Madre Janus Madre Janus
Madre Janus
  • Home
  • About
  • Services
  • Case Studies
  • Blog
  • Contact
  • Have any Questions?

    Enquire Now

CIRMP Compliance in 2026: A Complete Guide for Australia - Madre Janus

  • Blog
  • CIRMP Compliance in 2026: A Complete Guide for Australia
  • July 6, 2026
  • Madre Janus

Everything Australian critical infrastructure operators need to know about CIRMP compliance under the SOCI Act, including the new Enhanced CIRMP Rules

CIRMP compliance is no longer a box-ticking exercise for Australian critical infrastructure operators. The Enhanced CIRMP Rules became binding law in June 2026, and the grace-period clock is already running, with the first obligations landing around December 2026 for nine designated high-risk asset classes. This guide breaks down what a Critical Infrastructure Risk Management Program actually requires, what the new rules change, who they apply to, and the practical steps your organisation should take before the deadlines arrive.

What is a CIRMP?

A Critical Infrastructure Risk Management Program (CIRMP) is a written, board-approved program that responsible entities of critical infrastructure assets must adopt, maintain, review and comply with under Part 2A of the Security of Critical Infrastructure Act 2018 (Cth).

In plain terms: if you own or operate a critical infrastructure asset in Australia, the law requires you to identify every hazard that poses a material risk to that asset, and then minimise, eliminate or mitigate those risks, so far as it is reasonably practicable to do so.

A CIRMP is not a cyber security policy. It is an all-hazards framework that must address four hazard domains:


1. Cyber and information security hazards. Threats to the confidentiality, integrity and availability of your critical systems and data.

2. Personnel hazards. Insider threats, background checking, and the trusted insider risk across employees and contractors.

3. Supply chain hazards. Risks introduced through vendors, managed service providers, software dependencies and outsourced operations.

4. Physical and natural hazards. Unauthorised physical access, natural disasters, and threats to physical sites and assets.

Who needs CIRMP compliance in Australia?

Baseline CIRMP obligations apply to responsible entities across prescribed critical infrastructure asset classes under the SOCI Act, spanning sectors such as energy, water, communications, transport, healthcare, financial services, food and grocery, data storage and processing, higher education, and defence industry.

The scope has expanded in recent years. Data storage systems are captured as critical infrastructure, and telecommunications security obligations migrated into the SOCI Act framework in April 2025. If your organisation was outside the net two years ago, do not assume you still are.

Important distinction: the new Enhanced CIRMP Rules do not apply to every CIRMP entity. They target nine designated high-risk asset classes (detailed below). All other asset classes continue under their existing baseline CIRMP obligations.

What are the Enhanced CIRMP Rules?

The Security of Critical Infrastructure Legislation Amendment (Enhanced Critical Infrastructure Risk Management Program) Rules 2026 (F2026L00701) are the most significant reshaping of CIRMP compliance since the original rules commenced in 2023.

The timeline moved fast by Australian standards. A consultation paper landed in December 2025, an exposure draft followed in March 2026, submissions closed on 1 May 2026, the Minister for Home Affairs and Cyber Security made the rules on 4 June 2026, and they were registered on 9 June 2026, commencing the day after. They are binding law now, and the grace-period clock started in June 2026.

Which asset classes do the Enhanced CIRMP Rules apply to?

The enhanced requirements apply to responsible entities for nine designated high-risk asset classes:

  • Critical electricity assets
  • Critical energy market operator assets
  • Critical gas assets
  • Critical liquid fuel assets
  • Critical water assets
  • Critical broadcasting assets
  • Critical domain name system assets
  • Critical freight infrastructure assets
  • Critical freight services assets

These sectors were designated high-risk because the broader economy and other critical infrastructure sectors depend on their continued availability. Entities in these classes must comply with both the baseline CIRMP requirements and the new enhanced requirements. Where the two conflict, the enhanced requirement prevails.

What do the Enhanced CIRMP Rules add?

The enhanced obligations span every hazard category in the CIRMP:

  • Foreign ownership, control or influence (FOCI) risk. Entities must manage FOCI risks across all aspects of the asset, including the supply chain.
  • Specified risk advice. Entities must respond to specific risk advices issued by the Department of Home Affairs from time to time.
  • Patching, legacy and emerging technology. Unsupported operating systems, end-of-life software and emerging technology risks (including AI) must be formally identified and risk-managed, not quietly tolerated.
  • Cyber framework maturity uplift. Entities must comply with a recognised cyber security framework at a defined maturity level. For energy entities, the natural fit is the AESCSF at Security Profile 2, the framework AEMO already maintains and the one named explicitly in the rules. Equivalent frameworks achieving an equivalent level of security are permitted.
  • Phishing-resistant MFA and credential protections. Measures targeting credential compromise.
  • Lateral movement controls. Limiting an attacker’s ability to move between systems, including between critical and non-critical environments.
  • Personnel security uplift. Expanded insider threat and personnel security measures beyond baseline background checks.
  • Supply chain resilience. Deeper obligations around critical vendor risk and dependencies, reflecting the pattern of recent Australian breaches originating through suppliers.

