---
title: "Manufacturer, Importer, and Supplier Duties under Australia's Cyber Security Act 2024"
canonical_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations"
source_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations"
author: "Sorena AI"
description: "Direct FAQ answer on Cyber Security Act 2024 smart-device duties for manufacturers, importers, and suppliers, including scope, statement records, exceptions, and citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Cyber Security Act 2024"
  - "smart device manufacturer obligations"
  - "supplier obligations"
  - "statement of compliance"
  - "Smart devices"
  - "Manufacturers"
  - "Suppliers"
---

# Manufacturer, Importer, and Supplier Duties under Australia's Cyber Security Act 2024


## Cyber Security Act 2024 manufacturer, importer, and supplier duties

The smart-device duties attach to manufacturers and suppliers of relevant connectable products. Importers should be triaged by the role they actually perform, especially whether they supply the product in Australia.

This page supports implementation planning alongside the official Act and Rules; validate it against jurisdiction-specific legal, contractual, and policy requirements before implementation.

For smart devices under Australia's Cyber Security Act 2024, start with the Act's actual actor roles: manufacturer and supplier. The cited Act and Smart Device Rules state the operative duties through manufacturer and supplier obligations, so an importer needs a role-based check instead of a separate importer label.

## What do manufacturers, importers, and suppliers have to do under Australia's Cyber Security Act 2024?

Manufacturers must make an in-scope relevant connectable product in line with the applicable security standard when the product is in the covered class and the manufacturer is aware, or could reasonably be expected to be aware, that it will be acquired in Australia in the specified circumstances. The Smart Device Rules target consumer-grade relevant connectable products, with listed exclusions for desktops and laptops, tablets, smartphones, therapeutic goods, road vehicles, and road vehicle components.

Suppliers must not supply a non-compliant covered product in Australia when they are aware, or could reasonably be expected to be aware, that it will be acquired in Australia in the specified circumstances. Suppliers must also supply the product with a statement of compliance and retain a copy for the period set by the Rules.

Importers are not given a separate importer-specific duty label in the cited Act and Rules. Treat an importer as in scope when its facts also make it a manufacturer or a supplier, such as importing a covered consumer-grade smart device for supply in Australia. Keep the role analysis explicit instead of assuming that every overseas purchase, distributor, or logistics movement is automatically covered.

- Manufacturer duty: confirm the product class, build against the password, vulnerability-reporting, and defined-support-period requirements, and provide a compliant statement of compliance for Australian supply.
- Supplier duty: do not supply a known non-compliant covered product in Australia, supply it with the statement of compliance, and keep the retained statement record.
- Importer triage: record whether the importer manufactures, supplies, or only handles logistics; apply the manufacturer or supplier duties only when the facts support that role.
- Exception check: confirm whether the product is outside the Rules because it is not consumer-grade, will not be acquired by a consumer in Australia, or is one of the product exclusions listed in section 8 of the Smart Device Rules.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/text?ref=sorena.io) - Official Act source for the manufacturer and supplier duties in sections 15 and 16, including compliance, non-supply, statement-of-compliance, and retention obligations.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Official Rules source for consumer-grade relevant connectable product scope, listed product exclusions, statement contents, and the five-year statement retention period.

## What records should prove the manufacturer, importer, or supplier role?

Keep records that show why the product and actor were placed inside or outside the smart-device obligations. The useful evidence set is a product-scope file, a role file, a security-standard file, and a statement-of-compliance file, not a generic compliance memo.

The statement of compliance should be prepared by, or on behalf of, the manufacturer and include the product type and batch identifier, manufacturer and authorised representative details, compliance declarations, defined support period, signatory details, and place and date of issue. Both manufacturers and suppliers should be able to retrieve the statement for the Rules' five-year retention period.

- Product-scope evidence: product type, batch identifier, intended use, consumer acquisition analysis, connection capability, and any section 8 exclusion relied on.
- Role evidence: manufacturer identity, authorised representative details, Australian supplier or importer entity, contracts or purchase orders showing who supplies the product in Australia, and the basis for any out-of-scope conclusion.
- Security-standard evidence: password design proof, security-issue reporting contact and acknowledgement/update process, published defined support period, and security-update publication records.
- Statement evidence: issued statement of compliance, signatory name and function, issue date and place, defined support period at issue, retention owner, and retrieval path for regulator requests or independent examination.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/text?ref=sorena.io) - Official Act source for statement-of-compliance duties, retention by manufacturers and suppliers, and the Secretary's power to request a product or statement for examination.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Official Rules source for the required statement fields and five-year retention period for statements of compliance.

## Which edge cases should be escalated before supply in Australia?

Escalate cases where the supply-chain label does not match the legal role. An offshore OEM, Australian distributor, online marketplace seller, local importer, and reseller may each need a separate manufacturer-or-supplier assessment based on who manufactures, who supplies in Australia, and who knows or should know the product will be acquired in Australia by a consumer.

Also escalate products near the Rules' scope boundary: bundled products, accessories with their own connection capability, consumer energy resources, business devices that may still be consumer acquisitions, and excluded product categories. Do not use ransomware reporting or Security of Critical Infrastructure Act workflows as substitutes for the smart-device product duties; those are separate regimes unless the same facts independently trigger them.

- Do not call a product exempt just because it is sold to a business; the Rules use the Australian Consumer Law consumer concept and the specified circumstance of acquisition by a consumer.
- Do not rely on a support-period statement hidden only in a regulatory page if product information or main characteristics are published elsewhere on a manufacturer-controlled website.
- Do not ship without a statement record simply because the manufacturer is overseas; the supplier duty still turns on supply in Australia of a covered product with the required statement.
- Do not shorten a published defined support period; if it is extended, publish the new period as soon as practicable.

Sources for this answer:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Official Rules source for consumer-grade scope, excluded products, support-period publication requirements, and the rule that a published defined support period must not be shortened.
- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/text?ref=sorena.io) - Official Act source for the awareness standard attached to manufacturer and supplier duties when products will be acquired in Australia in specified circumstances.

## Primary sources

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/text?ref=sorena.io) - Official Act source for smart-device manufacturer and supplier obligations, statement-of-compliance duties, enforcement notices, and compliance examination requests.
  - Quote: "manufacturers must manufacture the product in compliance"
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Official Rules source for consumer-grade relevant connectable product scope, exclusions, security-standard requirements, statement contents, and retention period.
  - Quote: "Part 1 of Schedule 1 provides a security standard"

