CBS Group

Regulatory Briefing · 23 April 2026

Security of Critical Infrastructure Act — Connectivity Operator Obligations

The Security of Critical Infrastructure Act (SOCI) applies to connectivity providers serving critical infrastructure sectors. Obligations include mandatory cybersecurity risk management, cyber incident reporting, and enhanced protections for systems of national significance. Infrastructure operators who depend on satellite connectivity for operational technology systems are within scope as connectivity becomes a critical dependency.

What's changed

Successive amendments to the Security of Critical Infrastructure Act have expanded the sectors and assets within scope. The 2026 amendments bring connectivity-dependent operational technology systems under more explicit obligations, particularly for infrastructure operators whose SCADA, asset management, or compliance reporting systems depend on satellite connectivity as a primary or secondary channel.

Who's affected

Critical infrastructure operators across transport, water, energy, health, and communications sectors. Connectivity providers serving critical infrastructure. Satellite operators providing services to Australian critical infrastructure entities.

What to do

Infrastructure operators: review your critical asset register to include connectivity dependencies. Assess whether your satellite connectivity arrangements include the contractual controls required to satisfy SOCI risk management obligations — including supplier security assurance, data sovereignty arrangements, and the ability to respond to directions under SOCI Part 6A in the event of a cybersecurity incident affecting a system of national significance.

Procurement teams: include SOCI risk management requirements in LEO connectivity procurement specifications. The commercial model for critical infrastructure connectivity must price in the regulatory obligations, not treat them as out-of-scope.

How we can help

CBS Group's LEO Transition Strategy and Procurement and Commercial Architecture engagements treat SOCI obligations as a commercial design input, not a downstream compliance check. The commercial architecture we produce includes the contractual controls, supplier assurance framework, and risk allocation structure that SOCI requires.