--- title: "Which smart devices are in scope under Australia's Cyber Security Act 2024?" canonical_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope" source_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope" author: "Sorena AI" description: "FAQ on Cyber Security Act 2024 smart-device scope: relevant connectable products, consumer-grade criteria, exclusions, Australian consumer acquisition, and records to keep." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "Australia Cyber Security Act smart device scope" - "relevant connectable product" - "consumer grade smart devices" - "Cyber Security Act 2024" - "Smart Device Scope" - "Australia" - "Relevant connectable products" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # Which smart devices are in scope under Australia's Cyber Security Act 2024? FAQ on Cyber Security Act 2024 smart-device scope: relevant connectable products, consumer-grade criteria, exclusions, Australian consumer acquisition, and records to keep. *FAQ* *Australia* *Smart Device Scope* ## Cyber Security Act 2024 Smart Device Scope A product is in the current smart-device security standard only when it is a relevant connectable product, fits the consumer-grade class, is not carved out by the Rules, and will be acquired in Australia by a consumer. Use this FAQ to separate covered consumer smart devices from excluded products and to record the evidence behind the scope answer. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation. Australia's Cyber Security Act 2024 gives the rule-making power for mandatory security standards for relevant connectable products. The Cyber Security (Security Standards for Smart Devices) Rules 2025 then prescribe the current class: consumer-grade relevant connectable products acquired in Australia by a consumer, subject to express exclusions. ## Which smart devices are in scope under Australia's Cyber Security Act 2024? Start with the product. Under the Act, a relevant connectable product is an internet-connectable product or a network-connectable product that is not exempted under the rules. Internet-connectable means capable of connecting to the internet using a communication protocol in the internet protocol suite to send and receive data. Network-connectable covers products that can send and receive data by electrical or electromagnetic transmission, are not internet-connectable, and meet the Act's direct-connection tests. Then apply the Smart Devices Rules. The current security standard covers relevant connectable products intended by the manufacturer to be used, or of a kind likely to be used, for personal, domestic, or household use or consumption. The specified circumstance is that the product will be acquired in Australia by a consumer. - In scope: an internet-connectable or network-connectable product, not exempted by rules, that fits the consumer-grade personal, domestic, or household class and will be acquired in Australia by a consumer. - Examples identified in the explanatory statement include smart TVs, smart watches, home assistants, baby monitors, and consumer energy resources. - Do not rely only on the product name. Record connectivity, manufacturer's intended purpose, likely household use, sales channel, and Australian consumer acquisition facts. - If the product is connectable but not consumer-grade, or the acquisition circumstance is missing, record that the current Smart Devices Rules scope has not been met rather than forcing the product into scope. Sources for this answer: - [Cyber Security Act 2024](https://www.legislation.gov.au/Details/C2024A00098?ref=sorena.io) - Supports the relevant connectable product definition and the internet-connectable and network-connectable product tests. - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/Details/F2025L00276?ref=sorena.io) - Supports the consumer-grade class, Australian consumer acquisition circumstance, and product exclusions for the current smart-device security standard. - [Explanatory Statement to the Smart Devices Rules 2025](https://www.legislation.gov.au/Details/F2025L00276/Explanatory%20Statement/Text?ref=sorena.io) - Provides official examples of consumer-grade smart devices discussed for the Rules. ## Which products are excluded from the current Australian smart-device security standard? The Smart Devices Rules do not prescribe the current security standard for every connected product. Even when a product is a relevant connectable product and looks consumer-facing, section 8 excludes six product groups from the consumer-grade class. The excluded groups are desktop computers or laptops, tablet computers, smartphones, therapeutic goods within the meaning