
Australia Cyber Security Act 2024 FAQ

Frequently asked questions about the Australia Cyber Security Act 2024. Find detailed answers on applicability, smart device obligations, ransomware payment reporting, penalties, deadlines, SOCI interaction, compliance evidence, and international comparisons.


Author: Sorena AI
Published: Mar 4, 2026
Updated: Mar 4, 2026

Overview

This Australia Cyber Security Act 2024 FAQ answers the questions implementation teams ask most often. Each answer references specific sections of the Act or the 2025 subordinate rules so you can trace the authority behind every statement. Use these frequently asked questions as a starting point, then validate the answers against your own products, legal entities, and incident response facts.

Question 1

What is the Australia Cyber Security Act 2024 and what are its main objectives

The Australia Cyber Security Act 2024 (No. 98, 2024) is a federal law that received Royal Assent on 29 November 2024. Section 3 of the Act sets out five objectives. The first objective is to improve the cyber security of internet connectable products acquired in Australia by requiring manufacturers and suppliers to meet security standards specified in the rules. The second is to encourage reporting of ransomware payments by imposing mandatory reporting obligations. The third is to facilitate whole of Government coordination of significant cyber security incidents through the National Cyber Security Coordinator. The fourth is to establish the Cyber Incident Review Board to conduct reviews of certain incidents and recommend preventive actions. The fifth is to encourage voluntary information sharing by protecting reported data from being used as evidence against the reporting entity.

The key takeaway is that the Act creates three distinct compliance streams. Part 2 covers smart device security standards. Part 3 covers ransomware payment reporting. Part 4 covers voluntary incident coordination through the National Cyber Security Coordinator. Each stream has its own commencement date, its own set of obligations, and its own enforcement path. The Act applies both within and outside Australia under Section 5 and extends to every external Territory. Section 6 confirms the Act binds the Crown in all capacities.

Question 2

What are the key commencement dates for the Australia Cyber Security Act 2024

This frequently asked question about the Australia Cyber Security Act 2024 is essential for project planning. The commencement table in Section 2 sets out a staggered rollout across six provision groups.

Parts 1, 4, 6, and 7 commenced on 30 November 2024, the day after Royal Assent. These parts cover definitions, coordination of significant cyber security incidents through the National Cyber Security Coordinator, regulatory powers, and miscellaneous provisions. Part 3 (ransomware payment reporting) and Part 5 (Cyber Incident Review Board) commenced on 29 May 2025, six months after Royal Assent. Part 2 (the Act level framework for smart device security standards) commenced on 29 November 2025, twelve months after Royal Assent.

The Cyber Security (Security Standards for Smart Devices) Rules 2025 (F2025L00276) add a further layer. Part 1 of the Rules (preliminary provisions) was registered on 4 March 2025. Part 2 and Schedule 1 (the substantive security standards covering passwords, vulnerability disclosure, and support periods) commenced on 4 March 2026, twelve months after registration of the Rules. This means the enforceable compliance date for smart device manufacturers and suppliers under the Australia Cyber Security Act 2024 is 4 March 2026.

The Cyber Security (Ransomware Payment Reporting) Rules 2025 (F2025L00278) commenced at the later of the day after registration (4 March 2025) and the commencement of Part 3 of the Act (29 May 2025), meaning 29 May 2025 is the effective date for ransomware reporting obligations.

Question 3

Does the Australia Cyber Security Act 2024 apply to every connected product sold in Australia

No. This is one of the most frequently asked questions about the Australia Cyber Security Act 2024. The Act defines a broad concept of relevant connectable product in Section 13, covering any product that is an internet connectable product or a network connectable product. However, the Cyber Security (Security Standards for Smart Devices) Rules 2025 narrow the current scope to a single class: consumer grade relevant connectable products. Section 8 of the 2025 Rules defines this class as all relevant connectable products that are intended by the manufacturer to be used, or are of a kind likely to be used, for personal, domestic or household use or consumption.

The Rules list six explicit exclusions from that class under Section 8(1)(b): desktop computers and laptops; tablet computers; smartphones; therapeutic goods within the meaning of the Therapeutic Goods Act 1989; road vehicles within the meaning of the Road Vehicle Standards Act 2018; and road vehicle components within the meaning of the same Act. The Rules also specify the circumstance in which the standard applies: the product will be acquired in Australia by a consumer, as defined by reference to Section 3 of the Australian Consumer Law.

Applicability therefore depends on two tests. First, is the product a consumer grade smart device that is not on the exclusion list? Second, will a consumer acquire the product in Australia? If both answers are yes, the product falls within the current scope of the enforceable security standards.

Question 4

What types of smart devices are covered by the security standards under the Australia Cyber Security Act 2024

The security standards under the Australia Cyber Security Act 2024 cover a wide range of consumer grade internet connectable and network connectable products. Examples include smart speakers, smart home hubs, connected cameras, connected doorbells, smart TVs, wearable fitness trackers, connected baby monitors, connected toys, smart appliances such as connected refrigerators and washing machines, smart lighting systems, connected routers, and IoT sensors intended for household use.

A product qualifies as an internet connectable product under Section 13(4) of the Act if it is capable of connecting to the internet using a communication protocol that forms part of the internet protocol suite to send and receive data. A network connectable product under Section 13(5) is a product that can send and receive data through electrical or electromagnetic energy and can connect directly to an internet connectable product or to two or more other products via a protocol that is not part of the internet protocol suite. The breadth of these definitions in the Australia Cyber Security Act 2024 means that many devices not traditionally considered computers still fall within scope.

This frequently asked question about the Australia Cyber Security Act 2024 matters for manufacturers who sell peripherals and accessories. A wireless keyboard and mouse set designed to facilitate the use of a computer may meet the network connectable product test under Sections 13(7) and 13(9) if each input product can connect wirelessly to a linking product that itself connects to an internet connectable product.

Question 5

Do suppliers have obligations or does the Australia Cyber Security Act 2024 only apply to manufacturers

Suppliers have direct and independent obligations under the Australia Cyber Security Act 2024. This is a frequently asked question because many importers and distributors assume the regulatory burden sits entirely with the original manufacturer. Section 15(3) of the Act states that an entity must not supply a product in Australia if the product was not manufactured in compliance with the applicable security standard and the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia by a consumer.

In addition, Section 16(3) requires every entity that supplies a relevant connectable product in Australia to supply the product accompanied by a statement of compliance that meets the requirements set out in the rules. Section 16(4) requires the supplier to retain a copy of the statement of compliance for the period specified in the rules, which the 2025 Smart Devices Rules set at five years under Section 10.

The practical implication is that suppliers must obtain the statement of compliance from the manufacturer before importing or distributing the product. If the manufacturer cannot provide a valid statement, the supplier faces enforcement exposure including compliance notices, stop notices, and recall notices under Division 3 of Part 2. The terms 'supplier' and 'supply' carry the same meaning as in the Australian Consumer Law, which means obligations extend across the entire distribution chain.

Question 6

What are the three mandatory security requirements for smart devices under the Australia Cyber Security Act 2024

Part 1 of Schedule 1 to the Cyber Security (Security Standards for Smart Devices) Rules 2025 prescribes three categories of mandatory requirements. This is one of the most important technical questions in the Australia Cyber Security Act 2024 FAQ.

The first requirement relates to passwords. Clause 2 of Schedule 1 requires that passwords for hardware and for software (whether preinstalled or required for the manufacturer's intended purposes) must be either unique per product or defined by the user. Passwords that are unique per product must not be based on incremental counters such as 'password1' and 'password2'. They must not be based on or derived from publicly available information. They must not be based on unique product identifiers such as serial numbers unless encrypted with good industry practice. They must not be otherwise guessable in a manner unacceptable under good industry practice.

The second requirement relates to reports of security issues. Clause 3 requires the manufacturer to publish at least one point of contact allowing any person to report security issues. The manufacturer must also publish the expected timeframe for acknowledging receipt and for providing status updates until resolution. This information must be accessible, clear, transparent, available in English, free of charge, and obtainable without requiring the person to provide personal information.

The third requirement relates to defined support periods and security updates. Clause 4 requires the manufacturer to publish the defined support period, expressed as a period of time with an end date, during which the manufacturer will provide security updates. The defined support period must not be shortened after publication. If the support period is extended, the new period must be published as soon as practicable. If the manufacturer sells the product on its website, the support period must appear prominently alongside the main product characteristics.
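The password requirement in Clause 2 is the one that can be checked mechanically at provisioning time. The following Python is an added example, not code from this page or from the Rules: it derives a per-product default password from the serial number with a keyed HMAC (one way to avoid a password that is recoverable from the serial printed on the label, shown here as an illustration of good industry practice rather than a prescribed method) and audits a batch for reuse, incremental counters and serial embedding. The factory secret, serial format and character alphabet are constructed assumptions.

```python
"""Added example: per-product default credentials checked against Clause 2
of Schedule 1 (unique per product, no incremental counters, not derived from
the serial number without keyed protection). Illustrative only; the Rules do
not prescribe this algorithm."""
import hashlib
import hmac
import re
import secrets
from typing import Dict, Iterable, List

# Characters that survive transcription from a device label (no 0/O, 1/I/l).
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Constructed placeholder: in production the factory secret stays in the
# provisioning system (for example an HSM) and is never written to the device.
FACTORY_SECRET = secrets.token_bytes(32)


def derive_device_password(serial: str, factory_secret: bytes, length: int = 16) -> str:
    """Keyed derivation (HMAC-SHA256) from the serial number.

    The password is unique per product, reproducible by the factory, and not
    recoverable from the serial printed on the box without the secret key.
    Rejection sampling keeps every character uniformly distributed.
    """
    limit = 256 - (256 % len(ALPHABET))  # 220: reject bytes that would bias
    chars: List[str] = []
    counter = 0
    while len(chars) < length:
        msg = f"{serial}|{counter}".encode()
        for byte in hmac.new(factory_secret, msg, hashlib.sha256).digest():
            if byte < limit:
                chars.append(ALPHABET[byte % len(ALPHABET)])
                if len(chars) == length:
                    break
        counter += 1
    return "".join(chars)


_COUNTER_RE = re.compile(r"^(.*?)(\d+)$")


def has_incremental_counter(passwords: Iterable[str]) -> bool:
    """True if two passwords share a stem and differ only by consecutive
    trailing numbers (the 'password1', 'password2' pattern)."""
    stems: Dict[str, set] = {}
    for pw in passwords:
        m = _COUNTER_RE.match(pw)
        if m:
            stems.setdefault(m.group(1), set()).add(int(m.group(2)))
    for numbers in stems.values():
        ordered = sorted(numbers)
        if any(b - a == 1 for a, b in zip(ordered, ordered[1:])):
            return True
    return False


def embeds_serial(password: str, serial: str, min_run: int = 4) -> bool:
    """True if a run of min_run serial characters appears verbatim in the
    password (case-insensitive): the plain 'based on the serial number' case."""
    pw, sn = password.lower(), serial.lower()
    return any(sn[i:i + min_run] in pw for i in range(len(sn) - min_run + 1))


def audit_batch(devices: Dict[str, str]) -> List[str]:
    """devices maps serial number -> shipped default password.

    Returns human-readable findings; an empty list means the batch passes
    the three checks implemented here.
    """
    findings: List[str] = []
    passwords = list(devices.values())
    if len(set(passwords)) != len(passwords):
        findings.append("default password reused across products (not unique per product)")
    if has_incremental_counter(passwords):
        findings.append("default passwords follow an incremental counter")
    for serial, pw in devices.items():
        if embeds_serial(pw, serial):
            findings.append(f"{serial}: default password embeds the serial number")
    return findings


if __name__ == "__main__":
    # Constructed batches: one that fails Clause 2 and one built with the
    # keyed derivation above.
    bad = {"SN1001": "password1", "SN1002": "password2", "SN1003": "SN1003abc"}
    good = {sn: derive_device_password(sn, FACTORY_SECRET)
            for sn in ("AU-2024-0001", "AU-2024-0002")}
    print("bad batch:", audit_batch(bad))
    print("good batch:", audit_batch(good))
```

The audit covers only what Clause 2 states mechanically; "otherwise guessable" and the choice of what counts as good industry practice still need a human review.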

Question 7

What must the statement of compliance include under the Australia Cyber Security Act 2024

The statement of compliance requirements are detailed in Section 9 of the Cyber Security (Security Standards for Smart Devices) Rules 2025. This is a frequently asked question in the Australia Cyber Security Act 2024 FAQ because the statement is the primary compliance document that must travel with every product.

The statement must be prepared by, or on behalf of, the manufacturer. Section 9(3) lists seven categories of required content: (1) the product type and batch identifier, to enable traceability; (2) the name and address of the manufacturer, the name and address of an authorised representative of the manufacturer, and the name and address of each additional authorised representative that is in Australia; (3) a declaration that the statement has been prepared by, or on behalf of, the manufacturer; (4) a declaration that, in the opinion of the manufacturer, the product has been manufactured in compliance with the requirements of the security standard and the manufacturer has complied with any other obligations in the security standard; (5) the defined support period for the product at the date the statement is issued; (6) the signature, name, and function of the signatory of the manufacturer; and (7) the place and date of issue.

Section 10 of the Rules sets the retention period for the statement of compliance at five years. Both manufacturers under Section 16(2) of the Act and suppliers under Section 16(4) must retain copies for this full period.

Question 8

Can a manufacturer shorten the published support period after launch

No. Clause 4(4) of Schedule 1 to the 2025 Smart Devices Rules states that the manufacturer must not shorten the defined support period after it is published. This is an absolute prohibition with no exceptions or conditions. The rule is designed to protect consumers who rely on the published support period when making their purchase decision.

If the manufacturer extends the defined support period, Clause 4(5) requires the manufacturer to publish the new defined support period as soon as is practicable. This frequently asked question in the Australia Cyber Security Act 2024 FAQ is important for product lifecycle planning. Manufacturers should set a support period they can realistically honour before publishing it, because once published the period can only become longer.

Clause 4(7) adds a website prominence rule. If the manufacturer offers the product on its own website or another website under its control, the defined support period must be prominently published alongside the main product characteristics. Clause 4(7)(b) requires that for each instance on the website where the main characteristics of the product are published, the defined support period is given equal prominence. This prevents manufacturers from burying the support period in secondary pages or fine print.

Question 9

Who must report a ransomware payment under Part 3 of the Australia Cyber Security Act 2024

Only a reporting business entity has the Part 3 reporting duty. This is a critical distinction in the Australia Cyber Security Act 2024 FAQ. Section 26(2) defines two categories of reporting business entity.

The first category under Section 26(2)(a) includes any entity that is carrying on a business in Australia with an annual turnover for the previous financial year that exceeds the turnover threshold, and that is not a Commonwealth body, a State body, or a responsible entity for a critical infrastructure asset. The Cyber Security (Ransomware Payment Reporting) Rules 2025 set this turnover threshold at 3 million Australian dollars under Section 6(1). For businesses that operated for only part of the previous financial year, Section 6(2) provides a proportional formula: 3 million dollars multiplied by the number of days the business operated, divided by the total number of days in the financial year.

The second category under Section 26(2)(b) covers a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies. Entities in this category are caught regardless of their annual turnover.

In practice, this means that small businesses with annual turnover below 3 million dollars that do not hold a critical infrastructure asset under SOCI are currently outside the ransomware reporting obligation. However, a business that crossed the 3 million dollar threshold in the previous financial year is caught regardless of its current year revenue.

Question 10

When does the 72 hour reporting deadline for ransomware payments start under the Australia Cyber Security Act 2024

Section 27(1) of the Australia Cyber Security Act 2024 states that the reporting business entity must give the designated Commonwealth body a ransomware payment report within 72 hours of making the ransomware payment or becoming aware that the ransomware payment has been made, whichever is applicable. The 72 hour clock therefore starts at the moment of payment or the moment of awareness, not at the moment the cyber security incident is first detected.

Section 27(2) provides an important qualification that is central to this Australia Cyber Security Act 2024 FAQ answer. The report only needs to contain information that the reporting business entity knows or is able, by reasonable search or enquiry, to find out within the 72 hour period. This means the entity is not expected to have completed a full forensic investigation before filing the report. The note to Section 7(1) of the 2025 Ransomware Payment Reporting Rules repeats this qualification.

For this frequently asked question about the Australia Cyber Security Act 2024, implementation teams should note two practical points. First, incident response playbooks should include a ransomware payment decision step that automatically triggers the 72 hour countdown. Second, the report must be given in the form approved by the Secretary and in any manner prescribed by the rules under Section 27(4), so teams should familiarise themselves with the approved form before an actual incident arises.

Question 11

What information must a ransomware payment report contain under the Australia Cyber Security Act 2024

Section 7 of the Cyber Security (Ransomware Payment Reporting) Rules 2025 prescribes detailed content requirements. This frequently asked question about the Australia Cyber Security Act 2024 matters because incomplete reports can still satisfy the obligation if the entity has performed a reasonable search within the 72 hour window.

The report must include the reporting business entity's contact and business details, including the entity's ABN (if any) and address under Section 7(2). If another entity made the payment on behalf of the reporting entity, the other entity's contact details and ABN must also be included under Section 7(3). The report must include information about the cyber security incident and its impact under Section 7(4), covering when the incident occurred or is estimated to have occurred, when the reporting entity became aware of the incident, the impact on the entity's infrastructure, the impact on the entity's customers, what variants of ransomware or other malware were used, what vulnerabilities in the entity's system were exploited, and any information that could assist a Commonwealth body or State body in responding to or resolving the incident.

The report must also describe the demand made by the extorting entity under Section 7(5), including the amount or quantum demanded and the method of provision demanded. It must describe the actual ransomware payment under Section 7(6), covering the amount or quantum paid and the method of provision used. Finally, Section 7(7) requires a description of communications with the extorting entity, including the nature and timing of any communications, a brief description of those communications, and a brief description of any pre-payment negotiations.

Question 12

What is the penalty for failing to report a ransomware payment under the Australia Cyber Security Act 2024

Under Section 27(5) of the Australia Cyber Security Act 2024, failure to make a required ransomware payment report exposes the entity to a civil penalty of 60 penalty units. Under the Crimes Act 1914, one penalty unit is currently set at 313 Australian dollars for individuals. For bodies corporate, the standard multiplier under the Regulatory Powers (Standard Provisions) Act 2014 can increase the maximum penalty to five times the amount applicable to an individual.

This is a frequently asked question in the Australia Cyber Security Act 2024 FAQ because the penalty for failing to report is a civil penalty, not a criminal offence. The Act deliberately avoids criminalising ransomware payments themselves. Instead, the 60 penalty unit civil penalty targets only the failure to report the payment. This design encourages entities to report transparently without fear that the report itself will be used against them in unrelated civil or regulatory proceedings.

Section 32 of the Act provides additional protection. Information in a ransomware payment report is not admissible in evidence against the reporting entity in criminal proceedings (except for false statements under Section 137.1 or 137.2 of the Criminal Code or obstruction under Section 149.1), civil penalty proceedings for other laws, proceedings for a breach of other laws, or tribunal proceedings. Section 29 restricts the designated Commonwealth body from using report data to investigate or enforce any civil or regulatory contravention by the reporting entity other than a contravention of Part 3 itself or a criminal offence. Section 28 confirms that entities and their officers, employees, and agents are not liable in damages for acts done in good faith in compliance with the reporting obligation.

Question 13

What enforcement tools does the Secretary have for smart device non-compliance under the Australia Cyber Security Act 2024

The Australia Cyber Security Act 2024 provides a staged enforcement path for smart device non-compliance under Division 3 of Part 2. This answer walks through all three steps and the public notification power.

The first step is a compliance notice under Section 17. The Secretary may issue a compliance notice if the Secretary is reasonably satisfied that the entity is not complying with an obligation under Section 15 or 16, or is aware of information suggesting possible non-compliance. The notice must set out the name of the entity, brief details of the non-compliance, specify corrective action, and set a reasonable period for completion. Before issuing the notice, the Secretary must give the entity at least 10 days to make representations under Section 17(3). Only one compliance notice may be given per instance of non-compliance.

The second step is a stop notice under Section 18. The Secretary may issue a stop notice only if a compliance notice has already been given and the entity has either failed to comply or taken inadequate corrective action. The stop notice can require the entity to take or refrain from taking specified action. Again, the entity must receive at least 10 days to make representations before the notice is issued.

The third step is a recall notice under Section 19. The Secretary may issue a recall notice only if a stop notice has already been given and the entity has failed to comply or taken inadequate corrective action. The recall notice can require the entity to prevent acquisition of the product in Australia, prevent supply to other suppliers, or arrange for the return of the product to the manufacturer. If the entity fails to comply with a recall notice, Section 20 allows the Minister to publish the identity of the entity, details of the product, details of the non-compliance, and the associated risks on the Department website or in any other way the Minister considers appropriate.

Section 23 provides an additional tool. The Secretary may engage an independent expert to examine the product and determine whether it complies with the security standard and whether the statement of compliance meets the requirements. The entity is entitled to reasonable compensation from the Commonwealth for providing the product for testing.

Question 14

How does the Australia Cyber Security Act 2024 interact with the Security of Critical Infrastructure Act 2018

The Australia Cyber Security Act 2024 and the Security of Critical Infrastructure Act 2018 (SOCI) are designed to work together, not to replace each other. This is one of the most frequently asked questions in the Australia Cyber Security Act 2024 FAQ for entities that hold critical infrastructure assets.

For ransomware payment reporting, Section 26(2)(b) of the Act explicitly includes a responsible entity for a critical infrastructure asset to which Part 2B of SOCI applies as a reporting business entity. This means SOCI regulated entities are automatically within scope for the ransomware reporting obligation regardless of their turnover. They do not need to satisfy the 3 million dollar threshold set in the Ransomware Payment Reporting Rules.

For incident coordination, Part 4 of the Australia Cyber Security Act 2024 allows impacted entities to voluntarily share information with the National Cyber Security Coordinator. Section 35(1)(d) expressly covers entities that are responsible entities for critical infrastructure assets. Section 44 states that information provided under Part 4 does not discharge any separate obligation under SOCI or any other Commonwealth law. This means a SOCI regulated entity that voluntarily reports to the Coordinator must still comply with all SOCI Part 2B notification obligations independently.

The Act also borrows several definitions directly from SOCI. The definition of cyber security incident in Section 9(1) incorporates the SOCI meaning. The definitions of critical infrastructure asset, responsible entity, and computer all have the same meaning as in SOCI. This alignment means that teams familiar with SOCI terminology will find the Australia Cyber Security Act 2024 definitions largely consistent.

Question 15

What compliance evidence should organisations retain for the Australia Cyber Security Act 2024

The Act and the 2025 subordinate rules create several explicit record retention obligations. This Australia Cyber Security Act 2024 FAQ answer consolidates them for implementation teams seeking to build a compliance evidence package.

For smart device compliance, manufacturers and suppliers must each retain a copy of the statement of compliance for five years under Section 10 of the 2025 Smart Devices Rules. The statement itself must include the product type and batch identifier, manufacturer and authorised representative details, the required declarations of compliance, the defined support period at the date of issue, and the signatory details with place and date. Organisations should store these statements in a document management system that supports version control and audit trails.

For ransomware payment reporting, the 72 hour report must be filed with the designated Commonwealth body using the Secretary's approved form. Organisations should retain a timestamped copy of every ransomware payment report and a record of the circumstances that triggered the 72 hour clock, including the exact date and time of the payment or the exact date and time of becoming aware that the payment was made.

For voluntary incident sharing under Part 4, there is no mandatory retention period, but organisations should retain records of what was shared with the National Cyber Security Coordinator. Section 42 provides that voluntarily shared information is not admissible against the impacted entity, but this protection only applies to information actually provided under Subsection 35(2) or as referred to in Subsection 39(1). Maintaining clear records of what was shared and when helps the entity invoke these protections if they are ever needed in proceedings.

Question 16

Does the Australia Cyber Security Act 2024 apply outside Australian territory

Yes. Section 5 of the Act states that the Act applies both within and outside Australia, and a note confirms that it extends to every external Territory. This is a frequently asked question in the Australia Cyber Security Act 2024 FAQ for overseas manufacturers that export consumer grade smart devices to the Australian market.

For smart device standards, the trigger is whether the manufacturer is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia by a consumer under Sections 15(1)(b) and 16(1)(b). A manufacturer based in China, Taiwan, the United States, or the European Union that sells directly to Australian consumers or through Australian distributors will need to comply with the security standards and provide a statement of compliance.

For ransomware reporting, the trigger under Section 26(2)(a) is whether the entity is carrying on a business in Australia. An overseas entity with Australian operations that exceeds the 3 million dollar annual turnover threshold is subject to the reporting obligation.

For the security standards, Section 15(5) provides a constitutional nexus exception: to the extent a security standard requirement does not relate to internet connectivity, internet usage, or protective measures against internet based attacks, compliance is only required for entities that are constitutional corporations or engaged in interstate or international trade. This point is particularly relevant for global supply chain teams managing multi-jurisdictional compliance.

Question 17

What role does the Cyber Incident Review Board play under the Australia Cyber Security Act 2024

Part 5 of the Australia Cyber Security Act 2024 establishes the Cyber Incident Review Board under Section 60. This Australia Cyber Security Act 2024 FAQ answer explains the Board's function for teams that may be subject to a review. The Board's primary function under Section 62 is to cause reviews to be conducted in relation to certain cyber security incidents and to make recommendations to government and industry about actions that could prevent, detect, respond to, or minimise the impact of similar incidents in the future.

The Board is led by a Chair appointed by the Minister under Section 64 and includes standing members appointed under Section 66 and an Expert Panel established under Section 70. The Chair may request information or documents under Section 48 and may require certain entities to produce documents under Section 49. Failure to comply with a notice to produce documents carries a civil penalty of 60 penalty units under Section 50.

Reviews result in a draft review report under Section 51 that is shared with affected entities for comment, and then a final review report under Section 52 that is published with redactions for sensitive review information under Section 53. Protected review reports containing unredacted sensitive information are not published. The Board must not perform a function at a particular time if doing so would prejudice the investigation of a criminal offence or a civil penalty contravention under Section 62(4).

Section 88 provides for parliamentary oversight. The Parliamentary Joint Committee on Intelligence and Security may review the operation, effectiveness, and implications of the entire Australia Cyber Security Act 2024, with the review required to begin as soon as practicable after 1 December 2027.

Question 18

Is information shared with the National Cyber Security Coordinator protected from enforcement proceedings

Yes. This is one of the most important safe harbour questions in the Australia Cyber Security Act 2024 FAQ. Section 38 provides that the National Cyber Security Coordinator may only use or disclose information voluntarily provided under Subsection 35(2) for the purpose of assisting the impacted entity to respond to the incident or for a permitted cyber security purpose as defined in Section 10.

Section 38(2) explicitly prohibits the Coordinator from using the information to investigate or enforce any civil or regulatory contravention by the impacted entity, other than a contravention of Part 4 itself or a criminal offence. Section 42 further provides that voluntarily shared information is not admissible in evidence against the impacted entity in criminal proceedings (except for false statements or obstruction offences under the Criminal Code), civil penalty proceedings, breach proceedings, or tribunal proceedings.

These protections were designed to overcome the reluctance of impacted entities to share incident data with government. However, the protections have boundaries. Under Subsection 38(4), they do not extend to information the entity has also provided under Part 3 ransomware reporting, SOCI Part 2B, or the Telecommunications Act 1997. They do not cover information already lawfully available to the public. And under Section 42(3), the protections do not apply to coronial inquiries or Royal Commissions. This Australia Cyber Security Act 2024 FAQ answer is essential for legal counsel advising on voluntary disclosure strategy.

Question 19

Can an entity seek internal review of an enforcement notice under the Australia Cyber Security Act 2024

Yes. Section 22 of the Act provides that an entity may apply in writing to the Secretary for internal review of a decision to issue a compliance notice under Section 17, a stop notice under Section 18, a recall notice under Section 19, or a variation of any such notice under Section 21. The application must be made within 30 days after the notice was given to the entity.

Under Section 22(3), the decision maker for the internal review is the Secretary or, if the Secretary made the original decision personally, a delegate who was not involved in the original decision. The decision maker must complete the review within 30 days and must affirm, vary, or revoke the original decision under Section 22(4). A written statement of reasons must be provided as soon as practicable under Section 22(5).

This frequently asked question in the Australia Cyber Security Act 2024 FAQ matters because the internal review mechanism is the first available avenue for challenging an enforcement decision. Before any enforcement notice is issued, the Secretary must give the entity at least 10 days to make representations under Sections 17(3), 18(3), and 19(3). This pre-notice consultation step, combined with the 30 day internal review right, provides two layers of procedural fairness before enforcement escalates. Only one compliance notice, stop notice, or recall notice may be issued per instance of non-compliance, ensuring enforcement actions are proportionate.

Question 20

How does the Australia Cyber Security Act 2024 compare to the UK Product Security and Telecommunications Infrastructure Act 2022

This is a frequently asked question in the Australia Cyber Security Act 2024 FAQ for manufacturers selling into multiple jurisdictions. The UK PSTI Act 2022 and the Australia Cyber Security Act 2024 share a common heritage in the ETSI EN 303 645 standard and both focus on the same three baseline requirements: unique or user defined passwords, a vulnerability disclosure mechanism, and a published support period.

The key differences are in scope and enforcement. The UK PSTI Act covers all consumer connectable products and does not exclude smartphones and tablets to the same extent, whereas the current Australian rules explicitly exclude smartphones, tablets, laptops, desktop computers, therapeutic goods, road vehicles, and road vehicle components. The UK regime imposes penalties of up to 10 million British pounds or 4 percent of worldwide annual revenue, while the Australian regime uses a staged notice system (compliance, stop, recall) backed by civil penalties measured in penalty units.

Both regimes require the manufacturer to publish the defined support period alongside the product's main characteristics when the product is sold online. Both prohibit shortening the support period after publication. The Australian regime adds a specific requirement under Clause 3 of Schedule 1 that security issue reporting information must be available in English and free of charge without requiring personal information from the reporter. Products already compliant with the UK PSTI requirements may be able to reuse much of their compliance evidence for the Australian market, but teams should verify every Australian specific requirement independently.

Question 21

How does the Australia Cyber Security Act 2024 compare to the EU Cyber Resilience Act

The EU Cyber Resilience Act (CRA) and the Australia Cyber Security Act 2024 both regulate the cybersecurity of connected products, but the EU CRA is considerably broader in scope and more prescriptive in its technical requirements. This comparison is a frequently asked question in the Australia Cyber Security Act 2024 FAQ for multinational product teams managing compliance across multiple markets.

The EU CRA applies to all products with digital elements placed on the EU market, including commercial and industrial products, and it introduces tiered conformity assessment categories (default, important Class I, important Class II, and critical). The Australia Cyber Security Act 2024 currently applies only to consumer grade relevant connectable products through the 2025 Smart Devices Rules and does not introduce risk based product tiers.

The EU CRA imposes ongoing vulnerability handling obligations, mandatory incident reporting to ENISA within 24 hours of exploitation awareness, and CE marking requirements. The Australian regime focuses on three baseline requirements (passwords, vulnerability disclosure, and support periods) and does not require vulnerability reporting by manufacturers. However, Section 14 of the Australia Cyber Security Act 2024 gives the Minister broad rule making authority to expand security standards to additional product classes and to adopt external standards by reference, which could narrow the gap between the two regimes over time.
