Security Standards for Smart Devices

​​​​​​​​​​Securing consumer-grade smart devices​

The Australian Government is committed to enhancing the cyber security of the digital products that Australians use every day. The Cyber Security (Security Standards for Smart Device) Rules 2025 commenced on 4 March 2026, following a 12-month transition period. These Rules introduce mandatory cyber security standards for most smart devices acquired in Australia by a consumer. The Rules are available to view on the  Federal Register of Legislation website.

This initiative is a key action under the 2023-2030 Australian Cyber Security Strategy.

Smart devices are important to how Australians work, learn, transact and engage with entertainment. Despite their widespread use, many smart devices are not secure by design. Strengthening the security of everyday products is essential to protecting Australian families. It also builds consumer trust that their smart devices include effective, built-in security protections. These protections reduce opportunities for malicious actors to compromise their homes and networks.

The standards reflect international best practice. They aim to improve consumer protection while minimising regulatory burden for manufacturers and suppliers.

Scope

Most smart devices manufactured on and from 4 March 2026, and intended for personal, domestic or household use, must now meet new minimum cyber security requirements.

Devices excluded from the Rules include:

• desktop computers
• laptops
• smartphones
• tablet computers.

You can view a complete list of exempted products in section 8 of the Rules.

Products manufactured before 4 March 2026 are not required to comply with the security standards, as the security standards were not in effect on their date of manufacture. The obligation on suppliers to not supply non-compliant products will apply to products required to comply with the security standards.

Under the new rules, manufacturers and suppliers must meet clear, practical obligations that uplift the baseline cyber security of smart devices. These include:

• No universal default passwords –passwords must be unique per product or defined by the user of the product for a smart device’s hardware or pre-installed software used in any state other than factory default and where software is required to be installed for the product’s intended usage.
• Manufacturers publish a means to report security issues– allowing security issues to be reported to the manufacturer, with status updates on the resolution of these issues.
• Manufacturers publish information about how long the device will be supported for– providing transparency to consumers about the period, including an end date, that the product will receive security updates.

The Rules also specify requirements for statements of compliance for in-scope products, and set out the period for which those statements are to be retained by the product manufacturer and suppliers.

Supplying a product with a statement of compliance

Section 12 of the Cyber Security Act 2024 outlines that suppliers must supply a product ‘accompanied’ by a statement of compliance. Section 16(3) of the Act requires suppliers of a relevant connectable product to ‘supply the product with’ a statement of compliance with a security standard.

The Act does not define the term ‘accompanied’; the Act also does not specify the meaning of ‘supply a product with’ a statement of compliance. Each entity in scope of the provisions must determine how it will comply with section 16(3) in relation to its own individual products.

Regulating the cyber security of smart devices

The Department of Home Affairs is responsible for regulating the cyber security of smart devices. This includes supporting the Secretary of the Department of Home Affairs to exercise their enforcement and other regulatory powers, relating to the security standards for smart devices, under Part 2 of the Cyber Security Act 2024.

Our enforcement framework is designed to encourage engagement with manufacturers and suppliers of in-scope smart devices and uplift industry best practice. We will take an uplift-focused approach to regulation and ensure Australian end-users are kept at the centre of our activities.

R​e​sources

To make adoption of the Rules easier, the following guidance material is available:

• Factsheet – Security standards for smart devices and consumer​-grade R​ules
  
• Frequently Asked Questions – Security standards for smart devices
• Statement of Compliance example template
• Decision flow chart – Do you have obligations under the Cyber Security (Security Standards for Smart Device) Rules 2025?​
  

If you would like further information about how these new rules impact you and your devices, please contact us at securetechnology@homeaffairs.gov.au.