---
title: "Australia Cyber Security Act vs UK PSTI Act Guide"
canonical_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/australia-cyber-security-act-vs-uk-psti-act"
source_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/australia-cyber-security-act-vs-uk-psti-act"
author: "Sorena AI"
description: "Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Australia Cyber Security Act 2024"
  - "UK PSTI Act"
  - "smart device security standards"
  - "ransomware payment reporting"
  - "statement of compliance"
  - "Australia Cyber Security Act"
  - "Australia Cyber Security Act vs UK PSTI Act"
  - "Compliance"
  - "Regulatory guidance"
---

# Australia Cyber Security Act vs UK PSTI Act Guide

Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime.


## Australia Cyber Security Act vs UK PSTI Act

Australia's Cyber Security Act 2024 is not a one-for-one copy of the UK's PSTI regime: the Australian Act also covers ransomware payment reports, significant cyber incident coordination, and review-board powers.

Use this comparison to separate reusable connected-product evidence from Australia-only reporting, notice, and critical-infrastructure workstreams.

Use this page when a connected product, ransomware payment decision, or Australian critical-infrastructure dependency could be affected by Australia's Cyber Security Act 2024 while the same product program is already tracking the UK's PSTI Act and 2023 security requirements regulations.

## Australia Cyber Security Act 2024 vs UK PSTI Act: concrete compliance differences

Compare the Australian Cyber Security Act 2024 and the UK PSTI Act only where the cited sources support it: connected-product security overlaps, while ransomware reporting, incident coordination, review-board powers, and SOCI analysis remain Australia-specific.

- **Australia Cyber Security Act 2024**: Covers smart-device security standards for relevant connectable products acquired in Australia, plus separate ransomware payment reporting, significant incident coordination, Cyber Incident Review Board, and regulatory-powers workstreams.
- **UK PSTI Act**: Comparator regime for UK product security and telecommunications infrastructure, with this page limited to connected-product security facts supported by the existing UK sources and Australian explanatory statement.

