The Cybersecurity Act 2024 has become official Australian law. As part of the implementation of the law, on March 4, 2025, the Australian Department of Home Affairs introduced the Cyber Security (Security Standards for Smart Devices) Rules 2025, which set mandatory cybersecurity requirements for consumer-grade smart devices.
The Rule will begin on March 4, 2026, giving manufacturers and distributors one year to ensure compliance. Manufacturers and distributors must comply with strict safety measures similar to EN 303 645, including:
- It is forbidden to use a universal default password;
- implement a vulnerability reporting mechanism;
- Define the support period for security updates.
To sell consumer IoT products in Australia, businesses must provide a declaration of compliance confirming compliance with these security standards. The document must include: product type and batch identifier; Manufacturer and representative details; Declaration of Compliance; support period information; Location, date, and signature.
Click this link to view the original Cyber Security (Security Standards for Smart Devices) Rules 2025.