of the Therapeutic Goods Act 1989, road vehicles within the meaning of the Road Vehicle Standards Act 2018, and road vehicle components within the meaning of that Act. - Keep a separate exclusion field for each of the six carved-out product groups. - Do not treat a product as excluded merely because it has a screen, app, battery, or wireless module; tie the exclusion to one of the named categories in the Rules. - For mixed products, keep the bill of materials, marketing claims, user instructions, regulatory classification, and product-line rationale used to decide whether an exclusion applies. Sources for this answer: - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/Details/F2025L00276?ref=sorena.io) - Lists the six product groups excluded from the consumer-grade relevant connectable product class. ## What records should teams keep for a Cyber Security Act 2024 smart-device scope answer? Keep enough evidence to re-run the answer without relying on memory. The record should show why the product is, or is not, a relevant connectable product; why it is, or is not, consumer-grade; whether an exclusion was checked; and whether the Australian consumer acquisition circumstance is present. For products that are in scope, keep the downstream compliance records with the scope file. The Act and Rules tie covered products to manufacturer and supplier duties, statement-of-compliance records, password requirements, security-issue reporting information, and defined support-period publication. - Scope evidence: product name, model or batch, hardware and software connectivity, protocols, companion app or gateway dependency, and whether the product can directly or indirectly connect to the internet. - Consumer-grade evidence: manufacturer's intended purpose, label, instructions for use, promotional or sales materials, likely personal, domestic, or household use, and intended Australian acquisition channel. - Exclusion evidence: desktop or laptop, tablet, smartphone, therapeutic good, road vehicle, and road-vehicle-component checks, including the source document or product classification used for each answer. - In-scope product evidence: statement of compliance, defined support period at issue date, password-control evidence, published security-issue reporting contact and acknowledgement/status-update information, and the five-year statement retention owner. Sources for this answer: - [Cyber Security Act 2024](https://www.legislation.gov.au/Details/C2024A00098?ref=sorena.io) - Supports manufacturer and supplier duties for covered relevant connectable products and the statement-of-compliance obligation. - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/Details/F2025L00276?ref=sorena.io) - Supports statement contents, five-year retention, password controls, security-issue reporting information, and defined support-period records. ## Primary sources - [Cyber Security Act 2024](https://www.legislation.gov.au/Details/C2024A00098?ref=sorena.io) - Primary Act source for relevant connectable product scope and manufacturer and supplier duties for smart-device security standards. - Quote: "This Act provides for mandatory security standards for certain products" - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/Details/F2025L00276?ref=sorena.io) - Primary rules source for the consumer-grade relevant connectable product class, Australian consumer acquisition circumstance, exclusions, security controls, statement contents, and retention period. - Quote: "Part 1 of Schedule 1 provides a security standard for consumer grade relevant connectable products" - [Explanatory Statement to the Smart Devices Rules 2025](https://www.legislation.gov.au/Details/F2025L00276/Explanatory%20Statement/Text?ref=sorena.io) - Explains the Rules' consumer-grade scope and gives examples of covered smart-device product categories. - Quote: "smart TVs, smart watches, home assistants, baby monitors, and consumer energy resources" ## Topic Guides - [Australia Cyber Security Act 2024 scope and definitions](/artifacts/apac/australia-cyber-security-act/scope-and-definitions.md): Grounded scope guide for Australia's Cyber Security Act 2024: relevant connectable products, consumer-grade smart devices, reporting business entities, ransomware payment reports, and SOCI overlap. - [Australia Cyber Security Act and SOCI Act overlap](/artifacts/apac/australia-cyber-security-act/security-of-critical-infrastructure-act-overlap.md): How the Australia Cyber Security Act overlaps with the Security of Critical Infrastructure Act for responsible entities, ransomware payment reporting, smart devices, and evidence records. - [Australia Cyber Security Act Applicability