When do the Enhanced CIRMP Rules take effect?

The rules commenced in June 2026, and the obligations then bite in three stages:

  • Around December 2026 (6 months from commencement): the all-hazard obligations, including FOCI risk management.
  • Mid-2027 (12 months from commencement): additional material risks, the patching, legacy and emerging-technology measures, and the first personnel measures.
  • Mid-2028 (24 months from commencement): the cyber framework maturity obligation, phishing-resistant MFA, lateral movement controls, the remaining personnel measures, and supply chain measures. For energy entities, AESCSF Security Profile 2 maturity is required by 30 June 2028, with attestation due in the July to September 2028 period.

That timeline sounds generous. It is not. Most energy responsible entities sit at Security Profile 1 today, and the SP-1 to SP-2 jump is a multi-year uplift for many operators. Building FOCI risk mapping in six months, or uplifting OT patching regimes and vendor assurance across a critical infrastructure environment, routinely consumes every month you have.

What are the board and reporting obligations?

CIRMP compliance is a directors’ issue, not just a CISO issue. Three obligations make sure of that:

The annual report. The board or governing body of a responsible entity must approve an annual report on the CIRMP and submit it after the end of the financial year. Directors are attesting that the program is up to date and that identified risks are being managed. From 2028, entities under the enhanced rules will be attesting against the new, higher bar.

Incident reporting. Separately from the CIRMP itself, critical infrastructure entities must report cyber security incidents to the Australian Cyber Security Centre, in some cases within 12 hours for significant incidents. Add the 72-hour ransomware payment reporting obligation under the Cyber Security Act 2024, and one incident can trigger multiple reporting clocks simultaneously.

Penalties and accountability. Non-compliance carries civil penalties under the SOCI Act, multiplied for bodies corporate. Beyond the fines, inadequate cyber risk management is increasingly viewed through the lens of directors’ duties, an area ASIC has flagged as a 2026 enforcement focus, and the independent review that produced these reforms explicitly aimed to increase board and executive accountability for security outcomes.

How does the Essential Eight retirement affect CIRMP compliance?

Many CIRMPs satisfy their cyber hazard obligations by adopting the Essential Eight as their designated cyber security framework. In June 2026, the Australian Signals Directorate announced the Essential Eight will be retired within two years and replaced by a broader Essentials series, with the first chapter, Essentials for enterprise IT, in consultation through July 2026.

This is an evolution, not a rebuild. ASD has confirmed that organisations that have invested in Essential Eight implementation will not see their work made redundant, with the new series expected to align closely with existing controls. Both frameworks will run in parallel during the transition, with deprecation expected around mid-2027 and full retirement around mid-2028.

One important distinction: for Commonwealth government entities, the Essential Eight at Maturity Level Two remains the mandated baseline under the Protective Security Policy Framework (PSPF), and alternative frameworks must be mapped back to it. The framework flexibility discussed in this guide, including ISO 27001, the NIST Cybersecurity Framework and the AESCSF, applies to the recognised framework options under the CIRMP Rules for SOCI entities, which is a separate regime.

For CIRMP compliance, responsible entities should:

  • Confirm which framework their CIRMP formally designates
  • Track the Essentials series consultation and how existing Essential Eight maturity maps across
  • Continue building controls now rather than pausing for the new framework, since ASD has confirmed existing work carries forward

CIRMP compliance checklist: 7 steps to take now

  • Confirm your status. Verify whether your assets are captured under the SOCI Act, and specifically whether you fall within the nine high-risk asset classes subject to the Enhanced CIRMP Rules.
  • Start FOCI risk mapping immediately. The foreign ownership, control or influence obligations land first, around December 2026. Entities with FOCI exposure deep in their supply chain have mapping work to do before they can even assess the risk.
  • Run a gap assessment against the enhanced obligations. Map your current program against the patching, legacy technology, personnel, MFA, lateral movement and supply chain requirements while there is still runway.
  • Inventory legacy and end-of-life technology. You cannot risk-manage what you have not catalogued. OT environments are the usual blind spot.
  • Plan the framework maturity uplift now. If you are an energy entity at AESCSF SP-1, the jump to SP-2 by 30 June 2028 is the longest single thread of work in the entire program. Treating mid-2028 as far away is how operators end up doing two years of uplift in six months.
  • Pressure-test incident response. A documented plan is not readiness. Run exercises that simulate the 12-hour SOCI reporting clock and the 72-hour ransomware payment reporting obligation together.
  • Brief the board early. Directors approve the annual report. Give them visibility of the staged 2026 to 2028 roadmap now, not in the month the attestation is due.
  •  

How Madre Janus helps with CIRMP compliance

CIRMP compliance is a program, not a project. It demands continuous monitoring, tested incident response, hardened supply chains and evidence your board can stand behind.

