---
title: "How does the Australia Cyber Security Act overlap with the SOCI Act?"
canonical_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap"
source_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap"
author: "Sorena AI"
description: "FAQ on when Australia Cyber Security Act ransomware reporting overlaps with SOCI critical infrastructure assets, responsible entities, and smart-device duties."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Australia Cyber Security Act"
  - "SOCI Act overlap"
  - "Security of Critical Infrastructure Act"
  - "ransomware payment reporting"
  - "critical infrastructure asset"
  - "Compliance"
  - "Regulatory guidance"
---

# How does the Australia Cyber Security Act overlap with the SOCI Act?

FAQ on when Australia Cyber Security Act ransomware reporting overlaps with SOCI critical infrastructure assets, responsible entities, and smart-device duties.

## Australia Cyber Security Act and SOCI Act overlap FAQ

The overlap is narrow and practical: the Cyber Security Act uses SOCI Act concepts for critical infrastructure assets and responsible entities, and it brings some SOCI responsible entities into ransomware payment reporting.

Smart-device security standards are a separate Cyber Security Act duty for relevant connectable products. Treat SOCI status, ransomware reporting, and smart-device compliance as separate checks.

Use this FAQ to decide whether an Australian incident or payment sits in the Cyber Security Act ransomware reporting regime, the SOCI Act critical infrastructure incident regime, or the separate smart-device product regime.

## How does the Australia Cyber Security Act overlap with the Security of Critical Infrastructure Act?

The Cyber Security Act does not supersede the Security of Critical Infrastructure Act 2018 (SOCI Act). It imports SOCI concepts for a critical infrastructure asset and a responsible entity, and its ransomware payment reporting regime expressly covers a responsible entity for a critical infrastructure asset to which SOCI Act Part 2B applies.

That means a ransomware payment incident can require a Cyber Security Act ransomware payment report while the same incident is also assessed against SOCI Act cyber security incident notification duties. The overlap question starts with asset status and entity role, not with whether the affected system is a consumer smart device.

- Confirm whether the affected system is a critical infrastructure asset under SOCI Act materials.
- Identify whether the organisation is the responsible entity for that asset.
- If a ransomware payment was made by, or on behalf of, that entity, assess the Cyber Security Act ransomware report obligation alongside SOCI Part 2B incident notification.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest?ref=sorena.io) - Defines critical infrastructure asset and responsible entity by reference to the SOCI Act and sets when responsible entities for Part 2B assets are reporting business entities.
- [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/Details/C2018A00029?ref=sorena.io) - Primary SOCI source for the critical infrastructure asset, responsible entity, and Part 2B cyber security incident notification concepts referenced by the Cyber Security Act.
- [Security of Critical Infrastructure (Application) Rules 2022](https://www.legislation.gov.au/F2022L00562/2022-04-06/text/original/word?ref=sorena.io) - Application Rules source for checking whether SOCI Act Part 2 or Part 2B applies before treating the organisation as in the critical-infrastructure overlap path.

## What should be separated from SOCI overlap?

Do not merge the smart-device product regime into the SOCI overlap analysis. Cyber Security Act Part 2 applies to relevant connectable products and product supply obligations. SOCI overlap for this FAQ is about critical infrastructure assets, responsible entities, SOCI Part 2B incident notification, and Cyber Security Act ransomware payment reporting.

A manufacturer or supplier may have smart-device duties for a relevant connectable product even when it is not the responsible entity for a SOCI asset. Conversely, a SOCI responsible entity can have ransomware reporting exposure even when the incident is not about placing a smart device on the Australian market.

- Smart-device check: relevant connectable product, manufacture or supply in Australia, security standard, and statement of compliance.
- SOCI overlap check: critical infrastructure asset, responsible entity, and whether SOCI Part 2B applies.
- Ransomware check: cyber security incident, extortion demand, payment or benefit, reporting business entity status, and report content.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest?ref=sorena.io) - Separates Part 2 smart-device obligations from Part 3 ransomware payment reporting and cross-references SOCI concepts in the ransomware reporting definitions.
- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest?ref=sorena.io) - Primary legislation for the ransomware report-content categories: business details, cyber security incident impact, demand, payment, and communications.
- [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/Details/C2018A00029?ref=sorena.io) - Primary SOCI source for keeping critical infrastructure asset and responsible entity analysis separate from product-supply smart-device duties.

## What evidence should support the SOCI overlap answer?

Keep a short overlap record that proves the asset, entity, incident, and payment analysis. The useful record is factual: which asset was affected, why SOCI Part 2B was or was not relevant, who the responsible entity was, whether a ransomware payment was made, and which report-content fields could be completed within the reporting window.

If the same event also touches a connected product, keep that product compliance file separate so SOCI incident triage is not confused with smart-device security-standard evidence.

- Asset and role evidence: SOCI asset classification, responsible-entity reasoning, and any application-rule note used.
- Incident evidence: incident timing, impact on the entity or asset, and the information known or reasonably findable when the report is made.
- Payment evidence: demand, amount or non-monetary benefit, method of provision, communications, and whether another entity paid on the reporting business entity's behalf.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest?ref=sorena.io) - Primary legislation for the ransomware payment trigger, reporting business entity test, and 72-hour ransomware payment report obligation.
- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest?ref=sorena.io) - Primary legislation for the report content categories to preserve when a SOCI responsible entity is also a reporting business entity.
- [Security of Critical Infrastructure (Application) Rules 2022](https://www.legislation.gov.au/F2022L00562/2022-04-06/text/original/word?ref=sorena.io) - Application Rules source for documenting whether the SOCI Part 2B overlap assumption was checked against the relevant application rule.

## Primary sources

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest?ref=sorena.io) - Primary legislation for smart-device duties, ransomware payment reporting, SOCI-linked definitions, and the responsible-entity reporting-business-entity test.
  - Quote: "responsible entity, for an asset, has the same meaning as in the Security of Critical Infrastructure Act 2018"
- [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/Details/C2018A00029?ref=sorena.io) - Primary SOCI source for the asset, responsible entity, and Part 2B incident-notification concepts that determine whether the Cyber Security Act overlap path applies.
  - Quote: "Part 2B--Notification of cyber security incidents"
- [Security of Critical Infrastructure (Application) Rules 2022](https://www.legislation.gov.au/F2022L00562/2022-04-06/text/original/word?ref=sorena.io) - Application Rules source for documenting whether SOCI Act Part 2B applies before treating the entity as inside the critical-infrastructure ransomware overlap.
  - Quote: "Application of Part 2B of the Act"

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap
