The Australian Government has issued the Cybersecurity (Security Standards for Smart Devices) Rules 2025, establishing mandatory cybersecurity requirements for consumer smart devices sold in the country. The new regulation was enacted under the Cybersecurity Act 2024 and will come into full effect on March 4, 2026.
Scope of Application
The regulation applies to consumer smart devices with networking capabilities used in personal or household settings. This includes:
- Smart home devices
- Wearables
- Smart printers
- Routers and gateways
Devices not covered by the regulation include desktop and laptop computers, tablets, smartphones, medical devices, and road vehicles or their components.
Main Requirements
The new rules require manufacturers and distributors to meet the following obligations:
- Password Security
Devices must not use universal default passwords. A unique password must be generated upon first use, or the user must be prompted to create one.
- Vulnerability Handling
A vulnerability reporting channel must be established. Manufacturers must act on received reports through a formal response process.
- Security Update Period
The duration of security update support must be clearly disclosed to consumers.
- Compliance Declaration
An electronic declaration must be provided at the point of sale, containing product batch and manufacturer details. These records must be retained for five years.
Implementation Timeline
Businesses involved in the manufacturing or distribution of smart devices have until March 4, 2026, to ensure full compliance with the new requirements.
The full regulation text is available at: https://www.legislation.gov.au/F2025L00276/asmade/text