Read the regime as a funnel
11 sectors. 22 asset classes. 13 carry the full CIRMP.
- 11 sectors named in the Act.
- 22 critical asset classes defined.
- 13 classes carry the full CIRMP.
Read the regime as a funnel. The Act names 11 sectors. The Definitions Rules (LIN 21/039) define 22 critical infrastructure asset classes across 10 of those sectors. The 11th sector, Space Technology, is named but currently has no defined critical asset class. Of the 22 classes, the CIRMP Rules (LIN 23/006) switch the full risk management program obligation on for 13. The other classes still carry other duties such as incident reporting or the Register, just not the full CIRMP.
Run the scope check →
Three activities
Check scope. Test yourself. Spot the gaps.
Is my asset in scope?
Walk the decision tree for an asset class and get a scope verdict with the obligations that apply.
Open →
Test your understanding
A short quiz on obligations, penalties, hazards and frameworks, with an explanation and a source for every answer.
Open →
Spot what is missing
Read a worked annual report with sections withheld, then identify the required sections that are absent.
Open →
The regime in context
The rest of the regime, in one line each.
The site already covers these in full. Follow the link for the detail.
Four hazards
A CIRMP must address cyber, personnel, supply chain, and physical and natural hazards. The failure patterns for each live in the anti-patterns guide.
Anti-patterns →
Framework selection
The cyber-hazard requirement can be met against a recognised framework. See how the choice plays out on the home page.
Frameworks →
Penalties and the stack
Civil penalties attach to the program, the annual report, incident reporting and directions, alongside the wider regulatory stack.
Policy →
A finished CIRMP
One signed pack across four hazard domains, every line cited. See what the finished artefact looks like.
Overview →
How the regime grew
A chronology, 2018 to 2025.
- 2018
The original SOCI Act. Narrow scope: a register of critical infrastructure assets and an information-gathering power, covering a handful of sectors (electricity, gas, water, ports).
- 2021
SLACI Act (Security Legislation Amendment (Critical Infrastructure) Act 2021). First major expansion: from four sectors to eleven, mandatory cyber incident reporting, and government assistance (step-in) powers. Definitions Rules LIN 21/039 declare the 22 asset classes and thresholds.
- 2022
SLACIP Act (Security Legislation Amendment (Critical Infrastructure Protection) Act 2022). Added the two heavyweight obligations: the CIRMP (s.30AC) and enhanced obligations for Systems of National Significance (Part 2A and ECSO).
- 2023
CIRMP Rules (LIN 23/006) switched on. The risk management program obligation became live on 17 February 2023, with a grace period. The 13 CIRMP asset classes are set by the Rules, not the Act.
- 2024
ERP Act (Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024), commenced 20 December 2024. Consequence management, protected information reforms, business critical data brought into scope, a written direction power against a deficient program, and the lead-in to the 2025 rules. Penalty unit rose to $330 from 7 November 2024.
- 2025
2025 Measures No. 1 Rules and TSRMP Rules. From 4 April 2025, amendments clarified CIRMP obligations and added a dedicated telecommunications security regime (Part 2D and the TSRMP Rules 2025).
Important. General information only, not legal advice. Current as at 4 June 2026 against the in-force compilations on legislation.gov.au. The cyber-hazard framework floor (currently Essential Eight Maturity Level 1) is under active consultation: the March 2026 CIRMP enhancements exposure draft proposes lifting it to Maturity Level 2 and adding multi-factor authentication and network protection. Always read the latest compilation before relying on any figure.