| Dimension | Australia Cyber Security Act 2024 | UK PSTI Act | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope boundary | Australia: the Smart Devices Rules apply the security standard to consumer grade relevant connectable products intended, or likely, to be used for personal, domestic, or household use, when acquired in Australia by a consumer; the rules exclude listed categories such as desktop/laptop computers, tablets, smartphones, therapeutic goods, road vehicles, and road-vehicle components. | UK PSTI: keep the UK scope analysis anchored to the Product Security and Telecommunications Infrastructure Act 2022 and the 2023 security requirements regulations for relevant connectable products; do not use this Australian page to add unsupported UK category exclusions or thresholds. | A product can reuse part of the product-security analysis only after the Australian consumer-grade and acquisition-in-Australia tests are documented separately from the UK PSTI scope decision. | [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Supports the need for a distinct Australian scope finding before evidence reuse.<br>[Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Existing UK public source in the file for the PSTI Act comparator framework.<br>[Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Existing UK public source in the file for relevant-connectable-product security requirements. |
| Who carries the duty | Australia: the Smart Devices Rules place duties on manufacturers and suppliers of consumer grade relevant connectable products; the statement of compliance must be prepared by or on behalf of the manufacturer, and suppliers must hold a compliant statement before supplying the product in Australia. | UK PSTI: under the Product Security and Telecommunications Infrastructure Act 2022 the relevant economic actors are manufacturers, importers, and distributors of relevant connectable products placed on the UK market; this page does not extend UK actor duties beyond the existing UK sources. | Confirm the Australian actor role (manufacturer or supplier) and the UK actor role (manufacturer, importer, or distributor) separately, because the same business can hold different duties in each market. | [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Supports recording the Australian actor role separately from the UK actor role before reusing evidence.<br>[Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Existing UK public source for manufacturer, importer, and distributor duties under the PSTI Act. |
| What triggers the obligation | Australia: the smart-device standard is triggered when a consumer grade relevant connectable product is acquired in Australia by a consumer for personal, domestic, or household use; the separate ransomware duty is triggered only after a ransomware payment is made by a reporting business entity. | UK PSTI: the connected-product duty is triggered when a relevant connectable product is made available to consumers in the UK market, anchored to the Product Security and Telecommunications Infrastructure Act 2022 and the 2023 security requirements regulations. | Pin the trigger to a market event in each regime: Australian acquisition by a consumer versus UK availability on the UK market, and never assume a UK availability event satisfies the Australian acquisition test. | [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Supports treating the Australian trigger as a distinct market event from the UK availability trigger.<br>[Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Existing UK public source for the UK-market availability trigger for relevant connectable products. |
| Core product obligations | Australia: the product standard covers password requirements, publication of security-issue reporting information, and publication of the defined support period for security updates; manufacturers and suppliers also need statement-of-compliance evidence. | UK PSTI: the Australian explanatory statement says the Australian Schedule 1 security standards closely follow the UK 2023 relevant-connectable-product security requirements regulations, so these product-security topics are the safest overlap area. | Map password, vulnerability-reporting, and support-period controls once, but keep an Australian compliance matrix showing each Australian clause and statement requirement is met. | [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Supports maintaining Australian clause-level evidence even where UK evidence is reused.<br>[Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Existing UK public source for the comparator security requirements referenced by the Australian explanatory statement. |
| Evidence and retention | Australia: the statement must be prepared by or on behalf of the manufacturer and include product type and batch identifier, manufacturer and authorised-representative details, compliance declarations, defined support period, signatory details, and place and date of issue; statements must be retained for five years. | UK PSTI: Australian grounding says UK-market products can provide the same statement-of-compliance information for Australia only if all Australian section 9 requirements are met; the UK source in this file should not be treated as proving Australian retention or field requirements. | Reuse the same document only after adding an Australian field-by-field check and retention owner; otherwise keep a UK PSTI statement and an Australian statement as separate records. | [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Supports conditional reuse of statement evidence because Australia specifies its own statement requirements.<br>[Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Existing UK public source for the UK connected-product comparator cited in the Australian explanatory statement. |
| Reporting timing | Australia: a reporting business entity must report after a ransomware payment when the Act and rules apply; the rules set a $3 million turnover threshold for businesses and require report information about the incident, demand, payment, and communications, with the Act setting a 72-hour report period. | UK PSTI: no UK PSTI ransomware-payment duty is supported by the grounding for this page. Keep UK PSTI out of ransomware reporting unless a separate UK source is added elsewhere. | Do not merge ransomware-payment playbooks with UK product-security evidence; route these cases to Australian incident response, legal, and executive approval owners. | [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Grounds the Australian obligation to report following a ransomware payment and the 72-hour report period.<br>[Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/latest/text?ref=sorena.io) - Supports a separate Australian evidence workflow for ransomware payment reports.<br>[Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Existing UK source is limited here to PSTI product-security comparison and does not support a ransomware-payment duty. |
| Enforcement and oversight | Australia: for smart-device non-compliance the Cyber Security Act supports compliance notices, stop notices, recall notices, public notification of recall-notice failure, expert examination, civil penalties, infringement notices, enforceable undertakings, and injunctions; the Act also creates a Cyber Incident Review Board process for significant incidents. | UK PSTI: keep enforcement conclusions to the UK Act and the 2023 regulations themselves; this page has no grounding for UK penalty amounts, regulator practice, or market-surveillance steps beyond the existing UK public sources. | Do not promise one enforcement playbook. Australian remediation needs notice-response, recall, public-notification, and examination evidence; UK PSTI remediation needs a separate UK-law review if enforcement details matter. | [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Supports separate Australian remediation evidence for notices, examination, and regulatory-powers escalation.<br>[Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Grounds additional matters that may be published after failure to comply with a recall notice.<br>[Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Existing UK source retained for the PSTI comparator without adding unsupported penalty details. |
| Where the regimes overlap | Australia: the explanatory statement says the Schedule 1 smart-device security standards closely follow the UK 2023 relevant-connectable-product security requirements regulations, so password, vulnerability-reporting, and support-period controls are the genuine overlap area with the UK regime. | UK PSTI: the 2023 security requirements regulations set the comparable password, security-issue reporting, and minimum-support-period duties for relevant connectable products that the Australian standard mirrors, while UK-only market-surveillance and enforcement detail stay outside this overlap. | Reuse mapped product-security controls across both regimes, but keep ransomware payment reporting, Cyber Incident Review Board, and SOCI critical-infrastructure obligations strictly Australia-only because they have no UK PSTI counterpart. | [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Grounds the Australian password, vulnerability-reporting, and support-period controls that align with the UK requirements.<br>[Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/C2018A00029/latest/text?ref=sorena.io) - Grounds the Australia-only SOCI critical-infrastructure track that has no UK PSTI overlap.<br>[Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Existing UK public source for the comparable connected-product security requirements that the Australian standard mirrors.<br>[Cyber Security (Cyber Incident Review Board) Rules 2025](https://www.legislation.gov.au/F2025L00277/latest/text?ref=sorena.io) - Supports keeping review-board obligations outside the UK PSTI overlap area. |
| Decision rule | Australia: treat the Cyber Security Act 2024 as the controlling regime when a product is acquired by an Australian consumer, when a reporting business entity makes a ransomware payment, or when a Cyber Incident Review Board or SOCI critical-infrastructure obligation is in scope, and build Australian evidence first. | UK PSTI: treat the Product Security and Telecommunications Infrastructure Act 2022 and 2023 regulations as controlling only for UK-market connected-product duties, and do not let reused UK evidence stand in for Australian statement, retention, ransomware, or SOCI records. | Decide by trigger: if the event is an Australian consumer acquisition, ransomware payment, significant incident, or SOCI asset, run the Australian workstream; reuse UK PSTI product-security evidence only after every matching Australian requirement is independently satisfied. | [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Grounds the Australian multi-workstream split across smart devices, ransomware reporting, incident coordination, review board, and regulatory powers.<br>[Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Existing UK source retained for the PSTI comparator as the controlling UK product-security framework.<br>[Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/latest/text?ref=sorena.io) - Supports routing ransomware payment events to the Australian workstream rather than UK PSTI evidence. |

