Australia Introduces Mandatory Cyber Security Standards for Smart Devices

The Australian Government has enacted the Cyber Security Rules 2025, introducing mandatory requirements for internet-connected consumer devices. The new framework was officially registered on 4 March 2025 and will come into force in March 2026, allowing industry a one-year transition period to achieve compliance.

Under the rules, organisations placing smart devices on the Australian market must ensure that:

• Passwords are secure – devices must be supplied with unique credentials or allow users to set their own.
• Vulnerability reporting is supported – clear and accessible channels for reporting security issues must be provided.
• Support periods are transparent – the defined timeframe for security updates must be disclosed and maintained.
• Compliance is documented – a formal statement of compliance must accompany each product and be retained for five years.

The requirements apply to a broad range of consumer-grade smart devices. Exemptions include desktop and laptop computers, tablets, smartphones, therapeutic goods, and regulated road vehicles.

By establishing minimum cyber security standards, the Cyber Security Rules aim to enhance consumer protection, raise industry accountability, and ensure that connected devices sold in Australia are more resilient against cyber threats.

With its expertise in product testing, certification, and compliance, SIQ helps manufacturers and suppliers navigate the new cyber security rules, ensuring their smart devices meet all requirements and are ready for successful entry into the Australian market.

More information:
Mitja Rozman
E-mail: mitja.rozman@siq.si
Tel.: +386 1 4778 176