If your organisation is a critical infrastructure operator in Victoria, April 2026 marks a turning point. The first mandatory CIRMP annual reporting period under the Security of Critical Infrastructure (SOCI) Act 2018 has closed. Victoria's new Emergency Management (Critical Infrastructure Resilience) Regulations 2025 have been in force since June 2025. And regulators are shifting from education to enforcement. The question now is not whether you have a risk management program — it is whether it will hold up to scrutiny.
TL;DR
Australia's first mandatory Critical Infrastructure Risk Management Program (CIRMP) reporting period under the Security of Critical Infrastructure (SOCI) Act has now closed.
In Victoria, operators face a second layer of obligations under the Emergency Management (Critical Infrastructure Resilience) Regulations 2025, which came into force in June 2025.
April 2026 is the moment to mature your risk program — or risk falling behind as regulators move from awareness to enforcement.
6clicks gives Australian critical infrastructure operators a single platform to manage both federal SOCI Act and state EMV obligations, with pre-built CIRMP templates, multi-framework control mapping, and sovereign-ready AI.
Australia's critical infrastructure compliance landscape has moved faster in the past 18 months than in the preceding decade. Three converging changes define the current environment for Victorian operators:
1. The first CIRMP annual reporting period has closed. Under the SOCI Act, responsible entities were required to adopt a written Critical Infrastructure Risk Management Program (CIRMP) by 18 August 2024. The 2024–2025 financial year was the first period requiring a formal annual compliance report to the Cyber and Infrastructure Security Centre (CISC). Organisations that are still building out their programs in 2026 are already in catch-up mode.
2. Business-critical data came into scope in April 2025. From 4 April 2025, the CIRMP Rules were expanded to include protection obligations for business-critical data and secondary data storage systems. This materially expands the risk surface that responsible entities must document and manage.
3. Victoria enacted new state-level regulations in 2025. The Emergency Management (Critical Infrastructure Resilience) Regulations 2025 came into force on 29 June 2025, updating Victoria's framework under the Emergency Management Act 2013. Victorian operators now face dual reporting obligations — federal (SOCI Act / CISC) and state (EMV) — with different regulators, terminology, and cadences.
For organisations still relying on spreadsheets or siloed tools to manage these obligations, the compliance gap is growing.
Join us at the sovereign AI roundtable in Melbourne on 23 April 2026 — part of the Ready for Sovereignty roadshow — to benchmark your SOCI Act compliance posture and explore how sovereign AI can accelerate your GRC program.
The SOCI Act's CIRMP requires responsible entities to maintain a written, board-endorsed risk program that identifies material risks and, as far as reasonably practicable, minimises or eliminates them. Five hazard categories must be addressed:
From April 2025, business-critical data and secondary data storage systems must also be explicitly addressed within the CIRMP.
Victoria's Emergency Management (Critical Infrastructure Resilience) Regulations 2025 require operators in eight critical infrastructure sectors — energy, water, transport, health, communications, food, finance, and emergency services — to maintain sector resilience plans aligned to an all-hazards approach. Emergency Management Victoria (EMV) published its Critical Infrastructure All Sectors Resilience Report 2025 to benchmark resilience maturity across these sectors and identify systemic gaps.
Key additional requirements under the Victorian framework include:
For most Victorian operators, the two frameworks are complementary. But managing them efficiently requires a structured approach that avoids duplicating effort across two separate compliance regimes.
Based on CISC guidance and EMV's 2025 sector assessment, the most common maturity gaps in 2026 are:
Many organisations have documented their primary critical assets but have not mapped third-party suppliers, secondary data systems, or cross-sector dependencies. Both the SOCI Act (supply chain and data obligations) and Victorian EMV regulations (interdependency mapping) require this.
Having a CIRMP on paper is not sufficient. Regulators expect evidence that controls are operating effectively — including background check records, incident response test outcomes, and supplier assessments. The shift from documentation to evidence is the defining compliance challenge in 2026.
