
Australia Shifts Cybersecurity Focus to Resilience Over Compliance

Government building in Canberra with a laptop on a surface in the foreground.

A$89.3 million over four years is heading into Canberra’s Horizon 2 Action Plan, which pairs 19 actions with 64 initiatives to push Australia’s cyber posture from checklist compliance toward operational resilience.

Horizon 2 Action Plan: scope, cost and targets

Canberra’s Horizon 2 Action Plan, released on 11 June, builds on earlier reforms such as the Cyber Security Act, the Executive Cyber Council, mandatory reporting frameworks and baseline obligations for critical‑infrastructure operators. The plan lists 19 actions and 64 initiatives, and allocates A$89.3 million over four years to extend government reach into small business, workforce capability, supply chains and the secure uptake of AI.

Horizon 2 explicitly treats the job of national uplift as phased: it advances what Horizon 1 established while shifting emphasis toward outcomes rather than minimum-compliance checklists.

Jill Slay’s SOCI review and the enhanced CIRMP rules

In March, the Department of Home Affairs accepted Jill Slay’s independent review of the Security of Critical Infrastructure (SOCI) Act. Home Affairs accepted all six recommendations in principle, and earlier this month enhanced Critical Infrastructure Risk Management Program (CIRMP) rules were made for specified high‑risk critical infrastructure asset classes.

Those enhanced CIRMP rules matter because they define resilience in operational terms: they require critical‑system inventories, supplier mapping and vendor assessment among other requirements. The Slay review concluded that the SOCI framework, while world‑leading, needed to adapt to deliver meaningful risk management — a finding the department has taken on board.

Legacy technology baseline and remediation

Both Horizon 2 and the CIRMP changes recognise legacy systems as a present durability risk. The enhanced CIRMP rules treat the failure to replace legacy systems, or adequately mitigate redundant or obsolete technology, as a material cyber and information security risk. Horizon 2 commits the government to establishing a legacy technology baseline for critical systems, and prioritising remediation.
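The operational requirements named in the two passages above (a critical-system inventory, supplier mapping, and a legacy technology baseline that prioritises remediation) can be made concrete in code. The following is an added example, not code from the article, Home Affairs or any Australian agency: the asset fields, the constructed sample inventory, the "as of" date, the one-year look-ahead and the 40% supplier-concentration threshold are all assumptions chosen for illustration.

```python
"""Added example (not from the article or any regulator): build a critical-system
inventory, a supplier map and a legacy-technology baseline of the kind the
enhanced CIRMP rules and Horizon 2 describe. All data and thresholds are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str              # "critical" or "supporting" (assumed scheme)
    vendor: str
    hosting: str                  # "onshore" or "offshore" (assumed scheme)
    support_ends: Optional[date]  # None = vendor publishes no end-of-support date


# Constructed sample inventory; names and dates are illustrative only.
INVENTORY = [
    Asset("scada-historian", "critical", "VendorA", "onshore", date(2022, 6, 30)),
    Asset("billing-core", "critical", "VendorB", "offshore", date(2027, 1, 1)),
    Asset("identity-provider", "critical", "VendorB", "offshore", date(2028, 3, 31)),
    Asset("ops-dashboard", "critical", "VendorB", "onshore", date(2026, 3, 31)),
    Asset("legacy-rtu-gateway", "critical", "VendorC", "onshore", None),
    Asset("staff-wiki", "supporting", "VendorD", "onshore", date(2023, 1, 1)),
]

AS_OF = date(2025, 7, 1)  # constructed reference date for the baseline


def legacy_baseline(inventory, as_of=AS_OF, horizon_days=365):
    """Return (asset, reason) pairs for critical assets that are already out of
    support, fall out of support within horizon_days, or have no published
    support date. Supporting systems are excluded so the list is a
    remediation priority order, not a full inventory dump."""
    findings = []
    for a in inventory:
        if a.criticality != "critical":
            continue
        if a.support_ends is None:
            findings.append((a.name, "no-support-date"))
        elif a.support_ends < as_of:
            findings.append((a.name, "end-of-support"))
        elif (a.support_ends - as_of).days <= horizon_days:
            findings.append((a.name, "end-of-support-within-horizon"))
    return findings


def supplier_map(inventory):
    """Map each vendor to the critical assets that depend on it (supplier mapping)."""
    mapping = {}
    for a in inventory:
        if a.criticality == "critical":
            mapping.setdefault(a.vendor, []).append(a.name)
    return mapping


def concentration_findings(inventory, max_share=0.4):
    """Flag vendors carrying more than max_share of critical assets, and list
    critical assets hosted offshore: the two exposures a board would have to
    certify under the recommendation discussed in the article."""
    critical = [a for a in inventory if a.criticality == "critical"]
    counts = Counter(a.vendor for a in critical)
    concentrated = sorted(v for v, n in counts.items() if n / len(critical) > max_share)
    offshore = sorted(a.name for a in critical if a.hosting == "offshore")
    return {"concentrated_vendors": concentrated, "offshore_critical_assets": offshore}


if __name__ == "__main__":
    for asset, reason in legacy_baseline(INVENTORY):
        print(f"{asset:22s} {reason}")
    print(supplier_map(INVENTORY))
    print(concentration_findings(INVENTORY))
```

The point of keeping the reason string alongside each flagged asset is that "replace" and "adequately mitigate" are different remediation paths: an asset with no published support date needs a vendor conversation before it can even be scheduled, while one already past end-of-support needs compensating controls now. The concentration check is deliberately computed over critical assets only, so a single vendor that also supplies many low-impact tools does not mask or inflate the exposure a board is asked to certify.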

ASPI has signalled related concerns: its 2025 report In Whose Tech We Trust documented the need to move from vendor‑by‑vendor assessments to system‑level evaluations of foreign ownership, control and influence across technology ecosystems. Forthcoming ASPI analysis on legacy technology debt will deepen that picture by examining how accumulated end‑of‑life systems create compounding exposure.

Shared responsibility, suppliers and board accountability

Horizon 2’s most consequential design choice is implicit: it bets on shared responsibility as the primary mechanism for economy‑wide uplift. But shared responsibility works only when roles, expectations and consequences are clearly allocated. The Slay review warned that when penalties are viewed as a cost of doing business, regulation cannot drive persistent security uplift.

To strengthen the governance that links a strategy and a critical‑infrastructure framework, the source recommends three specific steps that would make the architecture more durable:

  • extend resilience obligations explicitly to critical suppliers such as cloud providers, managed service vendors and AI platforms;
  • require boards of critical‑infrastructure entities to certify exposure to concentrated suppliers, offshore dependencies and legacy technology environments, as a director‑level accountability mechanism;
  • specify what “outcome‑driven” means in practice by setting measurable standards, independent audit mechanisms and consequences that allow regulators and boards to distinguish genuine security uplift from documented compliance.

What this means for technologists, policymakers, and critical‑infrastructure boards

  • Technologists and security teams: expect operational requirements — inventories, supplier mapping and vendor assessment — to move from guidance into enforceable rules for specified high‑risk assets, and to be measured against a legacy technology baseline.
  • Policymakers and regulators: will need to translate Horizon 2’s commitments and the Slay review’s recommendations into defined standards, audit regimes and consequences so “outcome‑driven” supervision can be enforced.
  • Critical‑infrastructure boards and executives: face increasing director‑level accountability pressure to certify exposure to concentrated suppliers, offshore dependencies and legacy environments, rather than treating those exposures as paperwork exercises.

Canberra has shifted the frame: cyber resilience is being treated as a system property, not merely the sum of individual operators’ checklists. The combined thrust of Horizon 2 and the SOCI reforms pivots Australia toward shared responsibility across operators, suppliers and government — but the reforms leave open the decisive questions of governance. Will resilience obligations be extended explicitly to critical suppliers? Will “outcome‑driven” regulation be made measurable and auditable? The answers will determine whether these initiatives become durable change or another regulatory cycle that threat actors will again outpace.

Read the original analysis