| Topic | Australia | UK PSTI | Practical handling |
|---|---|---|---|
| Scope boundary | Australia: the Smart Devices Rules apply the security standard to consumer grade relevant connectable products intended, or likely, to be used for personal, domestic, or household use, when acquired in Australia by a consumer; the rules exclude listed categories such as desktop/laptop computers, tablets, smartphones, therapeutic goods, road vehicles, and road-vehicle components. | UK PSTI: keep the UK scope analysis anchored to the Product Security and Telecommunications Infrastructure Act 2022 and the 2023 security requirements regulations for relevant connectable products; do not use this Australian page to add unsupported UK category exclusions or thresholds. | A product can reuse part of the product-security analysis only after the Australian consumer-grade and acquisition-in-Australia tests are documented separately from the UK PSTI scope decision. |
| Covered actors | Australia: manufacturers and suppliers need to keep the smart-device standard, statement-of-compliance fields, and retention obligations aligned with Australian requirements, while the Act separately reaches reporting businesses for ransomware payment reporting and the entities involved in Cyber Incident Review Board and SOCI matters. | UK PSTI: the comparator is narrower and centers on manufacturers, importers, distributors, and authorised representatives for relevant connectable products, as shown in the UK Act and guidance sourced on this page. | Do not assume the same controlled party list across Australia and the UK; first identify whether the task is product compliance, ransomware reporting, or critical-infrastructure reporting. |
| Trigger | Australia: the statement must be prepared by or on behalf of the manufacturer and include product type and batch identifier, manufacturer and authorised-representative details, compliance declarations, defined support period, signatory details, and place and date of issue; statements must be retained for five years. | UK PSTI: Australian grounding says UK-market products can provide the same statement-of-compliance information for Australia only if all Australian section 9 requirements are met; the UK source in this file should not be treated as proving Australian retention or field requirements. | Reuse the same document only after adding an Australian field-by-field check and retention owner; otherwise keep a UK PSTI statement and an Australian statement as separate records. |
| Core obligations | Australia: a reporting business entity must report after a ransomware payment when the Act and rules apply; the rules set a $3 million turnover threshold for businesses and require report information about the incident, demand, payment, and communications, with the Act setting a 72-hour report period. | UK PSTI: no UK PSTI ransomware-payment duty is supported by the grounding for this page. Keep UK PSTI out of ransomware reporting unless a separate UK source is added elsewhere. | Do not merge ransomware-payment playbooks with UK product-security evidence; route these cases to Australian incident response, legal, and executive approval owners. |
| Evidence record | Australia: the Cyber Security Act includes voluntary information sharing with the National Cyber Security Coordinator for significant cyber security incidents and creates a Cyber Incident Review Board process; SOCI separately covers critical infrastructure asset registration, risk management programs, cyber-incident notification, and enhanced cyber obligations. | UK PSTI: the provided UK PSTI sources support connected-product security comparison, not Australian-style review-board referrals or SOCI critical-infrastructure asset obligations. | When a connected product is also part of an Australian critical-infrastructure service, run product-security, SOCI, and incident-review checks as separate tracks with separate owners and evidence. |
| Australian enforcement tools | Australia: for smart-device non-compliance, the Cyber Security Act supports compliance notices, stop notices, recall notices, public notification of recall-notice failure, expert examination, civil penalties, infringement notices, enforceable undertakings, and injunctions. | UK PSTI: keep enforcement conclusions to the UK Act and regulations themselves; this page does not have grounding for UK penalty amounts, regulator practice, or market-surveillance steps beyond the existing UK public sources. | Do not promise one enforcement playbook. Australian remediation needs notice-response, recall, public-notification, and examination evidence; UK PSTI remediation needs a separate UK-law review if enforcement details matter. |
| Enforcement pathway | Australia: the Act also treats product non-compliance as a matter that can escalate through notices, infringement action, enforceable undertakings, and injunctions, so the Australian response can move beyond a single product-label or statement fix. | UK PSTI: the UK source set on this page is about the PSTI connected-product regime, but it is not the right place to infer Australian enforcement escalation or Australian notice practice. | If the issue is enforcement, separate the Australian legal path from the UK product-security path before deciding on owners, escalation timing, or records to keep. |
| Overlap and reuse | Australia: only the product-security portion can overlap with PSTI-style evidence, and even then the Australian rules still require their own statement, support-period, and retention checks. | UK PSTI: keep the UK comparator limited to the connected-product regime supported by the UK Act and 2023 regulations on this page. | Treat the overlap as a narrow documentation reuse lane, not a blanket transfer of Australian findings into the UK file or vice versa. |
| Practical decision rule | Australia: start by deciding whether the task is smart-device compliance, ransomware reporting, Cyber Incident Review Board material, or SOCI material, because each one uses different Australian legal hooks. | UK PSTI: use the UK comparator only after you have confirmed the matter is actually a connected-product issue and not one of Australia's separate reporting or infrastructure workstreams. | If the issue is anything other than connected-product compliance, the UK PSTI comparison should stop at the first scope check. |