Madre Janus works with critical infrastructure and enterprise organisations across Australia and the GCC to close exactly these gaps. As a Fortinet Engage Advocate MSSP, we deliver 24×7 managed detection and response, third-party risk monitoring, incident response readiness exercises, and framework-aligned security uplift that maps to your CIRMP obligations across every stage of the 2026 to 2028 timeline.

The Enhanced CIRMP Rules started the clock in June 2026. We help you get there before it runs out.

Talk to our team about a CIRMP gap assessment today.

Frequently asked questions about CIRMP compliance

What does CIRMP stand for?

CIRMP stands for Critical Infrastructure Risk Management Program, a mandatory risk management obligation under Australia’s Security of Critical Infrastructure Act 2018.

Are the Enhanced CIRMP Rules in force?

Yes. The Enhanced CIRMP Rules (F2026L00701) were made on 4 June 2026, registered on 9 June 2026, and commenced the day after registration. The grace periods are already running.

Who do the Enhanced CIRMP Rules apply to?

Nine designated high-risk asset classes: critical electricity, energy market operator, gas, liquid fuel, water, broadcasting, domain name system, freight infrastructure and freight services assets. Other CIRMP entities remain on baseline obligations.

When are the Enhanced CIRMP deadlines?

Staged at roughly 6, 12 and 24 months from commencement: all-hazard and FOCI obligations around December 2026, patching, legacy technology and initial personnel measures by mid-2027, and the cyber framework uplift, phishing-resistant MFA, lateral movement, remaining personnel and supply chain measures by mid-2028.

Is a CIRMP only about cyber security?

No. A CIRMP is an all-hazards program covering cyber and information security, personnel, supply chain, and physical and natural hazards.

Which cyber security frameworks satisfy CIRMP requirements?

Recognised frameworks include the Essential Eight Maturity Model, ISO 27001, the NIST Cybersecurity Framework and, for energy entities, the AESCSF. Under the enhanced rules, energy entities must reach AESCSF Security Profile 2 by 30 June 2028. With the Essential Eight set to be retired within two years, entities should monitor the ASD consultation on its replacement.

What happens if we do not comply?

Civil penalties apply under the SOCI Act, multiplied for bodies corporate, alongside growing directors’ duties exposure and regulatory scrutiny from ASIC and the Cyber and Infrastructure Security Centre.

Tags:

Australian cybersecurity complianceCIRMPCIRMP complianceCritical Infrastructure Risk Management ProgramCritical infrastructure securityEnhanced CIRMP RulesEssential EightSOCI Act
Previous Post

Leave a comment

Cancel reply

Enquire Now

Recent Posts

  • CIRMP Compliance in 2026: A Complete Guide for Australia
  • How the Tata Electronics data breach exposed Apple and Tesla
  • FIFA World Cup 2026 Cyber Threats: What Every Enterprise Needs to Know Right Now
  • Healthcare Cyber Resilience: Why it is now a Strategic Imperative in 2026
  • Why MSSPs Need a Security Growth Platform

Recent Post

  • crysa
    July 6, 2026
    CIRMP Compliance in 2026: A Complete Guide for Australia
  • crysa
    July 2, 2026
    How the Tata Electronics data breach exposed Apple and Tesla
  • crysa
    June 23, 2026
    FIFA World Cup 2026 Cyber Threats: What Every Enterprise Needs to Know Right Now

Categories

  • Blog
  • Phishing and Social Engineering
  • Uncategorized

Archives

  • July 2026
  • June 2026
  • May 2026
  • September 2025
Madre Janus

Madre Janus leverages industry expertise, certifications, and cutting-edge technology to safeguard your organization’s data, networks, and brand reputation.

Facebook Instagram Youtube Linkedin

Services

  • Network Security
  • Cloud Security
  • Endpoint Security
  • Threat Intelligence
  • Incident Response and Forensics

Contact Info

Qatar

Office No. 01, Mezzanine Floor, Building No. 222, Zone 45, Street No. 310, Old Airport Road, Doha, Qatar.

 

India – Thiruvananthapuram

The Atomic, near Technopark Phase 1, Technopark Campus, Kazhakkoottam, Thiruvananthapuram, Kerala 695582

 

India – Kochi

Madre Janus Tech Solutions Pvt. Ltd.
Office No: TA 303, Third Floor, Amenity Block
Lulu IT Twin Towers
Smart City, Kakkanad, Kochi 682042

 

Australia 

SE 4 1933 LOGAN RD
UPPER MOUNT GRAVATT QLD
4122

  • Reach Us: info@madre-janus.com

© 2026 All Rights Reserved Madre Janus | Website by FMI