Test](/artifacts/apac/australia-cyber-security-act/applicability-test.md): Decide whether the Australia Cyber Security Act 2024 applies to a smart-device product, supplier, manufacturer, or ransomware payment reporting scenario. - [Australia Cyber Security Act Compliance Checklist](/artifacts/apac/australia-cyber-security-act/checklist.md): Concrete checklist items for Australian Cyber Security Act smart-device and ransomware duties, with SOCI and APRA CPS 234 evidence checks. - [Australia Cyber Security Act Compliance Guide](/artifacts/apac/australia-cyber-security-act/compliance.md): A source-linked compliance guide for Australia Cyber Security Act smart-device statements, ransomware payment reporting, incident coordination, and review-board readiness. - [Australia Cyber Security Act Deadlines and Compliance Calendar](/artifacts/apac/australia-cyber-security-act/deadlines-and-compliance-calendar.md): Calendar of grounded Australia Cyber Security Act milestones for ransomware reporting, smart-device security standards, statements of compliance, and statutory review. - [Australia Cyber Security Act FAQ](/artifacts/apac/australia-cyber-security-act/faq.md): Answers to Australia Cyber Security Act questions on smart device scope, statements of compliance, ransomware reports, enforcement notices, and incident review. - [Australia Cyber Security Act penalties and fines](/artifacts/apac/australia-cyber-security-act/penalties-and-fines.md): Grounded guide to Australia Cyber Security Act civil penalties, smart-device enforcement notices, ransomware reporting exposure, Board notice failures, and evidence records. - [Australia Cyber Security Act recordkeeping FAQ](/artifacts/apac/australia-cyber-security-act/faq/recordkeeping.md): What records to keep for Cyber Security Act 2024 smart-device statements, ransomware payment reports, and supported SOCI or APRA overlap checks. - [Australia Cyber Security Act Requirements](/artifacts/apac/australia-cyber-security-act/requirements.md): Australia Cyber Security Act requirements for smart-device security standards, statements of compliance, ransomware payment reports, notices, and evidence records. - [Australia Cyber Security Act Statement of Compliance Evidence](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence.md): Evidence guide for Australia Cyber Security Act smart-device statements of compliance: required fields, manufacturer and supplier records, five-year retention, and examination readiness. - [Australia Cyber Security Act templates](/artifacts/apac/australia-cyber-security-act/templates.md): Grounded template fields for Australia Cyber Security Act smart-device scope, statements of compliance, ransomware reports, notices, SOCI overlap, and records. - [Australia Cyber Security Act Timeline And Commencement Guide](/artifacts/apac/australia-cyber-security-act/timeline-and-commencement.md): Australia Cyber Security Act guidance for Timeline And Commencement, with practical decisions, evidence, edge cases, and external source citations. - [Australia Cyber Security Act vs EU Cyber Resilience Act](/artifacts/apac/australia-cyber-security-act/australia-cyber-security-act-vs-eu-cyber-resilience-act.md): Compare Australia's Cyber Security Act 2024 with the EU Cyber Resilience Act across smart-device duties, ransomware reporting, product-with-digital-elements scope, actors, records, and enforcement routes. - [Australia Cyber Security Act vs UK PSTI Act Guide](/artifacts/apac/australia-cyber-security-act/australia-cyber-security-act-vs-uk-psti-act.md): Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime. - [Australia ransomware payment reporting 72-hour duty](/artifacts/apac/australia-cyber-security-act/ransomware-payment-reporting-72-hours.md): Explain when Australia's Cyber Security Act 2024 requires a ransomware payment report, when the 72-hour clock starts, and what information the report must contain. - [Australia Smart Device Security Standards under the Cyber Security Act](/artifacts/apac/australia-cyber-security-act/smart-device-security-standards.md): Plain-English guide to Australia's Cyber Security (Security Standards for Smart Devices) Rules 2025: scope, passwords, vulnerability reporting, support periods, statements of compliance, and evidence records. - [Australia Smart Device Statement of Compliance Evidence Workflow](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence-workflow.md): Evidence workflow for preparing, supplying, and retaining statements of compliance under Australia's Cyber Security Act 2024 and Smart Devices Rules. - [CSA 2024 Ransomware Payment Reporting Workflow](/artifacts/apac/australia-cyber-security-act/ransomware-payment-reporting-workflow.md): Operational