Cyber security standards for consumer smart devices

8 minute read  20.04.2026 Nicholas Pascoe, Helen Cheung, Karina Tjeuw

Mandatory cyber security standards for consumer smart devices are now in effect. Here's what manufacturers, importers and suppliers need to know and do to ensure compliance.

Key takeouts

  • Most consumer smart devices supplied in Australia must now be accompanied by statements of compliance with the mandatory cyber security standards under the Cyber Security Act 2024 (Cth).
  • Relevant devices can no longer have universal default passwords and must have a published mechanism for reporting security issues and a published support period for security updates.
  • Early observations from the market show that awareness of the new obligations has been mixed, and that for those who were prepared, the compliance exercise has been more involved than anticipated.

Australia’s new cyber security standards address a real and growing risk. Cyber security researchers recently exposed the Masjesu botnet, a DDoS-for-hire operation that hijacks everyday smart devices by exploiting unchanged default passwords, outdated firmware and missing vulnerability reporting channels. Once compromised, devices such as home routers and IP cameras can be quietly used in attacks on businesses and critical infrastructure, often without the owner’s knowledge.

As of 4 March 2026, those gaps are no longer just a product design problem; they are a legal compliance obligation for anyone who manufactures, imports or supplies consumer smart devices in Australia.

What has changed?

On 4 March 2026, mandatory cyber security standards for consumer smart devices took effect under the Cyber Security Act 2024 (Cth) (the Act), as set out in the Cyber Security (Security Standards for Smart Devices) Rules 2025 (the Rules). If your business manufactures, imports or supplies consumer smart devices in Australia, these changes directly affect you.

The Rules represent Australia's first legally enforceable, baseline cyber security standards for consumer-grade internet-connectable products – replacing the voluntary 'Code of Practice: Securing the Internet of Things for Consumers' issued by the Australian Government in 2020 with binding regulation.

With everyday consumer devices increasingly internet-connected and vulnerable to cyber threats, the Australian Government's 2023-2030 Australian Cyber Security Strategy requires that consumer smart devices are secure by design. Businesses in the supply chain need to understand their obligations under this new regime.

Does this apply to your business?

The security standards apply to your business if you manufacture or supply consumer-grade products that can directly or indirectly connect to the internet, and these are supplied in Australia, or manufactured to be acquired in Australia, from 4 March 2026. This captures most smart and Internet of Things (IoT) devices intended for personal, domestic or household use, although there is an exception for devices manufactured before 4 March 2026, as discussed below.

In-scope devices include:

  • Smart TVs and speakers
  • IP cameras and doorbells
  • Home routers and gateways
  • Smart lighting and appliances
  • Other internet- or network-connectable consumer devices.

Excluded devices:

  • Desktop, laptop and tablet computers
  • Smartphones
  • Therapeutic goods
  • Road vehicles and vehicle components.

The concepts 'manufacturer', 'supply' and 'supplier' each have the same meaning as in the Australian Consumer Law (as set out in Schedule 2 to the Competition and Consumer Act 2010 (Cth)). In particular:

  • 'supply' includes, in relation to goods, supply (including re-supply) by way of sale, exchange, lease, hire or hire-purchase;
  • 'supplier' has a corresponding meaning and covers retail suppliers and wholesale suppliers (including importers) at any point of the supply chain for products that will be acquired in Australia; and
  • under the Australian Consumer Law, Australian importers will also be treated as the 'manufacturer' where the actual manufacturer of the device does not have a place of business in Australia.

Compliance with mandatory cyber security standards

In-scope devices must meet three mandatory cyber security standards set out in Schedule 1 of the Rules:

1. No universal default passwords

Devices must not be supplied with shared or easily guessable default passwords. Any passwords to be used in relation to relevant hardware or software of a device must either be unique to the specific device or set by the device user. Where passwords are unique per device, they must not be based on easily guessable components as detailed in the Rules. This requirement is designed to eliminate the common vulnerability of shipping default usernames and passwords such as 'admin/admin', which has in practice exposed devices to easy access by threat actors.

We note that this requirement applies once a device ceases to operate in a factory default state – for example, once it is set up and used.
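The following is an added illustration of how a manufacturer might implement the 'no universal default passwords' standard at provisioning time; it is example code written for this page, not code from the article, the Rules or any vendor. It generates a per-device credential from a cryptographically secure random source and runs a check that rejects the kinds of credential the standard targets: well-known universal defaults, short passwords, and passwords derived from device identifiers that are printed on the label or visible on the network (serial number, MAC address). The rejection criteria, the default list and the device identifiers are constructed assumptions for the example and are not a transcription of the 'easily guessable components' listed in the Rules.

```python
import re
import secrets
import string

# Constructed, illustrative list of universal defaults that must never ship on a device.
# A real implementation would use a maintained list of known default credentials.
KNOWN_UNIVERSAL_DEFAULTS = {"admin", "password", "12345678", "default", "root", "1234"}

ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 12          # assumed minimum; the Rules do not prescribe this value
IDENTIFIER_WINDOW = 6    # assumed: any 6-character run of an identifier counts as "derived from" it


def _normalise(value: str) -> str:
    """Lower-case and strip separators so 'AA:BB:CC' and 'aabbcc' compare equal."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def generate_device_password(length: int = 16) -> str:
    """Per-device credential drawn from the OS CSPRNG; independent of any device identifier."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def guessability_reasons(password: str, serial: str, mac: str) -> list[str]:
    """Return the reasons a candidate password would fail the check (empty list = acceptable).

    The same check applies whether the password was generated at the factory or set by the user.
    """
    reasons = []
    if password.lower() in KNOWN_UNIVERSAL_DEFAULTS:
        reasons.append("universal default")
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if password and len(set(password)) == 1:
        reasons.append("single repeated character")
    norm_pw = _normalise(password)
    for name, ident in (("serial", _normalise(serial)), ("mac", _normalise(mac))):
        # Flag any IDENTIFIER_WINDOW-length slice of the identifier embedded in the password,
        # which catches the common "modelname + last six of MAC" pattern.
        for i in range(0, max(0, len(ident) - IDENTIFIER_WINDOW + 1)):
            if ident[i:i + IDENTIFIER_WINDOW] in norm_pw:
                reasons.append(f"derived from {name}")
                break
    return reasons


def provision_device(serial: str, mac: str) -> dict:
    """Factory provisioning step: generate a credential and refuse to ship one that fails the check."""
    for _ in range(5):  # a CSPRNG output essentially never fails, but never ship an unchecked value
        candidate = generate_device_password()
        if not guessability_reasons(candidate, serial, mac):
            return {"serial": serial, "mac": mac, "password": candidate}
    raise RuntimeError("could not generate an acceptable per-device password")


if __name__ == "__main__":
    # Constructed sample device identifiers.
    device = provision_device("SN000123456", "AA:BB:CC:DD:EE:FF")
    print("provisioned:", device)
    print("legacy default rejected:", guessability_reasons("admin", "SN000123456", "AA:BB:CC:DD:EE:FF"))
    print("MAC-derived rejected:", guessability_reasons("Camera-DDEEFF2024", "SN000123456", "AA:BB:CC:DD:EE:FF"))
```

The same `guessability_reasons` check can be reused in the device's first-boot setup flow to validate a password chosen by the user, which is the other path the standard permits. Storing the generated credential only on the device's label and in the device itself (never in a shared batch file) is what keeps it "unique to the specific device" in practice.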

2. A published mechanism for reporting security issues

Each manufacturer must freely publish at least one point of contact through which a person can report security issues in relation to a device (in respect of its relevant hardware or software). The published information must also include the timing of when acknowledgement of receipt of a report will be provided and when status updates regarding resolution will be given.

3. Publication of the support period for security updates

Manufacturers must freely and publicly disclose a defined support period (with an end date) during which an in-scope device will receive security updates in respect of its relevant hardware and software. Once this support period is published, the manufacturer cannot shorten it but can extend it with an updated publication.

This support period must be prominently published on a website of or controlled by the manufacturer on which the device is offered to be supplied. It must appear where the website publishes either information intended to inform consumers’ decisions to acquire the device or the main characteristics of the device. In practice, the support period may need to be published across multiple webpages, such as product information pages, purchase pages and comparison pages.

There is no minimum length of support period prescribed by the Rules. In defining this period, manufacturers should consider the separate legal requirement of the guarantee under the Australian Consumer Law that they will take reasonable action to ensure that repair facilities and spare parts are reasonably available for a 'reasonable period' after the goods are supplied. While there is no statutory definition of a 'reasonable period', the Australian Competition and Consumer Commission (ACCC) has published guidance indicating that this depends on the type of product. As a general principle, the more expensive the item, the longer a reasonable period would be. By way of industry practice, manufacturers are considering multi-year support commitments, with 5+ years of security updates being contemplated for higher-end products.

Statement of compliance with security standards

Suppliers must accompany the supply of every in-scope device in Australia with a statement of compliance with the security standards. This statement must be prepared by or on behalf of the manufacturer and include specific information required by the Rules, including the device type and batch identifier, the defined support period for security updates, and a declaration that the device has been manufactured in compliance with the security standards. Both the manufacturer and the supplier must retain a copy of the statement of compliance for at least five years.

Obligations apply to devices manufactured on or from 4 March 2026

The new standards apply to in-scope devices manufactured on or from 4 March 2026. While the Act suggests that the standards apply to existing stock of in-scope devices sold after that date, guidance from the Department of Home Affairs states that devices manufactured before 4 March 2026 are not required to comply with the security standards, as the standards were not in effect at the time of their manufacture.

Manufacturers and suppliers should nevertheless review their existing inventory to confirm manufacture dates and assess which stock falls within the new regime. For devices manufactured on or after 4 March 2026, both the security standards and the statement of compliance requirements will apply if those devices are to be supplied in Australia.

Enforcement powers

The consequences of non-compliance are significant. Where in-scope devices do not comply with the security standards or are not accompanied with the required statement of compliance, the Secretary of the Department of Home Affairs may issue compliance notices, stop notices and recall notices. Details of an entity's failure to comply with a recall notice may be published on the Department of Home Affairs' website. Importantly, these enforcement powers may be invoked in respect of both Australian and overseas entities whose devices are sold in Australia, given the extraterritorial reach of the Act (which states in section 5 that the Act applies both within and outside Australia).

Early observations from the market

At the time of publishing, the new regime has been in effect for six weeks, and some practical themes are already emerging from businesses navigating the change. Awareness of the new obligations has been mixed: some businesses in the supply chain were not aware of the regime and are now working to catch up.

For prepared organisations, the compliance exercise has been more involved than initially anticipated. While the three security standards are themselves straightforward, the operational work of implementing technology updates, documenting manufacturing dates, preparing statements of compliance across product lines and updating website disclosures for support periods has required meaningful cross-functional coordination across different teams.

Consistent with the Australian Government's stated 'uplift-focused' approach to enforcement, the Department of Home Affairs has signalled it will prioritise engagement with manufacturers and suppliers, rather than immediate enforcement action, in the early period after the commencement of the Rules. This should not be read as an indefinite grace period – the enforcement powers are real – but it does mean that proactive engagement with the regulator may be more productive than a defensive posture for those still working through their obligations.

The new security standards are not just a compliance obligation – they present an opportunity to build consumer trust and demonstrate that cyber security is a priority for your business. Early compliance can also be a competitive differentiator as the market adjusts to the new regime.

Our Technology, Digital and Data team can help you assess your product portfolio, identify compliance gaps and implement practical steps to meet the new requirements. Please get in touch to discuss how these changes affect your business.

https://www.minterellison.com/articles/cyber-security-standards-for-consumer-smart-devices