Security Standards for Smart Devices

​​​​​​​​​Securing consumer-grade smart devices​

The Australian Government is committed to enhancing the cyber security of the digital products that Australians use every day. From 4 March 2026, the Cyber Security (Security Standards for Smart Device) Rules 2025 (the Rules) will commence, following a 12-month transition period. These Rules introduce mandatory cyber security standards for most smart devices acquired in Australia by a consumer. The Rules are available to view on the Federal Register of Legislation website.

This initiative is a key action under the 2023-2030 Australian Cyber Security Strategy.

Smart devices are important to how Australians work, learn, transact and engage with entertainment. Despite their widespread use, many smart devices are not secure-by-design. Implementing security standards will make sure devices are secure by default, helping consumers trust that their smart products include effective built-in security protections.

The standards reflect international best practice, aiming to improve consumer protection while minimising regulatory burden for manufacturers and suppliers.

We are conducting a range of engagement and communication activities to help inform and raise awareness of the standards. Further information will be shared through our website and social media platforms.

Sc​​​​ope

The Rules apply to most smart devices manufactured on and from 4 March 2026 that are intended for personal, domestic or household use.

Devices excluded from the Rules include:

• desktop computers
• laptops
• smartphones
• tablet computers.

You can view a complete list of exempted products in section 8 of the Rules.

The security standards require:

• No universal default passwords – passwords must be unique per product or defined by the user of the product for a smart device’s hardware or pre-installed software used in any state other than factory default and where software is required to be installed for the product’s intended usage.
• Manufacturers publish a means to report security issues – allowing security issues to be reported to the manufacturer, with status updates on the resolution of these issues.
• Manufacturers publish information about how long the device will be supported for – providing transparency to consumers about the period, including an end date, that the product will receive security updates.

The Rules also specify requirements for statements of compliance for in-scope products, and set out the period for which those statements are to be retained by the product manufacturer and suppliers.​​

Supplying a product with a statement of compliance

Section 12 of the Cyber Security Act 2024 outlines that suppliers must supply a product ‘accompanied’ by a statement of compliance. Section 16(3) of the Act requires suppliers of a relevant connectable product to ‘supply the product with’ a statement of compliance with a security standard.

The Act does not define the term ‘accompanied’; the Act also does not specify the meaning of ‘supply a product with’ a statement of compliance. Each entity in scope of the provisions must determine how it will comply with section 16(3) in relation to its own individual products.

R​e​sources

To make adoption of the Rules easier, the following guidance material is available:

• Factsheet – Security standards for smart devices and consumer​-grade R​ules
  
• Frequently Asked Questions – Security standards for smart devices
• Statement of Compliance example template
• Decision flow chart – Do you have obligations under the Cyber Security (Security Standards for Smart Device) Rules 2025?​
  

If you would like further information, please contact us at securetechnology@homeaffairs.gov.au.