The Cyber Security Act 2024 has officially become law in Australia. As part of its implementation, the Australian Home Affairs Department has introduced the Security Standards for Smart Devices Rules 2025, setting mandatory cybersecurity requirements for consumer-grade smart devices.
Understanding Smart Device Security Standards
The Smart Device Security Rules will be enforced starting March 4, 2026, giving manufacturers and distributors one year to ensure compliance. These standards are designed to enhance cybersecurity and consumer protection by aligning with ETSI EN 303 645 and other international regulations.
Key Compliance Requirements
Manufacturers and distributors must adhere to strict security measures, including:
- Banning universal default passwords
- Implementing vulnerability reporting mechanisms
- Defining support periods for security updates
To sell consumer IoT products in Australia, businesses must provide a statement of compliance confirming adherence to these security standards. This document must include:
- Product type and batch identifier
- Manufacturer and representative details
- Declaration of compliance
- Support period information
- Place, date, and signature
Non-manufacturing suppliers can request this information from manufacturers to meet regulatory expectations.
Impact Assessment
Technical Standards? ✅ Yes
Type Approval & Market Access? ❌ No
Imports, Customs, Trade, or Market Surveillance? ❌ No
Spectrum Management? ✅ Yes
