FAQAustraliaSOCI Act overlap

Australia Cyber Security Act SOCI Act overlap FAQ

The overlap is narrow and practical: the Cyber Security Act uses SOCI Act concepts for critical infrastructure assets and responsible entities, and it brings some SOCI responsible entities into ransomware payment reporting.

Smart-device security standards are a separate Cyber Security Act duty for relevant connectable products. Treat SOCI status, ransomware reporting, and smart-device compliance as separate checks.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
3

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Use this FAQ to decide whether an Australian incident or payment sits in the Cyber Security Act ransomware reporting regime, the SOCI Act critical infrastructure incident regime, or the separate smart-device product regime.

Search this module

Find a question or answer quickly

3 of 3 questions
Question 1

How does the Australia Cyber Security Act overlap with the Security of Critical Infrastructure Act?

The Cyber Security Act does not supersede the Security of Critical Infrastructure Act 2018 (SOCI Act). It imports SOCI concepts for a critical infrastructure asset and a responsible entity, and its ransomware payment reporting regime expressly covers a responsible entity for a critical infrastructure asset to which SOCI Act Part 2B applies.

That means a ransomware payment incident can need a Cyber Security Act ransomware payment report while the same incident is also assessed against SOCI Act cyber security incident notification duties. The overlap question starts with asset status and entity role, not with whether the affected system is a consumer smart device.

  • Confirm whether the affected system is a critical infrastructure asset under SOCI Act materials.
  • Identify whether the organisation is the responsible entity for that asset.
  • If a ransomware payment was made by, or on behalf of, that entity, assess the Cyber Security Act ransomware report obligation alongside SOCI Part 2B incident notification.
Citations
Cyber Security Act 2024

Defines critical infrastructure asset and responsible entity by reference to the SOCI Act and sets when responsible entities for Part 2B assets are reporting business entities.

Question 2

What should be separated from SOCI overlap?

Do not merge the smart-device product regime into the SOCI overlap analysis. Cyber Security Act Part 2 applies to relevant connectable products and product supply obligations. SOCI overlap for this FAQ is about critical infrastructure assets, responsible entities, SOCI Part 2B incident notification, and Cyber Security Act ransomware payment reporting.

A manufacturer or supplier may have smart-device duties for a relevant connectable product even when it is not the responsible entity for a SOCI asset. Conversely, a SOCI responsible entity can have ransomware reporting exposure even when the incident is not about placing a smart device on the Australian market.

  • Smart-device check: relevant connectable product, manufacture or supply in Australia, security standard, and statement of compliance.
  • SOCI overlap check: critical infrastructure asset, responsible entity, and whether SOCI Part 2B applies.
  • Ransomware check: cyber security incident, extortion demand, payment or benefit, reporting business entity status, and report content.
Citations
Cyber Security Act 2024

Separates Part 2 smart-device obligations from Part 3 ransomware payment reporting and cross-references SOCI concepts in the ransomware reporting definitions.

Cyber Security Act 2024

Primary legislation for the ransomware report-content categories: business details, cyber security incident impact, demand, payment, and communications.

Question 3

What evidence should support the SOCI overlap answer?

Keep a short overlap record that proves the asset, entity, incident, and payment analysis. The useful record is factual: which asset was affected, why SOCI Part 2B was or was not relevant, who the responsible entity was, whether a ransomware payment was made, and which report-content fields could be completed within the reporting window.

If the same event also touches a connected product, keep that product compliance file separate so SOCI incident triage is not confused with smart-device security-standard evidence.

  • Asset and role evidence: SOCI asset classification, responsible-entity reasoning, and any application-rule note used.
  • Incident evidence: incident timing, impact on the entity or asset, and the information known or reasonably findable when the report is made.
  • Payment evidence: demand, amount or non-monetary benefit, method of provision, communications, and whether another entity paid on the reporting business entity's behalf.
Citations
Cyber Security Act 2024

Primary legislation for the ransomware payment trigger, reporting business entity test, and 72-hour ransomware payment report obligation.

Cyber Security Act 2024

Primary legislation for the report content categories to preserve when a SOCI responsible entity is also a reporting business entity.

Recommended next step

Turn Australia Cyber Security Act and SOCI overlap into assigned work

Use this FAQ to separate SOCI asset status, responsible-entity status, ransomware reporting, and smart-device compliance into evidence requests and owner tasks.

Assessment workflow
Open Assessment Autopilot for Australia Cyber Security Act

Turn SOCI overlap into scoped asset, entity, incident, payment, and product questions.

Explore next step
Research workflow
Review Australia Cyber Security Act source evidence

Use Research Copilot to answer follow-up questions with cited source material.

Explore next step
Talk to Sorena
Talk through implementation

Review scope, evidence, owners, and the next compliance actions with Sorena.

Explore next step
Primary sources

References and citations

Cyber Security Act 2024
legislation.gov.au
Referenced sections
  • Primary legislation for the report content categories to preserve when a SOCI responsible entity is also a reporting business entity.
"the cyber security incident, including its impact on the reporting business entity"
Security of Critical Infrastructure Act 2018
legislation.gov.au
Referenced sections
  • Primary SOCI source for keeping critical infrastructure asset and responsible entity analysis separate from product-supply smart-device duties.
"Meaning of responsible entity"
Related guides

