| Topic | Australia (Cyber Security Act 2024 and Smart Devices Rules) | UK PSTI (Product Security and Telecommunications Infrastructure Act 2022 and 2023 regulations) | Practical rule |
|---|---|---|---|
| Scope boundary | The Smart Devices Rules apply the security standard to consumer-grade relevant connectable products intended, or likely, to be used for personal, domestic, or household use when acquired in Australia by a consumer; the rules exclude listed categories such as desktop and laptop computers, tablets, smartphones, therapeutic goods, road vehicles, and road-vehicle components. | Keep the UK scope analysis anchored to the Product Security and Telecommunications Infrastructure Act 2022 and the 2023 security requirements regulations for relevant connectable products; do not use this Australian page to add unsupported UK category exclusions or thresholds. | Reuse part of the product-security analysis only after the Australian consumer-grade and acquisition-in-Australia tests are documented separately from the UK PSTI scope decision. |
| Who carries the duty | The Smart Devices Rules place duties on manufacturers and suppliers of consumer-grade relevant connectable products; the statement of compliance must be prepared by or on behalf of the manufacturer, and suppliers must hold a compliant statement before supplying the product in Australia. | Under the Product Security and Telecommunications Infrastructure Act 2022 the relevant economic actors are manufacturers, importers, and distributors of relevant connectable products placed on the UK market; this page does not extend UK actor duties beyond the existing UK sources. | Confirm the Australian actor role (manufacturer or supplier) and the UK actor role (manufacturer, importer, or distributor) separately, because the same business can hold different duties in each market. |
| What triggers the obligation | The smart-device standard is triggered when a consumer-grade relevant connectable product is acquired in Australia by a consumer for personal, domestic, or household use; the separate ransomware duty is triggered only after a ransomware payment is made by a reporting business entity. | The connected-product duty is triggered when a relevant connectable product is made available to consumers on the UK market, anchored to the Product Security and Telecommunications Infrastructure Act 2022 and the 2023 security requirements regulations. | Pin the trigger to a market event in each regime: Australian acquisition by a consumer versus UK availability on the UK market. Never assume a UK availability event satisfies the Australian acquisition test. |
| Core product obligations | The product standard covers password requirements, publication of security-issue reporting information, and publication of the defined support period for security updates; manufacturers and suppliers also need statement-of-compliance evidence. | The Australian explanatory statement says the Australian Schedule 1 security standards closely follow the UK 2023 relevant-connectable-product security requirements regulations, so these product-security topics are the safest overlap area. | Map password, vulnerability-reporting, and support-period controls once, but keep an Australian compliance matrix showing that each Australian clause and statement requirement is met. |
| Evidence and retention | The statement must be prepared by or on behalf of the manufacturer and include the product type and batch identifier, manufacturer and authorised-representative details, compliance declarations, the defined support period, signatory details, and the place and date of issue; statements must be retained for five years. | The Australian sources say UK-market products can provide the same statement-of-compliance information for Australia only if all Australian section 9 requirements are met; the UK source used here should not be treated as proving Australian retention or field requirements. | Reuse the same document only after adding an Australian field-by-field check and a retention owner; otherwise keep a UK PSTI statement and an Australian statement as separate records. |
| Reporting timing | A reporting business entity must report after a ransomware payment when the Act and rules apply; the rules set a $3 million turnover threshold for businesses and require report information about the incident, demand, payment, and communications, with the Act setting a 72-hour report period. | No UK PSTI ransomware-payment duty is supported by the sources behind this page; keep UK PSTI out of ransomware reporting unless a separate UK source is added elsewhere. | Do not merge ransomware-payment playbooks with UK product-security evidence; route these cases to Australian incident response, legal, and executive approval owners. |
| Enforcement and oversight | For smart-device non-compliance the Cyber Security Act supports compliance notices, stop notices, recall notices, public notification of recall-notice failure, expert examination, civil penalties, infringement notices, enforceable undertakings, and injunctions; the Act also creates a Cyber Incident Review Board process for significant incidents. | Keep enforcement conclusions to the UK Act and the 2023 regulations themselves; this page provides no basis for UK penalty amounts, regulator practice, or market-surveillance steps beyond the existing UK public sources. | Do not promise one enforcement playbook. Australian remediation needs notice-response, recall, public-notification, and examination evidence; UK PSTI remediation needs a separate UK-law review if enforcement details matter. |
| Where the regimes overlap | The explanatory statement says the Schedule 1 smart-device security standards closely follow the UK 2023 relevant-connectable-product security requirements regulations, so password, vulnerability-reporting, and support-period controls are the genuine overlap area with the UK regime. | The 2023 security requirements regulations set the comparable password, security-issue reporting, and minimum-support-period duties for relevant connectable products that the Australian standard mirrors, while UK-only market-surveillance and enforcement detail stay outside this overlap. | Reuse mapped product-security controls across both regimes, but keep ransomware-payment reporting, Cyber Incident Review Board, and SOCI critical-infrastructure obligations strictly Australia-only, because they have no UK PSTI counterpart. |
| Decision rule | Treat the Cyber Security Act 2024 as the controlling regime when a product is acquired by an Australian consumer, when a reporting business entity makes a ransomware payment, or when a Cyber Incident Review Board or SOCI critical-infrastructure obligation is in scope, and build the Australian evidence first. | Treat the Product Security and Telecommunications Infrastructure Act 2022 and the 2023 regulations as controlling only for UK-market connected-product duties, and do not let reused UK evidence stand in for Australian statement, retention, ransomware, or SOCI records. | Decide by trigger: if the event is an Australian consumer acquisition, a ransomware payment, a significant incident, or a SOCI asset, run the Australian workstream; reuse UK PSTI product-security evidence only after every matching Australian requirement is independently satisfied. |