Australia's Smart Device Security Standards: In Force Now
Australia's first mandatory cyber security standard for consumer smart devices is no longer a future deadline — it commenced on 4 March 2026. Under Part 2 of the Cyber Security Act 2024, manufacturers and suppliers of internet-connectable products sold to Australian consumers must now meet three minimum security requirements and supply a statement of compliance. The 12-month transition is over, the enforcement powers are live, and any non-compliant product reaching the market is already exposed.
For years, the smart devices filling Australian homes — cameras, doorbells, baby monitors, smart speakers, connected appliances, fitness trackers — shipped with whatever security their makers chose to build in. Often that meant shared default passwords, no way to report a vulnerability, and no commitment to security updates. That era has formally ended.
The Cyber Security Act 2024 is Australia's first standalone cyber security law. Its Part 2 creates a regime of mandatory security standards for smart devices, and the detail lives in the Cyber Security (Security Standards for Smart Devices) Rules 2025. After a 12-month transition period, those Rules commenced on 4 March 2026. The standard now applies to "relevant connectable products" that are manufactured, or supplied new, on or after that date and that are acquired by consumers in Australia.
If you manufacture, import, or supply connectable consumer devices into the Australian market, this is an active legal obligation today — not a horizon-scanning exercise. Below is what the standard requires, who it captures, and why the businesses still catching up need to move immediately.
The deadline has already passed. The standard took effect on 4 March 2026. Unlike a regime in consultation, there is no remaining lead time to "get ready." Products manufactured or supplied new from that date must already comply, and the Department of Home Affairs can issue compliance, stop and recall notices now. For any non-compliant product, the question is no longer if you need to act, but how fast.
The Timeline
- 29 November 2024: Cyber Security Act 2024 receives Royal Assent. Australia's first standalone cyber security law becomes law, with Part 2 establishing the framework for mandatory smart device security standards.
- 2025: Rules made; 12-month transition period. The Cyber Security (Security Standards for Smart Devices) Rules 2025 set out the three security standards, with a 12-month transition window for industry to prepare.
- 4 March 2026: Standard commences — now in force. The Rules take effect. Relevant connectable products manufactured, or supplied new, on or after this date must comply and be supplied with a statement of compliance.
- From 4 March 2026 onward: Active enforcement. The Technology Assessment and Regulation Office, on behalf of the Secretary of the Department of Home Affairs, can issue compliance notices, stop notices and recall notices for non-compliant products.
Key facts at a glance:
- In force from 4 March 2026: the commencement date after the 12-month transition period.
- 3 mandatory requirements: passwords, vulnerability reporting, and update transparency.
- 5-year records retention: suppliers must keep each statement of compliance for at least five years.
- Global, extraterritorial reach: applies to overseas makers and suppliers selling into Australia.
Who Is in Scope
The regime applies to relevant connectable products (RCPs) — products that can connect directly or indirectly to the internet, or connect to such a device over a network, and that are intended for personal, domestic or household use. In practice this captures the vast bulk of consumer Internet-of-Things devices.
Both manufacturers and suppliers carry obligations, with the roles defined in line with Australian Consumer Law:
- Manufacturers must build relevant connectable products to meet the applicable security standard where they could reasonably be expected to be aware the product will be acquired in Australia.
- Suppliers must supply the product with a statement of compliance and retain a copy of that statement for at least five years.
Two features make the reach wider than many businesses assume. First, the regime is extraterritorial: it applies to overseas manufacturers and suppliers whose products reach Australian consumers, not just to Australian-based businesses. An importer or online marketplace shipping a connected gadget into Australia is squarely within scope. Second, "indirectly" connectable devices are captured too — a sensor that talks to a hub which talks to the internet is still an RCP.
Not everything is caught. Section 8 of the Rules sets out a defined list of exempt products. Reported exemptions include categories such as desktop and laptop computers and tablets, along with certain other product types (for example, therapeutic goods and road vehicles, which are regulated under their own regimes). Before assuming a product is in or out of scope, check the exempt list in section 8 of the Rules against your specific device.
