The Australian government is ramping up efforts to bolster cybersecurity for consumer-grade smart technology. The government announced that additional safety measures will be compulsory starting March 4, 2026. Introduced under the Cyber Security Act 2024 and associated regulations, the measures aim to ensure that all connected smart devices, ranging from smart TVs and home assistants to baby monitors, are secure by design and resistant to an array of cyber threats.
Smart technology has become a mainstay in modern home and work life
The rapid expansion of the Internet of Things has introduced an array of vulnerabilities, which has made the technology a target for cyber criminals. Numerous devices are shipped new from the factory with weak default security configurations and without workable policies for ongoing, effective updating and security reporting.
Each of these attributes increases consumers' exposure to data breaches, ransomware, and other forms of unauthorized access.
The Cyber Security (Security Standards for Smart Devices) Rules 2025 were developed in response to issues raised in the 2023-2030 Australian Cyber Security Strategy. The Strategy aims to make Australia a world leader in cyber security in the next decade. The rules follow best practices from around the world.
Best practice standards from ETSI EN 303 645 and the UK Product Security and Telecommunications Infrastructure regulations
By March 2026, the manufacturers of smart devices for individual, household, and domestic use will need to meet 3 central standards:
- Smart devices must not be sold with default, easily guessable, or commonly shared passwords: Every smart device must have a unique password or one that can be set by the user, because default passwords are one of the greatest weaknesses that cyber criminals exploit.
- Manufacturers are required to provide a proper, secure, and easy-to-use channel for reporting security vulnerabilities: All manufacturers must respond in a timely manner and be transparent about the process, the steps taken, and the resolution of reported issues.
- Users will be able to see how long their devices will receive security updates and know the end date explicitly: This will help users understand how long their devices can last and how much risk is involved, so they can make better buying choices.
These obligations apply to almost all internet-connected devices, with the exception of desktop computers, laptops, smartphones, and some regulated items like therapeutic devices and motor vehicles.
The law requires manufacturers to be compliant
The law also requires manufacturers to provide a compliance statement for each device and to maintain it for five years afterward. If a manufacturer is non-compliant, the law provides for a wide range of regulatory responses, from compliance and stop notices to product destruction.
Australia has borrowed quite a bit from other countries' policies, although on compliance it seems to be taking the most aggressive approach.
Australia has implemented these rules to provide clarity to users and manufacturers. On the other hand, users and manufacturers recognize the challenges the rules will bring. For example, manufacturers will have to come up with new product designs and put new supply chain management in place, in addition to the cybersecurity systems they already have. For smaller vendors, already limited systems will have to be scaled up to meet these requirements.
For now, the rules will be in a standby position. Australia's new rules for protecting devices are a huge step in the right direction for the protection of digital ecosystems. They will also help protect Australia in the cyber realm and strengthen its global reputation for cybersecurity.
