From wrist to risk: a new security regime for smart devices

The final sitting day of the Australian Parliament in 2024 delivered a legislative marathon. Over 30 bills passed in a single day, with digital regulation taking centre stage – from social media age restrictions to the much-anticipated first tranche of privacy reforms. But the digital disruption began even earlier.

On 9 October 2024, the Cyber Security Legislative Package was introduced into the House of Representatives by the Minister for Home Affairs and Minister for Cyber Security, the Hon Tony Burke MP, following consultation that began in December 2023. The package was then reviewed by the Parliamentary Joint Committee on Intelligence and Security, with its findings delivered on 18 November 2024. By 29 November 2024, the package had passed both Houses and received Royal Assent.

At the centre of this reform effort is the Cyber Security Act 2024, a wide-reaching statute that introduces several new regimes, including:

  • Minimum cyber security standards for IoT devices
    Products must comply with mandatory cyber security standards (set out in rules) and be accompanied by a formal statement of compliance. Enforcement tools include compliance, stop, and recall notices.
  • Mandatory ransomware payment reporting
    Certain entities will be required to report ransomware payments or face civil penalties.
  • National cyber security coordinator
    A new coordination role within government, including a voluntary information-sharing regime for significant cyber incidents.
  • Cyber incident review board
    A statutory board empowered to review major cyber incidents and provide actionable recommendations to government and industry.

In recent months, the government has been busy finalising the rules that support the Act. On 4 March 2025, the first set of rules was registered, bringing these new frameworks into clearer focus.

This article focuses on one of the key parts of the new regime: the introduction of minimum cyber security standards for smart (IoT) devices.

The new smart device security regime

Part 2 of the Cyber Security Act 2024 (Cth) introduces a dedicated regime for security standards for smart devices sold in Australia.

In a nutshell:

  • All IoT and network-connectable products must meet minimum cyber security standards.
  • Manufacturers are required to issue a statement of compliance with each product.

Where a device does not comply, the government has the power to issue:

  • Compliance notices – to address non-compliance
  • Stop notices – to prevent continued supply
  • Recall notices – to remove products from the market

Importantly, the regime has extraterritorial reach – applying not just to Australian organisations, but also to overseas manufacturers and suppliers whose products are sold in the Australian market.

Commencement date

The regime will commence on 4 March 2026.

Products that are covered

The regime applies to relevant connectable products – both internet-connectable and network-connectable devices – that are manufactured or supplied on or after 4 March 2026.

In practical terms, this captures most smart devices that can connect directly or indirectly to the internet or other devices over a network.

What is a relevant connectable product?

Certain classes of products may be exempted by the regulator under the rules. These exemptions may apply to specific devices or product categories, depending on the criteria set out in the legislation.

Who is regulated and what are the obligations?

Both manufacturers and suppliers of relevant connectable products (RCPs) have obligations under the regime. These roles are defined in line with the Australian Consumer Law, and the obligations are set out in Division 2 of Part 2 of the Cyber Security Act 2024, primarily in sections 15 and 16.

Section 15 – compliance with security standards

Section 15 requires that RCPs must be manufactured in compliance with the applicable security standard if they are to be acquired in Australia in specified circumstances.

  • Manufacturers must ensure their products are built to meet the relevant security standards.
  • Suppliers must ensure the products they supply in Australia were manufactured in accordance with those same standards.

These obligations only apply where the manufacturer or supplier knows or could reasonably be expected to know that the product will be acquired in Australia.

The Act includes a narrow constitutional exception. The obligations under section 15 do not apply where:

  1. The entity is not a foreign corporation or an Australian trading/financial corporation, and
  2. The relevant security requirement does not relate to:
    • The product’s connection (direct or indirect) to the internet or other communications services
    • Its use of such services
    • Measures to protect against attacks via such services

In other words: unless you’re a very specific type of entity dealing in very specific products, you’re likely caught by the regime.

What are the mandatory security standards?

The Cyber Security (Security Standards for Smart Devices) Rules 2025 establish baseline cyber security requirements for consumer-grade smart devices sold in Australia. These standards apply to internet-connectable products and are designed to improve device security, protect consumers from cyber threats, and promote transparency from manufacturers.

Manufacturers must ensure that covered devices comply with three core areas of obligation:

Password requirements

Strong default credentials are essential to prevent unauthorised access. Under the rules:

  • Passwords must be unique per product or defined by the user.
  • Unique passwords must not be based on predictable patterns – such as incremental counters, publicly available info, or product IDs – unless encrypted or hashed in line with good industry practice.
  • Passwords must not be easily guessable, as defined by recognised industry standards.
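
The password rules above, as an added example that is not part of the article: a provisioning-time check in Python that generates per-unit defaults from a CSPRNG and audits a batch for duplicates and for the patterns the Rules treat as predictable (product identifiers, incremental counters, common defaults). The blocklist, serials, MAC addresses and model name are constructed, and the guessable-value list stands in for a recognised industry list.

```python
import re
import secrets
import string
from collections import Counter

# Constructed stand-in for a "recognised industry" list of easily guessable values
# (assumption: a real deployment would use a vetted common-password corpus).
COMMON_DEFAULTS = {"admin", "password", "12345678", "qwerty", "letmein", "default"}
ALPHABET = string.ascii_letters + string.digits

def generate_unique_default(length: int = 16) -> str:
    """Per-unit default from a CSPRNG, with no link to any product identifier."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def _norm(s: str) -> str:
    return re.sub(r"[^0-9a-z]", "", s.lower())

def is_predictable(password: str, product_ids: list[str]) -> bool:
    """True if the default is based on a pattern the Rules treat as predictable: a
    common value, a product identifier (serial, MAC, model) or its tail, or a counter."""
    p = _norm(password)
    if password.lower() in COMMON_DEFAULTS:
        return True
    for pid in map(_norm, product_ids):
        if len(pid) >= 4 and (pid in p or pid[-6:] in p):
            return True
    # Letters followed by a run of digits, e.g. "unit0004": an incremental counter.
    return re.fullmatch(r"[a-z]*\d{3,}", p) is not None

def audit_batch(records: list[dict]) -> list[str]:
    """Serials whose default fails the unique-per-product or predictability checks."""
    counts = Counter(r["default_password"] for r in records)
    return [
        r["serial"] for r in records
        if counts[r["default_password"]] > 1
        or is_predictable(r["default_password"], [r["serial"], r["mac"], r["model"]])
    ]

# Constructed provisioning batch (hypothetical serials, MACs and model name).
_MAC = "AA:BB:CC:DD:EE:0"
SAMPLE_BATCH = [
    {"serial": f"SN0001234{i}", "mac": _MAC + str(i), "model": "CAM-200", "default_password": pw}
    for i, pw in enumerate(["CAM200-12345", "admin", "Wifi-DDEE03", "unit0004",
                            "Xk7pQ2mN9vL4", "Xk7pQ2mN9vL4", "Vq8zT3hJ6nRb2Wk9"], start=1)
]
```

Running audit_batch(SAMPLE_BATCH) flags the first six units (model-derived, common value, MAC-derived, counter, and a duplicated default) and passes only the last one.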

Security issue reporting

Manufacturers must enable effective reporting of security vulnerabilities:

  • Provide public instructions on how to report security issues (hardware and software).
  • Offer at least one contact point, and details on how reports will be acknowledged and tracked.
  • Ensure all information is:
    • Clear, transparent and in plain English
    • Free to access, and
    • Available without requiring personal information

Support periods and security updates

Manufacturers are also required to maintain and communicate device support timelines:

  • Publish the defined support period for both hardware and software security updates.
  • Deliver security updates throughout the full support period.
  • Once published, the support period cannot be shortened – if extended, the new period must be published promptly.
  • Support information must be:
    • Clear, accessible, and in plain English
    • Free of charge and understandable to non-technical users
    • Prominently displayed on websites alongside key product features

Section 16 – obligation to provide and supply a statement of compliance

The second key obligation under the regime relates to the statement of compliance that must accompany relevant connectable products (RCPs) offered for sale in Australia.

Under section 16 of the Cyber Security Act 2024:

  • Manufacturers must prepare and provide a statement of compliance with the security standard applicable to the relevant class of products that will be acquired in Australia in specified circumstances.
  • Suppliers must ensure that any RCPs they supply in Australia are accompanied by this statement of compliance.

As with section 15, these obligations only apply where the manufacturer or supplier knows or could reasonably be expected to know that the product will be acquired in Australia.

Additionally, suppliers must retain a copy of the statement of compliance for at least five years.

What needs to be in the statement of compliance?

The statement of compliance plays a central role in the new regime. It serves as a formal declaration that a smart device meets the required security standards, and that the manufacturer has fulfilled its legal obligations.

To be valid, the statement must include the following:

  1. Product details – Product type and batch identifier.
  2. Manufacturer and representative details – Name and address of:
    • the manufacturer
    • an authorised representative
    • any other authorised representatives located in Australia (if applicable)
  3. Compliance declarations
    • Confirmation that the statement was prepared by or for the manufacturer.
    • Confirmation that, in the manufacturer’s opinion:
      • the product complies with the security standard, and
      • the manufacturer has met all relevant obligations under the standard.
  4. Support commitment – The defined support period for the product as at the date of the statement.
  5. Signatory details
    • Name, function, and signature of the authorised signatory.
    • Place and date of issue.

The enforcement regime

Division 3 of Part 2 of the Cyber Security Act 2024 establishes the enforcement mechanisms applicable to non-compliance with the smart device security regime. There are no civil penalties, and the regime is designed to be light-touch from an enforcement perspective. The framework provides the Secretary with escalating powers to issue regulatory notices where an entity fails to meet its obligations.

There are three primary types of notice – compliance, stop and recall – each serving a distinct enforcement function. A summary of the notice types and their key features is set out below.

Prior to issuing any of these notices, the Secretary must provide written notice of the intention to do so and allow the relevant entity at least 10 days to make submissions as to why the notice should not be issued.

In addition to the notice regime, the Act also empowers the Secretary to appoint an independent expert to assess whether a product and/or its associated statement of compliance meets the requirements of the regime. To facilitate this process, the Secretary may issue a written request to the relevant manufacturer or supplier, requiring the provision of:

  • the product in question (and the identity of the manufacturer, if known), and
  • the corresponding statement of compliance.

The notice must also set out relevant procedural information, including:

  • the period for response,
  • the expected duration of product retention,
  • the applicable security standards for testing,
  • a description of the testing or analysis to be conducted, and
  • the potential consequences for failing to comply with the request or the Act more broadly.

Manufacturers or suppliers who are required to provide products for examination are entitled to reasonable compensation. Once the product is received, the appointed expert may undertake a range of testing and analysis activities to assess compliance with the security standard and the accuracy of the statement of compliance.

Avenues of review

In addition to the opportunity to make submissions prior to the issuance of a notice, entities are also entitled to seek an internal review of any decision to issue or vary a compliance, stop, or recall notice under Part 2 of the Act.

An application for review must:

  • be made in writing to the Secretary,
  • be submitted within 30 days of the notice being given.

The internal review will be conducted by the Secretary, or by a delegate if the Secretary personally made the original decision. The reviewer is required to:

  • reconsider the decision within 30 days of receiving the application, and
  • either affirm, vary, or revoke the original decision.

Written reasons must be provided for the outcome of the review.

This process provides a critical check on the exercise of regulatory power and ensures that affected entities have a timely avenue for redress.

Practical tips to prepare

With the regime now finalised and taking effect from 4 March 2026, manufacturers and suppliers of smart devices have a valuable lead-in period to prepare. While the obligations are clear, the operational readiness required to meet them should not be underestimated.

Below are key steps organisations should take now to ensure compliance:

  1. Determine whether your products are in scope

Assess whether the products you manufacture or supply fall within the definition of a relevant connectable product (RCP). This includes both internet-connectable and network-connectable products, which are, essentially, any consumer-grade device that can communicate with other devices or networks.

Also consider whether your organisation is reasonably expected to know that the product will be acquired in Australia — this is the threshold that triggers the regime’s obligations.

  2. Review your current security posture

Examine the mandatory security standards set out in the Cyber Security (Security Standards for Smart Devices) Rules 2025 and compare them against your current product design, firmware policies, and support lifecycle.

You may already meet some requirements under international standards (e.g. ETSI EN 303 645 or ISO/IEC 27402), but the Australian regime introduces specific obligations – such as defined support periods and password handling – that may require changes.

  3. Prepare a compliant statement of compliance

Start developing a template statement of compliance that includes all required information under section 16 of the Act. Ensure your teams (or external suppliers) understand the evidentiary basis for the declarations being made.

It’s advisable to align legal, engineering, product, and risk functions to co-develop this statement and ensure defensibility in case of regulatory scrutiny.

  4. Establish internal processes for regulatory engagement

Entities should put in place clear procedures for:

    • Receiving and triaging contact from the Secretary
    • Responding to notices (including the 10-day pre-notice response window)
    • Coordinating the provision of products or compliance statements for examination
    • Retaining statements of compliance for the required five-year period

Clear lines of accountability – and a well-documented process – will reduce risk in the event of an inspection or inquiry.

  5. Additional practical tips
    • Inventory review: maintain a register of RCPs you manufacture or supply into Australia, including relevant product classes and batch identifiers.
    • Training: ensure relevant teams (e.g. legal, product, security, compliance) are briefed on the regime and their roles in meeting its requirements.
    • Customer communications: consider updating product documentation, websites, and sales platforms to transparently display support periods, as required under the Rules.
    • Contract updates: review supply chain and distribution agreements to ensure downstream suppliers are aware of compliance responsibilities – particularly in multi-party arrangements.

The regime reflects a significant uplift in the regulation of consumer tech in Australia. Organisations that take early, coordinated action will not only reduce legal risk, but also be well-positioned to differentiate on trust and security in an increasingly connected world.

Further information

For further information on the new security regime for smart devices or any privacy & data, AI and cyber matters, please contact James Patto.