Sources for Scope boundary - Australia Cyber Security Act 2024:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Grounds the Australian consumer grade relevant connectable product class, specified Australian consumer-acquisition circumstance, and listed exclusions.
  - Quote: "consumer grade relevant connectable products"

Sources for Scope boundary - UK PSTI Act:

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Existing UK public source in the file for the PSTI Act comparator framework.
  - Quote: "Product Security and Telecommunications Infrastructure Act 2022"
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Existing UK public source in the file for relevant-connectable-product security requirements.
  - Quote: "Relevant Connectable Products"

Sources for Scope boundary - operational implication:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Supports the need for a distinct Australian scope finding before evidence reuse.
  - Quote: "acquired in Australia by a consumer"

Sources for Who carries the duty - Australia Cyber Security Act 2024:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Grounds the Australian manufacturer and supplier duties and the manufacturer-prepared statement of compliance.
  - Quote: "prepared by or on behalf of the manufacturer"

Sources for Who carries the duty - UK PSTI Act:

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Existing UK public source for manufacturer, importer, and distributor duties under the PSTI Act.
  - Quote: "manufacturers, importers and distributors"

Sources for Who carries the duty - operational implication:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Supports recording the Australian actor role separately from the UK actor role before reusing evidence.
  - Quote: "supplier"

Sources for What triggers the obligation - Australia Cyber Security Act 2024:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Grounds the Australian acquisition-in-Australia trigger for the smart-device standard.
  - Quote: "acquired in Australia by a consumer"

Sources for What triggers the obligation - UK PSTI Act:

- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Existing UK public source for the UK-market availability trigger for relevant connectable products.
  - Quote: "Relevant Connectable Products"

Sources for What triggers the obligation - operational implication:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Supports treating the Australian trigger as a distinct market event from the UK availability trigger.
  - Quote: "personal, domestic or household"

Sources for Core product obligations - Australia Cyber Security Act 2024:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Grounds Australian password, security-issue reporting, support-period publication, and statement-of-compliance duties.
  - Quote: "Requirements in relation to passwords"

Sources for Core product obligations - UK PSTI Act:

- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Existing UK public source for the comparator security requirements referenced by the Australian explanatory statement.
  - Quote: "security requirements"

Sources for Core product obligations - operational implication:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Supports maintaining Australian clause-level evidence even where UK evidence is reused.
  - Quote: "defined support period"

Sources for Evidence and retention - Australia Cyber Security Act 2024:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Grounds the Australian statement fields and five-year retention period.
  - Quote: "the period is 5 years"

