO 27001, and Victorian EMV obligations, eliminating duplicate documentation
  • Risk register with asset, supplier, and dependency mapping — the exact structure CISC and EMV auditors expect to see
  • Evidence management and annual reporting dashboards — built for the CIRMP annual compliance report, with structured evidence libraries ready for submission
  • Hailey AI — 6clicks' built-in AI assists with gap assessments, control mapping, and risk analysis; critically, Hailey is designed for data sovereignty, making it appropriate for government and critical infrastructure environments
  • Hub & Spoke architecture — for organisations managing multiple critical infrastructure assets or operating across sectors, each asset or entity maintains its own risk program within a governed parent environment

For organisations navigating dual federal and Victorian obligations, 6clicks for SOCI is built to meet the cross-sector GRC maturity benchmark that regulators are now looking for.


Frequently asked questions

What has changed under the SOCI Act in 2025 and 2026?

Two significant changes took effect in 2025. From 4 April 2025, business-critical data and secondary data storage systems came into scope under the CIRMP Rules, expanding the data protection obligations for all responsible entities. The 2024–2025 financial year was also the first mandatory CIRMP annual reporting period — meaning organisations are now in their second year of formal compliance obligations under the federal framework.

What are Victoria's specific critical infrastructure obligations in 2026?

Victoria's Emergency Management (Critical Infrastructure Resilience) Regulations 2025, which came into force on 29 June 2025, update the state's critical infrastructure framework under the Emergency Management Act 2013. Victorian operators in eight critical infrastructure sectors must maintain sector resilience plans, map interdependencies with other sectors, and report to Emergency Management Victoria (EMV). These obligations sit alongside, and largely align with, federal SOCI Act CIRMP requirements.

How does a GRC platform reduce CIRMP compliance effort?

A purpose-built Governance, Risk, and Compliance (GRC) platform like 6clicks allows operators to maintain their CIRMP in a single, structured environment — covering risk assessments, control libraries, asset registers, evidence management, and annual reporting. Multi-framework mapping means a single control simultaneously satisfies SOCI Act CIRMP Rules, Victorian EMV obligations, and other frameworks (e.g. ISO 27001, ISM), removing the duplication that makes compliance costly under manual approaches.

What does "sovereign AI" mean for critical infrastructure compliance?

Sovereign AI refers to artificial intelligence systems that are hosted, operated, and governed within Australian jurisdiction, ensuring that sensitive risk and operational data processed by the AI does not leave the country. For critical infrastructure operators, sovereign AI is increasingly a procurement requirement — and is becoming relevant to CIRMP supply chain security obligations as AI tools are embedded deeper into operational and compliance workflows.


What is the Ready for Sovereignty roundtable and who should attend?

The Ready for Sovereignty roadshow is a series of four executive roundtables across Canberra, Melbourne, Sydney, and Brisbane in April 2026. The Melbourne event on 23 April brings together CISOs, heads of risk and compliance, and chief data officers from Victorian critical infrastructure, financial services, government, and defence organisations to discuss sovereign AI adoption, SOCI Act compliance maturity, and the future of GRC in Australia's critical sectors. It is co-hosted by 6clicks and its partner network.
