
Australia Cyber Security Act 2024 vs UK PSTI Act

A detailed product security comparison of the Australia Cyber Security Act 2024 and the UK PSTI Act for manufacturers and suppliers of connectable products.

Both regimes target the same three baseline controls (passwords, vulnerability disclosure, and support periods) but differ in scope exclusions, enforcement mechanisms, statement of compliance requirements, and civil penalty structures.

Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026
Overview

The Australia Cyber Security Act 2024 and the UK PSTI Act both establish mandatory product security baselines for consumer connectable products. Both regimes share a common origin in the ETSI EN 303 645 standard and require manufacturers to address the same three core controls: eliminating weak default passwords, publishing a vulnerability disclosure route, and declaring a defined support period. However, the Australia Cyber Security Act 2024 and the UK PSTI Act differ in important ways. They have different product scope exclusions, different enforcement escalation paths, different statement of compliance requirements, and different penalty structures. This product security comparison page explains exactly where the Australia Cyber Security Act 2024 and the UK PSTI Act overlap, where they diverge, and how manufacturers and suppliers can build one product security baseline that satisfies both markets with minimal rework.

Section 1

Shared ETSI EN 303 645 foundation for the Australia Cyber Security Act 2024 and the UK PSTI Act

Both the Australia Cyber Security Act 2024 and the UK PSTI Act derive their technical security requirements from the first three provisions of the ETSI EN 303 645 standard (Cyber Security for Consumer Internet of Things: Baseline Requirements). The Australian Government Explanatory Statement confirms that Schedule 1, Part 1 of the Cyber Security (Security Standards for Smart Devices) Rules 2025 closely follows the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (UK). This shared origin is the most important fact in any product security comparison of the Australia Cyber Security Act 2024 and the UK PSTI Act.

The three mandated ETSI EN 303 645 provisions are Provision 5.1 (no universal default passwords), Provision 5.2 (implement a means to manage reports of security vulnerabilities), and Provision 5.3 (keep software updated with a defined support period). UK modelling found that implementing these three provisions could reduce the probability of attacks on consumer smart devices by between 20 and 70 per cent. The Australian Signals Directorate confirmed these are also the highest priority technical controls for the Australian market.

Product teams that already comply with the UK PSTI Act will find that most of their engineering controls transfer directly to the Australia Cyber Security Act 2024. The practical strategy is to build one shared evidence pack covering product design, testing, vulnerability handling, and update support, then add separate compliance documentation for each market.

  • Both the Australia Cyber Security Act 2024 and UK PSTI Act mandate ETSI EN 303 645 Provision 5.1: no universal default passwords.
  • Both regimes mandate ETSI EN 303 645 Provision 5.2: a published vulnerability disclosure policy with contact channels and response commitments.
  • Both regimes mandate ETSI EN 303 645 Provision 5.3: defined support periods for security updates with a fixed end date.
  • The Australian Explanatory Statement confirms the Smart Devices Rules 2025 closely follow the UK PSTI Regulations 2023.
  • UK modelling estimated a 20 to 70 per cent reduction in smart device attack probability from these three controls.
  • The Australian Signals Directorate confirmed the same three ETSI EN 303 645 provisions are the highest priority technical controls.
Section 2

Product scope: what the Australia Cyber Security Act 2024 and the UK PSTI Act each cover

Both the Australia Cyber Security Act 2024 and the UK PSTI Act apply to products that can connect directly or indirectly to the internet. The Australia Cyber Security Act 2024 defines these as relevant connectable products and splits them into two categories. Internet-connectable products are products capable of connecting to the internet using a communication protocol that forms part of the internet protocol suite to send and receive data over the internet (Section 13(4) of the Act). Network-connectable products are products capable of both sending and receiving data by means of electrical or electromagnetic energy that are not internet-connectable products but that can connect directly to an internet-connectable product via an internet protocol or can connect directly to two or more products at the same time via a non-internet protocol and also to an internet-connectable product (Section 13(5) to (7) of the Act). The UK PSTI Act uses materially similar definitions for its two categories of connectable products.

The Australia Cyber Security Act 2024 security standard applies specifically to consumer grade relevant connectable products. Under Section 8 of the Cyber Security (Security Standards for Smart Devices) Rules 2025, a consumer grade product is one that is intended by the manufacturer to be used, or is of a kind likely to be used, for personal, domestic or household use or consumption, and that is acquired in Australia by a consumer. The term consumer is defined by reference to section 3 of the Australian Consumer Law.

The exclusion lists are where the product scope comparison between the Australia Cyber Security Act 2024 and the UK PSTI Act becomes critical. The Australia Cyber Security Act 2024 Rules exclude desktop computers, laptops, tablet computers, smartphones, therapeutic goods (under the Therapeutic Goods Act 1989), road vehicles, and road vehicle components (under the Road Vehicle Standards Act 2018). The UK PSTI Act has its own set of exceptions under the 2023 Regulations. Manufacturers must check both exclusion lists independently because a product excluded from the Australia Cyber Security Act 2024 may still be in scope for the UK PSTI Act, and the reverse. Consumer energy resources such as solar inverters and connected batteries are within scope of the Australia Cyber Security Act 2024, and the Australian Government found that all major CER original equipment manufacturers examined also supplied products to the UK market.

  • The Australia Cyber Security Act 2024 applies to relevant connectable products that are internet-connectable or network-connectable, manufactured or supplied (not second hand) on or after commencement of Part 2.
  • The Australia Cyber Security Act 2024 consumer grade security standard excludes desktops, laptops, tablets, smartphones, therapeutic goods, road vehicles, and road vehicle components.
  • The UK PSTI Act covers relevant connectable products in the UK market with its own separate exclusion list under the 2023 Regulations.
  • Consumer energy resources (solar inverters, batteries) are within scope of the Australia Cyber Security Act 2024.
  • Smart meters are outside scope in Australia because they are not acquired by consumers but supplied and installed by electricity retailers.
  • Manufacturers must maintain a product inventory that tags each SKU for Australia Cyber Security Act 2024 scope and UK PSTI Act scope independently.
Section 3

Password security requirements under the Australia Cyber Security Act 2024 vs UK PSTI Act

Password security is the first shared requirement under both the Australia Cyber Security Act 2024 and the UK PSTI Act. Both regimes require that passwords for consumer smart devices must be either unique per product or defined by the user. Neither regime permits universal or factory default passwords that are the same across all units of a product model.

Under the Australia Cyber Security Act 2024, Schedule 1 Clause 2 of the Smart Devices Rules 2025 specifies that passwords must be unique per product or user-defined. Passwords that are unique per product must not be based on incremental counters (such as password1 and password2), must not be based on or derived from publicly available information, must not be based on or derived from unique product identifiers (such as serial numbers) unless encrypted or hashed using an encryption method or keyed hashing algorithm that is accepted as part of good industry practice, and must not be otherwise guessable in a manner unacceptable under good industry practice. The Rules define specific terms: a keyed hashing algorithm means an algorithm that uses a data input and a secret key to produce a value which cannot be guessed or reproduced without knowledge of both. Good industry practice means the exercise of that degree of skill, diligence, prudence and foresight which would reasonably and ordinarily be expected from a skilled and experienced cryptographer engaged in the same type of activity.

The password requirements under the Australia Cyber Security Act 2024 apply to passwords for hardware of the product when the product is not in factory default state, software that is preinstalled on the product at the point of consumer supply when the product is not in factory default state, and software that must be installed for all of the manufacturer's intended purposes. The UK PSTI Act Regulations 2023 contain equivalent requirements covering the same product and software categories. One password implementation can satisfy both the Australia Cyber Security Act 2024 and the UK PSTI Act simultaneously.

  • Both the Australia Cyber Security Act 2024 and the UK PSTI Act prohibit universal default passwords across product units.
  • Passwords must be unique per product or defined by the user under both product security frameworks.
  • Unique-per-product passwords must not be based on incremental counters (e.g., password1, password2) under the Australia Cyber Security Act 2024.
  • Passwords must not be derived from publicly available information or unencrypted product identifiers under the Australia Cyber Security Act 2024.
  • The Australia Cyber Security Act 2024 defines good industry practice by reference to the skill expected of an experienced cryptographer.
  • One password implementation designed for the UK PSTI Act will satisfy the Australia Cyber Security Act 2024.
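As an added example (not code from the page, the Act, the Rules or any regulator's guidance), the following Python shows one way a factory can derive a per-device default password from the public serial number with a keyed hash, and audit a production batch for the patterns Clause 2 prohibits: universal defaults, incremental counters, serial-derived values and publicly available information. The factory key, the choice of HMAC-SHA256 as the keyed hashing algorithm, the alphabet, the 12-character length and the audit heuristics are all assumptions made for the example.

```python
"""Per-device default password derivation and batch audit (illustrative).

Assumptions, not regulatory text: the factory key is kept in an HSM and never
ships on the device; HMAC-SHA256 stands in for the Rules' "keyed hashing
algorithm"; alphabet, length and audit heuristics are example choices."""
import hashlib
import hmac
import re

# Label-friendly alphabet with the look-alikes 0/O and 1/l/I removed.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"
PASSWORD_LEN = 12          # 55**12 is roughly 2**69 possible passwords
MIN_SERIAL_OVERLAP = 5     # heuristic: this many serial chars in a password counts as "derived"
_TRAILING_DIGITS = re.compile(r"^(.+?)(\d+)$")   # e.g. password1 -> stem "password"


def derive_device_password(factory_key: bytes, model: str, serial: str) -> str:
    """Keyed hash of (model, serial) mapped to a printable password.

    The serial number is public (it is printed on the box), so a plain hash of
    it could be reproduced by anyone; the secret key is what makes a
    serial-derived password acceptable under Clause 2. Same inputs always give
    the same password, so a label can be reprinted without storing passwords."""
    if len(factory_key) < 32:
        raise ValueError("factory key must be at least 256 bits")
    msg = model.encode() + b"\x00" + serial.encode()   # NUL separator, no ambiguity
    digest = hmac.new(factory_key, msg, hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(PASSWORD_LEN):
        n, idx = divmod(n, len(ALPHABET))   # 256-bit MAC >> 55**12, so bias is negligible
        chars.append(ALPHABET[idx])
    return "".join(chars)


def audit_default_passwords(batch: dict, public_terms: list) -> list:
    """Check a production batch {serial: factory_password} for the patterns
    Clause 2 prohibits. Returns sorted (serial, reason) findings; [] is clean."""
    findings = set()

    # (a) universal default: the same password appears on more than one unit
    by_password = {}
    for serial, pw in batch.items():
        by_password.setdefault(pw, []).append(serial)
    for serials in by_password.values():
        if len(serials) > 1:
            findings.update((s, "universal-default") for s in serials)

    # (b) incremental counter: identical stems that differ only in trailing digits
    by_stem = {}
    for serial, pw in batch.items():
        m = _TRAILING_DIGITS.match(pw)
        if m:
            by_stem.setdefault(m.group(1), []).append(serial)
    for serials in by_stem.values():
        if len(serials) > 1:
            findings.update((s, "incremental-counter") for s in serials)

    for serial, pw in batch.items():
        low, s_low = pw.lower(), serial.lower()
        # (c) derived from the product identifier without a keyed hash
        if any(s_low[i:i + MIN_SERIAL_OVERLAP] in low
               for i in range(len(s_low) - MIN_SERIAL_OVERLAP + 1)):
            findings.add((serial, "serial-derived"))
        # (d) based on publicly available information (model, brand, "admin", ...)
        if any(term.lower() in low for term in public_terms):
            findings.add((serial, "public-information"))

    return sorted(findings)


if __name__ == "__main__":
    key = bytes(range(32))   # constructed test key only; a real key lives in the HSM
    good = {f"SN0001{i:02d}": derive_device_password(key, "CAM-200", f"SN0001{i:02d}")
            for i in range(10)}
    print("keyed-hash batch findings:", audit_default_passwords(good, ["cam-200", "admin"]))
    weak = {"SN000123": "password1", "SN000124": "password2", "SN000125": "SN000125x"}
    print("weak batch findings:", audit_default_passwords(weak, ["cam-200", "admin"]))
```

The audit is the evidence a manufacturer would retain for the password control in the shared evidence pack: a clean result for the batch, and the named keyed hashing algorithm alongside it.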

Section 4

Vulnerability disclosure requirements in the Australia Cyber Security Act 2024 vs UK PSTI Act

Both the Australia Cyber Security Act 2024 and the UK PSTI Act require manufacturers to publish a vulnerability disclosure policy that tells security researchers and members of the public how to report security issues. This is the second shared ETSI EN 303 645 control in the product security comparison.

Under the Australia Cyber Security Act 2024, Schedule 1 Clause 3 of the Smart Devices Rules 2025 requires the manufacturer to publish at least one point of contact for reporting security issues, and to state when a person who makes such a report will receive an acknowledgement of the receipt of the report and status updates until the resolution of the reported security issues. The vulnerability disclosure obligation covers hardware of the product, software that is preinstalled at the point of consumer supply, software that must be installed for all of the manufacturer's intended purposes, and software used for or in connection with any of the manufacturer's intended purposes of the product.

The published vulnerability disclosure information under the Australia Cyber Security Act 2024 must be accessible, clear and transparent. It must be made available to a person without prior request, in English, free of charge, and without requesting personal information about the person. The UK PSTI Act contains equivalent vulnerability reporting requirements. For manufacturers already compliant with the UK PSTI Act, the same vulnerability disclosure policy, contact channels, and acknowledgement workflows will satisfy the Australia Cyber Security Act 2024 requirements.

  • Both the Australia Cyber Security Act 2024 and the UK PSTI Act require at least one published point of contact for security vulnerability reports.
  • Manufacturers must acknowledge receipt and provide status updates until resolution under both product security frameworks.
  • Vulnerability reporting information must be free, accessible, and available without requiring personal data under the Australia Cyber Security Act 2024.
  • Published information must be in English and accessible without prior request under the Australian Smart Devices Rules 2025.
  • Coverage extends to hardware, preinstalled software, installable software, and connected software under the Australia Cyber Security Act 2024.
  • The same vulnerability disclosure policy satisfies both the Australia Cyber Security Act 2024 and the UK PSTI Act.
Section 5

Support period and security update obligations under the Australia Cyber Security Act 2024 vs UK PSTI Act

Both the Australia Cyber Security Act 2024 and the UK PSTI Act require manufacturers to publish a defined support period for security updates. Under the Australia Cyber Security Act 2024, Schedule 1 Clause 4 of the Smart Devices Rules 2025 defines a security update as a software update that protects or enhances the security of the product, including a software update that addresses a security issue which has been discovered by or reported to the manufacturer. The defined support period is the period, expressed as a period of time with an end date, for which security updates will be provided by or on behalf of the manufacturer.

The Australia Cyber Security Act 2024 imposes specific rules on the defined support period. The manufacturer must not shorten the defined support period after it is published. If the manufacturer extends the defined support period, the new period must be published as soon as practicable. The defined support period information must be accessible, clear and transparent. It must be made available to a person without prior request, in English, free of charge, without requesting personal information, and in such a way that is understandable by a reader without prior technical knowledge.

If the manufacturer offers to supply the product on its website or another website under its control, the Australia Cyber Security Act 2024 requires that the defined support period information must be prominently published with the other information intended to inform consumers' decisions to acquire the product. For each instance on the website where the main characteristics of the product are published, the support period must be published alongside or otherwise given equal prominence to the publication of the main characteristics. The UK PSTI Act contains comparable requirements for defined support period publication. One support period publication can serve both the Australia Cyber Security Act 2024 and the UK PSTI Act.

  • Both the Australia Cyber Security Act 2024 and the UK PSTI Act require a defined support period expressed as a time period with a fixed end date.
  • The defined support period must not be shortened once published but may be extended under both product security frameworks.
  • If extended, the new defined support period must be published as soon as practicable under the Australia Cyber Security Act 2024.
  • Support period information must be prominently displayed alongside product characteristics on manufacturer websites under the Australia Cyber Security Act 2024.
  • Information must be free, in English, and understandable without technical knowledge under the Australian Smart Devices Rules 2025.
  • Security updates are defined as software updates that protect or enhance product security under the Australia Cyber Security Act 2024.
Section 6

Statement of compliance: how the Australia Cyber Security Act 2024 differs from the UK PSTI Act

The statement of compliance is where the product security comparison shows the most significant procedural difference between the Australia Cyber Security Act 2024 and the UK PSTI Act. Section 16 of the Australia Cyber Security Act 2024 requires manufacturers to provide a statement of compliance for every in-scope product supplied in Australia, and requires suppliers to supply each product accompanied by that statement. Both manufacturers and suppliers must retain a copy of the statement of compliance for the period specified in the Rules.

Under Section 9 of the Cyber Security (Security Standards for Smart Devices) Rules 2025, the statement of compliance must be prepared by or on behalf of the manufacturer. It must include the product type and batch identifier, the name and address of the manufacturer, the name and address of an authorised representative of the manufacturer, the names and addresses of any other authorised representatives of the manufacturer that are in Australia, a declaration that the statement was prepared by or on behalf of the manufacturer, a declaration that in the opinion of the manufacturer the product was manufactured in compliance with the requirements of the security standard and the manufacturer has complied with any other obligations relating to the product in the security standard, the defined support period for the product at the date the statement of compliance is issued, the signature and name and function of the signatory of the manufacturer, and the place and date of issue of the statement of compliance.

The retention period for the statement of compliance is 5 years under Section 10 of the Rules. This applies to both manufacturers (who must retain the statement they prepared) and suppliers (who must retain a copy of the statement that accompanied the product). The UK PSTI Act requires compliance documentation under its own regime, but the specific fields, format, and retention period differ. The Australian Government Explanatory Statement confirms that products supplied to the UK market under the UK PSTI Regulations 2023 can reuse the same information for the Australian statement of compliance as long as all Australian requirements are met.

  • The Australia Cyber Security Act 2024 requires a statement of compliance with prescribed fields including product type, batch identifier, manufacturer details, authorised representative details, compliance declarations, defined support period, signatory details, and date and place of issue.
  • Under the Australia Cyber Security Act 2024, manufacturers must retain the statement of compliance for 5 years.
  • Under the Australia Cyber Security Act 2024, suppliers must also retain a copy of the statement of compliance for 5 years.
  • The statement of compliance must be prepared by or on behalf of the manufacturer under Section 9 of the Smart Devices Rules 2025.
  • Products already compliant with the UK PSTI Act can reuse the same information for the Australian statement if all Australian requirements are met.
  • The UK PSTI Act has its own compliance documentation requirements with different prescribed fields.
Section 7

Enforcement escalation: compliance notice, stop notice, and recall notice under the Australia Cyber Security Act 2024

The Australia Cyber Security Act 2024 establishes a three-step enforcement escalation path for product security in Part 2, Division 3 of the Act. This enforcement model differs from the UK PSTI Act enforcement regime and is an important part of this product security comparison.

The first step is a compliance notice under Section 17 of the Australia Cyber Security Act 2024. The Secretary of the Department of Home Affairs may issue a compliance notice if the Secretary is reasonably satisfied that an entity is not complying with its obligations under Section 15 (compliance with the security standard) or Section 16 (statement of compliance), or if the Secretary is aware of information that suggests the entity may not be complying. The compliance notice must set out the name of the entity, brief details of the non-compliance or possible non-compliance, specify action within the entity's control that the entity must take, specify a reasonable period for taking that action, and explain what may happen if the entity does not comply. Before issuing the compliance notice, the Secretary must notify the entity and give the entity at least 10 days to make representations.

The second step is a stop notice under Section 18 of the Australia Cyber Security Act 2024. The Secretary may issue a stop notice if the entity has already been given a compliance notice and has not complied with it, or if the actions taken to address the non-compliance are inadequate. The stop notice can require the entity to take or refrain from taking specific actions within a reasonable period. The third step is a recall notice under Section 19 of the Australia Cyber Security Act 2024. The Secretary may issue a recall notice if the entity has already been given a stop notice and has not complied with it. The recall notice can require the entity to ensure the product is not acquired in Australia, ensure the product is not supplied to suppliers for supply in Australia, and arrange for the return of the product within a specified reasonable period. If the entity fails to comply with the recall notice, the Minister may publish the entity's identity, product details, non-compliance details, and the risks posed by the product under Section 20 of the Australia Cyber Security Act 2024.

The UK PSTI Act is enforced by the Office for Product Safety and Standards (OPSS) and also uses compliance notices, stop notices, and recall notices. Under the Australia Cyber Security Act 2024, entities may apply for internal review of a decision to issue any notice within 30 days after the notice was given (Section 22). The decision-maker must review the decision and affirm, vary, or revoke it within 30 days of the application.

  • Australia Cyber Security Act 2024 enforcement Step 1: Compliance notice under Section 17 requiring the entity to address the non-compliance within a specified period, with at least 10 days to make representations before issuance.
  • Australia Cyber Security Act 2024 enforcement Step 2: Stop notice under Section 18 if the compliance notice was not followed or the response was inadequate.
  • Australia Cyber Security Act 2024 enforcement Step 3: Recall notice under Section 19 requiring the entity to stop supply and arrange product returns.
  • Failure to comply with a recall notice may result in public notification by the Minister under Section 20, including the entity's identity and product details.
  • The UK PSTI Act enforcement is administered by the Office for Product Safety and Standards (OPSS).
  • Under the Australia Cyber Security Act 2024, entities may apply for internal review of a notice decision within 30 days.
Section 8

Civil penalties and regulatory powers: Australia Cyber Security Act 2024 vs UK PSTI Act

The Australia Cyber Security Act 2024 uses the Regulatory Powers (Standard Provisions) Act 2014 as its penalty and enforcement framework. Under Part 6 of the Australia Cyber Security Act 2024, each civil penalty provision is subject to monitoring powers (Part 2 of the Regulatory Powers Act), investigation powers (Part 3), civil penalty orders from a relevant court (Part 4), infringement notices (Part 5), enforceable undertakings (Part 6), and injunctions (Part 7). Sections 15 and 16 of the Australia Cyber Security Act 2024, which contain the core product security obligations (security standard compliance and statement of compliance), are specifically subject to monitoring and enforceable undertakings.

The Secretary of the Department of Home Affairs may also engage an appropriately qualified and experienced expert to carry out an independent examination of any product to determine whether it complies with the security standard and whether the statement of compliance meets the requirements (Section 23 of the Australia Cyber Security Act 2024). The expert may open product packaging, operate the product, test or analyse the product using electronic equipment, read records or documents contained in the product, and take photographs or video recordings. An entity is entitled to reasonable compensation from the Commonwealth for complying with such a request.

The UK PSTI Act empowers OPSS to impose financial penalties of up to GBP 10 million or 4% of qualifying worldwide revenue, whichever is greater, for each compliance failure. The UK PSTI Act also allows daily penalties of up to GBP 20,000 for ongoing non-compliance. In this product security comparison, the UK PSTI Act penalty structure is more explicitly quantified with specific maximum amounts, while the Australia Cyber Security Act 2024 relies on the general civil penalty regime of the Regulatory Powers Act, which calculates maximum penalties based on penalty units.

  • The Australia Cyber Security Act 2024 applies civil penalty orders, infringement notices, enforceable undertakings, and injunctions through the Regulatory Powers (Standard Provisions) Act 2014.
  • The Australia Cyber Security Act 2024 authorises the Secretary to commission independent product examinations by qualified experts under Section 23.
  • Independent examiners under the Australia Cyber Security Act 2024 may open, operate, test, analyse, and photograph products.
  • The UK PSTI Act allows financial penalties of up to GBP 10 million or 4% of qualifying worldwide revenue per compliance failure.
  • The UK PSTI Act also allows daily penalties of up to GBP 20,000 for ongoing non-compliance.
  • Both the Australia Cyber Security Act 2024 and the UK PSTI Act have meaningful penalty exposure, but the calculation methodology differs.
Section 9

Timeline comparison: when the Australia Cyber Security Act 2024 and the UK PSTI Act each apply

The timeline differences in this product security comparison are critical for planning. The UK PSTI Act security requirements have been in force since 29 April 2024. Any manufacturer or supplier placing relevant connectable products on the UK market must already comply with the UK PSTI Act.

The Australia Cyber Security Act 2024 received Royal Assent on 29 November 2024. Part 1 (preliminary provisions and definitions) commenced on 30 November 2024. Part 2 (security standards for smart devices) commenced on 29 November 2025. The substantive security standard is in the Cyber Security (Security Standards for Smart Devices) Rules 2025, which were registered on 4 March 2025 with a 12 month transition period. Part 2 of the Rules and Schedule 1, which contains the actual password, vulnerability disclosure, and defined support period requirements, commenced on 4 March 2026. Part 3 (ransomware reporting obligations) commenced on 29 May 2025. Part 4 (coordination of significant cyber security incidents) commenced on 30 November 2024. Part 5 (Cyber Incident Review Board) commenced on 29 May 2025. Parts 6 and 7 (regulatory powers and miscellaneous) commenced on 30 November 2024.

This means that as of 4 March 2026, both the Australia Cyber Security Act 2024 and the UK PSTI Act are actively enforceable for their respective markets. Manufacturers that already comply with the UK PSTI Act should have most of the technical controls in place for the Australia Cyber Security Act 2024 and need to focus on the statement of compliance documentation, product scope analysis against the Australian exclusion list, and assessment of whether the broader business triggers ransomware reporting obligations under Part 3 of the Australia Cyber Security Act 2024.

  • UK PSTI Act: security requirements in force since 29 April 2024.
  • Australia Cyber Security Act 2024: Royal Assent 29 November 2024, Part 1 commenced 30 November 2024.
  • Australia Cyber Security Act 2024: Part 2 (security standards for smart devices) commenced 29 November 2025.
  • Australia Cyber Security Act 2024: Security Standards Rules registered 4 March 2025, Schedule 1 security standard commenced 4 March 2026.
  • Australia Cyber Security Act 2024: Ransomware reporting obligations (Part 3) commenced 29 May 2025.
  • Both the Australia Cyber Security Act 2024 and the UK PSTI Act are now actively enforceable in their respective markets.
Section 10

Broader statutory context: ransomware reporting under the Australia Cyber Security Act 2024

An important dimension of this product security comparison that does not exist in the UK PSTI Act is the ransomware reporting obligation in Part 3 of the Australia Cyber Security Act 2024. While the product security controls in Part 2 of the Australia Cyber Security Act 2024 apply to manufacturers and suppliers of consumer connectable products, Part 3 introduces separate reporting duties for any reporting business entity that makes a ransomware payment in connection with a cyber security incident.

Under Section 26 of the Australia Cyber Security Act 2024, a reporting business entity is an entity carrying on a business in Australia with an annual turnover for the previous financial year that exceeds the prescribed threshold, that is not a Commonwealth body or State body, and that is not a responsible entity for a critical infrastructure asset. Alternatively, an entity that is a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies is also a reporting business entity under the Australia Cyber Security Act 2024. If a reporting business entity provides or is aware that another entity has provided a ransomware payment to an extorting entity in connection with a cyber security incident, the entity must report the payment under Section 27 of the Australia Cyber Security Act 2024. Failure to report carries a civil penalty of 60 penalty units.

Information in ransomware payment reports is protected under the Australia Cyber Security Act 2024. Ransomware payment reports may only be used or disclosed for permitted cyber security purposes (Section 29). Certain information is not admissible in evidence in proceedings against the reporting business entity (Section 32). This protection is designed to encourage reporting without exposing entities to additional legal risk. The UK PSTI Act does not contain any ransomware reporting obligation. Manufacturers entering the Australian market should assess whether their broader business, beyond product security, is captured by the ransomware reporting obligations of the Australia Cyber Security Act 2024.

  • The Australia Cyber Security Act 2024 Part 3 requires reporting business entities to report ransomware payments, with a civil penalty of 60 penalty units for non-compliance.
  • The UK PSTI Act does not contain any ransomware reporting obligation.
  • A reporting business entity under the Australia Cyber Security Act 2024 includes businesses carrying on a business in Australia with annual turnover above the prescribed threshold.
  • Responsible entities for critical infrastructure assets under Part 2B of the Security of Critical Infrastructure Act 2018 are also reporting business entities.
  • Information in ransomware payment reports is protected and may only be used for permitted cyber security purposes under the Australia Cyber Security Act 2024.
  • Manufacturers entering Australia should assess whether their business, beyond product security, is captured by the ransomware reporting obligations of the Australia Cyber Security Act 2024.
Section 11

Cross-market dual compliance strategy for the Australia Cyber Security Act 2024 and the UK PSTI Act

Because the Australia Cyber Security Act 2024 and the UK PSTI Act both derive their core controls from ETSI EN 303 645, manufacturers can build one product security baseline that satisfies the technical requirements of both regimes. The practical dual compliance strategy has three layers: a shared engineering baseline, an Australia Cyber Security Act 2024 compliance wrapper, and a UK PSTI Act compliance wrapper.

The shared engineering baseline should implement the three mandated controls. For password security, implement unique-per-product passwords or user-defined passwords and document the generation method, including the encryption or keyed hashing algorithm used. For vulnerability disclosure, publish a contact point, acknowledgement timeline, and status update commitment on the manufacturer's website in English, free of charge. For support period transparency, publish the defined support period with an end date alongside product characteristics on the manufacturer's website with equal prominence. Retain all design evidence, test reports, and published content centrally in one evidence repository.
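As an added illustration of the password control in the shared baseline (example code written for this page, not from the Act, the Rules, ETSI or any manufacturer), the snippet below derives a unique per-product password from a manufacturer-held batch key and the device serial with HMAC-SHA256, audits a batch for duplicates and weak defaults before launch, and emits the generation-method record the evidence repository would hold. The batch key, serials, key identifier and denylist are all constructed; the keyed-derivation design is an assumption, not a method the page prescribes.

```python
import hashlib
import hmac
import string

# Constructed denylist of common factory defaults; a production list would be larger.
WEAK_DEFAULTS = {"admin", "password", "12345678", "123456", "default", "root", "guest"}
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 12


def derive_device_password(batch_key: bytes, serial: str, length: int = MIN_LENGTH) -> str:
    """Keyed derivation: HMAC-SHA256 over the device serial, keyed with a
    manufacturer-held batch key. The serial may be printed on the label, but
    without the batch key it cannot be turned back into the password."""
    digest = hmac.new(batch_key, serial.encode("utf-8"), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):  # base-62 conversion of the 256-bit digest
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def provision_batch(batch_key: bytes, serials: list[str]) -> dict[str, str]:
    """Map every serial in a production batch to its own password."""
    return {s: derive_device_password(batch_key, s) for s in serials}


def audit_passwords(passwords: dict[str, str]) -> list[tuple[str, str]]:
    """Pre-launch self-check on a batch (works for user-defined passwords too):
    flags weak defaults, passwords shorter than MIN_LENGTH, and any password
    shared by more than one device. An empty list means no findings."""
    findings = []
    seen: dict[str, str] = {}
    for serial, pw in passwords.items():
        if pw.lower() in WEAK_DEFAULTS:
            findings.append((serial, "weak default"))
        if len(pw) < MIN_LENGTH:
            findings.append((serial, "shorter than minimum length"))
        if pw in seen:
            findings.append((serial, f"duplicate of {seen[pw]}"))
        else:
            seen[pw] = serial
    return findings


def generation_record(key_id: str) -> dict[str, str]:
    """Evidence-repository entry documenting the generation method (algorithm,
    key identifier, encoding). The batch key itself is never written here."""
    return {"method": "HMAC-SHA256 keyed derivation over device serial",
            "key_id": key_id, "encoding": f"base-62, {MIN_LENGTH} characters"}


if __name__ == "__main__":
    key = b"constructed-batch-key-do-not-reuse"  # constructed sample key
    batch = provision_batch(key, ["SN-2026-0001", "SN-2026-0002"])
    print(batch, audit_passwords(batch), generation_record("batch-2026-03-key01"))
```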

The Australia Cyber Security Act 2024 compliance wrapper should include the formal statement of compliance with all prescribed fields from Section 9 of the Smart Devices Rules 2025 (product type, batch identifier, manufacturer name and address, authorised representative details, compliance declarations, defined support period, signatory details, date and place of issue). Both the manufacturer and any supplier must retain the statement of compliance for 5 years. The wrapper should also include a regulatory response plan that addresses the compliance notice, stop notice, and recall notice escalation path under the Australia Cyber Security Act 2024, and an assessment of whether the business is a reporting business entity for ransomware reporting under Part 3.

The UK PSTI Act compliance wrapper should include the required compliance documentation under the 2023 Regulations, a regulatory response plan that addresses OPSS enforcement actions, and financial penalty exposure analysis based on the UK PSTI Act penalty structure (up to GBP 10 million or 4% of qualifying worldwide revenue). Product teams should run a single governance review before each market launch that checks both the Australia Cyber Security Act 2024 and the UK PSTI Act compliance packs are complete and current.

  • Shared layer: one product security baseline implementing passwords, vulnerability disclosure, and defined support period controls from ETSI EN 303 645.
  • Shared layer: one evidence repository with design documents, test results, published vulnerability disclosure policy, and published support period information.
  • Australia wrapper: formal statement of compliance with all prescribed fields under the Cyber Security (Security Standards for Smart Devices) Rules 2025, plus 5 year retention by both manufacturers and suppliers.
  • Australia wrapper: regulatory response plan covering compliance notice, stop notice, and recall notice escalation under the Australia Cyber Security Act 2024.
  • UK wrapper: compliance documentation under the UK PSTI Act 2023 Regulations, OPSS enforcement response plan, and financial penalty exposure analysis.
  • Governance: single pre-launch review that signs off both the Australia Cyber Security Act 2024 and the UK PSTI Act compliance packs before product release.
Section 12

Summary of key differences in this product security comparison

This product security comparison of the Australia Cyber Security Act 2024 and the UK PSTI Act can be summarised across seven dimensions. On scope, both regimes cover consumer connectable products, but the Australia Cyber Security Act 2024 explicitly excludes desktops, laptops, tablets, smartphones, therapeutic goods, road vehicles, and road vehicle components, while the UK PSTI Act has its own exclusion list. On security requirements, both regimes mandate the same three ETSI EN 303 645 controls (passwords, vulnerability disclosure, support periods). On compliance documentation, the Australia Cyber Security Act 2024 requires a prescribed statement of compliance with specific fields and a 5 year retention period, while the UK PSTI Act has its own documentation requirements. On enforcement, the Australia Cyber Security Act 2024 uses a compliance notice, stop notice and recall notice escalation path administered by the Secretary of the Department of Home Affairs, while the UK PSTI Act is enforced by the Office for Product Safety and Standards (OPSS). On penalties, the Australia Cyber Security Act 2024 applies civil penalties under the Regulatory Powers (Standard Provisions) Act 2014, while the UK PSTI Act allows fines of up to GBP 10 million or 4% of global revenue. On product examination, the Australia Cyber Security Act 2024 authorises independent expert examinations of products under Section 23. On broader obligations, the Australia Cyber Security Act 2024 includes ransomware reporting duties in Part 3 that have no equivalent in the UK PSTI Act.

  • Scope: both cover consumer connectable products, but exclusion lists differ between the Australia Cyber Security Act 2024 and the UK PSTI Act.
  • Security requirements: identical three-control baseline (passwords, vulnerability disclosure, support periods) derived from ETSI EN 303 645.
  • Compliance documentation: Australia Cyber Security Act 2024 requires a prescribed statement of compliance with 5 year retention; UK PSTI Act has its own documentation requirements.
  • Enforcement authority: Australia Cyber Security Act 2024 administered by the Secretary of the Department of Home Affairs; UK PSTI Act administered by OPSS.
  • Penalties: Australia Cyber Security Act 2024 uses civil penalty provisions under the Regulatory Powers Act; UK PSTI Act allows fines up to GBP 10 million or 4% of global revenue.
  • Product examination: the Australia Cyber Security Act 2024 authorises independent expert examinations of products under Section 23.
  • Broader obligations: the Australia Cyber Security Act 2024 includes ransomware reporting in Part 3 with a civil penalty of 60 penalty units, which has no equivalent in the UK PSTI Act.
Primary sources

References and citations

legislation.gov.au
Referenced sections
  • Primary source for the Australia Cyber Security Act 2024 including Part 2 (security standards for smart devices), Part 3 (ransomware reporting), Part 6 (regulatory powers and civil penalties), and enforcement provisions (compliance notice, stop notice, recall notice).