Sources for Evidence and retention - UK PSTI Act:

- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Existing UK public source for the UK connected-product comparator cited in the Australian explanatory statement.
  - Quote: "Relevant Connectable Products"

Sources for Evidence and retention - operational implication:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Supports conditional reuse of statement evidence because Australia specifies its own statement requirements.
  - Quote: "Requirements for statement of compliance"

Sources for Reporting timing - Australia Cyber Security Act 2024:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Grounds the Australian obligation to report following a ransomware payment and the 72-hour report period.
  - Quote: "within 72 hours"
- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/latest/text?ref=sorena.io) - Grounds the reporting-business-entity threshold and required report contents.
  - Quote: "turnover threshold"

Sources for Reporting timing - UK PSTI Act:

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Existing UK source is limited here to PSTI product-security comparison and does not support a ransomware-payment duty.
  - Quote: "Product Security"

Sources for Reporting timing - operational implication:

- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/latest/text?ref=sorena.io) - Supports a separate Australian evidence workflow for ransomware payment reports.
  - Quote: "ransomware payment report"

Sources for Enforcement and oversight - Australia Cyber Security Act 2024:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Grounds Australian compliance notice, stop notice, recall notice, public notification, expert examination, and regulatory-powers routes.
  - Quote: "Compliance notice"
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Grounds additional matters that may be published after failure to comply with a recall notice.
  - Quote: "recall notice"

Sources for Enforcement and oversight - UK PSTI Act:

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Existing UK source retained for the PSTI comparator without adding unsupported penalty details.
  - Quote: "Product Security"

Sources for Enforcement and oversight - operational implication:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Supports separate Australian remediation evidence for notices, examination, and regulatory-powers escalation.
  - Quote: "Regulatory powers"

Sources for Where the regimes overlap - Australia Cyber Security Act 2024:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Grounds the Australian password, vulnerability-reporting, and support-period controls that align with the UK requirements.
  - Quote: "defined support period"
- [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/C2018A00029/latest/text?ref=sorena.io) - Grounds the Australia-only SOCI critical-infrastructure track that has no UK PSTI overlap.
  - Quote: "Notification of cyber security incidents"

Sources for Where the regimes overlap - UK PSTI Act:

- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Existing UK public source for the comparable connected-product security requirements that the Australian standard mirrors.
  - Quote: "Relevant Connectable Products"

Sources for Where the regimes overlap - operational implication:

- [Cyber Security (Cyber Incident Review Board) Rules 2025](https://www.legislation.gov.au/F2025L00277/latest/text?ref=sorena.io) - Supports keeping review-board obligations outside the UK PSTI overlap area.
  - Quote: "Cyber Incident Review Board"

Sources for Decision rule - Australia Cyber Security Act 2024:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Grounds the Australian multi-workstream split across smart devices, ransomware reporting, incident coordination, review board, and regulatory powers.
  - Quote: "Cyber Security Act 2024"

Sources for Decision rule - UK PSTI Act:

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Existing UK source retained for the PSTI comparator as the controlling UK product-security framework.
  - Quote: "Product Security and Telecommunications Infrastructure Act 2022"

Sources for Decision rule - operational implication:

- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/latest/text?ref=sorena.io) - Supports routing ransomware payment events to the Australian workstream rather than UK PSTI evidence.
  - Quote: "ransomware payment report"

### How to use the comparison without overreaching

- Start with the Australian scope split: smart-device standard, ransomware payment report, significant incident coordination, Cyber Incident Review Board, or SOCI overlap.
- Reuse UK PSTI evidence only for connected-product security where Australian statement, support-period, retention, and consumer-acquisition requirements are independently satisfied.
- Flag any UK penalty, deadline, regulator-practice, importer, or distributor detail for separate UK PSTI grounding before publishing it as a comparison fact.

Sources for the practical decision rule:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Supports the Australian multi-workstream split across smart devices, ransomware reporting, incident coordination, review board, and regulatory powers.
  - Quote: "Cyber Security Act 2024"
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Supports conditional product-security evidence reuse through Australian statement and security-standard requirements.
  - Quote: "statement of compliance"
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Existing UK public source for the PSTI security-requirements comparator, without extending unsupported UK facts.
  - Quote: "Relevant Connectable Products"

## What is actually comparable between the Australian and UK regimes?

The closest overlap is connected-product security. Australia's Smart Devices Rules establish a security standard for consumer grade relevant connectable products acquired in Australia by a consumer, while the Australian explanatory statement says those standards closely follow the UK's 2023 relevant-connectable-product security requirements regulations.