The Three Mandatory Requirements
The standard is deliberately not a sprawling control catalogue. It adopts the first three provisions of the international standard ETSI EN 303 645 — the same "top three" baseline that the United Kingdom's Product Security and Telecommunications Infrastructure regime is built on. The requirements are concrete and testable.
| Requirement | What it means in practice | Why it matters |
|---|---|---|
| No default or universal passwords | Passwords must be unique per device or set by the user — no shipping fleets of devices with the same admin credentials | Default credentials are the single most exploited weakness in consumer IoT, fuelling large botnets |
| A means to report security issues | Publish a vulnerability disclosure contact and process, with information on the status of reported issues | Gives researchers a clear channel and ensures flaws get triaged rather than ignored |
| Transparency on the update period | Publish the defined minimum length of time the device will receive security updates, including an end date | Lets buyers make informed decisions about a device's security lifecycle before purchase |
1. No default or universal passwords
Devices can no longer ship with a shared factory password such as "admin/admin." Each device must either have a unique per-device password or require the user to set one on first use. This closes the door on the credential-stuffing and botnet attacks that have repeatedly turned cheap cameras and routers into weapons.
2. A published means to report security issues
Manufacturers must provide and publish a clear way for anyone — particularly security researchers — to report a vulnerability, together with information on how reported issues are handled and their status. In effect this mandates a basic vulnerability disclosure policy, so flaws reach the people who can fix them.
3. Transparency on the security update period
Manufacturers must publish how long the device will receive security updates, expressed as a defined minimum period with an end date. This does not force a particular support length, but it forces honesty: a buyer can see, before purchase, whether a device will be patched for years or abandoned in months.
The Statement of Compliance
Beyond meeting the three requirements, there is a documentation obligation that trips up businesses focused only on engineering. Under the Cyber Security Act 2024, a supplier must supply each relevant connectable product with a statement of compliance — a document confirming the product meets the applicable security standard. Suppliers must retain a copy of that statement for at least five years.
The Act does not prescribe a single rigid format for how the statement must "accompany" the product, which means each business has to decide how it will satisfy the obligation for its own product lines and supply arrangements — and be able to produce the records on request. Treating the statement of compliance as an afterthought is a common and avoidable gap.
Crucially, a statement of compliance is only as defensible as the work behind it. The statement asserts that a product meets the standard — but if a regulator asks you to substantiate that assertion, you need the underlying assessment to point to. A signed declaration with no documented assessment behind it is an assertion, not evidence.
Prove It: The Assessment Audit Trail and Due Diligence
This is the part businesses most often underestimate. Meeting the three requirements protects your product; being able to demonstrate that you assessed each product against the standard, found it compliant, and can show your working is what protects you. In a regulated regime, the burden falls on the manufacturer or supplier to evidence compliance — and "we believed it was fine" is not the same as "here is the documented assessment that shows it is."
A credible audit trail turns a claim of compliance into provable due diligence. For each relevant connectable product, it should capture:
- What was assessed and against what — the product (and version/firmware), mapped to each of the three requirements and the relevant ETSI EN 303 645 provisions.
- The evidence behind each finding — how unique/user-set passwords are enforced, where the vulnerability-reporting process is published, and the documented update-support period and end date.
- Who assessed it and when — a dated record with the responsible person or team, so the assessment is attributable and time-stamped.
- The link to the statement of compliance — the assessment that substantiates each statement, retained alongside it for the full five-year period.
- Re-assessment on change — a fresh record when firmware, components or the support commitment change, so the trail stays current rather than frozen at launch.
This audit trail does double duty. If the Department of Home Affairs investigates or issues a notice, a documented, dated, evidence-backed assessment is your demonstration of due diligence — the difference between a defensible position and an indefensible one. And well before any regulator is involved, Australian retailers and online marketplaces increasingly ask suppliers to show compliance before listing a product; a ready audit trail answers that request in minutes instead of scrambling to reconstruct it.
Compliance is the floor; provable compliance is the protection. Two businesses can ship the same compliant device — but if a question is ever raised, the one that can produce a dated, evidenced assessment trail has demonstrated due diligence, and the one relying on memory has not. Build the record as you assess, not after a notice arrives.
Enforcement: Compliance, Stop and Recall Notices
Division 3 of Part 2 of the Act sets out the enforcement regime, regulated by the Technology Assessment and Regulation Office within the Department of Home Affairs on behalf of the Secretary. Where a product does not comply, the available powers escalate:
- Compliance notices — directing a manufacturer or supplier to bring a product into compliance.