Organisations managing SOCI Act CIRMP reporting separately from Victorian EMV sector reporting are generating duplicated effort and inconsistent narratives. Auditors and regulators are increasingly looking for a single, coherent picture of an organisation's risk posture.
In 2026, artificial intelligence (AI) is introducing a new category of risk for critical infrastructure operators that existing CIRMP frameworks were not designed to address. AI systems embedded in operational technology, data processing, and decision-making introduce risks around data provenance, algorithmic integrity, and supply chain exposure.
Sovereign AI — AI systems that are hosted, operated, and governed within Australian jurisdiction — is increasingly a procurement and security requirement for government and critical infrastructure operators. The rationale is straightforward: if an AI system processes sensitive operational or risk data, that data must not be exposed to foreign jurisdictions.
This issue is the focus of the sovereign AI Melbourne roundtable on 23 April 2026, part of the Ready for Sovereignty roadshow. CISOs, risk managers, and compliance leaders from Victorian critical infrastructure sectors will examine how AI adoption intersects with SOCI Act obligations, data sovereignty requirements, and emerging AI governance frameworks. The Melbourne roundtable is one of four events across Canberra, Melbourne, Sydney, and Brisbane this April — targeted at Australian enterprise and public sector organisations navigating exactly these challenges.
6clicks is built for the compliance complexity that Victorian critical infrastructure operators face in 2026 — multiple frameworks, dual regulators, growing evidence requirements, and AI governance on the horizon. Rather than managing SOCI Act CIRMP obligations and Victorian EMV requirements in separate tools, 6clicks consolidates everything into a single, audit-ready platform.
What 6clicks delivers for SOCI Act compliance:
For organisations navigating dual federal and Victorian obligations, 6clicks for SOCI is built to meet the cross-sector GRC maturity benchmark that regulators are now looking for.
Two significant changes took effect in 2025. From 4 April 2025, business-critical data and secondary data storage systems came into scope under the CIRMP Rules, expanding the data protection obligations for all responsible entities. The 2024–2025 financial year was also the first mandatory CIRMP annual reporting period — meaning organisations are now in their second year of formal compliance obligations under the federal framework.
Victoria's Emergency Management (Critical Infrastructure Resilience) Regulations 2025, which came into force on 29 June 2025, update the state's critical infrastructure framework under the Emergency Management Act 2013. Victorian operators in eight critical infrastructure sectors must maintain sector resilience plans, map interdependencies with other sectors, and report to Emergency Management Victoria (EMV). These obligations sit alongside, and largely align with, federal SOCI Act CIRMP requirements.
A purpose-built Governance, Risk, and Compliance (GRC) platform like 6clicks allows operators to maintain their CIRMP in a single, structured environment — covering risk assessments, control libraries, asset registers, evidence management, and annual reporting. Multi-framework mapping means a single control simultaneously satisfies SOCI Act CIRMP Rules, Victorian EMV obligations, and other frameworks (e.g. ISO 27001, ISM), removing the duplication that makes compliance costly under manual approaches.
Sovereign AI refers to artificial intelligence systems that are hosted, operated, and governed within Australian jurisdiction, ensuring that sensitive risk and operational data processed by the AI does not leave the country. For critical infrastructure operators, sovereign AI is increasingly a procurement requirement — and is becoming relevant to CIRMP supply chain security obligations as AI tools are embedded deeper into operational and compliance workflows.
What is the Ready for Sovereignty roundtable and who should attend?
The Ready for Sovereignty roadshow is a series of four executive roundtables across Canberra, Melbourne, Sydney, and Brisbane in April 2026. The Melbourne event on 23 April brings together CISOs, heads of risk and compliance, and chief data officers from Victorian critical infrastructure, financial services, government, and defence organisations to discuss sovereign AI adoption, SOCI Act compliance maturity, and the future of GRC in Australia's critical sectors. It is co-hosted by 6clicks and its partner network.