Australia Introduces Mandatory Security Standards for Smart Devices
Australia has introduced new mandatory cyber security standards for consumer smart devices, marking a significant step in strengthening protections for connected technologies used in homes and businesses across the country.
The Cyber Security (Security Standards for Smart Devices) Rules 2025, administered by the Australian Government’s Department of Home Affairs, officially came into force on 4 March 2026 following a 12-month transition period for manufacturers and suppliers to prepare for compliance.
The rules form part of the broader Cyber Security Act 2024 and support the objectives of the 2023–2030 Australian Cyber Security Strategy, which aims to improve the security of everyday digital technologies used by Australians.
With smart devices increasingly embedded across homes, workplaces and public infrastructure, the government has emphasised the need for products to be “secure by default”, addressing longstanding vulnerabilities that have allowed poorly protected devices to be exploited by cybercriminals.
Why the New Rules Were Introduced
The number of internet-connected devices, commonly known as Internet of Things (IoT) products, has grown rapidly in recent years. These devices range from smart TVs and home assistants to routers, security cameras and smart lighting systems.
However, many consumer devices have historically shipped with weak or default security settings, creating opportunities for attackers to exploit them as entry points into networks.
The Australian Government’s new standards aim to address these risks by ensuring that devices entering the consumer market meet baseline security protections from the outset.
Key Security Requirements
Under the new rules, manufacturers, importers and distributors must ensure that consumer smart devices meet several minimum cyber security requirements.
1. No Universal Default Passwords
Devices can no longer ship with generic default passwords such as “admin” or “1234”. Instead, passwords must either be unique to each device or defined by the user during setup.
This measure aims to prevent large-scale attacks where a single compromised password can grant access to thousands of devices.
2. Vulnerability Reporting Mechanisms
Manufacturers must provide clear and accessible channels for reporting security vulnerabilities, enabling security researchers and users to notify companies about potential flaws in hardware or software.
These reporting mechanisms are intended to support faster identification and remediation of emerging cyber threats.
3. Transparency on Security Updates
Manufacturers must publicly disclose the minimum length of time that a device will receive security updates and support.
This requirement ensures consumers are aware of how long their devices will remain protected against vulnerabilities after purchase.
Alignment with Global Security Standards
The Australian framework closely aligns with the ETSI EN 303 645 standard, a widely recognised international benchmark for consumer IoT cyber security.
This alignment helps ensure consistency with similar regulatory initiatives in other regions, including the United Kingdom’s Product Security and Telecommunications Infrastructure Act, which addresses comparable risks in connected consumer devices.
What It Means for Industry
The new standards apply to most consumer devices capable of connecting directly or indirectly to the internet and acquired by consumers in Australia.
For manufacturers and suppliers, compliance is now a condition of selling connected devices in the Australian market.
For organisations and security professionals, the rules also highlight the importance of understanding and managing the growing number of connected devices operating within corporate environments.
As workplaces adopt smart technologies for automation, security monitoring and building management, ensuring that devices meet baseline cyber security standards will play an increasingly important role in protecting digital infrastructure.

