| Area | Australia | EU | Practitioner note |
|---|---|---|---|
| Scope boundary | Australia: start with relevant connectable products that will be acquired in Australia in specified circumstances. The smart-device rules prescribe a standard for consumer-grade relevant connectable products and exclude listed product categories such as desktop computers, laptops, tablet computers, smartphones, therapeutic goods, road vehicles, and road vehicle components. | EU: start with products with digital elements and whether they are placed on the Union market. The CRA is framed as horizontal cybersecurity requirements for hardware and software products with digital elements, not only consumer smart devices. | A connected consumer device may need both reviews, but the Australian scope file should prove the relevant-connectable-product and consumer-grade analysis while the EU file proves the product-with-digital-elements and Union-market analysis. |
| Covered actors | Australia: the smart-device duties distinguish manufacturers and suppliers. Manufacturers must manufacture covered products in compliance with the security standard and provide a statement of compliance for Australian supply; suppliers must not supply non-compliant covered products and must supply covered products with the statement of compliance. | EU: the CRA allocates duties across economic operators, including manufacturers, authorised representatives, importers, and distributors. Do not assume the Australian supplier role maps one-to-one to an EU importer or distributor role. | Build a role matrix by market: Australian manufacturer, Australian supplier, EU manufacturer, EU authorised representative, EU importer, and EU distributor may be different legal entities. |
| Trigger | Australia: the smart-device rules specify concrete consumer-device controls, including password requirements, a published security-issue reporting contact and response information, and a published defined support period for security updates. | EU: the CRA sets essential cybersecurity requirements for products with digital elements and expects cybersecurity to be addressed across the product lifecycle. | A secure-by-design program can support both sides, but the Australian evidence should explicitly show the password, vulnerability-reporting, and support-period items required by the smart-device rules. |
| Core obligations | Australia: for covered consumer-grade relevant connectable products, the statement of compliance must be prepared by or on behalf of the manufacturer, include product and manufacturer details, declare compliance, state the defined support period, and include signature, place, and date of issue. The rules specify a five-year retention period. | EU: the CRA workstream should keep EU product technical documentation, conformity assessment evidence, declarations, CE marking evidence, and economic-operator records separate from the Australian statement of compliance. | Treat the Australian statement of compliance as an Australian artifact. It may reuse underlying test evidence, but it is not automatically the EU CRA conformity file. |
| Evidence record | Australia: the Act and ransomware rules create a separate ransomware payment reporting workstream. A reporting business entity includes certain SOCI responsible entities or a business in Australia above the rules' turnover threshold, and the report must cover the incident, extortion demand, payment, and communications to the extent the entity can find the information within the 72-hour reporting period. | EU: the CRA is not a ransomware payment reporting regime. Its incident and vulnerability handling should be managed through the EU product-security workstream, not through the Australian ransomware payment report. | Keep Australian ransomware payment reporting separate from EU CRA product vulnerability handling, even when the same cyber incident affects the same product or customer environment. |
| Timing and deadlines | Australia: the Act provides Australian notice and enforcement tools for smart-device obligations, including compliance notices, stop notices, recall notices, public notification of failure to comply with a recall notice, examinations to assess compliance, monitoring, civil penalty orders, infringement notices, enforceable undertakings, and injunctions. | EU: the CRA workstream should be managed as an EU market-access and market-surveillance file for products with digital elements. The public source in this page supports the EU product-regulation character, but this file does not add unsupported fine amounts or authority assignments. | Escalate enforcement issues by jurisdiction: an Australian notice or examination request and an EU market-surveillance issue require different evidence owners and response files. |
| Enforcement | Australia: reuse EU CRA engineering evidence only where it proves the specific Australian requirement, such as password design, security-issue reporting, support-period publication, statement-of-compliance content, or ransomware report content. | EU: reuse Australian engineering evidence only where it maps to the EU CRA product-with-digital-elements obligation and economic-operator file. Australian smart-device statements, SOCI records, and ransomware payment reports do not replace EU CRA conformity evidence. | Maintain a bridge table with three columns: shared engineering evidence, Australian legal artifact, and EU CRA legal artifact. Leave a row blank where the regimes do not match. |
| Overlap and reuse | Australia: the same analysis as the scope-boundary row (relevant connectable product acquired in Australia in specified circumstances; consumer-grade smart-device rules and their excluded product categories). | EU: the same analysis as the scope-boundary row (product with digital elements placed on the Union market; horizontal requirements for hardware and software products, not only consumer smart devices). | Use this row to spot shared product-security controls, then switch to the decision rule to choose the first file to complete and the evidence to keep separate. |
| Practical decision rule | Step 1: decide whether the product is a relevant connectable product acquired in Australia and whether it falls within the consumer-grade smart-device rules. Step 2: if yes, complete the Australian statement of compliance, support-period, and reporting record set. Step 3: separately assess whether the same product is a product with digital elements placed on the Union market and, if so, complete the EU CRA technical, conformity, and economic-operator file. | EU: if the product is not placed on the Union market, the CRA file may not apply. If it is placed on the Union market, proceed with the EU workstream even if the Australian file is already complete. | The decision is not to pick one regime and ignore the other. First classify the market and product, then complete the Australian and EU files that apply in parallel, keeping their legal artifacts separate. |