The overlap stops there. Australia's Cyber Security Act 2024 also contains ransomware payment reporting, significant cyber incident coordination, and Cyber Incident Review Board provisions, and SOCI remains a separate Australian critical-infrastructure regime. Do not treat UK PSTI evidence as covering those Australian workstreams.

- Use product-security evidence across both regimes only for password requirements, vulnerability-reporting publication, support-period publication, and statement-of-compliance content where the Australian rules are met.
- Create separate Australian records for ransomware payment reporting, including the reporting business entity test, payment trigger, 72-hour report clock, and required report fields.
- Keep SOCI asset scoping separate from UK PSTI product scope because SOCI is about Australian critical infrastructure assets, reporting, risk management, and enhanced cyber obligations.
- Treat Cyber Incident Review Board requests and significant incident coordination as Australia-only governance matters unless another source creates a separate UK duty.

Sources for this answer:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Defines the Australian smart-device security standard, statement-of-compliance requirements, and five-year retention period.
- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Primary Act covering smart-device standards, ransomware payment reports, significant incident coordination, review-board powers, and regulatory powers.
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Existing UK public source in this file for the comparator product-security requirements referenced by the Australian explanatory statement.

## Which evidence can be reused, and which must stay Australia-specific?

For connected products, the Australian explanatory statement allows responsible entities operating across similar consumer-grade smart-device frameworks to use the same statement-of-compliance information for Australia, including UK-market products, if every Australian section 9 requirement is met.

That reuse is conditional. Australian records still need the Australian product class and consumer-acquisition analysis, manufacturer-prepared statement fields, defined support period, five-year retention, and any Australian supply decision. Ransomware payment reports and SOCI records are not PSTI artifacts.

- Product owner: maintain product type, batch identifier, manufacturer and authorised-representative details, support-period text, and compliance declaration for Australian statement-of-compliance use.
- Security engineering: prove unique or user-defined passwords, security-issue reporting details, acknowledgement and status-update process, and security-update support period publication.
- Incident response and legal: keep Australian ransomware payment report facts separate, including ABN/address details where applicable, incident impact, demand, payment, and communications fields.
- Critical infrastructure owner: document whether SOCI asset obligations apply separately from product-security duties before reusing any control or audit evidence.

Sources for this answer:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Grounds statement-of-compliance fields, security-standard requirements, support-period publication, and retention evidence.
- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/latest/text?ref=sorena.io) - Grounds Australian ransomware payment reporting threshold, 72-hour report period, and required report fields.
- [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/C2018A00029/latest/text?ref=sorena.io) - Grounds separate SOCI asset, register, risk-management, incident-reporting, and enhanced cyber-obligation checks.

## Primary sources

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Supports the Australian multi-workstream split across smart devices, ransomware reporting, incident coordination, review board, and regulatory powers.
  - Quote: "Cyber Security Act 2024"
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Supports conditional product-security evidence reuse through Australian statement and security-standard requirements.
  - Quote: "statement of compliance"
- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/latest/text?ref=sorena.io) - Supports routing ransomware payment events to the Australian workstream rather than UK PSTI evidence.
  - Quote: "ransomware payment report"
- [Cyber Security (Cyber Incident Review Board) Rules 2025](https://www.legislation.gov.au/F2025L00277/latest/text?ref=sorena.io) - Supports keeping review-board obligations outside the UK PSTI overlap area.
  - Quote: "Cyber Incident Review Board"
- [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/C2018A00029/latest/text?ref=sorena.io) - Grounds the Australia-only SOCI critical-infrastructure track that has no UK PSTI overlap.
  - Quote: "Notification of cyber security incidents"
- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - UK source for the PSTI comparator, as the controlling UK product-security framework.
  - Quote: "Product Security and Telecommunications Infrastructure Act 2022"
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK public source for the PSTI security-requirements comparator.
  - Quote: "Relevant Connectable Products"

