As of 4 March 2026, Australia has officially implemented the Cyber Security (Security Standards for Smart Devices) Rules 2025, introducing mandatory cybersecurity requirements for consumer smart devices manufactured on or after this date.
The new regulation aims to improve the cybersecurity posture of Internet-connected consumer products and reduce vulnerabilities across the growing ecosystem of smart home and IoT devices.
For manufacturers, importers, and suppliers, this means that cybersecurity compliance is no longer optional—products entering the Australian market must now meet defined security obligations.
What Devices Are Covered?
The rules apply broadly to consumer connectable devices designed for personal or domestic use, including many common IoT and smart home technologies.
Examples of in-scope products include:
Smart Home & Security Devices
- Smart security cameras and video doorbells
- Smart locks and connected garage door openers
- Smart thermostats and heating controls
- Smart smoke alarms and detectors
- Smart light bulbs, switches, and smart plugs
Networking & Communication Devices
- Home Wi-Fi routers and mesh network hubs
- Wi-Fi extenders and boosters
- Smart speakers and voice assistants
Home Entertainment Devices
- Smart TVs and streaming media players
- Connected soundbars and audio systems
- Gaming consoles and VR headsets
Smart Household Appliances
- Smart refrigerators and ovens
- Connected washing machines and dishwashers
- Robot vacuum cleaners and smart mops
- Networked air purifiers and humidifiers
Wearables & Personal Devices
- Fitness trackers and activity monitors
- Smartwatches (that do not function as standalone smartphones)
- Connected wireless headsets
Children’s Connected Devices
- Wi-Fi or Bluetooth baby monitors
- Internet-connected toys with cameras or microphones
- Interactive educational tablets for children
These categories represent a significant portion of the consumer IoT market.
Devices Not Covered by the Rules
Certain product categories are explicitly excluded from these requirements, including:
- Smartphones
- Laptops and desktop computers
- Standard tablets
- Medical devices
- Vehicles
Although these products may still require cybersecurity considerations under other regulatory frameworks, they are not governed by this specific standard.
Core Cybersecurity Requirements
The new rules introduce three mandatory cybersecurity obligations for in-scope devices.
1. No Universal Default Passwords
Devices must not use common or shared default passwords.
Each device must either:
- Have a unique password per device, or
- Require the user to create their own password during setup
This measure helps reduce mass exploitation of IoT devices using factory credentials.
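A pre-shipment check for this requirement, as an added example that is not part of the original article or of the Rules themselves: it audits a factory provisioning manifest and flags devices whose password is shared with another unit, appears on a short list of common defaults, or is absent without a forced setup step. The manifest layout, field names, sample records and the `COMMON_DEFAULTS` list are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample manifest (not real device data). "password" is the
# factory-set credential, or None when first-boot setup forces the user
# to choose one. All field names are assumptions for this example.
MANIFEST = [
    {"serial": "CAM-0001", "password": "k7Qp-3mXz-91Lw", "setup_required": False},
    {"serial": "CAM-0002", "password": "admin", "setup_required": False},
    {"serial": "PLUG-0001", "password": "Sm4rtPlug!", "setup_required": False},
    {"serial": "PLUG-0002", "password": "Sm4rtPlug!", "setup_required": False},
    {"serial": "LOCK-0001", "password": None, "setup_required": True},
    {"serial": "LOCK-0002", "password": None, "setup_required": False},
]

# Small illustrative list; a real audit would use a larger corpus.
COMMON_DEFAULTS = {"admin", "password", "root", "1234", "12345678"}

def audit_manifest(records):
    """Return {serial: [issues]} for devices that fail the password rule."""
    counts = Counter(r["password"] for r in records if r["password"] is not None)
    findings = {}
    for r in records:
        pw, issues = r["password"], []
        if pw is None:
            # No factory credential is acceptable only if setup forces one.
            if not r["setup_required"]:
                issues.append("no factory password and no forced setup")
        else:
            if counts[pw] > 1:
                issues.append("password shared across devices")
            if pw.lower() in COMMON_DEFAULTS:
                issues.append("common default password")
        if issues:
            findings[r["serial"]] = issues
    return findings

if __name__ == "__main__":
    for serial, issues in audit_manifest(MANIFEST).items():
        print(serial, "->", "; ".join(issues))
```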
2. Public Vulnerability Reporting Process
Manufacturers must publish a clear vulnerability disclosure process, allowing security researchers and users to report cybersecurity issues.
Manufacturers must also:
- Accept vulnerability reports
- Provide updates on remediation status
3. Clear Security Support Period
Manufacturers must disclose how long security updates will be provided, including a clear end date.
This ensures consumers know the expected cybersecurity lifespan of their devices.
Alignment with International IoT Security Standards
Australia’s requirements closely align with the international ETSI EN 303 645 cybersecurity standard for consumer IoT devices.
This global baseline includes best practices such as:
- Secure credential management
- Software integrity and update mechanisms
- Secure communications
- Vulnerability disclosure frameworks
Alignment with internationally recognised standards helps manufacturers implement cybersecurity requirements consistently across global markets.
Compliance Obligations for Manufacturers and Suppliers
Companies manufacturing, importing, or supplying smart devices in Australia must now ensure their products meet the new cybersecurity rules.
Key steps include:
- Ensuring firmware and software architecture comply with password and security requirements
- Establishing a public vulnerability disclosure process
- Defining and publishing security update support timelines
- Maintaining clear consumer-facing cybersecurity information online
- Preparing and retaining a Statement of Compliance for each in-scope product
Failure to address these requirements may prevent products from being legally supplied in the Australian market.
How C-PRAV Can Support Your Compliance
Navigating new cybersecurity regulations can be complex, particularly when launching connected devices across multiple global markets. We can also test and certify your products against cybersecurity requirements for Europe (RED/CRA), the UK (PSTI), Singapore, India (ITSARs), and other markets.
With over 30 years of experience in product testing, regulatory approvals, and global certifications, C-PRAV supports manufacturers in achieving compliance across Australia, Europe, North America, and Asia.
Our services include:
- Cybersecurity compliance consulting
- IoT security standard alignment (including ETSI EN 303 645)
- Regulatory testing and certification support
- Technical documentation and compliance folder preparation
- End-to-end product compliance management
By addressing cybersecurity early in the product lifecycle, manufacturers can reduce risk, accelerate certification, and ensure smooth market access.
If your organisation manufactures or supplies connected devices in Australia, now is the time to review your product cybersecurity compliance strategy.
For expert guidance on cybersecurity testing and compliance requirements, contact the C-PRAV team.