Global Product Confidence

Regulatory and Product Safety Updates

Stay informed with updates on global regulatory changes and product safety trends

Are your products ready for Australia’s new cyber security standards for connected products?

19/2/2026

 
Image source: https://www.homeaffairs.gov.au/cyber-security-subsite/files
The Australian Government has introduced mandatory security requirements under the Cyber Security Act 2024 and the Cyber Security (Security Standards for Smart Devices) Rules 2025. These standards ensure that internet connected devices are secure by design, protecting consumers from common cyber threats.

When do these changes come into effect?
The new standards apply to all in-scope products manufactured on and from 4 March 2026.

What products are covered?
The rules apply to "relevant connectable products." These are smart devices that connect to the internet either directly or indirectly (such as via a Bluetooth phone app). This includes products intended for personal, domestic, or household use, or those that could reasonably be expected to be acquired for such use.

What products are excluded?
Specific categories are exempt because they are managed under other regulations. These include:
  • Desktop computers, laptops, smartphones, and tablet computers.
  • Therapeutic goods as defined by the Therapeutic Goods Act 1989.
  • Road vehicles and road vehicle components under the Road Vehicle Standards Act 2018.
Note: Aftermarket vehicle systems, such as audio and navigation units, are not considered road vehicle components and must comply with these new standards.

What are the four key requirements?
  1. Provided passwords must be unique per product or defined by the user. This applies to the device hardware and any pre-installed software required for its intended use. This requirement ensures that a single leaked password cannot be used to compromise thousands of different devices. Note: this requirement only applies to products that use a password for the smart device’s hardware or pre-installed software and where software is required to be installed for the product’s intended usage.
  2. Manufacturers must publish a clear way for people to report security vulnerabilities. This reporting process must be available in English, free of charge, and accessible without requiring personal information from the reporter (email address only). Manufacturers must also provide status updates on the resolution of any reported issues.
  3. Manufacturers must be transparent about how long a device will receive security updates. This information must be clear and accessible to consumers before they buy the product. The security standards require the defined support period to be a period of time with an end date, rather than an end to a period of time. Examples of fixed end dates are "no earlier than 30 June 2027" or "ending on 30 June 2029".
  4. Every in-scope product must be accompanied by a formal Statement of Compliance (SoC). This document must be provided with the supply of the product and can also be published on the manufacturer's website. Both manufacturers and suppliers are required to retain a copy of this statement for five years. The Statement of Compliance must accompany the product. This can be achieved by including a physical copy in the box or by providing a prominent QR code or URL on the packaging or in the user manual that links directly to the digital statement.
 
What must be included in the Statement of Compliance?
At minimum, the statement must include:
  • The product type and batch identifier.
  • The name and address of the manufacturer.
  • The name and address of an authorised representative of the manufacturer, including any representatives located in Australia.
  • A declaration that the statement was prepared by or for the manufacturer.
  • A declaration that, in the manufacturer's opinion, the product complies with the security standards.
  • The defined support period for the product at the date the statement is issued.
  • The signature, name, and function of the signatory.
  • The place and date of issue.
An example statement of compliance template is available on the Department of Home Affairs website.
 
Disclaimer: This information is a general summary for informational purposes only. For definitive requirements, the official regulatory documents, including the Cyber Security Act 2024 and associated Rules, should always be referred to.

© 2025 Fiona van Petegem trading as Global Product Confidence and Regenerative Business Development. All rights reserved.