---
title: "Cyber Security Act 2024 Statements of Compliance FAQ"
canonical_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance"
source_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance"
author: "Sorena AI"
description: "FAQ answer on Australian Cyber Security Act 2024 statements of compliance for smart devices, including scope, actors, required contents, retention, evidence, and citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Cyber Security Act 2024 statements of compliance"
  - "Australia smart device security standard"
  - "consumer grade relevant connectable products"
  - "Cyber Security Act 2024"
  - "Statements of Compliance"
  - "Smart devices"
  - "Australia"
---

# Cyber Security Act 2024 Statements of Compliance FAQ

FAQ answer on Australian Cyber Security Act 2024 statements of compliance for smart devices, including scope, actors, required contents, retention, evidence, and citations.

A statement of compliance is the smart-device security record that the manufacturer prepares and the supplier provides with covered products supplied in Australia.

Use this FAQ to check covered products, responsible actors, required statement contents, five-year retention, and audit-ready evidence.

Under section 16 of the Cyber Security Act 2024, statements of compliance sit in the smart-device security-standard regime. They are not a general cyber policy record: they apply when a relevant connectable product is in a class covered by the rules and will be acquired in Australia in the specified circumstances.

## What should teams do about statements of compliance under the Cyber Security Act 2024?

For covered smart devices, the manufacturer must provide a statement of compliance for supply in Australia, and the supplier must supply the product in Australia with that statement. Both manufacturer and supplier must retain a copy for the period set by the rules.

Start by confirming scope. The current Smart Devices Rules prescribe a security standard for consumer-grade relevant connectable products intended or likely to be used for personal, domestic, or household use or consumption, where the products will be acquired in Australia by a consumer. The rules exclude desktop and laptop computers, tablet computers, smartphones, therapeutic goods, road vehicles, and road vehicle components.

The manufacturer is responsible for the statement, whether it prepares the statement itself or has it prepared on its behalf. The supplier should not treat the statement as optional packaging copy: the Act requires the product to be supplied in Australia with a statement of compliance when the statutory conditions are met.

- Classify the product against the consumer-grade relevant connectable product scope and listed exclusions before drafting the statement.
- Map the actor role: manufacturer prepares or authorises the statement; supplier supplies the product with the statement and retains its copy.
- Tie the statement to the security-standard evidence for passwords, vulnerability-reporting information, and published defined support periods where those Schedule 1 duties apply.
- Keep the statement available for regulator review because the Secretary may request the product, the statement of compliance, or both for an independent examination.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text/1/pdf?ref=sorena.io) - Section 16 establishes manufacturer and supplier statement-of-compliance duties for relevant connectable products supplied in Australia.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Section 8 defines the current covered class as consumer-grade relevant connectable products and lists exclusions.

## What must an Australian smart-device statement of compliance contain?

For statements of compliance with the security standard in Part 1 of Schedule 1 to the Smart Devices Rules, the statement must be prepared by, or on behalf of, the product manufacturer. It must identify the product and responsible parties, record manufacturer declarations, name the defined support period, and include execution details.

A useful implementation record should mirror the required legal contents instead of replacing them with a generic security attestation.

- Product type and batch identifier.
- Name and address of the manufacturer, an authorised representative of the manufacturer, and any other Australian authorised representatives.
- Declaration that the statement was prepared by, or on behalf of, the manufacturer.
- Manufacturer opinion that the product was manufactured in compliance with the security-standard requirements and that the manufacturer complied with other security-standard obligations for the product.
- Defined support period for the product at the date the statement is issued.
- Signature, name, and function of the manufacturer signatory, plus place and date of issue.

Sources for this answer:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Section 9 lists the required contents of a statement of compliance for consumer-grade relevant connectable products.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Schedule 1 defines the support-period concept that must appear in the statement.

## What evidence and retention should teams keep for statements of compliance?

Keep the statement for five years for the consumer-grade relevant connectable product security standard covered by the Smart Devices Rules. The retention file should allow a reviewer to connect the signed statement to the product batch, the manufacturer role, the supplier handoff, and the underlying security-standard controls.

Evidence should be practical and product-specific: retain the issued statement, the product classification decision, supporting test or engineering records, the published vulnerability-reporting and support-period materials, supplier distribution proof, and any notices or regulator correspondence about examination requests.

- Retain the issued statement version, date and place of issue, signatory details, product type, and batch identifier for five years.
- Keep scope evidence showing why the product is covered or excluded, including consumer-grade use analysis and any exclusion relied on.
- Keep control evidence for passwords, security-issue reporting, and defined support periods where those Schedule 1 requirements apply.
- Keep supplier evidence showing the statement accompanied the product in Australia, plus records of any corrections or replacement statements.
- Keep examination-readiness records so the product, statement, or both can be produced if requested in writing by the Secretary.

Sources for this answer:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Section 10 sets the retention period for covered statements of compliance at five years.
- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text/1/pdf?ref=sorena.io) - Section 23 supports keeping examination-ready product and statement records because the Secretary may request them for an independent examination.

## Which mistakes create risk for statements of compliance?

The main risk is treating the statement as a broad cyber compliance memo rather than a product-specific statutory statement tied to the smart-device security standard. Another risk is relying on the manufacturer's statement but failing to retain supplier-side proof that the statement accompanied products supplied in Australia.

- Using the statement for products outside the current covered class without recording the scope analysis.
- Omitting the defined support period, signatory function, batch identifier, or Australian authorised-representative details required by the rules.
- Keeping only engineering test evidence and not the actual issued statement.
- Treating the five-year retention period as a manufacturer-only obligation when section 16 also gives suppliers a copy-retention duty.
- Publishing or supplying product information that conflicts with the support period recorded in the statement.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text/1/pdf?ref=sorena.io) - Section 16 assigns statement supply and copy-retention duties to both manufacturers and suppliers.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Schedule 1 requires the defined support period to be published and prevents shortening after publication.

## Primary sources

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text/1/pdf?ref=sorena.io) - Primary Act source for section 23 independent examination powers involving products and statements of compliance.
  - Quote: "whether the statement of compliance"
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Rules source for the covered consumer-grade relevant connectable product class, exclusions, required statement contents, and five-year retention period.
  - Quote: "Requirements for statement of compliance"

