Australia’s Enhanced CIRMP Rules (2026)

Australia’s Enhanced CIRMP Rules (2026)

Australia has strengthened its Critical Infrastructure Risk Management Program (CIRMP) under the Security of Critical Infrastructure (SOCI) Act 2018 through amendments and updated rules that commenced in June 2026. These changes introduce more prescriptive and detailed obligations for operators of critical infrastructure assets, significantly raising expectations around risk management, cyber security, personnel security, supply chain resilience, and operational continuity.

What’s changed under the updated CIRMP rules

What does this mean for your organisation? Rather than a principles-based framework, CIRMP now requires operators to demonstrate structured, evidence-based controls across defined risk areas, with a stronger focus on national security and system resilience.

The updated CIRMP requirements represent a significant shift from principles-based guidance to a more prescriptive and enforceable compliance framework across Australia’s 9 critical infrastructure sectors. Under the revised CIRMP Rules, responsible entities have 12 months to achieve the first compliance milestone and 24 months to demonstrate full alignment with the new requirements.

Who is affected

The updated CIRMP rules apply to responsible entities across Australia’s critical infrastructure sectors, including:

  • Electricity, gas, water, and liquid fuel systems
  • Energy market operators
  • Freight, transport infrastructure, and transport services
  • Broadcasting services
  • Domain name system providers

These sectors were brought under strengthened requirements due to their importance to national continuity and essential services.

Key changes in the 2026 CIRMP update

Expanded risk categories

Operators must explicitly identify and manage a broader set of risks, including:

  • Foreign ownership, control, or influence (FOCI)
  • Offshore or remote access to systems and data
  • Risks to national security, economic stability, and essential services

Stronger cyber security requirements

CIRMP introduces more detailed cyber security expectations:

  • Phishing-resistant multi-factor authentication
  • Centralised logging and monitoring across systems
  • Stronger management of legacy and unpatched systems
  • Network segmentation to contain incidents and maintain continuity
  • Consideration of emerging risks such as AI-enabled threats

Enhanced personnel security requirements

Also effective under the June 2026 updates, operators must strengthen workforce assurance, including:

  • Formal vetting for critical workers (e.g. AusCheck or security clearances)
  • Alignment of access privileges with role criticality
  • Ongoing monitoring and reassessment at least every five years

Supply chain risk management obligations

The reforms expand expectations for third-party risk oversight, requiring operators to:

  • Map critical suppliers and dependencies
  • Assess foreign influence and sanctions exposure
  • Strengthen redundancy and diversification of key inputs
  • Improve oversight of outsourced services and components

Integration of cyber, physical, and supply chain security

Operators are also expected to integrate security domains by:

  • Coordinating cyber, physical, and supply chain risk management
  • Aligning controls across the organisation
  • Improving continuous monitoring and threat visibility

Compliance impact and timelines

The CIRMP updates that commenced in June 2026 significantly increase compliance obligations. Organisations are expected to:

  • Update existing CIRMP documentation
  • Undertake detailed gap assessments against new requirements
  • Begin uplift planning immediately

While compliance deadlines are staged, with some obligations extending into 2027–2028 depending on asset class, regulators expect operators to start implementation planning without delay.

What this means for operators

The June 2026 CIRMP reforms mark a significant shift to a more prescriptive, enforceable and resilience-focused regulatory framework for Australia’s critical infrastructure. While the reforms apply to 9 critical infrastructure sectors, energy operators are among the most heavily impacted, facing mandatory uplifts in cyber security, personnel security, supply chain risk management and physical security. With compliance deadlines now in effect, the statutory clock is already ticking.

A key requirement for the energy sector is the AESCSF maturity uplift. Under the enhanced Critical Infrastructure Risk Management Program (CIRMP) Rules introduced through the SOCI Act, energy operators must achieve Maturity Indicator Level 2 (MIL-2) across all AESCSF domains by 30 June 2028. This represents a substantial increase in governance, risk management and operational cyber security expectations across the sector.

If your organisation is navigating its CIRMP obligations or broader SOCI act compliance requirements, our team can help. We work with critical infrastructure organisations to interpret the new regulatory obligations, assess current maturity, identify compliance gaps and develop practical, risk-based roadmaps.

From OT asset management and OT maturity assessments to governance, risk and SOCI compliance, we help organisations strengthen operational resilience while meeting evolving regulatory expectations.

Scroll to Top