
Preparing for Australia’s 2026 Smart Device Security Regulations

Updated: 4 days ago

On 27 February 2025, the Australian Government Department of Home Affairs published the Cyber Security (Security Standards for Smart Devices) Rules 2025, introducing mandatory cybersecurity requirements for certain smart devices supplied to Australian consumers.

From 4 March 2026, Part 2 and Schedule 1 of the Rules will come into force, marking a significant regulatory milestone for manufacturers and suppliers operating in the Australian market.


Scope of Application


Part 2 of the Rules defines the products captured by the new framework. The legislation applies specifically to:

Consumer-grade relevant connectable products supplied or acquired in Australia by consumers.

In practical terms, this includes smart devices capable of connecting to the internet or other networks, where such products are intended for consumer use.

However, several categories are explicitly excluded from the scope of the Rules:

  • Desktop computers and laptops

  • Tablet computers

  • Smartphones

  • Therapeutic goods

  • Road vehicles and their components

These exclusions clarify that the legislation is primarily directed at Internet of Things (IoT) and similar consumer smart devices rather than traditional computing devices or regulated medical and automotive products.

Manufacturer Obligations


Manufacturers of in-scope products must comply with new documentation and record-keeping requirements.

Most notably, they are required to:


  1. Prepare a Statement of Compliance confirming that the product has been manufactured in accordance with the prescribed security standards.

  2. Demonstrate conformity with the applicable cybersecurity requirements set out in Schedule 1 of the Rules.

  3. Retain the Statement of Compliance for a minimum of five (5) years.


The Statement of Compliance serves as formal evidence that the manufacturer has implemented the mandated security measures. This requirement strengthens accountability and ensures that manufacturers can substantiate compliance if requested by regulators.


Security Requirements


Schedule 1 outlines the specific security standards that in-scope products must meet. While the detailed technical obligations are set out in the Schedule itself, manufacturers must ensure that their product design, development, and production processes align with those requirements before placing products on the Australian market.


Regulatory Impact


The introduction of the Cyber Security (Security Standards for Smart Devices) Rules 2025 reflects Australia’s growing focus on enhancing cybersecurity resilience in the consumer technology sector. By imposing clear obligations on manufacturers and establishing enforceable standards, the Rules aim to:


  • Improve baseline security for connected consumer devices

  • Reduce vulnerabilities in household smart technologies

  • Strengthen consumer trust in digital products


With the compliance date of 4 March 2026 approaching, manufacturers and suppliers should begin reviewing product portfolios, assessing applicability, and implementing necessary cybersecurity controls to ensure readiness.

Early preparation will be essential to mitigate regulatory risk and ensure uninterrupted access to the Australian consumer market.
