Data Centres as Critical Infrastructure
Over the past three years, investment in data centres has grown by 65%, making them not just a key component of the modern digital economy but also a marker of the AI tsunami that has been inundating the technology landscape (NSW Treasury, 2026). The transition to digital and cloud environments has made data centres the backbone of national security, governance, and essential services such as the power grid, water and waste, and emergency services; hence their classification as critical infrastructure under the Security of Critical Infrastructure Act 2018 (SOCI Act). Data centres are essential to the confidentiality, integrity and availability of essential services because they store and process critical business data (CISC, 2025a). Additionally, within hyperscale cloud environments, data centres represent a single point of failure that could impact every sector they service simultaneously if they experience a massive outage. As a result, operators are now expected to implement robust security measures to protect against an increasingly complex threat landscape.
The SOCI Act
The SOCI Act outlines requirements that critical infrastructure operators must comply with to safeguard their assets. It applies to 11 sectors, including but not limited to communications, data storage or processing, and the defence industry. Although it covers a range of sectors, data centres underpin nearly all of them, as they store and process data on behalf of every sector (CISC, 2024).
Under the SOCI Act, operators of critical infrastructure are required to meet several obligations aimed at improving visibility, resilience and risk management (CISC, 2024). These include:
- Providing operational information to the Register of Critical Infrastructure Assets.
- Reporting cybersecurity incidents that impact the operations of critical infrastructure assets.
- Adopting, maintaining and complying with their asset-specific Critical Infrastructure Risk Management Program (CIRMP).
These obligations establish minimum requirements for governance and risk oversight for data centre operators.
Certain assets may be classified as Systems of National Significance (SoNS) due to their potential impact on national security, the economy or public safety. If an asset is classified as a SoNS, its operator is subject to Enhanced Cyber Security Obligations (ECSOs) (CISC, 2024). These ECSOs include:
- Developing cyber security incident response plans.
- Undertaking cyber security training.
- Performing vulnerability assessments.
- Providing system information to develop and maintain a real-time threat picture.
Not all data centres will meet the threshold for SoNS designation. However, operators should assess whether their facility meets the relevant definitions to determine which measures are required to comply with the regulations.
Understanding the All Hazards Risk Environment
Under the CIRMP Rules, data centre operators are required to take an all-hazards approach to risk management (CISC, 2025b). This integrated approach considers multiple interconnected threat vectors that may impact critical infrastructure assets.

Figure 1. The All-Hazards Approach to Risk Management (AI Generated Image)
Cyber and Information Hazards
Cyber and information hazards are pertinent to data centres as they house critical assets that can be targeted by cyber threats. Operators should implement controls such as incident response plans, network segmentation and the principle of least privilege to reduce the likelihood and impact of cyber incidents.
Supply Chain Hazards
Data centres may use a range of suppliers, which can create operational dependencies. Disruptions to a single supplier may lead to vulnerabilities as it can affect the confidentiality, availability and integrity of critical data. Mitigation measures include conducting supplier due diligence, assessing third party risk and enforcing minimum security requirements across the supply chain.
Personnel Hazards
Data centre employees are classified as critical workers and have access to sensitive systems and data. Insider threats may therefore pose risks to stored data. These risks can be managed through measures such as background checks, access controls, a layered security approach and regular security awareness training to reduce the likelihood of insider threats.
Physical Security and Natural Hazards
Physical security threats to a data centre include unauthorised access and sabotage. Natural hazards include earthquakes and bushfires. Data centre operators should implement robust physical access control measures, surveillance systems and environmental monitoring. Technology-enabled monitoring supports early detection and response rather than the prediction of natural hazard impacts.
Emerging Threats
An “all hazards” approach to security risk management is context driven and, where required, emerging risk areas such as artificial intelligence, hyperscale cloud providers, quantum cryptography, space-based threats, and drone detection and response may also have to be considered.
Effectiveness of the SOCI Act
An independent review of the SOCI Act was undertaken between November 2025 and January 2026, analysing its effectiveness in strengthening the governance of critical infrastructure. While the SOCI Act was designed to address evolving threats, the review identified challenges related to complexity, enforceability and operational clarity (Slay, 2026).
The benefits of the SOCI Act include improved visibility of critical infrastructure assets and ownership, enhanced transparency, and the establishment of baseline governance and accountability arrangements. Through the enactment of the SOCI Act, Australia has positioned itself as a global leader in critical infrastructure protection (Slay, 2026).
One criticism of the current operation of the SOCI legislation is that it tends to be very cyber-heavy and reactive, neglecting physical and personnel risks. The independent review emphasises the need to address these alongside emerging threats in artificial intelligence, quantum cryptography vulnerabilities, hyperscale cloud providers, space-based assets, and drone detection and response.
Another pain point is regulatory duplication, with operators struggling to align SOCI obligations with APRA, Privacy Act, ISO, NIST and state-level frameworks. Some SOCI requirements overlap with existing frameworks, and this is where the review highlighted the need for reform. In addition, enforcement mechanisms and penalties have not been applied consistently, limiting the Act’s overall effectiveness (Slay, 2026).
