New Cyber Security Rules for Smart Devices in Australia – Effective March 2026
October 2025

From 4 March 2026, the Cyber Security (Security Standards for Smart Devices) Rules 2025 will come into effect. If you manufacture, import, or sell connected products in Australia, you must prepare now to ensure your devices comply.
Which Smart Devices Are Affected?
The rules apply to any connectable product, defined in two main ways:
- Internet-connectable products: devices that connect directly to the internet via TCP/IP, UDP, or IP.
  Examples: routers, IP cameras, VoIP phones, smart switches.
- Network-connectable products: devices that connect to internet-connectable products via internet protocols, or support multiple connections via alternative communication protocols.
  Examples: Bluetooth speakers, televisions, wireless headsets.
Exempt products include:
- Desktop and laptop PCs
- Smartphones and tablets
- Medical devices regulated under the Therapeutic Goods Act
- Vehicles and components regulated under the Road Vehicle Standards Act
What Are the Key Requirements?
Manufacturers and importers must ensure that:
- Unique Passwords
  - Devices cannot ship with generic default passwords (e.g. “admin123”). Each unit must have a unique, non-guessable password.
- Security Issue Reporting
  - Users must have a clear channel to report vulnerabilities in both hardware and software.
- Defined Support Period
  - Manufacturers must publish the length of product support and updates. This period cannot be shortened once declared.
- Statement of Compliance
  - A formal compliance statement must be prepared and kept on file by the manufacturer or authorised representative.
Important: Information for consumers must be:
- In English
- Free of charge
- Easy to understand
- Clearly displayed online (e.g. on the product’s website)
How Does This Relate to European Standards?
The Australian rules are closely aligned with EN 303 645, the EU standard for IoT cybersecurity.
- A device already compliant with EN 303 645 will meet most Australian requirements.
- However, a Statement of Compliance for Australia is still mandatory.
Timeline for Compliance
- 4 March 2025 – Rules published
- 4 March 2026 – Rules enforced
  - All products sold on or after this date must comply.
  - There are no grandfather exemptions for existing stock.
Upcoming IoT Labelling Scheme
From March 2027, the Australian Government and IoT Alliance Australia plan to introduce a cyber security labelling scheme for IoT products.
This is likely to follow models already in place in countries like Germany and Singapore, giving consumers greater confidence in secure products.
What This Means for Your Business
Non-compliance could mean blocked market access, reputational risk, or enforcement action. Preparing now will ensure a smooth transition to the 2026 requirements.
At Comtest, we can help you:
- Assess your smart device against the Australian Rules and EN 303 645.
- Prepare and file your Statement of Compliance.
- Ensure your existing and future products meet mandatory cyber security standards.
Get Compliance Ready Today
Don’t leave it until 2026. Talk to Comtest now about IoT cyber security testing and certification.
Contact us on +61396455933 or email comtest@comtest.com.au for a 30-minute free consultation regarding the new cyber security rules for smart devices.






