FAQ item index

Search every question across sub-FAQs

Find the exact question, open the source answer card, and copy a direct link to the anchored sub-FAQ response.

Indexed coverage
22of22items
Across 7 modules • Updated May 9, 2026
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Back to sub-FAQs
Which smart devices are in scope under Australia's Cyber Security Act 2024?

Which products are excluded from the current Australian smart-device security standard?

The Smart Devices Rules do not prescribe the current security standard for every connected product. Even when a product is a relevant connectable product and looks consumer-facing, section 8 excludes six product groups from the consumer-grade class.

The excluded groups are desktop computers or laptops, tablet computers, smartphones, therapeutic goods within the meaning of the Therapeutic Goods Act 1989, road vehicles within the meaning of the Road Vehicle Standards Act 2018, and road vehicle components within the meaning of that Act.

  • Keep a separate exclusion field for each of the six carved-out product groups.
  • Do not treat a product as excluded merely because it has a screen, app, battery, or wireless module; tie the exclusion to one of the named categories in the Rules.
  • For mixed products, keep the bill of materials, marketing claims, user instructions, regulatory classification, and product-line rationale used to decide whether an exclusion applies.
Citations
Jump to answerOpen module
Which smart devices are in scope under Australia's Cyber Security Act 2024?

What records should teams keep for a Cyber Security Act 2024 smart-device scope answer?

Keep enough evidence to re-run the answer without relying on memory. The record should show why the product is, or is not, a relevant connectable product; why it is, or is not, consumer-grade; whether an exclusion was checked; and whether the Australian consumer acquisition circumstance is present.

For products that are in scope, keep the downstream compliance records with the scope file. The Act and Rules tie covered products to manufacturer and supplier duties, statement-of-compliance records, password requirements, security-issue reporting information, and defined support-period publication.

  • Scope evidence: product name, model or batch, hardware and software connectivity, protocols, companion app or gateway dependency, and whether the product can directly or indirectly connect to the internet.
  • Consumer-grade evidence: manufacturer's intended purpose, label, instructions for use, promotional or sales materials, likely personal, domestic, or household use, and intended Australian acquisition channel.
  • Exclusion evidence: desktop or laptop, tablet, smartphone, therapeutic good, road vehicle, and road-vehicle-component checks, including the source document or product classification used for each answer.
  • In-scope product evidence: statement of compliance, defined support period at issue date, password-control evidence, published security-issue reporting contact and acknowledgement/status-update information, and the five-year statement retention owner.
Citations
Cyber Security Act 2024

Supports manufacturer and supplier duties for covered relevant connectable products and the statement-of-compliance obligation.

Jump to answerOpen module
Page 2 of 2
Previous12Next