The compliance era is over. Australia’s cybersecurity depends on resilience, not just rules


Canberra’s Horizon 2 Action Plan, released on 11 June, and the Department of Home Affairs’ March acceptance of Jill Slay’s independent review of the Security of Critical Infrastructure (SOCI) Act are both serious attempts to move Australia from an architecture of compliance to an architecture of resilience.

That shift is necessary. When Medibank was breached in 2022, the lesson was not that compliance had failed; it was that compliance had not been designed to succeed. A framework built around checklists and minimum standards alone offered no meaningful defence against cyber threat actors moving faster than regulatory cycles could follow.

The action plans outline the implementation of the Australian Cyber Security Strategy, focusing on specific phases, known as ‘horizons.’ Horizon 2 builds on what Horizon 1 established: the Cyber Security Act, the Executive Cyber Council, mandatory reporting frameworks and baseline obligations for critical-infrastructure operators. With 19 actions, 64 initiatives and a A$89.3 million investment over four years, Horizon 2 extends that reach to small business, workforce capability, supply chains and the secure uptake of AI.

This is reinforced by the independent Slay review. It found that the SOCI framework, while world-leading, needed to adapt to deliver meaningful risk management. Home Affairs accepted all six recommendations in principle and, earlier this month, enhanced Critical Infrastructure Risk Management Program (CIRMP) rules were made for specified high-risk critical infrastructure asset classes. Further changes to ministerial directions powers remain part of the broader reform agenda. The enhanced CIRMP rules matter because they define resilience in operational terms. They call for critical-system inventories, supplier mapping and vendor assessment, among other requirements.

The central insight shared by Horizon 2 and the SOCI reforms – that critical infrastructure resilience is no longer simply a property of individual critical infrastructure operators – deserves more weight than public debate has given it. Australia’s critical systems are embedded in webs of cloud providers, managed service platforms, software vendors, AI systems and operational technology environments. Because those dependencies are shared across sectors, exposure is cumulative and cascading. A single operator’s risk management plan cannot account for it. Resilience, in this environment, is a property of systems.

ASPI’s 2025 report In Whose Tech We Trust documented the need to shift away from vendor-by-vendor risk assessments towards system-level evaluations of foreign ownership, control and influence across the entire technology ecosystem. The question is how to operationalise trust as a persistent, enforceable standard. This is precisely what Horizon 2 and the SOCI reforms can enable.

Forthcoming ASPI analysis on legacy technology debt will deepen that picture, examining how accumulated end-of-life systems create compounding exposure that no compliance cycle, however well designed, can fully capture without continuous technological modernisation underpinning it.

Legacy systems are a resilience problem. The enhanced CIRMP rules treat the failure to replace legacy systems, or adequately mitigate redundant or obsolete technology, as a material cyber and information security risk. Meanwhile, Horizon 2 commits the government to establishing a legacy technology baseline for critical systems, and prioritising remediation.

Horizon 2’s most consequential design choice is implicit – it bets on shared responsibility as the primary mechanism for economy-wide uplift. But shared responsibility works only when roles, expectations and consequences are clearly allocated. The Slay review also identified this challenge – when penalties are viewed as a cost of doing business, the regulatory regime cannot drive genuine and persistent security uplift.

We can see where government thinking is heading. In a 10 June speech, Andrew Leigh, Assistant Minister for Productivity, Competition, Charities and Treasury, called for the tech sector to extend pro bono capability to charities and not-for-profits. Canberra is moving towards a model in which industry’s surplus capacity becomes a structural input to community resilience. The cyber exposure of organisations that hold significant personal data but lack the resources to protect it is not a charity problem but rather a supply-chain problem. Disruption cascades; it does not observe sector boundaries.

Read together, Horizon 2 and the SOCI reforms show that Australia’s response is adapting and maturing to match the threat environment. The government is designing a cyber strategy that expands reach, alongside a critical infrastructure framework restructured for accountability and agility. The next challenge is to focus on the connective tissue – the governance architecture that links them.

Three things would make that architecture more durable. First, Australia should extend resilience obligations explicitly to critical suppliers – such as cloud providers, managed service vendors and AI platforms – not just operators. Second, boards of critical-infrastructure entities should be required to certify exposure to concentrated suppliers, offshore dependencies and legacy technology environments as a director-level accountability mechanism, not a documentation exercise. Third, the government should specify what ‘outcome-driven’ means in practice: measurable standards, independent audit mechanisms and consequences that allow regulators and boards alike to distinguish genuine security uplift from documented compliance.

As technology evolves, threat actors move with it, exploiting each new layer of interdependency before regulation can follow. As a response, persistent adaptation is the only viable posture. Static compliance served Australia when the threat was simpler and the tech ecosystem less interconnected. But maximising the effects of Horizon 2 and SOCI reforms requires a sharper theory of how resilience is produced. This needs to be shared across governments, operators, suppliers and the broader digital economy.
