Security Standards for Smart Devices

​​​​​Securing consumer-grade smart devices​

The Australian Government is committed to enhancing the cyber security of the digital products that Australians use every day. From 4 March 2026, the Cyber Security (Security Standards for Smart Device) Rules 2025 (the Rules) will commence, following a 12-month transition period. These Rules introduce mandatory cyber security standards for most smart devices acquired in Australia by a consumer. The Rules are available to view on the Federal Register of Legislation website.

This initiative is a key action under the 2023-2030 Australian Cyber Security Strategy.

Smart devices are important to how Australians work, learn, transact and engage with entertainment. Despite their widespread use, many smart devices are not secure-by-design. Implementing security standards will make sure devices are secure by default, helping consumers trust that their smart products include effective built-in security protections.

The standards reflect international best practice, aiming to improve consumer protection while minimising regulatory burden for manufacturers and suppliers.

We are conducting a range of engagement and communication activities to help inform and raise awareness of the standards. Further information will be shared through our website and social media platforms.

Scope

The Rules apply to most smart devices manufactured on and from 4 March 2026 that are intended for personal, domestic or household use.

Devices excluded from the Rules include:

• desktop computers
• laptops
• smartphones
• tablet computers.

You can view a complete list of exempted products in section 8 of the Rules.

The security standards require:

• No universal default passwords – passwords must be unique per product or defined by the user of the product for a smart device’s hardware or pre-installed software used in any state other than factory default and where software is required to be installed for the product’s intended usage.
• Manufacturers publish a means to report security issues – allowing security issues to be reported to the manufacturer, with status updates on the resolution of these issues.
• Manufacturers publish information about how long the device will be supported for – providing transparency to consumers about the period, including an end date, that the product will receive security updates.

The Rules also specify requirements for statements of compliance for in-scope products, and set out the period for which those statements are to be retained by the product manufacturer and suppliers.​​

Re​sources

To make adoption of the Rules easier, the following guidance material is available:

• Factsheet – Security standards for smart devices and consumer​-grade R​ules
  
• Frequently Asked Questions – Security standards for smart devices
• Statement of Compliance example template
• Decision flow chart – Do you have obligations under the Cyber Security (Security Standards for Smart Device) Rules 2025?​
  

If you would like further information, please contact us at securetechnology@homeaffairs.gov.au.