Explore more topics

Australia Cyber Security Act 2024 scope and definitions
Grounded scope guide for Australia's Cyber Security Act 2024: relevant connectable products, consumer-grade smart devices, reporting business entities, ransomware payment reports, and SOCI overlap.
Australia Cyber Security Act and SOCI Act overlap
How the Australia Cyber Security Act overlaps with the Security of Critical Infrastructure Act for responsible entities, ransomware payment reporting, smart devices, and evidence records.
Australia Cyber Security Act Applicability Test
Decide whether the Australia Cyber Security Act 2024 applies to a smart-device product, supplier, manufacturer, or ransomware payment reporting scenario.
Australia Cyber Security Act Compliance Checklist
Concrete checklist items for Australian Cyber Security Act smart-device and ransomware duties, with SOCI and APRA CPS 234 evidence checks.
Australia Cyber Security Act Compliance Guide
A source-linked compliance guide for Australia Cyber Security Act smart-device statements, ransomware payment reporting, incident coordination, and review-board readiness.
Australia Cyber Security Act Deadlines and Compliance Calendar
Calendar of grounded Australia Cyber Security Act milestones for ransomware reporting, smart-device security standards, statements of compliance, and statutory review.
Australia Cyber Security Act FAQ
Answers to Australia Cyber Security Act questions on smart device scope, statements of compliance, ransomware reports, enforcement notices, and incident review.
Australia Cyber Security Act penalties and fines
Grounded guide to Australia Cyber Security Act civil penalties, smart-device enforcement notices, ransomware reporting exposure, Board notice failures, and evidence records.
Australia Cyber Security Act recordkeeping FAQ
What records to keep for Cyber Security Act 2024 smart-device statements, ransomware payment reports, and supported SOCI or APRA overlap checks.
Australia Cyber Security Act Requirements
Australia Cyber Security Act requirements for smart-device security standards, statements of compliance, ransomware payment reports, notices, and evidence records.
Australia Cyber Security Act Statement of Compliance Evidence
Evidence guide for Australia Cyber Security Act smart-device statements of compliance: required fields, manufacturer and supplier records, five-year retention, and examination readiness.
Australia Cyber Security Act templates
Grounded template fields for Australia Cyber Security Act smart-device scope, statements of compliance, ransomware reports, notices, SOCI overlap, and records.
Australia Cyber Security Act Timeline And Commencement Guide
Australia Cyber Security Act guidance for Timeline And Commencement, with practical decisions, evidence, edge cases, and external source citations.
Australia Cyber Security Act vs EU Cyber Resilience Act
Compare Australia's Cyber Security Act 2024 with the EU Cyber Resilience Act across smart-device duties, ransomware reporting, product-with-digital-elements scope, actors, records, and enforcement routes.
Australia Cyber Security Act vs UK PSTI Act Guide
Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime.
Australia ransomware payment reporting 72-hour duty
Explain when Australia's Cyber Security Act 2024 requires a ransomware payment report, when the 72-hour clock starts, and what information the report must contain.
Australia Smart Device Security Standards under the Cyber Security Act
Plain-English guide to Australia's Cyber Security (Security Standards for Smart Devices) Rules 2025: scope, passwords, vulnerability reporting, support periods, statements of compliance, and evidence records.
Australia Smart Device Statement of Compliance Evidence Workflow
Evidence workflow for preparing, supplying, and retaining statements of compliance under Australia's Cyber Security Act 2024 and Smart Devices Rules.
CSA 2024 Ransomware Payment Reporting Workflow
Operational workflow for Australia Cyber Security Act 2024 ransomware payment reports: scope, 72-hour trigger, report fields, owners, evidence, and cited Act and Rules sources.
CSA 2024 Ransomware Threshold & Report FAQ
FAQ answer on Australia's Cyber Security Act ransomware payment reporting scope, $3 million turnover threshold, 72-hour trigger, report fields, and evidence.
CSA 2024 Smart Device Applicability Test
Check whether a smart device is a consumer-grade relevant connectable product under Australia's Cyber Security Act and Smart Devices Rules.
CSA 2024 Smart Device Statement of Compliance
What a smart-device statement of compliance must contain under Australia's Cyber Security Act 2024 and Smart Device Rules, who prepares and supplies it, how long to retain it, and how to prepare for examination.
Cyber Security Act 2024 Smart Device Compliance Checklist
Checklist for Australia Cyber Security Act 2024 smart-device scope, password controls, vulnerability reporting, security-update support periods, statements of compliance, retention, and evidence.
Cyber Security Act 2024 Statements of Compliance FAQ
FAQ answer on Australian Cyber Security Act 2024 statements of compliance for smart devices, including scope, actors, required contents, retention, evidence, and citations.
Cyber Security Act vs EU CRA: scope and obligations comparison
Compare Australia's Cyber Security Act 2024 with the EU Cyber Resilience Act across smart-device duties, ransomware reporting, product-with-digital-elements scope, actors, records, and enforcement routes.
Cyber Security Act vs UK PSTI Act: device security obligations compared
Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime.
How do notices and recalls work under the Australia Cyber Security Act?
FAQ on Australia Cyber Security Act compliance notices, stop notices, recall notices, public notifications, owners, evidence fields, and grounded timing.
Manufacturer, Importer, and Supplier Duties under Australia's Cyber Security Act 2024
Direct FAQ answer on Cyber Security Act 2024 smart-device duties for manufacturers, importers, and suppliers, including scope, statement records, exceptions, and citations.
Smart Device Applicability: CSA 2024
A source-linked workflow for deciding whether a connected product is covered by Australia's Cyber Security Act 2024 smart-device standard and what evidence to keep.
SOCI overlap triage workflow for Australia Cyber Security Act
Triage SOCI Act overlap with Australia Cyber Security Act ransomware reporting and smart-device standards using separate owners, evidence, and source-linked scope checks.
Which smart devices are in scope under Australia's Cyber Security Act 2024?
FAQ on Cyber Security Act 2024 smart-device scope: relevant connectable products, consumer-grade criteria, exclusions, Australian consumer acquisition, and records to keep.