Recent amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) included a new Mandatory Cyber Incident Reporting (MCIR) obligation for certain critical infrastructure assets (Part 2B of the SOCI Act). Critical infrastructure responsible entities and operators are required to report certain cyber security incidents if they are captured by the critical infrastructure asset definitions. The grace period for the MCIR obligation will end shortly and affected critical infrastructure industry stakeholders will be required to provide cyber incident reports from Friday 8 July 2022.

Further information about the new MCIR obligation is available via their Cyber and Infrastructure Security Centre (CISC) Fact Sheet – Cyber Security Incident Reporting, Mandatory Cyber Incident Reporting (MCIR) Guide and presentation slides. A range of other CISC fact sheets related to the amended SOCI Act can be found here. You can also join the Australian Government’s Trusted Information Sharing Network (TISN) for regular updates with further information on TISN available.

The CISC within the Department of Home Affairs is planning to hold a virtual awareness session on the new MCIR obligation on Thursday 7 July 2022, 11:00 AM – 12 Noon (AEST). Further information about this session can be found here. You can also contact them at with any questions. (Please also note that any advice provided from the CISC is general advice only and should not replace independent professional or legal advice.)