SOCI, CPS 234, NIS2, DORA — critical infrastructure operators face overlapping cyber resilience requirements from multiple regulators. AuditDSS maps every obligation and shows where they converge.
1,498 CI obligations
4 Frameworks
320+ Regulatory frameworks
146,445+ Scored obligations
Critical infrastructure operators face a convergence of cyber resilience regulation unlike any other sector. In Australia, the Security of Critical Infrastructure Act (SOCI) imposes risk management programs, incident reporting, and government assistance orders. APRA's CPS 234 mandates information security capability commensurate with threats. The EU's NIS2 Directive applies to essential and important entities across 18 sectors. And DORA imposes digital operational resilience requirements on financial entities and their ICT service providers.
Each framework emerged from different regulators with different enforcement powers — but the underlying requirements share 60-70% common ground. A single incident response capability can satisfy SOCI mandatory reporting, CPS 234 security incident notification, NIS2 incident handling, and DORA ICT incident classification simultaneously. AuditDSS maps every cross-reference.
That's what AuditDSS does.
1,498 obligations across 4 frameworks, scored and ready. AuditDSS maps every obligation and shows where SOCI, CPS 234, NIS2, and DORA converge.
Updated March 2026 — new frameworks added regularly
SOCI: Security of Critical Infrastructure Act. Risk management programs, incident reporting within 12 hours, government assistance orders. Covers 11 critical infrastructure sectors.
CPS 234: APRA information security standard. Security capability commensurate with threats. Board notification of material incidents. Applies to all APRA-regulated entities.
NIS2: EU Network and Information Security Directive. Essential and important entities across 18 sectors. Supply chain security, incident reporting within 24 hours.
DORA: Digital Operational Resilience Act. ICT risk management, incident classification and reporting, digital operational resilience testing. Financial sector focus.
Determine your critical infrastructure classification under SOCI, NIS2, and DORA. Identify which sector-specific obligations apply.
See how a single cyber resilience control satisfies obligations across SOCI, CPS 234, NIS2, and DORA simultaneously. Identify unique requirements for each framework.
Generate risk management programs, incident response procedures, and resilience testing plans that satisfy all four frameworks. Every clause traced to specific regulatory text.
Pre-mapped evidence for SOCI compliance audits, APRA prudential reviews, NIS2 supervisory assessments, and DORA resilience testing requirements.
Incident detection logs, response playbooks, notification records, and post-incident reviews. AuditDSS maps your IR evidence to SOCI 12-hour reporting, CPS 234 board notification, NIS2 24-hour early warning, and DORA ICT incident classification simultaneously.
Risk registers, threat assessments, vulnerability management records, and risk treatment plans. Direct evidence for SOCI risk management programs, CPS 234 security capability, NIS2 risk management measures, and DORA ICT risk framework.
Penetration test results, scenario-based testing, business continuity exercises, and disaster recovery tests. Maps to SOCI exercise requirements, CPS 234 testing obligations, NIS2 resilience testing, and DORA TLPT (threat-led penetration testing).
Third-party risk assessments, vendor security questionnaires, ICT service provider contracts, and supply chain incident notifications. Evidence for SOCI supply chain obligations, NIS2 supply chain security, and DORA ICT third-party risk management.
You don't need four separate compliance programs. You need one platform that shows where SOCI, CPS 234, NIS2, and DORA converge — and where they diverge. 60-70% of requirements overlap. AuditDSS maps every cross-reference.
Most compliance platforms tell you what you must do to avoid penalties. AuditDSS also tells you what you gain by complying.
60-70% of requirements overlap. One control set, four frameworks satisfied.
Know your reporting obligations across all frameworks — 12 hours for SOCI, 24 hours for NIS2, 72 hours for DORA.
Pre-mapped evidence for SOCI audits, APRA reviews, NIS2 assessments, and DORA testing.
Obligation-level compliance scoring across all four frameworks for board risk committees.
SOCI directions carry significant penalties. NIS2 fines up to €10M or 2% of global turnover.
Genuine resilience improvement, not just checkbox compliance.
Energy, water, telecommunications, healthcare, financial services — if you're a SOCI-regulated entity, map your risk management program obligations and incident reporting requirements.
Banks, insurers, super funds — CPS 234 and SOCI both apply. See where they overlap and where CPS 234 has additional security capability requirements.
Map your existing security controls across all four frameworks. Identify the minimum control set that satisfies SOCI, CPS 234, NIS2, and DORA — no duplicate effort.
NIS2 and DORA apply to your EU operations. SOCI and CPS 234 apply domestically. AuditDSS shows the complete cross-jurisdictional picture.
Answer a few questions and discover every regulation that applies to your critical infrastructure operations.
Not just 'you need SOCI compliance' but 1,498 specific obligations across 4 frameworks, scored by risk.
See exactly where you're compliant and where you're exposed across all four frameworks.
Deterministic document generation for risk management programs, incident response plans, and resilience testing procedures. Every clause traced to specific regulatory text.
Company Mode for your own compliance. Advisor Mode for consultants managing multiple critical infrastructure clients.
Discover which frameworks apply to your business in minutes — or book a walkthrough to see AuditDSS in action.
Building critical infrastructure technology? AuditDSS provides the compliance intelligence layer for SIEM, OT security, incident management, and resilience testing platforms. Contact us about integration partnerships.