--- title: "Australia Cyber Security Act FAQ" canonical_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq" source_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/items/page/2" author: "Sorena AI" description: "Answers to Australia Cyber Security Act questions on smart device scope, statements of compliance, ransomware reports, enforcement notices, and incident review." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "Australia Cyber Security Act" - "smart device security standards" - "ransomware payment reporting" - "statement of compliance" - "FAQ" - "Smart devices" - "Ransomware reporting" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # Australia Cyber Security Act FAQ Answers to Australia Cyber Security Act questions on smart device scope, statements of compliance, ransomware reports, enforcement notices, and incident review. *FAQ* *Australia* *Cyber Security Act* ## Australia Cyber Security Act FAQ Direct answers on who is covered, what smart device controls are required, what goes into statements of compliance, and when ransomware payment reports are triggered. Use these answers to route product, supplier, incident-response, and legal review questions against the Act and its 2025 rules. The Cyber Security Act 2024 covers several different workflows: security standards for relevant connectable products, statements of compliance, ransomware payment reports, National Cyber Security Coordinator information sharing, and Cyber Incident Review Board reviews. This FAQ separates those workflows so teams can identify the rule, actor, trigger, required evidence, and official source. ## Browse sub-FAQ modules ### [Australia Cyber Security Act recordkeeping FAQ](/artifacts/apac/australia-cyber-security-act/faq/recordkeeping.md) What records to keep for Cyber Security Act 2024 smart-device statements, ransomware payment reports, and supported SOCI or APRA overlap checks. - 3 items ### [CSA 2024 Ransomware Threshold & Report FAQ](/artifacts/apac/australia-cyber-security-act/faq/ransomware-payment-threshold-and-report-content.md) FAQ answer on Australia's Cyber Security Act ransomware payment reporting scope, $3 million turnover threshold, 72-hour trigger, report fields, and evidence. - 3 items ### [Cyber Security Act 2024 Statements of Compliance FAQ](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md) FAQ answer on Australian Cyber Security Act 2024 statements of compliance for smart devices, including scope, actors, required contents, retention, evidence, and citations. - 4 items ### [How do notices and recalls work under the Australia Cyber Security Act?](/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls.md) FAQ on Australia Cyber Security Act compliance notices, stop notices, recall notices, public notifications, owners, evidence fields, and grounded timing. - 3 items ### [How does the Australia Cyber Security Act overlap with the SOCI Act?](/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap.md) FAQ on when Australia Cyber Security Act ransomware reporting overlaps with SOCI critical infrastructure assets, responsible entities, and smart-device duties. - 3 items ### [Manufacturer, Importer, and Supplier Duties under Australia's Cyber Security Act 2024](/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations.md) Direct FAQ answer on Cyber Security Act 2024 smart-device duties for manufacturers, importers, and suppliers, including scope, statement records, exceptions, and citations. - 3 items ### [Which smart devices are in scope under Australia's Cyber Security Act 2024?](/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope.md) FAQ on Cyber Security Act 2024 smart-device scope: relevant connectable products, consumer-grade criteria, exclusions, Australian consumer acquisition, and records to keep. - 3 items Browse all indexed questions: [/artifacts/apac/australia-cyber-security-act/faq/items](/artifacts/apac/australia-cyber-security-act/faq/items.md) ## All FAQ items *Page 2 of 2. Showing 2 of 22 items.* ### [Which products are excluded from the current Australian smart-device security standard?](/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope.md#which-products-are-excluded-from-the-current-australian-smart-device-security-standard) *Module: [Which smart devices are in scope under Australia's Cyber Security Act 2024?](/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope.md)* The Smart Devices Rules do not prescribe the current security standard for every connected product. Even when a product is a relevant connectable product and looks consumer-facing, section 8 excludes six product groups from the consumer-grade class. - Keep a separate exclusion field for each of the six carved-out product groups. - Do not treat a product as excluded merely because it has a screen, app, battery, or wireless module; tie the exclusion to one of the named categories in the Rules. - For mixed products, keep the bill of materials, marketing claims, user instructions, regulatory classification, and product-line rationale used to decide whether an exclusion applies. Sources for this answer: - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/Details/F2025L00276?ref=sorena.io) - Lists the six product groups excluded from the consumer-grade relevant connectable product class. ### [What records should teams keep for a Cyber Security Act 2024 smart-device scope answer?](/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope.md#what-records-should-teams-keep-for-a-cyber-security-act-2024-smart-device-scope-answer) *Module: [Which smart devices are in scope under Australia's Cyber Security Act 2024?](/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope.md)* Keep enough evidence to re-run the answer without relying on memory. The record should show why the product is, or is not, a relevant connectable product; why it is, or is not, consumer-grade; whether an exclusion was checked; and whether the Australian consumer acquisition circumstance is present. - Scope evidence: product name, model or batch, hardware and software connectivity, protocols, companion app or gateway dependency, and whether the product can directly or indirectly connect to the internet. - Consumer-grade evidence: manufacturer's intended purpose, label, instructions for use, promotional or sales materials, likely personal, domestic, or household use, and intended Australian acquisition channel. - Exclusion evidence: desktop or laptop, tablet, smartphone, therapeutic good, road vehicle, and road-vehicle-component checks, including the source document or product classification used for each answer. - In-scope product evidence: statement of compliance, defined support period at issue date, password-control evidence, published security-issue reporting contact and acknowledgement/status-update information, and the five-year statement retention owner. Sources for this answer: - [Cyber Security Act 2024](https://www.legislation.gov.au/Details/C2024A00098?ref=sorena.io) - Supports manufacturer and supplier duties for covered relevant connectable products and the statement-of-compliance obligation. - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/Details/F2025L00276?ref=sorena.io) - Supports statement contents, five-year retention, password controls, security-issue reporting information, and defined support-period records. ## FAQ Pagination - Canonical index (page 1): [/artifacts/apac/australia-cyber-security-act/faq/items](/artifacts/apac/australia-cyber-security-act/faq/items.md) - Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL. - Current page: 2 of 2 Pages: [1](/artifacts/apac/australia-cyber-security-act/faq/items.md) | [2](/artifacts/apac/australia-cyber-security-act/faq/items/page/2.md) [Previous page](/artifacts/apac/australia-cyber-security-act/faq/items.md) *Recommended next step* *Placement: after the FAQ guidance* ## Turn Australia Cyber Security Act FAQ answers into assigned work Use these FAQ answers to assign smart-device scope checks, statement-of-compliance evidence, ransomware reporting intake, and incident-review response tasks inside Sorena. - [Open Assessment Autopilot for Australia Cyber Security Act](/solutions/assessment.md): Turn FAQ answers into scoped questions, evidence fields, and review tasks. - [Review Australia Cyber Security Act source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up questions with cited source material. - [Talk through Australia Cyber Security Act implementation](/contact.md): Review product scope, incident triggers, evidence, owners, and next compliance actions with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/items/page/2