Australia: Mandatory Cyber Rules for Smart Devices

Australia has introduced mandatory cybersecurity requirements for consumer-grade smart devices under the Cyber Security (Security Standards for Smart Devices) Rules 2025. The Rules were registered on March 4, 2025 and will take full effect on March 4, 2026, following a 12-month transition period.

The framework forms part of the government’s 2023–2030 Australian Cyber Security Strategy and establishes baseline security obligations for manufacturers and suppliers of connected consumer products acquired in Australia.

Scope of Application

The Rules apply to relevant connectable products that are intended for personal, domestic, or household use and that will be acquired by consumers in Australia. Manufacturers must comply where they are aware, or reasonably expected to be aware, that the product will be supplied into the Australian consumer market.

Excluded from scope are:

  • Desktop computers and laptops
  • Tablets and smartphones
  • Therapeutic goods
  • Road vehicles and road vehicle components

The full list of exemptions is outlined in Section 8 of the Rules.

Core Security Requirements

The mandatory security standard is detailed in Schedule 1 of the Rules and introduces three primary technical and transparency obligations for in-scope products.

1. No Universal Default Passwords

Manufacturers must ensure that passwords used in relation to hardware or relevant software are either unique per individual product or defined by the user.

Passwords must not:

  • Be based on incremental counters such as sequential numbering
  • Be derived from publicly available information
  • Be generated from serial numbers or identifiers unless protected using encryption or keyed hashing consistent with good industry practice
  • Be otherwise easily guessable

These requirements apply once the product is no longer in its factory default state and extend to pre-installed software and certain required installable software. 
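
The contrast between a serial-derived password and one protected by keyed hashing, as an added example that is not part of the Rules or of this article: a plain function of the serial number is compared with an HMAC-SHA256 derivation, and a small audit flags the prohibited patterns listed above. The key, serial numbers, and function names are constructed for illustration, and the audit heuristics are not a conformance test.

```python
import base64
import hashlib
import hmac

# Constructed placeholders: a real provisioning key is generated and held in an HSM.
FACTORY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SERIALS = ["SN-000101", "SN-000102", "SN-000103"]


def weak_password(serial):
    """Prohibited pattern: an unkeyed, guessable function of the serial number."""
    return "admin" + serial[-4:]


def keyed_password(serial, key=FACTORY_KEY, length=16):
    """Per-device password from HMAC-SHA256(key, serial), base32-encoded."""
    mac = hmac.new(key, serial.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac).decode().rstrip("=").lower()[:length]


def audit_batch(batch):
    """Return findings for a {serial: password} batch (heuristics, not a conformance test)."""
    findings = []
    pwds = list(batch.values())
    if len(set(pwds)) < len(pwds):
        findings.append("same password on more than one device")
    tails = [p[-4:] for p in pwds]
    if len(pwds) > 1 and all(t.isdigit() for t in tails):
        nums = [int(t) for t in tails]
        if all(b - a == 1 for a, b in zip(nums, nums[1:])):
            findings.append("passwords follow an incremental counter")
    for serial, pwd in batch.items():
        digits = "".join(c for c in serial if c.isdigit())
        if len(digits) >= 4 and digits[-4:] in pwd:
            findings.append(serial + ": password embeds serial digits")
    return findings


WEAK_BATCH = {s: weak_password(s) for s in SERIALS}
KEYED_BATCH = {s: keyed_password(s) for s in SERIALS}

if __name__ == "__main__":
    print(audit_batch(WEAK_BATCH))   # findings for the serial-derived scheme
    print(audit_batch(KEYED_BATCH))  # no findings for the keyed scheme
```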

2. Vulnerability Reporting Mechanism

Manufacturers are required to publish clear and accessible information explaining how security issues can be reported. This must include:

  • At least one point of contact for reporting vulnerabilities
  • Defined timelines for acknowledgement and status updates

The information must be available in English, free of charge, and accessible without requiring the submission of personal information. It must also be clearly presented and publicly available without prior request.

3. Defined Support Period for Security Updates

Manufacturers must publish a defined support period for security updates, including a specific end date. This applies to hardware and software capable of receiving security updates, including pre-installed and required software components.

Key regulatory conditions include:

  • The support period cannot be shortened once published
  • Any extension must be updated and published promptly
  • Information must be clear, accessible, and understandable to non-technical consumers
  • If the product is offered for sale on the manufacturer’s website, the support period must be displayed prominently alongside product characteristics

A security update is defined as a software update that protects or enhances product security, including updates addressing reported vulnerabilities.

Statement of Compliance Obligations

Under the Cyber Security Act 2024, suppliers must provide in-scope products accompanied by a statement of compliance. Division 3 of the Rules specifies the required content and retention period for these statements.

Each statement must include:

  • Product type and batch identifier
  • Manufacturer name and address, including Australian authorized representatives
  • A declaration of conformity with the security standard
  • The defined support period at the time of issuance
  • Signature and date of issue

Manufacturers or their representatives must prepare the statement, and both manufacturers and suppliers are required to retain the documentation for five years.

The legislation requires suppliers to ensure that products are supplied “with” or “accompanied by” the statement of compliance. While the Act does not prescribe the exact format or delivery method, entities are responsible for determining how they will meet this obligation in practice.

Enforcement and Implications for Manufacturers and Suppliers

The Rules also allow for publication of additional information in cases where a manufacturer fails to comply with a recall notice. Authorities may publish details of the recall and recommend actions consumers should take, such as product disposal or precautionary measures.

With the compliance date set for March 4, 2026, manufacturers supplying consumer smart devices into Australia should assess product design, password architecture, update lifecycle commitments, vulnerability disclosure processes, and compliance documentation workflows.

The Rules align Australia with emerging international best practices for consumer IoT security, placing clear accountability on manufacturers to implement secure-by-design principles and provide transparent lifecycle support information.

For this article’s source information and any product certification guidance, please contact Global Validity. 

Quick Country Facts

Australia

Certification Body: The Australian Communications and Media Authority (ACMA)

Certification Type: Mandatory

License Validity: Indefinite

Application Language: English

Legal License Holder: Local Representative

In-Country Testing Requirement: Testing Not Required

The regulatory information above is based on radio type approval certification. Access additional certification requirements in over 200 countries and territories with Global Validity’s free proprietary product certification management software, Access Manager.