Australia Cyber Security Act 2024 vs EU Cyber Resilience Act

A detailed comparison of the Australia Cyber Security Act 2024 and the EU Cyber Resilience Act for product security, compliance, and governance teams that need to sell connectable products into both the Australian and EU markets.

Covers scope differences, product categories, security requirements, conformity assessment, incident reporting, penalties, timelines, and practical dual compliance strategies where one compliance effort can cover both regimes.

Author: Sorena AI
Published: Mar 4, 2026
Updated: Mar 4, 2026
Overview

The Australia Cyber Security Act 2024 and the EU Cyber Resilience Act (Regulation (EU) 2024/2847) both regulate the security of products that connect to the internet, but they differ significantly in scope, enforcement model, and market access requirements. The Australia Cyber Security Act 2024 targets a defined class of consumer grade connectable products through the Security Standards for Smart Devices Rules 2025, while also introducing a separate ransomware payment reporting obligation. The EU Cyber Resilience Act applies more broadly to all products with digital elements placed on the EU single market and uses the EU conformity assessment and CE marking framework. Teams that manufacture or supply products into both Australia and the EU should understand these differences so they can build one shared engineering evidence base and wrap it with the correct legal documentation for each jurisdiction. This CRA comparison guide explains exactly where the two regimes overlap and where they diverge.

Section 1

Legislative scope: Australia Cyber Security Act 2024 versus EU Cyber Resilience Act

The Australia Cyber Security Act 2024 (No. 98, 2024) is a multi-part statute that covers product security for smart devices, ransomware payment reporting, coordination of significant cyber security incidents through the National Cyber Security Coordinator, and the establishment of the Cyber Incident Review Board. Part 2 of the Australia Cyber Security Act 2024 is the part that is most directly comparable to the EU Cyber Resilience Act because it creates mandatory security standards for relevant connectable products that will be acquired in Australia.

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) is a horizontal product security regulation that applies to all products with digital elements placed on the EU market. Unlike the Australia Cyber Security Act 2024, which bundles product security together with incident coordination and ransomware reporting, the EU Cyber Resilience Act is exclusively focused on product cybersecurity across the full product lifecycle.

This scope difference is the most important factor for teams doing a CRA comparison. A product team that has fully complied with the Australia Cyber Security Act 2024 smart device rules has addressed only a subset of the obligations that the EU Cyber Resilience Act imposes. Conversely, a team that has achieved EU Cyber Resilience Act compliance will find that much of the engineering evidence already satisfies the Australian requirements.

  • The Australia Cyber Security Act 2024 received Royal Assent on 29 November 2024 and is structured across seven parts covering preliminary provisions, smart device security standards, ransomware reporting, incident coordination, the Cyber Incident Review Board, regulatory powers, and miscellaneous matters.
  • The EU Cyber Resilience Act entered into force on 10 December 2024 and applies horizontally to products with digital elements, including hardware and software, placed on the EU single market.
  • Part 2 of the Australia Cyber Security Act 2024 (security standards for smart devices) commenced on 29 November 2025, while the Security Standards for Smart Devices Rules 2025 take substantive effect from 4 March 2026.
  • The EU Cyber Resilience Act has a phased timeline: vulnerability and incident reporting obligations apply from 11 September 2026, and the full set of essential cybersecurity requirements apply from 11 December 2027.
  • The Australia Cyber Security Act 2024 also includes Part 3 (ransomware payment reporting from 29 May 2025) and Part 4 (voluntary information sharing with the National Cyber Security Coordinator from 30 November 2024), which have no equivalent in the EU Cyber Resilience Act.
Section 2

Product categories and what is in scope under each regime

The Australia Cyber Security Act 2024 defines a 'relevant connectable product' as any product that is an internet-connectable product or a network-connectable product and is not exempted by the rules. An internet-connectable product is one that can connect to the internet using a protocol that forms part of the internet protocol suite. A network-connectable product is one that can send and receive data by electrical or electromagnetic means, is not itself internet-connectable, but can connect directly to an internet-connectable product or to two or more products simultaneously via non-IP protocols. The Security Standards for Smart Devices Rules 2025 then narrow the first regulated class further to consumer grade relevant connectable products that are intended for personal, domestic, or household use.

The Security Standards for Smart Devices Rules 2025 explicitly exclude desktop computers, laptops, tablet computers, smartphones, therapeutic goods (under the Therapeutic Goods Act 1989), road vehicles, and road vehicle components from the initial regulated product class. This means the Australia Cyber Security Act 2024 smart device rules currently cover items such as smart home hubs, connected cameras, smart speakers, IoT sensors, connected appliances, baby monitors, smart locks, and similar consumer IoT products.

The EU Cyber Resilience Act takes a much broader approach. It applies to all 'products with digital elements' placed on the EU market, meaning any software or hardware product and its remote data processing solutions. The EU Cyber Resilience Act classifies products into a default category, an 'important' category (Class I and Class II in Annex III), and a 'critical' category (Annex IV). Important Class I products include identity management systems, browsers, password managers, VPNs, network management tools, firewalls, routers, modems, switches, and operating systems. Important Class II products include hypervisors, container runtime systems, public key infrastructure, and secure element software. Critical products include hardware security modules, smart cards, and smart meter gateways.

This CRA comparison shows that the product scope under the EU Cyber Resilience Act is substantially larger than the product scope under the Australia Cyber Security Act 2024. The EU Cyber Resilience Act covers enterprise software, operating systems, development tools, network infrastructure, and industrial products. The Australia Cyber Security Act 2024 currently covers only consumer grade connectable products, though the Act gives the Minister power to expand the product classes over time through additional rules.

  • Australia Cyber Security Act 2024 currently regulates consumer grade relevant connectable products: products intended for personal, domestic, or household use that connect directly or indirectly to the internet.
  • Australia excludes desktops, laptops, tablets, smartphones, therapeutic goods, road vehicles, and road vehicle components from the current smart device product class.
  • The EU Cyber Resilience Act covers all products with digital elements placed on the EU market, including hardware, software, and remote data processing solutions, with no consumer-only limitation.
  • The EU Cyber Resilience Act uses a tiered classification: default products, important products (Class I and Class II), and critical products, each with different conformity assessment requirements.
  • The Australia Cyber Security Act 2024 allows the Minister to prescribe additional product classes through future rules, so the Australian product scope may expand over time.
  • Both regimes apply to manufacturers and suppliers, but the EU Cyber Resilience Act also imposes specific obligations on importers and distributors as part of the EU product compliance chain.
Section 3

Security requirements: Australia smart device standards versus EU Cyber Resilience Act essential requirements

The Security Standards for Smart Devices Rules 2025 (Schedule 1, Part 1) prescribe three categories of mandatory security requirements for consumer grade relevant connectable products under the Australia Cyber Security Act 2024. These three categories are: requirements in relation to passwords, requirements relating to reports of security issues, and requirements relating to defined support periods and security updates. These requirements are closely aligned with the ETSI EN 303 645 baseline standard and the UK Product Security and Telecommunications Infrastructure Act 2022.

For passwords, the Australia Cyber Security Act 2024 rules require that all passwords for hardware and software of a relevant connectable product must be either unique per product or defined by the user. Passwords that are unique per product must not be based on incremental counters, must not be based on or derived from publicly available information, and must not be based on unique product identifiers such as serial numbers unless an encryption method or keyed hashing algorithm accepted as good industry practice is used. This means universal default passwords such as 'admin' or 'password' are prohibited under the Australia Cyber Security Act 2024.
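The per-product password rule above is easiest to see in code. The following is an added example, not code from this page or from either regulator: it derives a per-device password from the serial number with HMAC-SHA256 under a factory secret (the keyed-hash approach the rule permits), and audits a batch of provisioning records for the patterns the rule prohibits (a universal default, a password that embeds the serial without keying, and an incremental counter). The serials, the factory secret and the finding names are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed for this example. In production the factory secret lives in an HSM or
# a provisioning service and never ships on the device or in firmware.
FACTORY_SECRET = b"example-factory-secret-do-not-use"

# Small constructed list of universal defaults; a real audit would use a fuller list.
_COMMON_DEFAULTS = {"admin", "password", "1234", "12345678", "root", "default"}


def derive_device_password(serial: str, secret: bytes = FACTORY_SECRET, length: int = 16) -> str:
    """Derive a per-device password from the serial with a keyed hash (HMAC-SHA256).

    Keying is what makes use of the serial acceptable: the serial is public (printed
    on the label, visible on the network), but without the secret it yields nothing
    about the password, and every serial maps to a distinct value.
    """
    digest = hmac.new(secret, serial.encode("utf-8"), hashlib.sha256).digest()
    # Base32 keeps the password printable for a label or setup app; drop padding, truncate.
    return base64.b32encode(digest).decode("ascii").rstrip("=")[:length]


def audit_credentials(records: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Flag (serial, password) provisioning records that breach the per-product rules.

    Returns a mapping of finding name -> serials affected. An empty dict means clean.
    """
    findings: dict[str, list[str]] = defaultdict(list)
    by_password: dict[str, list[str]] = defaultdict(list)

    for serial, pw in records:
        by_password[pw].append(serial)
        if pw.lower() in _COMMON_DEFAULTS:
            findings["universal_default"].append(serial)
        # Serial appearing verbatim in the password means it was derived without keying.
        if serial.lower() in pw.lower():
            findings["derived_from_serial_unkeyed"].append(serial)

    # The same password on more than one device is not "unique per product".
    for pw, serials in by_password.items():
        if len(serials) > 1:
            findings["shared_password"].extend(serials)

    # Incremental counter: same prefix with trailing integers that form a consecutive run.
    by_prefix: dict[str, list[tuple[int, str]]] = defaultdict(list)
    for serial, pw in records:
        m = re.fullmatch(r"(.*?)(\d+)", pw)
        if m:
            by_prefix[m.group(1)].append((int(m.group(2)), serial))
    for items in by_prefix.values():
        items.sort()
        nums = [n for n, _ in items]
        if len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:])):
            findings["incremental_counter"].extend(s for _, s in items)

    return dict(findings)


if __name__ == "__main__":
    # Constructed batch: one keyed derivation per serial, then the audit over it.
    batch = [(s, derive_device_password(s)) for s in ("SN-2026-000123", "SN-2026-000124")]
    print(audit_credentials(batch))  # clean batch -> {}
    print(audit_credentials([("SN-A", "cam0001"), ("SN-B", "cam0002")]))  # counter flagged
```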

For vulnerability reporting, the Australia Cyber Security Act 2024 rules require that the manufacturer of a relevant connectable product must publish at least one point of contact for reporting security issues, state when a reporter will receive acknowledgement, and provide status updates until resolution. This information must be accessible, clear, transparent, available without prior request, in English, free of charge, and must not require the reporter to provide personal information.

For defined support periods, the Australia Cyber Security Act 2024 rules require that the manufacturer must publish the period during which security updates will be provided. The defined support period must be expressed as a time period with an end date. The manufacturer must not shorten the defined support period after publication. If extended, the new period must be published as soon as practicable. When the product is offered on a website, the support period must be published with equal prominence alongside the main product characteristics.

The EU Cyber Resilience Act imposes a much more extensive set of essential cybersecurity requirements listed in Annex I. These include secure by design and by default, protection of confidentiality, integrity, and availability, minimisation of data processing, vulnerability handling throughout the lifecycle, provision of security updates for at least five years or the expected product lifetime, SBOM (software bill of materials) documentation, and coordinated vulnerability disclosure. The EU Cyber Resilience Act also requires that products be delivered with a secure default configuration, that all known exploitable vulnerabilities are addressed before placing on the market, and that manufacturers implement a documented vulnerability handling process.

This CRA comparison reveals that the three Australian requirements (passwords, vulnerability contact, support period) represent a focused subset of the EU Cyber Resilience Act essential requirements. A team that satisfies the EU Cyber Resilience Act Annex I requirements will generally also satisfy the Australia Cyber Security Act 2024 smart device standards, but a team that only satisfies the Australian standards will still need significant additional work to meet the EU Cyber Resilience Act.

  • Australia Cyber Security Act 2024: passwords must be unique per product or user defined. Universal defaults are prohibited. Passwords unique per product must not use incremental counters or publicly available information.
  • Australia Cyber Security Act 2024: manufacturers must publish a security issue contact point, provide acknowledgement timelines, and give status updates through to resolution.
  • Australia Cyber Security Act 2024: manufacturers must publish a defined support period expressed as a time period with an end date. The period must not be shortened after publication.
  • EU Cyber Resilience Act: products must be designed, developed, and produced to ensure an appropriate level of cybersecurity based on risk. Products must be delivered without known exploitable vulnerabilities.
  • EU Cyber Resilience Act: manufacturers must implement and document a vulnerability handling process, provide security updates for at least five years, and maintain an SBOM covering at minimum the top-level dependencies of the product.
  • EU Cyber Resilience Act: additional requirements include secure default configuration, data minimisation, protection against unauthorised access, encrypted storage and communication where appropriate, and reduction of attack surfaces.
  • Overlap area: both regimes require non-default credentials, a working vulnerability intake process, and a published support period. These three areas form the shared engineering baseline.
Section 4

Conformity assessment and compliance documentation

The Australia Cyber Security Act 2024 uses a statement of compliance model. Under Section 16 of the Act and Section 9 of the Security Standards for Smart Devices Rules 2025, the manufacturer of a relevant connectable product must prepare a statement of compliance that includes the product type and batch identifier, the name and address of the manufacturer and any authorised representatives in Australia, a declaration that the statement was prepared by or on behalf of the manufacturer, a declaration that the product was manufactured in compliance with the security standard, the defined support period at the date of issue, the signature and details of the signatory, and the place and date of issue. Both manufacturers and suppliers must retain a copy of the statement of compliance for a period of five years.

The EU Cyber Resilience Act uses the established EU conformity assessment framework. For default category products, manufacturers may use Module A (internal production control), which is essentially a self-assessment with technical documentation. For important products in Class I, manufacturers may use Module A or harmonised standards with third-party involvement. For important products in Class II and for critical products, third-party conformity assessment by a notified body is required. Successful conformity assessment results in the application of the CE marking, which is the legal prerequisite for placing the product on the EU market.

The EU Cyber Resilience Act also requires manufacturers to prepare and maintain technical documentation that demonstrates conformity with the essential cybersecurity requirements. This technical documentation must include a general description of the product, design and development information, cybersecurity risk assessment, vulnerability handling documentation, test reports, the SBOM, the EU declaration of conformity, and details of any applied harmonised standards or common specifications.

In this CRA comparison, the Australian statement of compliance is simpler and more declarative than the EU conformity assessment process. The Australian model requires a manufacturer declaration and basic product identification. The EU model requires detailed technical documentation, risk assessment, and, for higher-risk product categories, independent assessment by a notified body. Teams that build comprehensive EU Cyber Resilience Act technical documentation will easily generate an Australian statement of compliance from the same evidence base, but the reverse is not true.

  • Australia Cyber Security Act 2024: manufacturers issue a statement of compliance declaring the product meets the security standard. The statement includes product identification, manufacturer details, the defined support period, and a signed declaration.
  • Australia Cyber Security Act 2024: both manufacturers and suppliers must retain the statement of compliance for five years.
  • EU Cyber Resilience Act: default products use Module A self-assessment. Important Class I products may use Module A or third-party assessment. Important Class II and critical products require notified body involvement.
  • EU Cyber Resilience Act: manufacturers must prepare and maintain technical documentation including risk assessment, design details, test reports, SBOM, and a formal EU declaration of conformity.
  • EU Cyber Resilience Act: successful conformity assessment leads to CE marking, which is the legal gate for EU market access.
  • Practical overlap: the factual evidence that supports an EU declaration of conformity (design records, test results, vulnerability handling procedures, support period commitments) can be directly referenced in the Australian statement of compliance.
Section 5

Incident reporting and vulnerability disclosure obligations

The Australia Cyber Security Act 2024 does not impose product-level vulnerability or incident reporting obligations on manufacturers of smart devices. Instead, the Act addresses incident reporting through two separate mechanisms: Part 3 imposes a ransomware payment reporting obligation on qualifying business entities, and Part 4 enables voluntary information sharing with the National Cyber Security Coordinator for significant cyber security incidents. These reporting mechanisms are not tied to the smart device product regime in Part 2.

Under Part 3 of the Australia Cyber Security Act 2024, a reporting business entity must give the designated Commonwealth body a ransomware payment report within 72 hours of making or becoming aware of a ransomware payment. A reporting business entity is one that carries on a business in Australia with an annual turnover above the prescribed threshold and is not a Commonwealth body, State body, or critical infrastructure asset responsible entity (unless the entity is a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies). The ransomware payment report must contain information about the business entity, the cyber security incident, the demand, the payment, and communications with the extorting entity.

The EU Cyber Resilience Act imposes direct incident and vulnerability reporting obligations on manufacturers. Starting 11 September 2026, manufacturers must notify ENISA (the EU Agency for Cybersecurity) of any actively exploited vulnerability in their product within 24 hours of becoming aware, followed by a full notification within 72 hours. Manufacturers must also notify ENISA of any severe incident that impacts the security of the product within 24 hours. These reporting obligations run throughout the expected product lifetime or the support period, whichever is longer.

The EU Cyber Resilience Act also requires manufacturers to inform users without undue delay about actively exploited vulnerabilities and about security incidents that impact the product. Manufacturers must describe the vulnerability or incident, the risk to users, and the corrective measures that have been taken or can be taken.

This CRA comparison shows that the incident reporting obligations are structurally different between the two regimes. The Australia Cyber Security Act 2024 addresses ransomware payments at the business entity level, not at the product level. The EU Cyber Resilience Act addresses vulnerabilities and incidents at the product level through direct manufacturer reporting to ENISA. A team complying with both regimes needs two separate reporting workflows: one for the EU Cyber Resilience Act product vulnerability and incident reports to ENISA, and one for any ransomware payment reporting obligations that may apply under the Australia Cyber Security Act 2024.

  • Australia Cyber Security Act 2024 Part 2 (smart devices): no product-level vulnerability or incident reporting obligation on manufacturers.
  • Australia Cyber Security Act 2024 Part 3: reporting business entities must report ransomware payments to the designated Commonwealth body within 72 hours. This obligation applies to businesses above the annual turnover threshold.
  • Australia Cyber Security Act 2024 Part 3: the ransomware payment report must cover entity details, the cyber security incident, the demand, the payment, and communications with the attacker.
  • EU Cyber Resilience Act: manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours (early warning) and 72 hours (full notification) from 11 September 2026.
  • EU Cyber Resilience Act: manufacturers must also report severe incidents that impact product security to ENISA within the same timeframes.
  • EU Cyber Resilience Act: manufacturers must notify users of actively exploited vulnerabilities and incidents without undue delay, including the corrective measures available.
  • The two reporting obligations are independent. EU Cyber Resilience Act reporting is about product vulnerabilities. Australia Cyber Security Act 2024 Part 3 reporting is about ransomware payments at the business level.
Section 6

Enforcement mechanisms and penalties

The Australia Cyber Security Act 2024 provides an escalating enforcement pathway for the smart device regime in Part 2. If the Secretary is reasonably satisfied that a manufacturer or supplier is not complying with security standard or statement of compliance obligations under Sections 15 or 16, the Secretary may issue a compliance notice specifying the non-compliance and the actions required. If the compliance notice is not addressed, the Secretary may issue a stop notice requiring the entity to stop or take further corrective action. If the stop notice is not addressed, the Secretary may issue a recall notice requiring the entity to prevent further supply in Australia and arrange for the return of products. Before issuing any notice, the Secretary must give the entity at least 10 days to make representations.

If an entity fails to comply with a recall notice under the Australia Cyber Security Act 2024, the Minister may publicly disclose the entity's identity, details of the product, details of the non-compliance, and the risks posed. The Act also provides civil penalty enforcement through the Regulatory Powers (Standard Provisions) Act 2014. Civil penalty provisions carry a penalty of 60 penalty units. The base penalty unit value is AUD 313 (as of 2024-2025), so 60 penalty units for an individual is AUD 18,780; for a body corporate the maximum is five times that amount (AUD 93,900) per contravention.

The Secretary may also engage an independent expert to examine a product to determine whether it complies with the security standard and whether the statement of compliance meets requirements. The entity is entitled to reasonable compensation for providing the product for examination.

The EU Cyber Resilience Act provides for market surveillance authorities in each EU member state to enforce the regulation. Penalties under the EU Cyber Resilience Act are significantly higher. For non-compliance with the essential cybersecurity requirements in Annex I, member states must provide for administrative fines of up to EUR 15,000,000 or 2.5% of the worldwide annual turnover, whichever is higher. For non-compliance with other obligations, fines of up to EUR 10,000,000 or 2% of worldwide annual turnover apply. For providing incorrect, incomplete, or misleading information to authorities or notified bodies, fines of up to EUR 5,000,000 or 1% of worldwide annual turnover apply.

EU market surveillance authorities can also order corrective measures, require product withdrawal or recall from the market, restrict or prohibit the making available of the product, and require the CE marking to be removed. The EU Cyber Resilience Act builds on the EU market surveillance regulation (Regulation (EU) 2019/1020) to coordinate enforcement across member states.

In this CRA comparison the EU Cyber Resilience Act penalty regime is far more severe. The Australian penalty structure uses relatively modest civil penalty units appropriate for a focused consumer device regime. The EU Cyber Resilience Act penalty structure uses percentage-of-turnover fines comparable to the GDPR, reflecting the broader product scope and the importance the EU places on horizontal product cybersecurity.

  • Australia Cyber Security Act 2024: the enforcement escalation for smart devices is compliance notice, then stop notice, then recall notice. Each requires at least 10 days for the entity to make representations before issuance.
  • Australia Cyber Security Act 2024: civil penalty provisions carry 60 penalty units per contravention. For a body corporate, this amounts to approximately AUD 93,900 per contravention at current rates.
  • Australia Cyber Security Act 2024: failure to comply with a recall notice can result in public disclosure of the entity's identity, product details, and the risks to consumers.
  • Australia Cyber Security Act 2024: the Secretary can commission independent product examinations and has monitoring and investigation powers under the Regulatory Powers Act.
  • EU Cyber Resilience Act: administrative fines for essential requirement non-compliance are up to EUR 15,000,000 or 2.5% of worldwide annual turnover, whichever is higher.
  • EU Cyber Resilience Act: fines for other obligation non-compliance are up to EUR 10,000,000 or 2% of worldwide annual turnover. Fines for misleading information are up to EUR 5,000,000 or 1% of turnover.
  • EU Cyber Resilience Act: market surveillance authorities can order withdrawal, recall, prohibition of product sales, and removal of CE marking.
  • The EU Cyber Resilience Act penalty regime is substantially larger in financial terms than the Australia Cyber Security Act 2024 civil penalty regime.
Section 7

Timelines and key dates for dual compliance planning

Teams that sell connected products into both Australia and the EU must track two sets of compliance deadlines. The Australia Cyber Security Act 2024 has already commenced in stages. Part 1 (preliminary) and Part 4 (incident coordination) commenced on 30 November 2024. Part 3 (ransomware payment reporting) and Part 5 (Cyber Incident Review Board) commenced on 29 May 2025. Part 2 (security standards for smart devices) commenced on 29 November 2025. The Security Standards for Smart Devices Rules 2025 were registered on 4 March 2025, with the substantive security standard in Schedule 1 taking effect on 4 March 2026.

The EU Cyber Resilience Act entered into force on 10 December 2024. The reporting obligations for actively exploited vulnerabilities and severe incidents apply from 11 September 2026. The full set of essential cybersecurity requirements and conformity assessment obligations apply from 11 December 2027. Obligations related to notified bodies apply from 11 June 2026.

For teams planning dual compliance, the practical sequencing is as follows. The Australian smart device security standard (passwords, vulnerability contact, support period) is enforceable from 4 March 2026. EU Cyber Resilience Act vulnerability and incident reporting to ENISA begins on 11 September 2026. The full EU Cyber Resilience Act essential cybersecurity requirements, technical documentation, and conformity assessment obligations apply from 11 December 2027. This means teams have an immediate need to address the Australia Cyber Security Act 2024 smart device rules for the Australian market, while building toward full EU Cyber Resilience Act compliance by late 2027.

  • 30 November 2024: Australia Cyber Security Act 2024 Parts 1, 4, 6, and 7 commenced (preliminary, incident coordination, regulatory powers, miscellaneous).
  • 29 May 2025: Australia Cyber Security Act 2024 Parts 3 and 5 commenced (ransomware reporting, Cyber Incident Review Board).
  • 29 November 2025: Australia Cyber Security Act 2024 Part 2 commenced (security standards for smart devices).
  • 4 March 2026: Security Standards for Smart Devices Rules 2025 Schedule 1 takes substantive effect. Manufacturers and suppliers of consumer grade relevant connectable products must comply with password, vulnerability reporting, and support period requirements.
  • 11 June 2026: EU Cyber Resilience Act notified body obligations apply.
  • 11 September 2026: EU Cyber Resilience Act vulnerability and incident reporting obligations apply. Manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA.
  • 11 December 2027: EU Cyber Resilience Act essential cybersecurity requirements, conformity assessment, technical documentation, CE marking, and all remaining obligations fully apply.
Section 8

Where one compliance effort covers both regimes

Despite the differences in scope and detail between the Australia Cyber Security Act 2024 and the EU Cyber Resilience Act, there are significant areas of overlap where a single compliance effort can support both markets. These overlap areas reduce duplication and allow teams to build shared engineering evidence that satisfies both the Australian smart device standards and the EU Cyber Resilience Act essential requirements.

The strongest overlap is in credential management. The Australia Cyber Security Act 2024 requires unique per-product passwords or user-defined passwords and prohibits universal defaults. The EU Cyber Resilience Act requires products to be delivered without known default passwords and with secure authentication mechanisms. A product team that implements unique per-device credentials with proper cryptographic derivation will satisfy both requirements simultaneously.

Vulnerability handling is the second major overlap. The Australia Cyber Security Act 2024 requires a published contact point for security issue reports, acknowledgement timelines, and status updates through resolution. The EU Cyber Resilience Act requires a documented vulnerability handling process, coordinated vulnerability disclosure, and active vulnerability remediation. A team that builds a full vulnerability handling program to EU Cyber Resilience Act standards will easily satisfy the Australian vulnerability reporting contact requirements, because the EU requirements are a superset of the Australian ones.

Support period transparency is the third overlap. The Australia Cyber Security Act 2024 requires a published defined support period with an end date that cannot be shortened. The EU Cyber Resilience Act requires security updates for at least five years or the expected product lifetime, whichever is longer. A team that commits to a defined support period that meets the EU Cyber Resilience Act minimum will also satisfy the Australian publication requirement.

Beyond these three requirement-level overlaps, product design evidence such as threat models, architecture reviews, secure development lifecycle documentation, penetration test reports, and code review records can serve as shared evidence for both the Australian statement of compliance and the EU technical documentation file.

  • Credential management: unique per-device passwords or user-defined passwords satisfy both the Australia Cyber Security Act 2024 and the EU Cyber Resilience Act.
  • Vulnerability handling: a documented vulnerability intake, triage, remediation, and disclosure process satisfies both regimes. The EU Cyber Resilience Act requirements are the more comprehensive set.
  • Support period: a published support period with an end date that meets the EU Cyber Resilience Act five-year minimum also satisfies the Australia Cyber Security Act 2024 defined support period requirement.
  • Design evidence: threat models, secure development lifecycle records, test reports, and architecture reviews can support both the Australian statement of compliance and the EU technical documentation file.
  • Secure defaults: products shipped without default passwords and with secure configuration settings satisfy both regimes.
  • Security update infrastructure: a reliable update delivery mechanism serves both the Australian support period commitment and the EU Cyber Resilience Act update obligation.

Section 9

Where compliance efforts must remain separate

While shared engineering evidence is valuable, certain compliance activities remain specific to each regime and cannot be merged. Teams must maintain separate processes for these jurisdiction-specific obligations to avoid gaps in either market.

The EU Cyber Resilience Act requires conformity assessment, CE marking, and an EU declaration of conformity. These concepts do not exist under the Australia Cyber Security Act 2024. Teams selling into the EU must complete the appropriate conformity assessment procedure (Module A for default products, or notified body assessment for higher-risk categories), affix the CE mark, and issue a formal declaration of conformity. None of these steps are required or recognised under Australian law.

The Australia Cyber Security Act 2024 requires a specific statement of compliance that must be prepared by or on behalf of the manufacturer. This statement has prescribed content including the product type, batch identifier, manufacturer details, authorised representative details, the defined support period, and a signed declaration. This statement format is unique to the Australian regime and is not equivalent to an EU declaration of conformity.

The EU Cyber Resilience Act requires manufacturers to report actively exploited vulnerabilities and severe incidents to ENISA starting 11 September 2026. The Australia Cyber Security Act 2024 does not require product-level vulnerability or incident reporting from manufacturers of smart devices. Instead, Australia has a separate ransomware payment reporting obligation that applies at the business entity level.

The EU Cyber Resilience Act requires manufacturers to prepare and maintain an SBOM. The Australia Cyber Security Act 2024 does not currently require an SBOM.

The EU Cyber Resilience Act imposes obligations on importers and distributors in the EU supply chain. The Australia Cyber Security Act 2024 imposes obligations on manufacturers and suppliers, using the Australian Consumer Law definitions of those terms.

  • EU only: conformity assessment procedure (Module A or notified body assessment), CE marking, and EU declaration of conformity.
  • EU only: vulnerability and incident reporting to ENISA within 24 and 72 hours.
  • EU only: SBOM preparation and maintenance.
  • EU only: obligations on importers and distributors in the EU supply chain.
  • Australia only: statement of compliance in the prescribed format with product type, batch identifier, manufacturer and authorised representative details, defined support period, and signed declaration.
  • Australia only: five-year retention obligation for the statement of compliance by both manufacturers and suppliers.
  • Australia only: ransomware payment reporting within 72 hours for qualifying business entities under Part 3.
  • Australia only: escalating enforcement pathway of compliance notice, stop notice, and recall notice with public disclosure for recall non-compliance.

Section 10

Practical dual compliance strategy for teams selling into both markets

The most effective approach for teams that need to comply with both the Australia Cyber Security Act 2024 and the EU Cyber Resilience Act is a layered compliance model with a shared engineering evidence base and separate legal and regulatory wrappers for each jurisdiction.

The shared engineering evidence base should include secure product design documentation (threat models, architecture reviews, security design decisions), credential management evidence (how unique per-device passwords are generated, how default credentials are eliminated), vulnerability handling program documentation (intake process, triage criteria, remediation workflow, disclosure policy, contact information), security update infrastructure documentation (update delivery mechanism, support period commitments, end-of-support planning), test evidence (penetration test reports, security functional testing, regression testing), and secure development lifecycle records (code review processes, dependency management, build integrity checks).

The Australian compliance wrapper should include the statement of compliance in the format prescribed by Section 9 of the Security Standards for Smart Devices Rules 2025, records showing that the product falls within the consumer grade relevant connectable product class (or a future class defined by additional rules), evidence of compliance with each of the three schedule requirements (passwords, vulnerability reporting contact, defined support period), supply chain documentation confirming that the statement of compliance accompanies the product when supplied in Australia, and records demonstrating the five-year retention of the statement of compliance.

The EU compliance wrapper should include the technical documentation file required by the EU Cyber Resilience Act (covering all essential cybersecurity requirements in Annex I), the conformity assessment records (internal production control under Module A, or notified body assessment records for higher-risk products), the EU declaration of conformity, CE marking application records, the SBOM, the vulnerability and incident reporting procedures for ENISA notification, and the user notification procedures for actively exploited vulnerabilities.

A single governance review before each product launch should verify that both the Australian and EU wrappers are complete and that the underlying engineering evidence base supports the claims made in each wrapper. This approach avoids duplication of engineering effort while ensuring that each jurisdiction's specific legal requirements are met.

  • Layer 1 (shared): secure design evidence, credential management, vulnerability handling, update infrastructure, test reports, and secure development lifecycle records.
  • Layer 2 (Australia): statement of compliance, product class analysis, schedule requirement evidence, supply documentation, and five-year retention records.
  • Layer 2 (EU): technical documentation file, conformity assessment records, EU declaration of conformity, CE marking, SBOM, ENISA reporting procedures, and user notification procedures.
  • Layer 3 (governance): a single pre-launch review that checks both jurisdiction wrappers against the shared evidence base.
  • Start with the EU Cyber Resilience Act requirements as the more comprehensive baseline. Map the Australian requirements against that baseline to confirm coverage. Add the Australian-specific documentation on top.
  • Maintain a compliance mapping table that traces each Australia Cyber Security Act 2024 requirement and each EU Cyber Resilience Act essential requirement to specific evidence artifacts in the shared engineering base.

Section 11

Comparison summary table: Australia Cyber Security Act 2024 versus EU Cyber Resilience Act

The following summary captures the key comparison points between the Australia Cyber Security Act 2024 smart device regime and the EU Cyber Resilience Act. This table format is designed for product security, compliance, and legal teams that need a quick reference when planning dual-market product launches.

  • Product scope: Australia covers consumer grade relevant connectable products (excluding desktops, laptops, tablets, smartphones, therapeutic goods, and vehicles). The EU Cyber Resilience Act covers all products with digital elements including software, hardware, and remote data processing solutions.
  • Security requirements: Australia mandates three requirements (passwords, vulnerability contact, support period). The EU Cyber Resilience Act mandates comprehensive essential cybersecurity requirements covering design, development, production, vulnerability handling, updates, SBOM, and secure defaults.
  • Compliance documentation: Australia requires a statement of compliance retained for five years. The EU Cyber Resilience Act requires technical documentation, an EU declaration of conformity, and CE marking.
  • Conformity assessment: Australia uses a manufacturer self-declaration model. The EU Cyber Resilience Act uses self-assessment (Module A) for default products and notified body assessment for important Class II and critical products.
  • Incident reporting: Australia Part 2 (smart devices) has no product-level vulnerability or incident reporting. Australia Part 3 requires ransomware payment reporting within 72 hours. The EU Cyber Resilience Act requires vulnerability and incident reporting to ENISA within 24 and 72 hours.
  • Penalties: Australia uses civil penalties of 60 penalty units per contravention plus escalating enforcement notices. The EU Cyber Resilience Act uses fines of up to EUR 15,000,000 or 2.5% of global turnover.
  • Timeline: Australia smart device rules are enforceable from 4 March 2026. EU Cyber Resilience Act reporting obligations apply from 11 September 2026, and full requirements apply from 11 December 2027.
  • Evidence reuse potential: high for credential management, vulnerability handling, and support period transparency. Low for conformity assessment procedures, SBOM, and incident reporting to ENISA.