SOCI Obligations for Data Centre Operators and Their Suppliers
Summary
Data storage and processing is a critical infrastructure sector under the SOCI Act, and the regulatory perimeter reaches further than most operators, hosts and suppliers assume. Whether you are inside it is a legal question worth answering before a regulator or a counterparty answers it for you.
Key Takeaways
- Under the Security of Critical Infrastructure Act 2018 (Cth), data storage and processing is a critical infrastructure sector in its own right.
- Obligations can include risk management programs and cyber incident reporting, and they are operational commitments, not paperwork.
- The perimeter can touch hosting and supply chain arrangements, not just facility owners, so suppliers and hosts can be inside the regime without realising it.
- SOCI exposure is increasingly allocated through contracts, and the party who has not analysed their position tends to absorb obligations drafted by the party who has.
- Foreign investment in data centres attracts FIRB scrutiny alongside SOCI, and structuring for both belongs at term sheet stage.

Most data centre conversations about the Security of Critical Infrastructure Act 2018 (Cth) start and end with the facility owner. That is the mistake. Data storage and processing is a critical infrastructure sector under the Act, and the regulatory perimeter can touch hosting and supply chain arrangements, not just the entity whose name is on the title. If your business operates, hosts within, supplies into or invests in Australian data centre infrastructure, the question is not whether SOCI is relevant to your sector. It is whether it is relevant to you, and a surprising number of businesses have never had that question answered properly.
In Brief
- Data storage and processing is a critical infrastructure sector under the SOCI Act, which puts data centres squarely inside Australia's critical infrastructure regime.
- Obligations under the regime can include risk management programs and cyber incident reporting, and both are operational disciplines rather than documents.
- The perimeter can capture hosting and supply chain arrangements, so suppliers, hosts and service providers can carry exposure they have never assessed.
- SOCI positions are increasingly set by contract, and the first draft always favours the party who wrote it.
- For investors, SOCI interacts with FIRB scrutiny, and structuring for both belongs at term sheet stage, not at closing.
Why Data Centres Sit Inside the Regime
The SOCI Act organises Australia's critical infrastructure protections by sector, and data storage and processing is one of those sectors. That single classification carries a lot of weight. It means the Commonwealth treats the availability, integrity and security of data infrastructure as a national concern, and it means the businesses connected to that infrastructure can find themselves owing obligations to a security regulator rather than merely to their customers.
For operators this is reasonably well known, even if the detail is not. What is far less well understood is how the regime's reach extends beyond the facility itself.
The Perimeter Problem
The perimeter of the SOCI regime does not stop at the freehold boundary. It can touch hosting and supply chain arrangements, which means the analysis has to cover the commercial ecosystem around a facility, not just its owner. A business that hosts infrastructure or workloads, a supplier embedded in an operator's delivery chain, a service provider whose access or role makes it material to the asset: each of these can sit closer to the regime than their own risk registers suggest.
The pattern we see is consistent. The facility owner has considered SOCI, at least at a high level. The counterparties mostly have not. They discover their position when an operator's contract lands on their desk with critical infrastructure clauses in it, or when an incident forces everyone to work out, under time pressure, who owed what to whom. Neither is a good moment for first contact with the Act.
What the Obligations Can Involve
Obligations under the regime can include risk management programs and cyber incident reporting. Neither is a compliance document you commission once and file. A risk management program is an operating discipline that has to reflect how the asset actually runs and survive scrutiny when tested. Incident reporting is a capability that has to work under the worst conditions your organisation will ever face, against a clock, with incomplete information.
Which obligations attach, to whom and from when are questions of legal analysis on your specific arrangements. The stakes of getting that analysis wrong run in both directions. Assume you are outside the regime when you are not and you are exposed to a security regulator. Assume you are inside it when you are not and you carry cost and contractual burden you never owed. Both errors are common and both are avoidable.
SOCI Arrives Through Contracts
Whatever the Act requires directly, the commercial reality is that SOCI exposure now flows through contracts. Operators push obligations toward hosts and suppliers. Suppliers push back or fail to. Customers of the facility want their own assurances layered on top. In every one of those negotiations the party who has analysed their statutory position negotiates from knowledge, and the party who has not absorbs whatever the first draft allocates to them.
If you are signing hosting agreements, supply contracts or services arrangements connected to data centre infrastructure, the SOCI clauses deserve the same scrutiny as the payment terms. They are quietly becoming some of the most consequential drafting in the document.
Investors: SOCI Meets FIRB
For investors there is a second layer. Foreign investment in data centres attracts FIRB scrutiny, and the interaction between foreign investment conditions and critical infrastructure obligations is a structuring question, not a diligence footnote. Structuring belongs at term sheet stage. Discovering at closing that the ownership structure collides with either regime is the expensive version of this lesson, and it is a lesson the market keeps paying to relearn.
Frequently Asked Questions
We do not own a data centre. Can SOCI still touch us?
Yes. The perimeter can reach hosting and supply chain arrangements, not just facility owners. Whether it reaches yours depends on your specific role and arrangements, which is exactly the analysis worth commissioning.
What obligations could apply to us?
Obligations under the regime can include risk management programs and cyber incident reporting. Which apply, and from when, turns on your position under the Act and cannot be responsibly answered by analogy to another business.
Our counterparty's contract includes critical infrastructure clauses. Should we just sign?
Not before understanding your own statutory position. Contracts are where SOCI exposure gets allocated, and the first draft reflects the other side's analysis of their risk, not yours.
We are raising foreign capital for a data centre asset. When does this analysis happen?
At term sheet stage. Foreign investment in data centres attracts FIRB scrutiny, and structuring for FIRB and SOCI together is a deal execution issue, not a closing formality.
Need your position under the SOCI regime established before a regulator or a counterparty establishes it for you? Contact Astris Law or call (07) 3519 5616, and visit our data centre approvals page for the full fixed fee program.