- Stop notices — requiring that supply of a non-compliant product cease.
- Recall notices — requiring a non-compliant product to be recalled from the market.
Non-compliance — including failing to comply with a notice — attracts civil penalties. For a consumer-hardware business, a stop or recall notice is more than a fine: it can halt sales, strand inventory, and do lasting reputational damage in a market that is now actively watching for compliance.
Why Businesses Need to Move Quickly
Because the standard is already in force, the usual "we have until the deadline" cushion is gone. Several factors make speed the right posture:
- Every shipment now counts. Products manufactured or supplied new from 4 March 2026 must already comply. Each non-compliant unit that reaches a consumer is a potential enforcement trigger, not a future risk.
- Engineering changes take lead time. Removing default passwords, standing up a vulnerability disclosure process, and defining and publishing an update-support period are not same-day fixes — especially across an existing product range and overseas supply chain.
- The audit trail can't be back-dated. A compliant device with no statement of compliance — or no documented, dated assessment behind it — leaves you unable to prove due diligence if challenged. Reconstructing an evidence trail after a notice arrives is far harder, and far less convincing, than building it as you assess.
- Retailers and marketplaces are de-risking. Australian sellers and platforms increasingly ask suppliers to evidence compliance before listing, so a gap can cost shelf space well before any regulator gets involved.
The practical path is straightforward: confirm which of your products are relevant connectable products (and which are exempt under section 8), assess each against the three requirements, close the gaps in passwords, vulnerability reporting and update transparency, and put a defensible statement-of-compliance process and record-keeping system in place. Above all, document the assessment as you go — a dated, evidence-backed audit trail for every product is what lets you prove due diligence on request, not just claim it. Done methodically, it is very achievable — but it rewards starting now rather than waiting for a notice to arrive.
Frequently Asked Questions
What is Australia's smart device security standard?
It is a set of mandatory minimum cyber security requirements for consumer-grade smart devices, introduced under Part 2 of the Cyber Security Act 2024 and set out in the Cyber Security (Security Standards for Smart Devices) Rules 2025. The Rules commenced on 4 March 2026 after a 12-month transition period and apply to relevant connectable products acquired by consumers in Australia. The requirements align with the international standard ETSI EN 303 645 and mirror the United Kingdom's PSTI regime.
When did the smart device standard take effect?
The Rules commenced on 4 March 2026. The standard applies to relevant connectable products manufactured, or supplied new, on or after that date. The 12-month transition period has ended, the regime is in force, and the Department of Home Affairs holds active enforcement powers.
What are the three mandatory requirements?
First, no default or universal passwords — passwords must be unique per device or set by the user. Second, a published means to report security issues, with information on the status of reported vulnerabilities. Third, transparency on the security update period — manufacturers must publish the defined minimum time the device will receive security updates, with an end date. These mirror the first three provisions of ETSI EN 303 645.
Who does the standard apply to?
Both manufacturers and suppliers of relevant connectable products that a manufacturer could reasonably expect to be acquired in Australia. A relevant connectable product can connect directly or indirectly to the internet, or to such a device over a network. The regime is extraterritorial, so it applies to overseas manufacturers and suppliers selling into the Australian market, not only Australian businesses. A defined list of products is exempt under section 8 of the Rules.
What is a statement of compliance?
Suppliers must supply each relevant connectable product with a statement of compliance confirming it meets the applicable security standard, and must retain a copy for at least five years. Where a product does not comply, the Secretary of the Department of Home Affairs can issue compliance notices, stop notices and recall notices, with civil penalties for non-compliance.
How do I prove due diligence under the smart device standard?
Keep a documented audit trail of your assessment for each product, not just the statement of compliance. For every relevant connectable product, record what was assessed against each requirement, the evidence supporting each finding (password handling, the published vulnerability-reporting process, and the defined update-support period), and who assessed it and when, retained alongside the statement of compliance for at least five years. If the Department of Home Affairs investigates or issues a notice, this dated, evidence-backed record is what demonstrates due diligence — a signed statement with no assessment behind it is an assertion, not proof.
Need to evidence connectable-product security?
CyberAssure helps organisations assess and document product cyber security against modern connectable-product regimes. If you are navigating Australia's smart device standard or the EU Cyber Resilience Act, talk to us about a structured, evidence-backed assessment.