rulesmate.com.au — Compliance reference
https://rulesmate.com.au/insights/cyber-security-act-2024-smart-device-standards
Printed 13 June 2026
The Cyber Security Act 2024: mandatory security standards for smart devices
A compliance guide to the Cyber Security Act 2024 and the mandatory security standards for smart devices in Australia: who they apply to, the three core requirements and what suppliers must do.
Australia now has mandatory minimum cyber security standards for consumer "smart" (Internet of Things) devices. They flow from Part 2 of the Cyber Security Act 2024, which received Royal Assent on 29 November 2024, and are given effect by the Cyber Security (Security Standards for Smart Devices) Rules 2025. The standards commenced on 4 March 2026 and apply to relevant connectable products supplied to the Australian market, including by overseas manufacturers.
In short: if you manufacture, import or supply consumer smart devices in Australia, those devices must meet a baseline security standard and ship with a statement of compliance. The regime is administered by the Department of Home Affairs, and the headline obligations align with the international consumer-IoT baseline, ETSI EN 303 645.
What the smart device standards require
The standards set a floor, not a ceiling. They target the most common, low-effort security failures in cheap connected devices rather than imposing a full security-engineering regime. Three obligations form the core of the rules:
- no universal default passwords;
- a published means for reporting security vulnerabilities; and
- a published defined support period during which security updates will be provided.
Manufacturers must also provide a statement of compliance with each affected product. The three obligations mirror the first three (and most impactful) provisions of ETSI EN 303 645, which is also the basis for the UK's PSTI regime and informs the EU Cyber Resilience Act. For broader context on how this fits Australia's cyber framework, see the cyber security topic hub.
Which devices and businesses are in scope
The rules apply to consumer-grade smart devices — internet- or network-connectable products marketed to, and used by, ordinary consumers. Typical examples named by Home Affairs include:
- home security cameras and smart doorbells;
- baby monitors;
- smartphone-controlled appliances and smart-home hubs;
- connected speakers, wearables and similar consumer gadgets.
Critically, the obligations are tied to supply into the Australian market, so they have extraterritorial reach. An overseas manufacturer whose product is sold here is captured just as an Australian one would be. The duties fall on the parties in the supply chain — manufacturers and, in some cases, importers and suppliers — rather than on end users.
Some categories sit outside the consumer regime. Enterprise, industrial and medical devices, vehicles and certain regulated product classes are generally addressed by other frameworks. If your product is borderline (for example, a device sold to both businesses and households), assess it on its marketing and intended use, and verify the precise carve-outs in the current Rules before relying on an exemption.
The three mandatory security requirements
No universal default passwords. Devices must not ship with a single shared default password across a product line (the classic "admin/admin" failure that lets attackers compromise devices en masse). Passwords must be unique per device or require the user to set one on first use.
A vulnerability disclosure mechanism. Manufacturers must publish a clear point of contact and process so security researchers and the public can report flaws — typically a security.txt file, a dedicated web page or a monitored mailbox. The point is that reports can actually reach the people who can fix them.
A defined support period. Manufacturers must publish, in an accessible way, the minimum length of time the device will receive security updates. This lets buyers make informed decisions and prevents "abandonware" devices remaining connected without patches.
These requirements are deliberately practical. Most can be met through product configuration, documentation and a published web page rather than third-party certification — though evidence of compliance still needs to exist.
Statements of compliance and timing
A central mechanism in the regime is the statement of compliance. Manufacturers of relevant products must prepare and provide a statement confirming the device meets the applicable security requirements, and this must accompany the product as required by the Rules.
| Item | Position |
|---|---|
| Act passed | 29 November 2024 |
| Standards commenced | 4 March 2026 |
| Core source standard | ETSI EN 303 645 |
| Administering body | Department of Home Affairs |
The Rules include transitional arrangements so that products already on the market are not immediately caught, with the obligations focused on devices manufactured or supplied from commencement onward. The exact length of any transition or grace period, and how it applies to existing stock, should be confirmed against the current Rules (verify the current detail with the Department of Home Affairs) rather than assumed.
Enforcement: compliance, stop and recall notices
The Secretary of the Department of Home Affairs has graduated enforcement powers. These include the ability to commission independent audits to verify compliance and to issue:
- compliance notices, requiring a supplier to fix non-compliance;
- stop notices, halting further supply of a non-compliant device; and
- recall notices, requiring removal of a non-compliant product from the market.
This escalation ladder — audit, then notice, then stop, then recall — gives the regulator scope to respond proportionately. Non-compliance can therefore have commercial consequences (lost market access, recalls) well beyond any direct penalty. Because amounts and notice mechanics can change, confirm the current penalty and enforcement settings with Home Affairs before quantifying exposure.
What manufacturers and suppliers should do now
A practical compliance pathway:
- Inventory your products. Identify which SKUs supplied in Australia are in-scope consumer connectable devices.
- Map to ETSI EN 303 645. Use the standard's baseline provisions as your control set; the three Australian requirements are the minimum, but aligning to the wider standard future-proofs against UK/EU regimes.
- Eliminate default passwords. Move to per-device credentials or forced first-use password setting.
- Publish a vulnerability disclosure policy. Stand up a monitored channel and document your triage process.
- Publish a defined support period. Commit to, and disclose, a minimum security-update window.
- Prepare statements of compliance and retain supporting evidence (test records, configuration documentation).
- Assign accountability internally — this is a board-level supply-chain and product-safety issue, not just an engineering one.
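The three core requirements described above (no universal default password, a reachable vulnerability-reporting contact, a published support period) and the corresponding steps in the pathway can be checked mechanically against a product's release artefacts before a statement of compliance is signed. The following is an added example written for this page; it is not code from Rules Mate, the Act or the Rules, and the record layouts (a provisioning manifest with a per-device factory credential, the published security.txt text, and the support end date as an ISO date string) are assumptions. The security.txt parsing follows the field format of RFC 9116, which requires a Contact and an Expires field.

```python
"""Pre-release checks against the three mandatory smart-device requirements.

Added example, not code from Rules Mate, the Act or the Rules. It checks a
product's release artefacts (a provisioning manifest, the published
security.txt and the published support period) against the three core
requirements. The record layouts below are assumptions for illustration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import date

# Credentials that count as universal defaults even if they happen to be
# unique in one batch (constructed list for illustration, not exhaustive).
KNOWN_SHARED_DEFAULTS = {"admin", "password", "12345678", "1234"}


@dataclass
class Device:
    serial: str
    default_password: str            # credential printed on the label / in firmware
    forces_change_on_first_use: bool  # firmware refuses service until a new password is set


@dataclass
class Assessment:
    findings: list[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def check_default_passwords(batch: list[Device], result: Assessment) -> None:
    """Requirement 1: no single credential shared across the product line.

    A device passes if its factory credential is unique within the batch and
    not a well-known default, or if the firmware forces the user to set a new
    password before the device becomes usable.
    """
    counts = Counter(d.default_password for d in batch)
    for d in batch:
        if d.forces_change_on_first_use:
            continue
        if counts[d.default_password] > 1:
            result.findings.append(f"{d.serial}: factory password shared with other units")
        elif d.default_password.lower() in KNOWN_SHARED_DEFAULTS:
            result.findings.append(f"{d.serial}: factory password is a well-known default")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Minimal RFC 9116 field parser: 'Field: value' lines, '#' comments ignored."""
    fields: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_disclosure_channel(security_txt: str, today: date, result: Assessment) -> None:
    """Requirement 2: a published, still-current way to report vulnerabilities."""
    fields = parse_security_txt(security_txt)
    if not fields.get("contact"):
        result.findings.append("security.txt: no Contact field")
    expires = fields.get("expires")
    if not expires:
        result.findings.append("security.txt: no Expires field")
        return
    try:
        # RFC 9116 uses an ISO 8601 timestamp; the date prefix is enough here.
        exp = date.fromisoformat(expires[0][:10])
    except ValueError:
        result.findings.append("security.txt: Expires is not an ISO 8601 date")
        return
    if exp < today:
        result.findings.append(f"security.txt: expired on {exp.isoformat()}")


def check_support_period(support_until: date | None, supply_date: date, result: Assessment) -> None:
    """Requirement 3: a published security-update end date that lies ahead of supply."""
    if support_until is None:
        result.findings.append("support period: not published")
    elif support_until <= supply_date:
        result.findings.append(f"support period: ends {support_until.isoformat()}, on or before supply")


def assess_product(batch: list[Device], security_txt: str,
                   support_until: str | None, supply_date: str) -> Assessment:
    """Runs all three checks; dates are ISO strings as they would appear in release docs."""
    result = Assessment()
    supply = date.fromisoformat(supply_date)
    check_default_passwords(batch, result)
    check_disclosure_channel(security_txt, supply, result)
    check_support_period(date.fromisoformat(support_until) if support_until else None, supply, result)
    return result


# --- constructed sample input (not real products or a real domain) ---
SAMPLE_BATCH = [
    Device("CAM-0001", "k7Qm-29Zp", False),  # unique per-device credential: passes
    Device("CAM-0002", "admin", True),        # shared, but first-use change is forced: passes
    Device("CAM-0003", "admin", False),       # universal default, no forced change: fails
    Device("CAM-0004", "password", False),    # unique in batch but a well-known default: fails
]
SAMPLE_SECURITY_TXT = """\
# constructed sample of https://example.invalid/.well-known/security.txt
Contact: mailto:security@example.invalid
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
"""


def assess_sample() -> Assessment:
    """Assesses the constructed batch as if supplied on the commencement date."""
    return assess_product(SAMPLE_BATCH, SAMPLE_SECURITY_TXT, "2029-03-04", "2026-03-04")


if __name__ == "__main__":
    r = assess_sample()
    print("COMPLIANT" if r.compliant else "NON-COMPLIANT")
    for f in r.findings:
        print(" -", f)
```

Run stand-alone, the sample batch is reported as non-compliant with two findings (CAM-0003 and CAM-0004), while the disclosure channel and support period pass. The findings list is the kind of evidence record worth retaining alongside the statement of compliance, since an audit can test the underlying device rather than the paperwork.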
Organisations already maturing their broader security posture can use the Essential Eight assessment as a complementary internal control baseline, and entities in regulated sectors should align this work with their obligations under SOCI cyber incident reporting where relevant.
Common pitfalls
- Assuming overseas manufacture is a shield. It is not — supply into Australia triggers the obligations.
- Treating it as a paperwork exercise. A statement of compliance must be substantiated; an audit can test the underlying device.
- Forgetting the support period must be honoured. Publishing a window then failing to ship updates is itself a problem.
- Letting the vulnerability mailbox go unmonitored. A published contact that nobody reads defeats the requirement.
- Over-reading exemptions. Borderline consumer/enterprise products are easy to misclassify; check the current Rules.
- Ignoring inventory churn. New SKUs, firmware variants and rebadged products each need their own assessment.
The smart-device standards are a relatively light-touch first step, but they are mandatory and enforceable. Building the three core controls into product design and documentation now is far cheaper than responding to a stop or recall notice later.
Frequently asked
When did the smart device security standards start?
The mandatory standards under the Cyber Security (Security Standards for Smart Devices) Rules 2025 commenced on 4 March 2026. The Cyber Security Act 2024 itself received Royal Assent on 29 November 2024.
What are the three main requirements for smart devices?
Relevant consumer devices must not use universal default passwords, must publish a mechanism for reporting security vulnerabilities, and must publish a defined period during which security updates will be provided. Manufacturers must also supply a statement of compliance with each product.
Do the rules apply to overseas manufacturers?
Yes. The obligations attach to consumer smart devices supplied into the Australian market, so they have extraterritorial reach and capture overseas manufacturers and suppliers whose products are sold in Australia, not only Australian businesses.
What standard underpins Australia's requirements?
The requirements align with ETSI EN 303 645, the international baseline for consumer IoT security. The same standard informs the UK PSTI regime and the EU Cyber Resilience Act, so aligning to it helps with multiple markets.
How are the standards enforced?
The Department of Home Affairs administers the regime. The Secretary can commission independent audits and issue compliance notices, stop notices and recall notices for non-compliant devices. Confirm current penalty settings directly with Home Affairs.
© Rules Mate · Source citations at the end · Information current as at 30 May 2026