What Good Practice Looks Like for Operators
To effectively safeguard critical infrastructure assets, data centre operators should move beyond minimum compliance. CIRMPs should be regularly reviewed and audited to ensure they remain aligned with the evolving threat landscape. This enables operators to respond effectively to emerging risks.
Furthermore, operators should incorporate the takeaways from Dr Jill Slay's independent review, including a shift from compliance-driven reporting to outcome-driven effectiveness, supply chain vulnerability mapping, vendor risk assessments, and management of foreign ownership, control or influence risks.
The 4th of March 2026 also marked the commencement of obligations under the Cyber Security (Security Standards for Smart Devices) Rules 2025. While these rules originated under the Cyber Security Act 2024, for critical infrastructure owners and operators they shift IoT security from "best practice" to a mandatory baseline for any "relevant connectable products" used within their operational or corporate environments.
If a data centre procures any “relevant connectable products” manufactured after 04 March 2026, for example smart locks, IP security cameras or smart lighting, those products must comply with three core standards:
- Unique passwords: no universal default passwords. Each device must be shipped with a unique factory-set admin password and must require the user to set a strong, unique password before the device becomes operational.
- Support period transparency: the manufacturer explicitly states a minimum period during which the device will receive security updates.
- Vulnerability disclosure policy: the manufacturer provides a publicly accessible point of contact through which security researchers and users can report vulnerabilities, and provides status and resolution updates on reported issues.
The introduction of these standards also affects CIRMP and SOCI obligations as part of Supply Chain Risk Management, where under the “Positive Security Obligations” entities must identify and mitigate supply chain hazards. While data centre operators are generally required to meet baseline CIRMP obligations and achieve Maturity Level 1 of the Essential Eight or an equivalent framework such as ISO 27001, there is an exception for Systems of National Significance. If your data centre has been formally declared a SoNS (typically the largest "hyperscale" facilities or those housing critical government/military data), you are subject to Enhanced Cyber Security Obligations (ECSOs) under Part 6A of the SOCI Act. These can be even stricter than the enhanced CIRMP rules and may include:
- Statutory Incident Response Planning: Mandatory "step-in" rights for the ASD.
- Cyber Security Exercises: Compulsory participation in national stress-testing.
- Vulnerability Assessments: Direct technical audits by government agencies.
Additionally, a layered physical security approach should be implemented to protect the critical assets held by data centres. Measures such as electronic access control systems, video surveillance and secure perimeter design help reduce both the likelihood and the impact of threats. While these systems provide capabilities, their efficacy is determined by how they are employed operationally, through standard operating procedures and an organisational security culture, to achieve security outcomes. By embedding these practices into the day-to-day operations of data centres, operators can strengthen the resilience of their assets. While achieving compliance may be the regulatory goal, the true objective is the achievement of resilient security outcomes.
Conclusion: Security as a Strategic Imperative
As data centres continue to anchor Australia's digital economy, their role as critical infrastructure continues to grow. The SOCI Act provides a framework that recognises this importance, outlining obligations and expectations for operators to safeguard their assets against a wide array of risks. However, the effectiveness of this legislation is currently hindered by complexity and enforcement challenges, highlighting the need for substantial reform to ensure operators can respond to evolving threats. Embracing an all-hazards risk management approach and implementing layered security practices are essential steps for operators to meet compliance and protect their facilities. Ultimately, security must be viewed not merely as a compliance requirement but as a strategic imperative, underpinning the resilience and reliability of the nation's most vital digital assets.
References
- CISC. (2024, August 27). Security of Critical Infrastructure Act 2018 (SOCI). Cyber and Infrastructure Security Centre Website. https://www.cisc.gov.au/legislation-regulation-and-compliance/soci-act-2018
- CISC. (2025a, February). Factsheet for Critical Infrastructure Data Storage, Access and Control. Cyber and Infrastructure Security Centre. https://www.cisc.gov.au/resources-subsite/Documents/data-storage-access-control-factsheet.pdf
- CISC. (2025b). Guidance for the Critical Infrastructure Risk Management Program. Cyber and Infrastructure Security Centre. https://www.cisc.gov.au/resources-subsite/Documents/guidance-for-the-critical-infrastructure-risk-management-program.pdf
- CISC. (2026, March 18). Regulatory obligations. Cyber and Infrastructure Security Centre Website. https://www.cisc.gov.au/how-we-support-industry/regulatory-obligations
- NSW Treasury. (2026, March 27). NSW Government backs data centre investment, sets course for sustainable development. NSW Government. https://www.nsw.gov.au/ministerial-releases/data-centre-investment-sustainable-development
- Slay, J. (2026, February 2). Independent Review of the Security of Critical Infrastructure Act 2018. Department of Home Affairs. https://www.homeaffairs.gov.au/cyber-security-subsite/files/independent-review-soci-act-final-report.pdf