workflow for Australia Cyber Security Act 2024 ransomware payment reports: scope, 72-hour trigger, report fields, owners, evidence, and cited Act and Rules sources. - [CSA 2024 Ransomware Threshold & Report FAQ](/artifacts/apac/australia-cyber-security-act/faq/ransomware-payment-threshold-and-report-content.md): FAQ answer on Australia's Cyber Security Act ransomware payment reporting scope, $3 million turnover threshold, 72-hour trigger, report fields, and evidence. - [CSA 2024 Smart Device Applicability Test](/artifacts/apac/australia-cyber-security-act/smart-device-applicability-and-product-scope.md): Check whether a smart device is a consumer-grade relevant connectable product under Australia's Cyber Security Act and Smart Devices Rules. - [CSA 2024 Smart Device Statement of Compliance](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-and-recordkeeping.md): What a smart-device statement of compliance must contain under Australia's Cyber Security Act 2024 and Smart Device Rules, who prepares and supplies it, how long to retain it, and how to prepare for examination. - [Cyber Security Act 2024 Smart Device Compliance Checklist](/artifacts/apac/australia-cyber-security-act/smart-device-compliance-checklist.md): Checklist for Australia Cyber Security Act 2024 smart-device scope, password controls, vulnerability reporting, security-update support periods, statements of compliance, retention, and evidence. - [Cyber Security Act 2024 Statements of Compliance FAQ](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md): FAQ answer on Australian Cyber Security Act 2024 statements of compliance for smart devices, including scope, actors, required contents, retention, evidence, and citations. - [Cyber Security Act vs EU CRA: scope and obligations comparison](/artifacts/apac/australia-cyber-security-act/cyber-security-act-vs-eu-cyber-resilience-act.md): Compare Australia's Cyber Security Act 2024 with the EU Cyber Resilience Act across smart-device duties, ransomware reporting, product-with-digital-elements scope, actors, records, and enforcement routes. - [Cyber Security Act vs UK PSTI Act: device security obligations compared](/artifacts/apac/australia-cyber-security-act/cyber-security-act-vs-uk-psti-act.md): Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime. - [How do notices and recalls work under the Australia Cyber Security Act?](/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls.md): FAQ on Australia Cyber Security Act compliance notices, stop notices, recall notices, public notifications, owners, evidence fields, and grounded timing. - [How does the Australia Cyber Security Act overlap with the SOCI Act?](/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap.md): FAQ on when Australia Cyber Security Act ransomware reporting overlaps with SOCI critical infrastructure assets, responsible entities, and smart-device duties. - [Manufacturer, Importer, and Supplier Duties under Australia's Cyber Security Act 2024](/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations.md): Direct FAQ answer on Cyber Security Act 2024 smart-device duties for manufacturers, importers, and suppliers, including scope, statement records, exceptions, and citations. - [Smart Device Applicability: CSA 2024](/artifacts/apac/australia-cyber-security-act/smart-device-applicability-workflow.md): A source-linked workflow for deciding whether a connected product is covered by Australia's Cyber Security Act 2024 smart-device standard and what evidence to keep. - [SOCI overlap triage workflow for Australia Cyber Security Act](/artifacts/apac/australia-cyber-security-act/soci-overlap-triage-workflow.md): Triage SOCI Act overlap with Australia Cyber Security Act ransomware reporting and smart-device standards using separate owners, evidence, and source-linked scope checks. *Recommended next step* *Placement: after the FAQ answer* ## Turn smart-device scope into assigned evidence work Use this FAQ to turn Cyber Security Act 2024 product-scope questions into evidence requests for connectivity, consumer-grade use, exclusions, Australian acquisition, and statement records inside Sorena. - [Open Assessment Autopilot for Cyber Security Act 2024](/solutions/assessment.md): Turn smart-device scope criteria into product questions, evidence fields, and review tasks. - [Review Cyber Security Act 2024 source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up questions with cited Australian source material. - [Talk through implementation](/contact.md): Review product scope, exclusions, statement records, and next compliance actions with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope